Release Notes
IBM Security Identity Manager
Dispatcher Component for Directory Integrator-based Adapters
IBM Security Identity Manager Dispatcher Component for Directory Integrator-based Adapters is available. Compatibility, installation, and other getting-started issues are addressed.
Contents
Component Features and Purpose
Installation and Configuration Notes
Welcome to the IBM Security Identity Manager Dispatcher Component.
These Release Notes contain information for the following products that was not available when the IBM Security Identity Manager manuals were printed:
The Dispatcher Component is designed to support integration between Tivoli Directory Integrator and Security Identity Manager. The Dispatcher is shipped with each Directory Integrator based adapter and is updated to the current release version with each adapter release. This package provides the Dispatcher as a separately shipped component to fast-track upgrade and maintenance delivery.
Review and agree to the terms of the IBM Security Identity Adapter License prior to using this product.
The license can be viewed from the "license" folder included in the product package.
Component | Version
Release Date | 2020 September 03 10.33.01
Package Version | 6.0.40
Component Versions | Dispatcher build: 6.0.40.107
Documentation | The following guide is available in the IBM Security Identity Manager Knowledge Center: IBM Security Identity Manager Dispatcher Installation and Configuration Guide
Enhancement # (RFE) | Description
Items included in Current version (6.0.40)
None
Items included in 6.0.39 version
RTC 163389 | Ensure that Dispatcher should be forward compatible with Java 8
Items included in 6.0.38 version
69879,821,821 RFE 101574 RTC 155972 | Dispatcher enhancements for better problem message transport.
RTC 153754 / 158915 / 158749 / 160519 | FIPS 140-2 compliance for SDI/TDI Adapters.
Items included in 6.0.37 version
None
Items included in 6.0.35 version
None
Items included in 6.0.34 version
None
Items included in 6.0.33 version
None
Items included in 6.0.32 version
RFE23019 17132 (7374) | In this release, a new feature has been added to the RMI Dispatcher at service level. With this new feature, when a test operation completes successfully, the Assembly Lines for that service are removed from the Assembly Line cache. In addition, any Assembly Lines that were running when the test operation was fired are not cached when they complete. As a result, the dispatcher no longer requires a restart if an attribute on the service form has been changed and the test operation has completed successfully.
RTC 119318 |
Items included in 6.0.31 version
RFE 30084 | Default ALCacheSize For the unique requestID cannot be captured from TCB Dispatcher now preserves unique requestID.
Items included in 6.0.30 version
105616 | Added support for SDI 7.2.
Items included in 6.0.29 version
| The assembly lines can now be synchronized at the dispatcher level using a locking mechanism.
Items included in 6.0.28 version
None
Items included in 6.0.27 release
| The time that the dispatcher sleeps after a timeout interrupt, to allow cleanup, is now configurable.
Items included in 6.0.24 release
MR100110436 | Dispatcher - Provide some sort of time out for TDI/RMI adapter requests.
17069 (7313) | ITIMAd script should include output file instead of /dev/null.
30530 (17466) APAR IV27993 | PMR 60438,300,624 Caching in RMI Dispatcher
Items included in 6.0.6 release
Initial Release
Internal# | APAR# | Case# / Description
Items closed in Current version (6.0.40)
RTC 187417 | IJ27308 | Case TS003630892/ LDAP recon is causing Dispatcher OOM after upgrading from 6.0.30 to 6.0.39
RTC 187199 | | Case TS003550734/ Issue with case-sensitive filtering in RMI Dispatcher
Items closed in 6.0.9 version
RTC 161480/ 161481 | | PEN TEST - Enable JVM security by adding RMI authentication
The Java RMI on the provided adapter system allows remote unauthenticated command injection as the root user on the system. To resolve this, the installer now sets the following three properties during dispatcher installation:
1. {protect}-systemqueue.auth.username
2. {protect}-systemqueue.auth.password
3. systemqueue.on=false
These properties enable authentication on the systemqueue that the TDI Server uses for communication.
For details, refer to the Installation and Configuration Notes section.
RTC 162896 | | PEN TEST - Adapters are not installed with SSL encryption enabled by default
By default, communication with adapters is unencrypted. Default communication of sensitive information needs to be encrypted out of the box, with only options to disable encryption. To enable encryption in the TDI system, the following property is set to true during dispatcher installation:
com.ibm.di.dispatcher.ssl=true
Setting this property enables one-way SSL in the TDI-ISIM environment. The end user has to configure the SSL setup manually.
For details, refer to the Installation and Configuration Notes section.
Items closed in Current version (6.0.38)
None
Items closed in 6.0.37 version
PMR: 83722,695,760 Bug 2209 RTC 153767 | IV91236 | Assembly line cache maintenance is stopped once a request was failed.
PMR: 82636,033,724 Bug 2213 RTC 153767 | IV91236 | Dispatcher not closing cached Assembly Lines, so keeping connections open
PMR: 82462,033,724 Bug 2176 RTC 153767 | IV91236 | RMI Dispatcher throwing IndexOutOfBoundsException
Internal Bug 1987 RTC 138914 | | ISIM: Documentation wrong for RMI Dispatcher for cluster environments
Items closed in 6.0.35 version
Internal Bug 2047 | | Internal report of logging issue in latest dispatcher.
PMR: 51402,227,000 | RTC 145426 | JMX remote connect dispatcher question/issue - System property was set with host name containing only IP address to resolve the JMX remote connect issue.
Items closed in 6.0.34 version
PMR: 00492,499,000 | RTC 137454 | SSL connections fail to initialize in Dispatcher
For details, refer to the "Installation and Configuration Notes, Corrections to Install Guide" section.
Items closed in 6.0.33 version
Internal Bug 1813 | | When "ITIMAd stop" is executed, respective logs should be appended in ITIMAd_stdout.log file.
Internal Bug 1771 | RTC 125650 | Submit for doc update for 6.0/7.0 dispatcher docs for ITIMAd reference in /etc/init.2
Internal Bug 1794 | RTC 124532 | SSL configuration steps incorrect in Dispatcher Install guide
| IV74585 | RMI Dispatcher still seems to double the value of AssemblylineCacheTimeout (6.0.32)
Items closed in 6.0.32 version
Internal Bug1575 | | Reconciliation fails using Peopletools adapter - Added a null check in the escapeDNValue() method in AdapterUtils.java, to check if the passed in String is null, and if so, an empty string is returned.
Items closed in 6.0.31 version
| IV61292 | Dispatcher doesn't lower connection count when AL filesystem path is incorrect
| IV61588 | Slash in reconcile filter syntax fails parsing on Dispatcher
Items closed in 6.0.30 version
| IV59786 | Service Level Parameter ignored when the HostNameURL is undefined.
| | PMR 91098,077,649 Added the missing StringUtility file
Items closed in 6.0.29 version
| Internal | Added missing utility files for i5OS and PeopleTools adapter.
Items closed in 6.0.28 version
| N/A | PMR 25670,999,000 ITIM 5.1 RMI Dispatcher returning new attributes related to test connection to ISIM 6.0 server
Items closed in 6.0.27 release
| | The default values for the timeout in the itim_listener.properties file have been set to zero. By default, there is no timeout. It can be configured as needed.
| | Changes to TDI Adapters Dev. Reference Guide - Added note for implicit attributes
| IV47103 | In case the firewall is enabled, refer to the following link to configure the port on which dispatcher remote object listens for RMI requests
| IV44164 | Dispatcher Install document references invalid URL for info Center
| IV43453 | RMI Development Reference guide needs to detail that multi adapters require unique AL names
Items closed in 6.0.24 release
| IV35801 | Dispatcher- Set AssemblylineCacheTimeout value gives twice the actual timeout
| IV34811 | Dispatcher silent installation docs
Items closed in 6.0.6 release
Initial Release
Internal# | APAR# | Case# / Description
| | Dispatcher installation issue on Windows Server 2012 Platform
Installation of dispatcher on Windows Server 2012 fails. To install it, follow these steps:
1. Navigate to the folder ITDI_HOME/jvm/jre/bin
2. Right click on java.exe
3. Select properties and navigate to the Compatibility tab.
4. Select the checkbox for "Run this program in compatibility mode for:"
5. Select the "Windows 7" option from the dropdown menu.
6. Apply the changes
7. Run the installer using the java -jar DispatcherInstall.jar command from the command prompt.
| | Service creation fails after test operation is fired, when dispatcher is installed over SDI 7.2.
This problem occurs because SDI 7.2 returns a longer value of the adapter platform than the permissible value after the test operation is fired. To fix this issue, add the following to your adapter schema file (schema.dsml):
<!-- ******************************************************** -->
<!-- erAdapterPlatform -->
<!-- ******************************************************** -->
<attribute-type single-value="true">
  <name>erAdapterPlatform</name>
  <description>Adapter installation platform</description>
  <object-identifier>1.3.6.1.4.1.6054.3.1.2.122</object-identifier>
  <syntax>1.3.6.1.4.1.1466.115.121.1.15{2048}</syntax>
</attribute-type>
Note: Do not add the above if you are using PeopleSoft Adapter (8.5.3)
| | Reconciliation Operation Issue
The reconciliation operation runs in batches. The batch size depends on the "SearchResultSetSize" attribute specified in the "itim_listener.properties" file. The first batch reconciles "#" accounts, where "#" is the value specified in "SearchResultSetSize", and subsequent batches, each of size "#", reconcile the remaining accounts. If an error or timeout occurs while the first batch of accounts is being processed, the request fails along with the relevant error message. However, if an error or timeout occurs while a subsequent batch is being processed, the request fails but no error message is shown. This is a server-side issue, an ISIM recon limitation.
See the IBM Security Identity Manager Dispatcher Installation Guide for detailed instructions.
The following corrections to the Installation Guide apply to this release:
Add the ‘Enabling the FIPS mode’ section below in Chapter 4, after the ‘Configuring logging for the adapter’ section.
The keystore file created should be copied to the TIMSOL folder and/or the encryption/decryption should be done with the newly generated FIPS compliant keystore file.
Note: If FIPS mode is enabled, changes made to any authentication attributes in the solution.properties file may not take effect directly, and a decryption-related error may appear in the ibmdi.log file. To resolve this error, re-encrypt the solution.properties file with the key created for FIPS mode.
A sample command for encryption is:
cryptoutils -input ../timsol/solution.properties -output ../timsol/solution.properties
-mode encrypt_props -keystore ../server.jck -storepass mypass -alias server
-transformation AES/CBC/PKCS5Padding -storetype jceks -keypass mykeypass
1. Before installing this version of dispatcher, you need to uninstall the earlier versions of dispatcher. This installer cannot be run on top of an existing dispatcher installation (builds 60.1012 or earlier).
2. The dispatcher installer will not ask for the instance name and port number during an upgrade.
3. The user who is running the installer must have execute permission on the "ps" command on non-Windows platforms.
Add the content below after #5 in the “Installing the Dispatcher in GUI mode” section:
6. Enter the Dispatcher Instance Name. Click Next.
7. Enter the Port number. Click Next.
8. Provide credentials to secure access to the Java Virtual Machine. For more information, refer to “Configuring JVM Security” (Hyperlink to this section in dispatcher guide). Click Next.
9. Select the SSL level. When the Enable SSL check box is checked, SSL is enabled. To disable SSL, deselect the Enable SSL check box. If you disable SSL, the communication will be unencrypted, i.e. in plain text. For more information, refer to “Configuring SSL communication” (Hyperlink to this section in dispatcher guide).
**End1**
Add the following content in Table 5. in “Installing the Dispatcher in silent mode”:
**Start2**
Parameter | Description
-DUSER_SYSQUEUE_USERNAME_INPUT_RESULT | This parameter provides the username for JVM security.
-DUSER_SYSQUEUE_PASSWORD_INPUT_RESULT | This parameter provides the password for JVM security.
-DUSER_SYSQUEUE_REPASSWORD_INPUT_RESULT | This parameter provides the retype password field for JVM security.
-DUSER_INPUT_RESULTS_FOR_SSL | Provides SSL level; default value is Enable
Also change the example for this section:
To install the adapter in silent mode and with one or more custom settings,
use the -D parameter. For example:
ITDI_HOME/jvm/jre/bin/java
-jar DispatcherInstall.jar -i silent
-DUSER_INSTALL_DIR="/opt/IBM/TDI/V7.1"
-DUSER_SELECTED_SOLDIR="/opt/IBM/TDI/V7.1/timsol"
-DUSER_INPUT_RMI_PORTNUMBER=1099 -DUSER_INPUT_WS_PORTNUMBER=8081
-DUSER_SYSQUEUE_USERNAME_INPUT_RESULT="disp_user"
-DUSER_SYSQUEUE_PASSWORD_INPUT_RESULT="admin@123"
-DUSER_SYSQUEUE_REPASSWORD_INPUT_RESULT="admin@123"
-DUSER_INPUT_RESULTS_FOR_SSL=Enable
**End2**
**Start3**
Because an adapter manages sensitive user data, it is essential that communication is encrypted. SSL provides encrypted communication between an adapter and the end resource. SSL requires certificates to be installed.
During installation you may see the Enable SSL panel. The check box on this panel is checked by default. When the check box is checked, SSL is enabled. To disable SSL, deselect the Enable SSL check box. If you disable SSL, the communication will be unencrypted, i.e. in plain text. Whether SSL is enabled or disabled can be verified after installation.
The property "com.ibm.di.dispatcher.ssl" in solution.properties is set to true if SSL is enabled; otherwise it is set to false.
**End3**
**Start4**
Because WAS and the Dispatcher server communicate using RMI, it is mandatory to secure the JVM.
To do so, the default dispatcher installation prompts for strong credentials for JVM security. These credentials are required by an outside RMI process to access the RMI stub. You can modify the existing credentials at any time by changing the following properties in the solution.properties file:
{protect}-systemqueue.auth.username
{protect}-systemqueue.auth.password
systemqueue.on=false
**End4**
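The post-installation verification described in the SSL and JVM security sections above can be scripted. The following is an added example, not part of the IBM release notes or the Dispatcher package: it reads the text of solution.properties and reports any of the four settings named in these notes that do not match what the installer is said to write. The function names and both sample inputs are constructed for illustration.

```python
import re

# Values these release notes say the installer writes to solution.properties.
REQUIRED_VALUES = {"systemqueue.on": "false", "com.ibm.di.dispatcher.ssl": "true"}
CREDENTIAL_KEYS = ("systemqueue.auth.username", "systemqueue.auth.password")
PROTECT = "{protect}-"  # name prefix shown in the notes for both credential keys

# Constructed sample inputs (not taken from a real installation).
SAMPLE_OK = """\
# constructed sample
{protect}-systemqueue.auth.username=<stored-username>
{protect}-systemqueue.auth.password=<stored-password>
systemqueue.on=false
com.ibm.di.dispatcher.ssl=true
"""
SAMPLE_WEAK = """\
systemqueue.on = true
com.ibm.di.dispatcher.ssl=false
systemqueue.auth.username=disp_user
"""


def parse_properties(text):
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props  # a repeated key keeps its last value


def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = []
    for key, expected in REQUIRED_VALUES.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"{key} is not set (expected {expected})")
        elif actual.lower() != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    for key in CREDENTIAL_KEYS:
        if props.get(PROTECT + key):
            continue  # present under the protected name with a non-empty value
        if props.get(key):
            findings.append(f"{key} is set without the {PROTECT} prefix")
        else:
            findings.append(f"{PROTECT}{key} is missing or empty")
    return findings


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_WEAK", SAMPLE_WEAK)):
        print(name, audit(sample) or "all checks passed")
```

To check a real installation, pass the contents of the solution.properties file in the solution directory to audit().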
The IBM Security Identity Manager Dispatcher was built and tested on the following product versions.
Dispatcher Installation Platform:
This component installs into Tivoli Directory Integrator and may be installed on any platform supported by the product. IBM recommends installing Tivoli Directory Integrator on each node of the Identity Manager WebSphere cluster and then installing this adapter on each instance of Tivoli Directory Integrator. Supported Tivoli Directory Integrator versions include:
· Security Directory Integrator 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019
Earlier versions of TDI that are still supported may function properly; however, to resolve any communication errors, you must upgrade your SDI releases to the versions officially supported by the adapter.
Note: The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.
Managed Resource:
N/A
IBM Security Identity Manager:
· IBM Security Identity Manager v6.0
This information was developed for products and services offered
in the U.S.A. IBM may not offer the products, services, or features discussed
in this document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any
reference to an IBM product, program, or service is not intended to state or
imply that only that IBM product, program, or service may be used. Any
functionally equivalent product, program, or service that does not infringe any
IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product,
program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include
technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions
of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered
trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of
IBM or other companies. A current list of IBM trademarks is available on the
Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes