IBM Security Verify Adapter v10.0.3 for Google Workspace is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright International Business Machines
Corporation 2003, 2022 All rights reserved.
US Government Users Restricted
Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
· Preface
· Adapter Features and Purpose
· Installation and Configuration Notes
· Customizing or Extending Adapter Features
· Notices
Welcome to the IBM Security Verify Google Workspace Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Verify manuals were printed:
· IBM Security Verify Google Workspace Adapter Installation and Configuration Guide
The Google Workspace Adapter is designed to create and manage User Accounts on the Google Workspace domain. The adapter runs in "agentless" mode and communicates using Google Directory API to the Google Workspace Domain being managed.
IBM Security Verify Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Verify server will fail if the Adapter is not given sufficient authority to perform the requested task. IBM recommends that this Adapter run with administrative (root) permissions.
Review and agree to the terms of the IBM Security Verify Governance Adapter license prior to using this product.
The license can be viewed from the “license” folder included in the product package.
Adapter Version
Component |
Version |
Build Date |
2024 March 22 17.23.56 |
Adapter Version |
10.0.3 |
Component Versions |
Adapter build: 10.0.3.5 Profile: 10.0.3.5 Connector: 10.0.3.5 Dispatcher 7.0.34 or higher (packaged separately) |
aDocumentation |
The following guides will be made available in the IBM Knowledge Centre · Google Workspace Adapter Installation and Configuration Guide |
New Features
Internal# |
Enhancement # (RFE) |
Description |
|
|
Items included in current release (10.0.3) |
|
|
None |
|
|
Items included in release (10.0.2) |
|
RTC 189259 |
Supporting label changes from Google Apps to Google Workspace |
|
|
Items included in release (10.0.1) |
|
|
None |
|
|
Items included in 7.1.11 release |
|
|
None |
|
|
Items included in 7.1.10 release |
|
|
None |
|
|
Items included in 7.1.9 release |
|
|
None |
|
|
Items included in 7.1.8 release |
|
|
N/A |
|
|
Items included in 7.1.7 release |
|
INT154246 |
Support additional attributes and custom attributes in Google Apps |
|
|
Items included in 7.1.6 release |
|
|
Support for IGI 5.2.2 |
|
|
Items included in 7.0.5 release |
|
INT106146 |
Implement exponential back-off for "user rate exceeded" error. |
|
|
Items included in 7.0.4 release |
|
INT99294 |
Support non-primary domains. |
|
INT99913 |
Migrate to the new Google Directory API. |
|
|
Items included in 7.0.3 release |
|
RFE38223 |
Support Managing Alias/Nickname. |
|
RFE38222 |
Support Managing Organisation Unit (OU) |
|
|
Items included in 7.0.2 release |
|
RFE28276 |
Support Rename of Google App Account User ID 'eruid' attribute. |
|
INT69809 |
Support Google Data Java Client Library version 1.47.1 |
|
|
Items included in 7.0.1 release |
|
|
Initial release. |
Closed Issues
Internal# |
KnownIssue# / Case# |
Description |
|
|
Items included in current release (10.0.3) |
SVGAD-1268 BUG 4202 |
DT257756 / TS014297306 |
Google adapter not returning error back to ISVG when group update fails |
|
|
Items included in release (10.0.2) |
None |
||
|
|
Items included in release (10.0.1) |
RTC 188724 Bug 3475 |
DOC APAR IJ31796 TS005083303 |
correct location/path to download required google apis |
RTC 187873 Bug 3354 |
APAR IJ29180 |
Problem with Google proxy |
|
|
Items included in 7.1.11 release |
RTC 185053 Bug 3037 |
|
Release Notes - Supported Configurations Incorrect |
|
|
Items included in 7.1.10 release |
RTC 182041 |
|
Internal -GoogleApps adapter Mapping file change for IGI 5.2.5 - eruid target attribute should be mapped to only CODE governance attribute by default |
|
|
Items included in 7.1.9 release |
|
RTC 176347 Bug 2575 IJ06784 |
D - As a GoogleApps adapter developer I need to update the adapter so that it reconciles complete data from multiple domains |
|
|
Items closed in 7.1.8 version |
|
|
Work around google defect that causes recon to fail with unexpected error when quota limit is reached |
|
|
Items closed in 7.0.5 version |
|
IV57415 |
The reconciliation gets only 100 accounts (one page). |
|
|
Items closed in 7.0.1 version |
|
|
Initial release. |
Known Issues
Internal# |
APAR# |
Case# / Description |
N/A |
N/A |
Character usage (usernames, passwords, names) limitation. Refer to the section "Character usage (usernames, passwords, groups, names)" in Google Workspace Administrator Help. |
N/A |
N/A |
Both the Group ID and User ID are not UTF-8 supported. |
N/A |
N/A |
Google Data Java Client needs to be copied into the TDI_HOME\jvm\jre\lib\ext\directory. |
N/A |
N/A |
Group Name cannot be updated during a group modify operation. IBM Security Verify does not allow changing value of the attribute that is mapped to ergroupname. |
N/A |
N/A |
The existing Group Description cannot be modified to an empty string. This is a known limitation of the Google Workspace Group Provisioning API. The adapter does not accept an empty string or null value. |
N/A |
N/A |
Adapter does not support NickName. |
Known Limitations
Internal# |
APAR# |
Case# / Description |
|
|
Adapter does not currently support management of group email permissions as a result of migrating the code to use the Google’s new Directory API. |
See the IBM Security Verify Governance Application Adapters for SCIM Adapter Installation and Configuration guide.
Chapter 1: Overview
No updates for the current release
Chapter 2: Planning
Prerequisites:
Directory Integrator:
Remove 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019 from the description
Identity server:
Update description as below:
The following servers are supported:
- IBM Security Verify Governance Identity Manager
- IBM Security Verify Governance
Chapter 3: Installing
Installing third-party client libraries
1. The currently supported version can be found in the release notes for the version of the adapter that you are installing.
2. Go to the Google Developers website and search for the Google Directory API Java Client Library package that is listed in the Google Workspace Adapter Release Notes.
3. Go to the Google Developers website and search for the Google Groups Settings API Java Client Library package.
4. Most other jars can be downloaded from the https://mvnrepository.com website.
5. The guava be found at: https://mvnrepository.com/artifact/com.google.guava/guava
6. The gson jar can be found at https://mvnrepository.com/artifact/com.google.code.gson/gson
7. The jar file can be found at https://mvnrepository.com/artifact/commons-codec/commons-codec.
8. Copy these files into ITDI_HOME\jars\patches directory.
9. Restart the Dispatcher service.
10. For information about starting and stopping the service, see the Dispatcher Installation and Configuration Guide.
Installing in the Verify Governance Virtual Appliance
( Please add this new section at knowledge centre (under Installing > Installing in the Verify Governance Virtual Appliance) for Azure AD Adapter to describe installation procedure of adapter in Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please add this below note as well after adding the description.)
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit IBM Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
Chapter 4: Upgrading
Upgrading the adapter binaries or connector
Take backup of adapter binaries or connector
Procedure:
Take backup of below files before performing upgrade:
<SDI-HOME>/jars/connectors/GoogleAppsConnector.jar
Note: Stop the dispatcher service before the upgrading the connector and start it again after the upgrade is complete.
Upgrade adapter binaries or connector
Procedure:
Copy GoogleAppsConnector.jar from the adapter package to the <SDI-HOME>/jars/connectors directory.
Upgrading the adapter profile
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
There is GoogleAppsProfile.jar included in the Google Workspace Adapter distribution package.
Note: Restart the Dispatcher service after importing the profile. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
Chapter 5: Configuring
Enabling TLSv1.2 in Security Directory Integrator
Procedure:
1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).
2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:
#####################
# # Protocols to enforce SSL protocols in a SDI Server
# # Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2). # # This can be a multi-valued comma separated property
# # Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# # This is a single value property.
#####################
-
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
Customizing the adapter
The adapters can be customized or extended or both. The type and method of this customization varies depending on the adapter.
Customizing and extending adapters requires a number of skills. The developer must be familiar with the following concepts and skills:
- IBM Security Verify Governance Identity Manager administration
- IBM Security Verify Governance administration
- IBM Security Directory Integrator management
- Security Directory Integrator Assembly Line development
- LDAP schema management
- Working knowledge of Java™ scripting language
- Working knowledge of LDAP object classes and attributes
- Working knowledge of XML document structure
Note: If the customization requires a new Security Directory Integrator connector, the developer must also be familiar with Security Directory Integrator connector development and working knowledge of Java programming language.
Support for custom adapters
The integration to IBM Security Verify Governance servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Chapter 6: Troubleshooting
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
From-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in the <SDI_HOME_Directory>/etc/global.properties file.
6. Start the SDI Server process
7. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log
Chapter 7: Reference
No updates for the current release
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the IBM Security Verify Governance Adapter Development and Customization Guide
Support for Customized Adapters
The integration to the IBM Security Verify Server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.
Supported third-party client libraries:
· google-api-services-groupssettings-v1-rev20190315-1.27.0
· google-http-client-1.27.0
· google-api-client-1.27.0
· commons-codec-1.11
· commons-logging-1.2
· google-api-services-admin-directory-directory_v1-rev118-1.25.0
· google-http-client-jackson2-1.42.3
· google-oauth-client-1.34.1
· google-oauth-client-jetty-1.34.1
· gson-2.10
· guava-31.1-jre
· httpclient-4.5.14
· httpcore-4.4.16
· jackson-core-2.14.1
· jetty-server-11.0.12
· jetty-util-11.0.12
Installation Platform
The IBM Security Verify Governance Adapter for Google Workspace was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your IBM Security Verify Governance server and IBM Security Verify Governance Identity Manager server, the following SDI releases are the officially supported versions:
- Security Directory Integrator 7.2 + FP09
- Security Directory Integrator 7.2 + FP12
Note: Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapters. Please refer to the adapter's installation and configuration guides for the latest update on IBM Security Directory Integrator versions and fix packs
Managed Resource:
Google Workspace : Google Workspace Premier, Education, and Partner Edition with Directory API version 1.27
Google Directory API Java Client Library : 1.27
Google Groups Settings API Java Client Library: 1.27
IBM Security Verify Governance Identity Manager v10.0
IBM Security Verify Governance v10.0
This information was developed
for products and services offered in the U.S.A. IBM may not offer the products,
services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services
currently available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product, program,
or service may be used. Any functionally equivalent product, program, or
service that does not infringe any IBM intellectual property right may be used
instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have
patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not give you any license to
these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical
inaccuracies or typographical errors. Changes are periodically made to the information
herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the
program(s) described in this publication at any time without notice.
Any references in
this information to non-IBM Web sites are provided for convenience only and do
not in any manner serve as an endorsement of those Web sites. The materials at
those Web sites are not part of the materials for this IBM product and use of those
Web sites is at your own risk.
IBM may use or
distribute any of the information you supply in any way it believes appropriate
without incurring any obligation to you.
Licensees of this
program who wish to have information about it for the purpose of enabling: (i)
the exchange of information between independently created programs and other
programs (including this one) and (ii) the mutual use of the information which
has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject
to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed
program described in this information and all licensed material available for
it are provided by IBM under terms of the IBM Customer Agreement, IBM
International Program License Agreement, or any equivalent agreement between
us.
Any performance
data contained herein was determined in a controlled environment. Therefore,
the results obtained in other operating environments may vary significantly.
Some measurements may have been made on development-level systems and there is
no guarantee that these measurements will be the same on generally available
systems. Furthermore, some measurements may have been estimated through extrapolation.
Actual results may vary. Users of this document should verify the applicable
data for their specific environment.
Information
concerning non-IBM products was obtained from the suppliers of those products,
their published announcements or other publicly available sources. IBM has not
tested those products and cannot confirm the accuracy of performance,
compatibility or any other claims related to non-IBM products. Questions on the
capabilities of non-IBM products should be addressed to the suppliers of those
products.
Trademarks
IBM, the IBM logo,
and ibm.com are trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
Microsoft,
Windows, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Java and all
Java-based trademarks and logos are trademarks or registered trademarks of
Oracle and/or its affiliates.