Release notes - IBM® Security Verify Governance Adapter 10.0.5 for UNIX and Linux
IBM® Security Verify Governance Adapter 10.0.5 for UNIX and Linux is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright
International Business Machines Corporation 2003, 2024. All rights
reserved.
US
Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP
Schedule Contract with IBM Corp.
Table of Contents
1. Contents
2. Preface
3. Adapter Features and Purpose
6. Installation and Configuration Notes
Corrections to Installation Guide
7. Customizing or Extending Adapter Features
9. Notices
These Release Notes contain information for the following products that was not available when the IBM Security Identity Server manuals were printed:
· UNIX and Linux Adapter Installation and Configuration Guide
· UNIX and Linux Adapter User Guide
The IBM Security Verify Governance Adapter for UNIX and Linux is designed to create and manage accounts on AIX, HP-UX, RedHat and SUSE Linux systems. The adapter runs in "agentless" mode and communicates using Secure Shell (SSH) to the systems being managed.
IBM Security Verify Governance Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Verify Governance Server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Managing service groups implies the following:
· Create service groups on the managed resource.
· Modify attribute of a service group.
· Delete a service group.
Note: Modify service group name is not supported.
· This adapter supports LDAP as a user registry on AIX only.
· This adapter does not support Network Information Service (NIS).
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Component |
Version |
Release Date |
2024 April 19 06.20.04 |
Adapter Version |
10.0.5 |
Component Versions |
Adapter build: 10.0.5.174 Profile: 10.0.5.174 Connector: 10.0.5.174 Dispatcher: Dispatcher 7.1.39 (or higher, packaged separately). |
Documentation |
The following guides are available in the IBM Documentation · UNIX and Linux Adapter Installation and Configuration Guide · UNIX and Linux Adapter User Guide |
Internal # |
Enhancement # (RFE) |
Description |
|
|
Items included in current release (10.0.5) |
SVGAD-1729 |
ADAPT-145 |
Update Unix/Linux adapter to support SDI10 |
SVGAD-1214 |
|
Verify linux adapter with Ubuntu 20.04.5 |
|
|
Items included in release (10.0.4) |
SVGAD-1027 |
ADAPT-132 / ADAPT-I-208 |
Unix PosixAdapter for RedHat 9.x (9.2) |
SVGAD-1468 |
|
Validate UnixLinux adapter on SLES 15.5 |
SVGAD-961/ SVGAD-769/ SVGAD-676 |
ADAPT-127 |
Enable IBM Security Identity Manager to manage AIX RBAC roles. (Added domains and default role for user) |
SVGAD-1161 |
Remove the support of Solaris OS |
|
|
Items included in release (10.0.3) |
|
RTC 191170 |
ADAPT-115 |
Fix umask recon for secure home directories (sudo) The umask settings are now retrieved and updated. When updating the umask for an account to 027, it got defined as 750 in the UI. The umask setting in the .profile file was updated with the 750 file permissions defined as umask, not 027. To resolve this we have kept the bitstring for the file permissions as is (as this is correct both in the UI and on the OS) , but flipped to bitstring for the umask as this was both displayed incorrectly in the UI as incorrectly written to the profile (as filepermission). |
ADAPT-132 |
ADAPT-I-208 |
Adapter certification on RedHat Enterprise Linux Server 9.0 |
|
|
Items included in release (10.0.2) |
RTC 190965 |
ADAPT-I-190 |
Adapter certification on AIX 7.3 |
|
|
Items included in release (10.0.1) |
|
None |
|
|
|
Items included in release (7.1.46) |
RTC 185239 |
|
Certify UnixLinux adapter on RHEL 8, SuSe 15 |
|
|
Items included in release (7.1.45) |
RTC 183245 |
RFE 129090 (57162) |
Unix/Linux Adapter supporting current encryption/hashing for SSH. Note: Use SDI 7.2.0 Fix Pack 6 & TDI 7.1.1 Fix Pack 9 onwards version for the below newly supported algorithms: • rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521 • diffie-hellman-group14-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521 • aes192-ctr, aes256-ctr |
RTC 184762 |
RFE 92534 (44991) |
Allowed password maximum age limit in Linux and Solaris. If password maximum age value is greater than LDAP limit value (2147483647), then adapter will set LDAP limit value for password maximum age. See Allowed password maximum age limit in Linux and Solaris section for more information.
|
RTC 184354 |
|
Attribute value lookup support for IGI 5.2.5 |
|
|
Items included in the release (7.1.44) |
RTC 183246 |
|
50336: Don't create private group on user creation although additional attributes cannot be set |
|
|
Items included in the release (7.1.43) |
RTC 177521 |
|
Adapter certification on RHEL7.4 |
RTC 177521 |
|
Adapter certification on RHEL7.5 |
|
|
Items included in the release (7.1.42) |
RTC
174565 |
|
Verify and Certify Suse 12.3 Suse 12. Fixpack 3 is supported or not |
|
|
Items included in the release (7.1.41) |
RTC 168740 |
|
US - As a UnixLinux adapter developer, I must support the new specialFlags attribute in targetProfile.json |
|
|
Items included in the release (7.1.40) |
RTC 165309 |
|
US - As a UnixLinux adapter developer, I must implement support for the latest IGI requirements |
|
|
Items included in the release (7.1.39) |
RTC 158753 |
|
US - As a UnixLinux adapter developer, I should remove the <replaceMultiValue> tag in service.def |
RTC 156577 |
|
Adapter
certification on following new Linux releases SUSE 12.2 |
|
|
Items included in the release (7.1.38) |
RTC 151776 |
|
Add
support for IGI 5.2.x |
PMR 04119,67E,760 Bugz 2174 |
|
Adapter certification on AIX 7.2 |
|
|
Items included in the release (7.0.37) |
40870 (82030) RTC 142443 |
|
Password change automation for PIM Solaris Profile |
|
|
Items included in the release (7.0.36) |
42052 (84783) RTC 142442 |
|
ISIM v6.0 Unix and Linux Adapter support for Oracle Linux 6.6 |
RTC 142444 |
|
Adapter certification on RHEL7.2 |
RTC 142445 |
|
Adapter certification on SuSE12.1 |
|
|
Items included in the release (7.0.35) |
RTC138252 |
|
Adapter certification on Oracle Linux 7.1 |
|
|
Items included in the release (7.0.34) |
76587
(38540) |
|
Support for Dormant accounts on Linux. |
|
|
Items included in the release (7.0.33) |
RTC 127027 |
|
Adapter certification on Oracle Linux 7 |
RTC 124805 |
|
Adapter certification on RHEL7.1 |
RTC 127026 |
|
Adapter certification on SLES 12 |
RTC 127028 |
|
Adapter certification on AIX 7.1 TL3 |
|
|
Items included in the 7.0.32 release |
|
|
Initial release |
Internal# |
Known Issue/ Case# |
Description |
|
|
Items included in current release (10.0.5) |
Bug-4237 SVGAD-1458 |
|
INVALID_LOGIN_CREDENTIALS using Key Based Authentication Error: com.ibm.tivoli.remoteaccess.RemoteAccessAuthException: CTGRI0000E Could not establish a connection to the target machine with the authorization credentials that were provided. |
Bug-4226 SVGAD-1458 |
|
Posix adapter not working on AIX Error: Recon operation caught exception: com.ibm.di.connector.osconnector.exceptions.PosixException: Data read failed; retval: 1 |
|
|
Items included in release (10.0.4) |
Bug 3986 SVGAD-164 |
|
CTGIMT018E: A system error occurred while deleting an account. The account is not deleted. Error: no crontab for xxxxxxx Cannot lock password file: already locked. |
|
|
Items included in release (10.0.3) |
|
|
None |
|
|
Items included in release (10.0.2) |
RTC 187875 Bug 3315 |
IJ27274 |
"root all=(all:all) all" syntax in sudoers file causes recons to fail
It will fail for only 'root ALL=(ALL:ALL) ALL' As an alternate use 'root ALL=(ALL) ALL'
|
|
|
Items included in release (10.0.1) |
|
|
None |
|
|
Items included in release (7.1.46) |
|
|
None |
|
|
Items included in release (7.1.45) |
RTC 184353 Bug 2951 |
Case TS002309060 |
Allow $ in password $ was prohibited in earlier release but since its common character used in password, its being allowed again from this release onwards. However, there are still some limitations, so we must ensure that $() and ${} is not allowed. To use $ in password Select Allow $ in password checkbox in service form. See Allow $ in password section for more information.
|
|
|
Items included in release (7.1.44) |
RTC 183393 Bug 2874 |
PMR TS002079080 |
UnixLinux - change the special flags for erPosixPrimaryGroup’s to none |
|
|
Items included in the release (7.1.43) |
RTC 177762 Bug 2644 |
IJ07579 |
Groups not returned during reconciliation, $ is escaped in sed command, sed -e 's/\$ |
|
|
Items included in the release (7.1.42) |
|
|
None |
|
|
Items included in the release (7.1.41) |
RTC 166794 |
|
US - As a Unix Linux adapter developer, I must ensure that '$' characters in attribute names are not subject to macro expansion |
|
|
Items included in the release (7.1.40) |
RTC 161484 |
|
PEN TEST - User account creation allows a rogue Linux start process command to be appended
|
RTC 161485 |
|
PEN TEST - Group creation allows a rogue Linux start process command to be appended
|
RTC 161486 |
|
PEN TEST - Identity Service Center allows directory creation under /root
|
|
|
Items included in the release (7.1.39) |
|
|
None. |
|
|
Items included in the release (7.0.38) |
|
|
None. |
|
|
Items included in the release (7.0.37) |
|
|
None. |
|
|
Items included in the release (7.0.36) |
Bugz2033 RTC142016 |
IV83309 |
Linux recon scripts do not handle usernames with period in them. |
|
|
Items included in the release (7.0.35) |
Bug
1964 |
|
Adding
user to an AIX target with ISIM UnixLinux adapter fails.
|
|
|
Items included in the release (7.0.34) |
RTC129909 |
IV76420 |
No need to add an user to "Security" group for creating as super user on AIX. |
|
|
Items included in the 7.0.33 release |
Bugz1757 RTC124805 |
|
UnixLinux connector claims RHEL 7 is not supported |
Items included in the 7.0.32 release |
||
|
|
Initial release |
Internal# |
APAR# |
Case# / Description |
Bugz 2059, RTC 145019 |
PMR 44212,082,000 |
diffie-hellman-group-exchange-sha256 SSH key exchange algorithm does not work
Successful connection between the UNIX and Linux Adapter and a managed resource depends, in part, on the SSH key exchange algorithms configured on each of the systems. The underlying Remote Execution and Access (RXA) libraries used by the adapter define which SSH algorithms are supported. The RXA libraries are packaged with SDI. To get diffie-hellman-group-exchange-sha256 support, you must use ITDI 7.1.1 LA 0030 or later. |
|
|
Adding audit class value on AIX
During user add and user modify, if audit class attribute contains a valid value but some other attribute fails, then adapter returns failure instead of warning.
|
|
|
Deleting audit class value on AIX
Adapter returns success for deleting audit class value on AIX, but the changes do not reflect on resource. |
|
|
User add request with primary group value on Aix
Adapter returns failure status for useradd request if primary group contains value which does not exist on resource. |
|
|
Changing primary group values on AIX
When primary group and secondary groups values are updated in the same useradd or usermod request, the primary group value is added to the secondary groups list without removing the previous primary group name from the list. Example: Assume that a user is added with two attributes Primary group = gr01, Secondary Groups = gr02,gr03 Then the user is modified for the two attributes Primary group = grp1, Secondary Groups = grp2,grp3 Result: The new secondary group values are: grp1,grp2,grp3,gr01.
|
|
|
Password change with using LDAP registry on AIX
Configuring multiple AIX services to use the same LDAP may cause errors. If LDAP is configured to use password history checking, and IBM Security Identity Server is configured for password synchronization, any passwords changes initiated from the IBM Security Identity Server effectively cause IBM Security Identity Server to send the same password to each AIX service. The result is a history violation.
|
|
|
pwdadm process might be left running on AIX after root password change
If a failure occurs when changing root's password on AIX 7.1, the pwdadm command can consume a large number of CPU cycles. This can be resolved by installing AIX 7.1 TL3 or higher, which includes APAR IV63940. |
RTC 177762 Bug 2644 |
IJ07579 |
Groups not returned during reconciliation, $ is escaped in sed command, sed -e 's/\$
From this release (7.1.43), adapter does not support $ character in input values to avoid macro expansion or unwanted command execution.
Note: From release (7.1.45), adapter allows $ in password. $ was prohibited in earlier release but since its common character used in password, its being allowed again from this release onwards. However, there are still some limitations, so we must ensure that $() and ${} is not allowed. To use $ in password Select Allow $ in password checkbox in service form. (Ref. RTC 184353, Bug 2951, Case TS002309060)
|
Bug 2577 |
|
UNIX/Linux Adapter fails to create role on AIX 7.1 when authorization does not exist
On Aix 7.1, for creating a new role through adapter, make sure the authorization exists on Aix resource.
|
|
Bugz1098 IV50269 RTC96617 |
erPosixForcePwdChange request not working when set to 0
On Linux, Solaris and HPUX, the 'force password change' feature cannot be toggled. You can only set the 'force password change' option to true. The OS does not support resetting it back to false. On AIX, the 'force password change' feature can be toggled between true and false.
|
|
Supported shells
Only shells that support setting environment variables via "envvar = xxx; export envvar;" are supported for the service admin user. csh and tcsh in particular do not work (others might not work as well). The sh and bash shell works for the admin user. Note that on many systems, sh is a symlink to another shell. |
|
|
|
|
Internal# |
APAR# / Case# |
Description |
|
|
PosixAdapterInstall can only be installed on operating systems and releases that are specified in the Supported operating systems for the PosixAdapterInstall.jar section of the release notes and might have unexpected results if used in unsupported versions. For unsupported versions one can manually install the adapter. refer to Installing the adapter binaries or connector section under Installing. |
See the IBM Security Verify Governance Adapter for UNIX and Linux Installation Guide for detailed instructions.
The following corrections to the Installation Guide apply to this release:
Remove Solaris from Overview points
Installing the adapter using the installation wizard
About this task
Note: For IBM Security Verify Directory Integrator, use the PosixAdapterInstall.jar that is located in the SDI10.0 folder of the adapter package. For IBM Security Directory Integrator , use the PosixAdapterInstall.jar that is located in the SDI7.2 folder of the adapter package.
Prerequisites
Remove solaris from Operating systems
Installing the adapter binaries or connector
The connector might or might not be available with the base Security Directory Integrator or Security Directory Integrator product. The connector is required to establish communication between the adapter and the Dispatcher.
Before you begin:
The dispatcher must be installed
Procedure:
1. Create a temporary directory on the workstation where you want to extract the adapter. Verifying the adapter installation
Remove SolarisPConnRes.sh from Table 1. Adapter components
Enabling secure communication
Remove Solaris systems from title of About this task
Installing ILMT-Tags File
Before you begin:
The dispatcher must be installed
Procedure:
Copy the files from ILMT-Tags folder to the
specified location:
1. Windows: <SDI-HOME>\swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
Service/Target form details
Remove Solaris operating system reference from description.
On the Authentication tab
Allow $ in password
Select this check box to use $ in a password.
Allowed password maximum age limit in Linux and Solaris
Remove Solaris from the title.
Installing the adapter language pack
The
adapters use a separate language package from the IBM Security
Identity Server. See the IBM Security Governance Adapters
Documentation
Center
for information about installing the adapter language pack.
IBM Security Verify Governance Adapter Documentation
Installing
in the Verify Governance Virtual Appliance
( Please add this new section at knowledge centre (under Installing > Installing in the Verify Governance Virtual Appliance) for UnixLinux Adapter to describe installation procedure of adapter in Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please add this below note as well after adding the description.)
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit IBM Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
Installing in an IBM Security Verify Directory Dispatcher
Container
Before you begin
The steps to install adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running Kubernetes cli. The adapterUtil.sh script is also readily available in the bin directory of ISIM IBM Security Verify Governance Identity Manager Container Starter Kit installation directory (If ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and any changes to the configuration.yaml. To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· for OpenShift container: oc -n isvgim rollout restart deployment isvdi
· for kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-UnixLinux-*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script could be found is installed and /path/to/Adapter-UnixLinux-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.
Manually copying files to Persistent Volume
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
PosixConnector.jar
Copy this file to the <Persistent_Volume>/jars/connectors directory.
Reconcile Scripts
Copy this file to the <Persistent_Volume>/timsol directory.
AIXPConnRes.sh
HPTrustPConnRes.sh
LinuxPConnRes.sh
LinuxShadowPConnRes.sh
HPNTrustPConnRes.sh
CryptPwd
ILMT-Tags
Copy below files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
Enabling TLS 1.2
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page from SDI to add advanced configuration element (if it don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add 2 attr and value (key pair as mentioned in the SDI guide) as below:
- attr: com.ibm.di.SSLProtocols
value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
value: 'TLSv1.2'
Enabling debug logs and disabling json-logging
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to the add root-level and json-logging configuration elements section to the config.yaml file.
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page from SDI to add root-level and json-logging configuration elements (if they don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
To enable debug logs, set the value for root-level to debug. To and to disable json logging, set the value for json-logging element to false.
Uninstalling the adapter
Using Script
Use the below command to remove the Aadapter:
/path/to/adapterUtil.sh -removeAdapter UnixLinux
Manually copyingremoving files tofrom the Persistent Volume
Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
PosixConnector.jar
Remove this file from <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Remove below files from <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag
ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag
Reconcile Scripts
Remove below files from <Persistent_Volume>/timsol directory:
AIXPConnRes.sh
HPTrustPConnRes.sh
LinuxPConnRes.sh
LinuxShadowPConnRes.sh
HPNTrustPConnRes.sh
CryptPwd
Customizing the adapter profile
Remove Solaris (PosixSolarisProfile.jar) section from this page
Customizing the adapter attributes
Adding home directory permissions on the account form
Remove POSIX Solaris account from procedure
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in the <SDI_HOME_Directory>/etc/global.properties file
6. Start the SDI Server process
7. Re-create the problem and collect the
<SDI_Solution_Dir>/logs/ibmdi.log
Upgrading the adapter binaries or connector
Take backup of adapter binaries or connector
Procedure:
Take backup of below files before performing upgrade:
<SDI-HOME>/jars/connectors/PosixConnector.jar
Note: Stop the dispatcher service before the upgrading the connector and start it again after the upgrade is complete.
Upgrade adapter binaries or connector
Procedure:
Copy PosixConnector.jar from the adapter package to the <SDI-HOME>/jars/connectors directory.
Upgrading the adapter profile
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
There are OS specific adapter profiles included in the UnixLinux Adapter distribution package.
Note: Restart the Dispatcher service after importing the profile. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
Adapter Attributes and Object classes
Remove Solaris from Operation Systems of Table 1. Account form attributes, descriptions, permissions, and applicable operating systems
Attribute |
Permissions |
Description |
OS |
erposixdomain |
Read and Write |
Specifies the Domains that the user is assigned. |
AIX |
erposixdefaultroles |
Read and Write |
Specifies the Default roles that the user is assigned. |
AIX |
erPosixMaxPwdAge |
Read and Write |
Specifies the maximum age for a password. If password maximum age value is greater than LDAP limit value, then adapter will set LDAP limit value for password maximum age.(Applies for Linux) |
AIX |
Adapter attributes by operations
Remove Solaris from System Login Add,System Login Change,System Login Delete,System Login Suspend and System Login Restore tables.
Key-based authentication for the UNIX and Linux Adapter
Enabling RSA key-based authentication on UNIX and Linux® operating systems
Note: On newer versions of OS (Redhat 8.8 & Ubuntu 20.04) command ssh-keygen -t rsa do not generate RSA key, it generates OPENSSH key. In order to generate rsa key on newer OS (using ssh-keygen utility) we need to use ssh-keygen -t rsa -m PEM command.
IBM Security Verify Governance Adapters for Unix and Linux can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the IBM Security Verify Governance Adapter Development and Customization Guide
The integration to the IBM Security Verify Governance server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a Support Case is opened.
The IBM Security Verify Governance Adapter for UNIX and Linux was built and tested on the following product versions.
Adapter Installation Platform:
This adapter installs into Security Directory Integrator (SDI) and may be installed on any platform supported by the SDI product and supported by the target system libraries or client, where applicable. IBM recommends installing SDI on each node of the IBM Security Identity Server WAS Cluster and then installing this adapter on each instance of SDI. Supported SDI versions include:
Due to continuous Java security updates that may be applied to your ISIM or PIM servers, the following SDI releases are the officially supported versions:
· Security Directory Integrator 7.2 + FP12
· Security Verify Directory Integrator 10.0 FP1
Note: Earlier SDI supported versions may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.
Managed Resource:
AIX
AIX7.3
HP-UX
HP-UX 11i v3 : Supported operating system modes: non-trusted, trusted non-secure
Oracle Linux
Linux7
Linux8
Linux9
Red Hat Linux
RedHat Linux Enterprise Server 9.0
RedHat Linux Enterprise Server 9.2
· Red Hat Enterprise Server supported operating system modes are standard and SE Linux
· Red Hat Linux Enterprise Server release updates may introduce changes and/or features that are not supported by the adapter. In such a case, support for the changes or features will be added in a future release of the adapter.
SUSE Enterprise Linux Server
SUSE SLES 12.5
SUSE SLES 15 SP3
SUSE SLES 15.5
Z System and LinuxONE
RedHat Linux Enterprise Server 8.8
SUSE SLES 15
SUSE SLES 15.4
Ubuntu 20.04.5 LTS
Supported IBM Security Verify servers
· IBM Security Verify Governance Identity Manager v10.0
· IBM Security Verify Governance v10.0
· *Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10
Supported operating systems for the PosixAdapterInstall.jar
· Windows: Windows 11, Windows 10, Windows Server 2012 R2, 2016, 2019, and 2022,Windows 7 and 8.1 (x86 and x64)
· Apple: macOS Sonoma (14), macOS Ventura (13), macOS Ventura (13), macOS Montarey (12), macOS Big Sur (11), macOS Catalina (10.15), macOS Mojave (10.14)
· Linux: CentOS Stream 9.0, Red Hat Enterprise Linux 7.9, 8 (x64), 8.3, 8.4, 8.5, 8.6, 8.7, 9.0, 9.1, and 9.3, Red Hat Enterprise Linux 7.2 and 8 for PowerPC (little endian), Red Hat Linux 7.1 and 8 for PowerPC (little endian - silent and console mode only), OpenSUSE Linux 15.3 and 15.4, Oracle Linux 8.5, 9, and 9.3,SUSE Linux Enterprise 15,Ubuntu 21.4, 22.04, 22.10, and 23.10,Fedora 34, 36, 37, and 39
· Solaris: Solaris 11 (x86 and SPARC),Solaris 9, 10 (x86, SPARC, and AMD-64)
· HP-UX: HP-UX 11i (Itanium 2 and PA-RISC)
· AIX: AIX 7.1 and 7.2 (Power/PowerPC)
· IBM: i5/OS (OS/400) on System i - V5R3 and V5R4 (Enterprise Edition only), IBM i 6.1, and IBM i 7.1, z/OS
This
information was developed for products and services offered in the
U.S.A. IBM may not offer the products, services,
or
features discussed in this document in other countries. Consult your
local IBM representative for information on the
products
and services currently available in your area. Any reference to an
IBM product, program, or service is not
intended
to state or imply that only that IBM product, program, or service may
be used. Any functionally equivalent product, program, or service
that does not infringe any IBM intellectual property right may be
used instead. However, it is the user's responsibility to evaluate
and verify the operation of any non-IBM product, program, or
service.
IBM may have patents or pending patent
applications covering subject matter described in this document. The
furnishing
of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM
Director of Licensing
IBM Corporation
North Castle
Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your
country or send inquiries, in writing, to:
Intellectual
Property Licensing
Legal and Intellectual Property Law
IBM
Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa
242-8502 Japan
This
information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the
publication. IBM may make improvements and/or changes in the
product(s) and/or the program(s) described in this publication at any
time without notice.
Any references in this information to
non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at
those Web sites are not part of the materials for this IBM product
and use of those Web sites is at your own risk.
IBM may
use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to
you.
Licensees of this program who wish to have
information about it for the purpose of enabling: (i) the exchange of
information between independently created programs and other programs
(including this one) and (ii) the mutual use of the information which
has been exchanged should contact:
IBM
Corporation
2ZA4/101
11400 Burnet Road
Austin, TX
78758 U.S.A.
Such
information may be available, subject to appropriate terms and
conditions, including in some cases, payment of a fee.
The
licensed program described in this information and all licensed
material available for it are provided by IBM under terms of the IBM
Customer Agreement, IBM International Program License Agreement, or
any equivalent agreement between us.
Any performance data
contained herein was determined in a controlled environment.
Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these
measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through
extrapolation. Actual results may vary. Users of this document should
verify the applicable data for their specific
environment.
Information concerning non-IBM products was
obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested
those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed
to the suppliers of those products.
Trademarks
IBM,
the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
Microsoft,
Windows, and the Windows logo are trademarks of Microsoft Corporation
in the United States, other countries, or both.
Java and
all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes