Release Notes
IBM Security Identity Adapter
Dispatcher Component for Directory Integrator-based Adapters
IBM Security Identity Adapter Dispatcher Component for Directory Integrator-based Adapters is available. Compatibility, installation, and other getting-started issues are addressed.
Contents
Component Features and Purpose
Installation and Configuration Notes
These Release Notes contain information for the following products that was not available when the IBM Security Identity Server manuals were printed:
The Dispatcher Component is designed to support integration between Security Directory Integrator and Security Identity Adapter. The Dispatcher is shipped with each Directory Integrator based adapter and is updated to the current release version with each adapter release. This package provides the Dispatcher as a separately shipped component to fast-track upgrade and maintenance delivery.
Review and agree to the terms of the IBM Security Identity Adapter License prior to using this product.
The license can be viewed from the "license" folder included in the product package.
Component | Version
Release Date | 2020 September 03 10.33.01
Package Version | 7.1.40
Component Versions | Dispatcher build: 7.1.40.107
Documentation | The following guide is available in the IBM Knowledge Centre: Dispatcher Installation and Configuration Guide
Enhancement # (RFE) | Description
Items included in current version (7.1.40)
None
Items included in 7.1.39 version
RTC 163389 | Ensure that Dispatcher should be forward compatible with Java 8
Items included in 7.1.38 version
69879,821,821 RFE 101574 RTC 155972 | Dispatcher enhancements for better problem message transport.
RTC 153754 / 158915 / 158749 / 160519 | FIPS 140-2 compliance for SDI/TDI Adapters.
Items included in 7.1.37 version
None
Items included in 7.1.36 version
RTC 151778 | Add Support for Identity Governance and Intelligence (IGI) v5.2.2. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence.
Items included in 7.0.35 version
None
Items included in 7.0.34 version
None
Items included in 7.0.33 version
None
Items included in 7.0.32 version
Initial Release
Internal# | APAR# | Case# / Description
Items closed in current version (7.1.40)
RTC 187417 | IJ27308 | Case TS003630892/ LDAP recon is causing Dispatcher OOM after upgrading from 6.0.30 to 6.0.39
RTC 187199 | | Case TS003550734/ Issue with case-sensitive filtering in RMI Dispatcher
Items closed in 7.1.39 version
RTC 161480 / 161481 | | PEN TEST - Enable JVM security by adding RMI authentication
The Java RMI on the provided adapter system allows remote unauthenticated command injection as the root user on the system. To resolve this, the installer has been changed to set the following three properties during Dispatcher installation:
1. {protect}-systemqueue.auth.username
2. {protect}-systemqueue.auth.password
3. systemqueue.on=false
These properties enable authentication on the systemqueue, which the TDI Server uses for communication.
For details, refer to the Installation and Configuration Notes section.
RTC 162896 | | PEN TEST - Adapters are not installed with SSL encryption enabled by default
By default, communication with adapters is unencrypted. Communication of sensitive information needs to be encrypted out of the box, with only the option to disable encryption. To enable encryption in the TDI system, the following property is set to true during Dispatcher installation:
com.ibm.di.dispatcher.ssl=true
Setting this property enables one-way SSL in the TDI-ISIM environment. The end user has to configure the SSL setup manually.
For details, refer to the Installation and Configuration Notes section.
Items closed in 7.1.38 version
None
Items closed in 7.1.37 version
PMR: 83722,695,760 Bug 2209 RTC 153767 | IV91236 | Assembly line cache maintenance is stopped once a request was failed.
PMR: 82636,033,724 Bug 2213 RTC 153767 | IV91236 | Dispatcher not closing cached Assembly Lines, so keeping connections open
PMR: 82462,033,724 Bug 2176 RTC 153767 | IV91236 | RMI Dispatcher throwing IndexOutOfBoundsException
Internal Bug 1987 RTC 138914 | | ISIM: Documentation wrong for RMI Dispatcher for cluster environments
Items closed in 7.1.36 version
None
Items closed in 7.0.35 version
Internal Bug 2047 | | Internal report of logging issue in latest dispatcher
PMR: 51402,227,000 | RTC 145426 | JMX remote connect dispatcher question/issue - System property was set with host name containing only IP address to resolve the JMX remote connect issue.
Items closed in 7.0.34 version
PMR: 00492,499,000 | RTC 137454 | SSL connections fail to initialize in Dispatcher
For details, refer to the "Installation and Configuration Notes, Corrections to Install Guide" section.
Items closed in 7.0.33 version
Internal Bug 1813 | | When "ITIMAd stop" is executed, respective logs should be appended in ITIMAd_stdout.log file.
Internal Bug 1771 | RTC 12560 | Submit for doc update for 6.0/7.0 dispatcher docs for ITIMAd reference in /etc/init.2
Internal Bug 1794 | RTC 124532 | SSL configuration steps incorrect in Dispatcher Install guide
| IV74585 | RMI Dispatcher still seems to double the value of AssemblylineCacheTimeout (6.0.32)
Items included in 7.0.32 version
Initial Release
Internal# | APAR# | Case# / Description
Dispatcher installation issue on Windows Server 2012 Platform
Installation of the Dispatcher on Windows Server 2012 fails. To install it, follow these steps:
1. Navigate to the folder ITDI_HOME/jvm/jre/bin
2. Right-click java.exe
3. Select Properties and navigate to the Compatibility tab.
4. Select the check box for "Run this program in compatibility mode for:"
5. Select the "Windows 7" option from the dropdown menu.
6. Apply the changes.
7. Run the installer from the command prompt using the command: java -jar DispatcherInstall.jar
Service creation fails after test operation is fired, when dispatcher is installed over SDI 7.2.
This problem occurs because, after the test operation is fired, SDI 7.2 returns a value for the adapter platform that is longer than the permissible value. To fix this issue, add the following to your adapter schema file (schema.dsml):
<!-- ******************************************************** -->
<!-- erAdapterPlatform -->
<!-- ******************************************************** -->
<attribute-type single-value="true">
  <name>erAdapterPlatform</name>
  <description>Adapter installation platform</description>
  <object-identifier>1.3.6.1.4.1.6054.3.1.2.122</object-identifier>
  <syntax>1.3.6.1.4.1.1466.115.121.1.15{2048}</syntax>
</attribute-type>
Note: Do not add the above if you are using PeopleSoft Adapter (8.5.3).
Reconciliation Operation Issue
The reconciliation operation runs in batches. The batch size depends on the "SearchResultSetSize" attribute specified in the "itim_listener.properties" file. The first batch reconciles "#" accounts, where "#" is the value specified in "SearchResultSetSize", and the remaining accounts are reconciled in subsequent batches, each of size "#". If an error or timeout occurs while the first batch of accounts is being processed, the request fails and the relevant error message is shown. However, if an error or timeout occurs while a subsequent batch is being processed, the request fails but no error message is shown. This is a server-side issue, an ISIM recon limitation.
See the IBM Security Identity Server for Dispatcher Installation Guide for detailed instructions.
The following corrections to the Installation Guide apply to this release:
Add the following ‘Enabling the FIPS mode’ section to Chapter 4, after the ‘Configuring logging for the adapter’ section.
Copy the keystore file that was created to the TIMSOL folder, and/or perform encryption and decryption with the newly generated FIPS-compliant keystore file.
Note: If FIPS mode is enabled, changes made to any authentication attributes in the solution.properties file may not take effect directly, and a decryption-related error may appear in the ibmdi.log file. To resolve this error, re-encrypt the solution.properties file with the key created for FIPS mode.
A sample command for encryption is:
cryptoutils -input ../timsol/solution.properties -output ../timsol/solution.properties \
  -mode encrypt_props -keystore ../server.jck -storepass mypass -alias server \
  -transformation AES/CBC/PKCS5Padding -storetype jceks -keypass mykeypass
The adapters use a separate language package from the IBM Security Identity Server. See the IBM Security Identity Server library and search for information about installing the adapter language pack.
Add the following content after step 5 in the “Installing the Dispatcher in GUI mode” section:
6. Enter the Dispatcher Instance Name. Click Next.
7. Enter the Port number. Click Next.
8. Provide credentials to secure access to the Java Virtual Machine. For more information, refer to Enabling JVM Security (hyperlink to this section in the Dispatcher guide). Click Next.
9. Select the SSL level. When the Enable SSL check box is selected, SSL is enabled. To disable SSL, clear the Enable SSL check box. If you disable SSL, communication is unencrypted, that is, in plain text. For more information, refer to “Configuring SSL communication” (hyperlink to this section in the Dispatcher guide).
**End1**
Add the following content in Table 5. in “Installing the Dispatcher in silent mode”:
**start2**
Parameter | Description
-DUSER_SYSQUEUE_USERNAME_INPUT_RESULT | This parameter provides the username for JVM security.
-DUSER_SYSQUEUE_PASSWORD_INPUT_RESULT | This parameter provides the password for JVM security.
-DUSER_SYSQUEUE_REPASSWORD_INPUT_RESULT | This parameter provides the retype password field for JVM security.
-DUSER_INPUT_RESULTS_FOR_SSL=Enable | Provides the SSL level; the default value is Enable.
Also change the example for this section:
To install the adapter in silent mode and with one or more custom settings,
use the -D parameter. For example:
ITDI_HOME/jvm/jre/bin/java \
  -jar DispatcherInstall.jar -i silent \
  -DUSER_INSTALL_DIR="/opt/IBM/TDI/V7.1" \
  -DUSER_SELECTED_SOLDIR="/opt/IBM/TDI/V7.1/timsol" \
  -DUSER_INPUT_RMI_PORTNUMBER=1099 -DUSER_INPUT_WS_PORTNUMBER=8081 \
  -DUSER_SYSQUEUE_USERNAME_INPUT_RESULT="disp_user" \
  -DUSER_SYSQUEUE_PASSWORD_INPUT_RESULT="admin@123" \
  -DUSER_SYSQUEUE_REPASSWORD_INPUT_RESULT="admin@123" \
  -DUSER_INPUT_RESULTS_FOR_SSL=Enable
**End2**
**Start3**
Because an adapter manages sensitive user data, it is essential that communication is encrypted. SSL provides encrypted communication between an adapter and the end resource. SSL requires certificates to be installed.
During installation, you may see the Enable SSL panel. The panel contains a check box, which is selected by default. When the check box is selected, SSL is enabled. To disable SSL, clear the Enable SSL check box. If you disable SSL, communication is unencrypted, that is, in plain text. You can verify after installation whether SSL is enabled or disabled.
The property "com.ibm.di.dispatcher.ssl" in solution.properties is set to true if SSL is enabled; otherwise it is set to false.
**End3**
**Start4**
Because WAS and the Dispatcher server communicate using RMI, it is mandatory to secure the JVM.
For this reason, the default Dispatcher installation prompts for strong credentials for JVM security. An outside RMI process requires these credentials to access the RMI stub. You can modify the existing credentials at any time by changing the following properties in the solution.properties file:
{protect}-systemqueue.auth.username
{protect}-systemqueue.auth.password
systemqueue.on=false
**End4**
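As an added example (not part of the IBM release notes and not IBM code), the following script checks a solution.properties file for the four settings described above: the two systemqueue credential properties, systemqueue.on=false, and com.ibm.di.dispatcher.ssl=true. The function names and the simple key=value / key:value parsing are assumptions of this example, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): audit the settings named in these notes.

# prop_value FILE KEY: print the effective (last) value; status 1 if absent.
prop_value() {
    awk -v want="$2" '
        /^[ \t]*[#!]/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            key = substr(line, 1, RSTART - 1)
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", val)
            if (key == want) { found = 1; last = val }
        }
        END { if (!found) exit 1; print last }
    ' "$1"
}

# expect_prop FILE KEY EXPECTED: report when the effective value differs.
expect_prop() {
    actual=$(prop_value "$1" "$2") || actual='<unset>'
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $2 is $actual, expected $3"
    return 1
}

# audit_dispatcher_props FILE: print findings, return how many there were.
audit_dispatcher_props() {
    findings=0
    for key in '{protect}-systemqueue.auth.username' \
               '{protect}-systemqueue.auth.password'; do
        if ! val=$(prop_value "$1" "$key") || [ -z "$val" ]; then
            echo "FAIL $key is missing or empty"
            findings=$((findings + 1))
        fi
    done
    expect_prop "$1" systemqueue.on false || findings=$((findings + 1))
    expect_prop "$1" com.ibm.di.dispatcher.ssl true || findings=$((findings + 1))
    return "$findings"
}

# Constructed sample: SSL deselected at install time, password left empty.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{protect}-systemqueue.auth.username=disp_user
{protect}-systemqueue.auth.password=
systemqueue.on=false
com.ibm.di.dispatcher.ssl=false
EOF
audit_dispatcher_props "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Run it against each Dispatcher instance's solution.properties after an upgrade; a return status of 0 means all four settings match what the installer is described as writing.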
The IBM Security Identity Server for Dispatcher was built and tested on the following product versions.
Dispatcher Installation Platform:
This component installs into Tivoli Directory Integrator and may be installed on any platform supported by the product. IBM recommends installing Security Directory Integrator on each node of the Identity Server WebSphere cluster and then installing this adapter on each instance of Security Directory Integrator. Supported Security Directory Integrator versions include:
Due to continuous Java security updates that may be applied to your ISIM or PIM servers, the following SDI releases are the officially supported versions:
· Security Directory Integrator 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019
Earlier versions of TDI that are still supported may function properly; however, to resolve any communication errors, you must upgrade your SDI releases to the versions officially supported by the adapter.
Note: The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.
Managed Resource:
N/A
IBM Security Identity Manager:
ISIM v7.0.x
IBM Security Privileged Identity Manager (PIM):
ISPIM 2.x
Identity Governance and Intelligence (IGI):
IGI 5.2.x
This information was developed for products and services offered in the U.S.A. IBM
may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right
may be used instead. However, it is the user's responsibility to evaluate and
verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include
technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions
of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered
trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of
IBM or other companies. A current list of IBM trademarks is available on the
Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes