Release notes - IBM® Tivoli® Identity Manager Directory Integrator-Based RSA Authentication Manager Adapter 5.1.15

 

IBM Tivoli Identity Manager Directory Integrator-Based RSA Authentication Manager Adapter 5.1.15 is available. Compatibility, installation, and other getting-started issues are addressed.

 

Contents

 

Preface

Adapter Features and Purpose

Contents of this Release

Installation and Configuration Notes

Customizing or Extending Adapter Features

Supported Configurations

Notices

 

Preface

 

These Release Notes contain information for the following publications that was not available when the IBM Tivoli Identity Manager manuals were printed:

·         RSA Authentication Manager 7.1 Adapter Installation and Configuration Guide

·         Directory Integrator-Based RSA Authentication Manager 7.1 Adapter User Guide

 

 

Adapter Features and Purpose

The RSA Authentication Manager Adapter is designed to create and manage user accounts in the RSA Authentication Manager server. The adapter runs in "agentless" mode and communicates with the RSA Authentication Manager through Enterprise Java Beans (EJBs).

 

IBM recommends this adapter (and the prerequisite Tivoli Directory Integrator) be installed on each node of an IBM Tivoli Identity Manager WebSphere cluster. A single copy of the adapter can handle multiple IBM Tivoli Identity Manager services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Tivoli Identity Manager Provisioning Policies and Approval Workflow process. Please refer to IBM Tivoli Identity Manager Information Center for a discussion of these topics.

 

IBM Tivoli Identity Manager adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Tivoli Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.

 

Service Groups Management

The ability to manage service groups is a new feature introduced in IBM Tivoli Identity Manager 5.1.  By service groups, IBM Tivoli Identity Manager is referring to any logical entity that can group accounts together on the managed resource.

 

Managing service groups implies the following:

 

· Create service groups on the managed resource.

· Modify attributes of a service group.

· Delete a service group.

 

Notes:

 

· Modifying a service group name is not supported.

· The RSA Authentication Manager Adapter does not support service groups management.

 

Contents of this Release

Adapter Version

Release Date: 2015 February 27 11.41.43

Adapter Version: 5.1.15

Component Versions:
    Adapter build: 5.1.15.55
    Profile: 5.1.15.55
    Connector: 5.1.15.55
    Dispatcher: 5.725 or higher (packaged separately)

Documentation

The following guides are available in the IBM Tivoli Identity Manager Information Center:

·         RSA Authentication Manager Adapter 7.1 Installation and Configuration Guide

·         Directory Integrator-Based RSA Authentication Manager 7.1 Adapter User Guide

 

New Features

Enhancement # (FITS) / Description

Items included in the current release (5.1.15)

RFE 53430 (29162)
    The adapter returns the serial number of the assigned tokens in recon'd account data. See the Corrections to Installation Guide section for additional information.

RFE 58403 (31155)
    Adapter administrative tasks can be scoped by security domain. All principals and support data are reconciled from the specified security domain. Previously, administrative scoping was at realm-level only. See the Corrections to Installation Guide section for additional information.

Items included in the 5.1.14 release

RFE 55144 (29799)
    The adapter returns token type as part of recon'd token data. See the Corrections to Installation Guide section for additional information, including updated installation instructions.

Items included in the 5.1.13 release

RFE 52801
    RSA Authentication Manager 8.1 is supported. See the Corrections to Installation Guide section for instructions on installing the RSA Authentication Manager Adapter for version 8.1 of the RSA Authentication Manager server.

Items included in the 5.1.12 release

None

Items included in the 5.1.11 release

RFE 34875, RFE 20143
    RSA Authentication Manager 8.0 is supported. See the Corrections to Installation Guide section for additional information and new instructions for installing the current RSA Authentication Manager Adapter for versions 7.1 and 8.0 of the RSA Authentication Manager server.

RFE 16152, RFE 6567
    RSA Auth Manager – Replacement Token: allow the user to specify a particular replacement for an assigned token. See the Configuration Notes section for additional information.

RFE 17534, RFE 7687
    Set SecurID PIN using the adapter: allow the user to set the PIN for an assigned token. See the Configuration Notes section for additional information.

Items included in the 5.1.10 release

    Tivoli Directory Integrator v6.1.1 is no longer supported. Versions of RSA Authentication Manager 7.1 lower than SP4 are no longer supported.

Items included in the 5.1.9 release

    The adapter installer jar and executables have been discontinued. Adapter installation, uninstallation and reinstallation are now manual procedures. See the "Installation instructions for version 5.1.8 and later" section for additional information.

MR033011424, RTC 38929
    Manage security domains of assigned tokens. See the "Managing security domains of assigned tokens" section for additional information.

Items included in the 5.1.8 release

Not released

Items included in the 5.1.7 release

N/A
    The adapter has been updated to exploit iterative APIs to fetch principals, groups and tokens from the RSA Authentication Manager server v7.1 SP3 and later. These updates should help prevent OutOfMemoryErrors when recon'ing large numbers (>1000) of items. See the "Recon Batch Size and Recon Limit" note in "Configuration Notes" for additional information.

N/A
    Tivoli Directory Integrator v7.1 (and later) is now supported and modified install/config steps are documented. See "Using the RSA Authentication Manager Adapter in Directory Integrator v7.1" for additional information.

Items included in the 5.1.6 release

OSBD
    Added support for AuthMan 7.1 SP4.

Items included in the 5.1.5 release

N/A
    Added support for AuthMan 7.1 SP3 "Batch Reconciliation" option. See the Configuration Notes section for additional information.

OSDB
    Added support for AuthMan 7.1 SP3.

Items included in the 5.1.4 release

None

Items included in the 5.1.3 release

    Version 5.1.3 of this adapter now supports upgrading the connector if a prior version was installed.

Items included in the 5.1.2 release

None

Items included in the 5.1.1 release

Initial release

 

 

 

Closed Issues

Internal# | APAR# | PMR# / Description

Items closed in the current release (5.1.15)

None

Items closed in the 5.1.14 release

None

Items closed in the 5.1.13 release

Bugz1258, RTC103016 | IV55612 | PMR 43275,025,724
    Incorrect label key used in AuthMan account form causes "$errsaamt1tokenpin" to be displayed.

N/A | N/A
    User groups cannot be deleted from user accounts.

Items closed in the 5.1.12 release

Bugz1163 | N/A | PMR 42363,025,724
    Can't connect to the AuthMan server. This error was due to a trailing space in the java.naming.factory.initial property in the shipped config.properties file. The space has been removed.

N/A
    IBM Tivoli Identity Manager status is displayed as FAILED when an error occurs setting a token or token attribute during an account ADD operation. The account is created on the RSA Authentication Manager server, but assembly line JavaScript errors cause the status to appear as FAILED with messages such as "rsaAssignedToks not found" or "unmodAttrs not found".

Items closed in the 5.1.11 release

Bugz1030, Bugz1058, RTC88010 | IV45257 | PMR 55557,650,758
    RSA adapter terminates recon as soon as an identity source with 0 principals defined in it is found.
    RSA adapter terminates recon as soon as an identity source with 0 groups defined in it is found.

Bugz1055, RTC92306 | IV47019 | PMR 10875,7TD,000
    Documentation Update: A restore operation will not unlock a locked account unless a password is provided. See the Configuration Notes section for a discussion on the use of passwords when restoring RSA Authentication Manager accounts.

Items closed in the 5.1.10 release

Bugz992 | PMR 37584,7TD,000
    Documentation Update: Clarification of RSA properties required in the config.properties file. The only properties that must be modified in the TIMSOL/config.properties file are java.naming.provider.url, com.rsa.cmdclient.user, and com.rsa.cmdclient.user.password. Other properties in config.properties should not be modified.
    Note that even though the adapter does not support SOAP protocol communication or two-way SSL authentication with the RSA Authentication Manager, the properties pertaining to SOAP and two-way SSL must still be present in the config.properties file.
    See Step 6 in the "Installation instructions for version 5.1.8 or later" section for additional information about the config.properties file.

Bugz995 | IV43499 | PMR 63240,7TD,000
    Documentation Update: Required connections to the RSA Authentication Manager server. The adapter makes several simultaneous connections to the RSA Authentication Manager server to perform its administrative tasks. If the RSA Authentication Manager server is not configured to allow sufficient administrative connections, the adapter operation will fail with an "Access Denied" error. The RSA Authentication Manager should be configured to allow at least 10 administrative connections. If you see "Access Denied" errors, you may need to increase that value.
    See the RSA Authentication Manager documentation for instructions on how to configure the maximum number of administrative connections.

Items closed in the 5.1.9 release

None

Items closed in the 5.1.8 release

Not released

Items closed in the 5.1.7 release

None

Items closed in the 5.1.6 release

IZ92504 | 02982,999,832
    SecurID tokens not fetched from subdomains.

Items closed in the 5.1.5 release

None

Items closed in the 5.1.4 release

IZ78264 | 75349,025,724
    Incorrect service.def entries in AuthMan 7.1 adapter causing CTGIMU552E error.

IZ78501 | 01010,7TD,000
    Search assembly (and others) should ignore case for Boolean variables.

Items closed in the 5.1.3 release

N/A | 71589,180,000
    Incompatibility between RSA and TDI log4j libraries. Solves log4j NoSuchMethodException.

Items closed in the 5.1.2 release

N/A
    Corrections to release notes.

Items closed in the 5.1.1 release

Initial release

 

 

 

Known Issues

Internal# | APAR# | PMR# / Description

Wrong status returned during filtered recon

When a filtered recon is executed using a filter like (eruid=name) and "name" is not found in the target resource, the adapter returns a FAILURE status. The adapter should return a SUCCESS status so that IBM Tivoli Identity Manager will remove the "name" service account from its datastore.

This issue will be fixed in a future release.

 

 

 

 

Object Class Violation Error on SendOnly Attributes

 

If the RSA Authentication Manager adapter fails to set one or more send-only attributes

·         erRsaAmT1ClearSecurIDPin

·         erRsaAmT2ClearSecurIDPin

·         erRsaAmT3ClearSecurIDPin

·         erServicePwd1

·         erServicePwd2

·         erServicePwd3

·         erRsaAmT1RplNextToken

·         erRsaAmT2RplNextToken

·         erRsaAmT3RplNextToken

on the RSA Authentication Manager server during an ADD or MODIFY operation, then the adapter will return the attribute in the failed attribute list and some versions of IBM Tivoli Identity Manager will generate an "Object Class Violation" error. This is an IBM Tivoli Identity Manager server defect and will be addressed in a future server fix pack.

 

 

 

 

TDI Application Monitoring Console

 

When using the TDI Application Monitoring Console, the RMI traffic to TDI is routed to port 1099. This may affect the operation of the TIM TDI-based adapters. Two options are available:

 

1.     Change the TIM Service form for the TDI-based adapters to specify port 1099 (instead of the default 16231), or

 

2.     Configure the Application Monitoring Console to listen on port 16231 by modifying the api.remote.naming.port property in the TDI_SOLDIR/solution.properties file.  The TDI_SOLDIR directory is described in the RSA Authentication Manager 7.1 Adapter Installation and Configuration Guide.

 

 

Known Limitations

Internal# | APAR# | PMR# / Description

 

 

 

RSA Authentication Manager Adapter impacts on TDI and other adapters

 

For the adapter to run correctly, several specific jar files are needed in the runtime environment.  Some of these jars interfere with the operation of other adapters or with certain features of the Tivoli Directory Integrator (TDI).  In particular,

·         The TDI 7.1.1 or SDI 7.2 REST service will not run when the RSA Authentication Manager 8.0 or 8.1 Adapter is installed and configured.

·         Do not install the RSA Authentication Manager Adapter in the same TDI environment with any of the following adapters: BlackBerry Enterprise Server, Google Apps or Salesforce.

 

 

 

 

No support for 2-way SSL or SOAP communication

The adapter does not support two-way SSL communication with the RSA Authentication Manager server. The adapter also does not support the SOAP protocol when communicating with the RSA Authentication Manager server. 

 

 

 

Known ITIM Limitations

Internal# | APAR# | PMR# / Description

 

Installation and Configuration Notes

See the IBM Tivoli Identity Manager RSA Authentication Manager Adapter Installation Guide for detailed instructions.

 

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

 

RFE 53430 (29162) The adapter returns the serial number of the assigned tokens in recon'd account data.

Three new attributes are added to the erRsaAmAccount object class to hold the serial number of tokens assigned to a user account: erRsaAmT1SerialNumber, erRsaAmT2SerialNumber and erRsaAmT3SerialNumber.

 

The following entries should be added to Table 10 of Appendix A in the RSA Authentication Manager Adapter Installation and Configuration Guide:

Attribute name and definition | Data type | Single-valued | Permissions | Required

erRsaAmT1SerialNumber (Specifies the serial number of token 1 assigned to the user.) | String | Yes | R | No

erRsaAmT2SerialNumber (Specifies the serial number of token 2 assigned to the user.) | String | Yes | R | No

erRsaAmT3SerialNumber (Specifies the serial number of token 3 assigned to the user.) | String | Yes | R | No

 

 

RFE 58403 (31155) Adapter administrative tasks can be scoped by security domain

When configuring an RSA Authentication Manager service, you can specify any security domain to administer, not just a top-level realm. The following changes are needed in the RSA Authentication Manager Adapter Installation and Configuration Guide.

The following changes are needed to bullet points under the Features of the adapter section:

·         Creating user accounts in the specified security domain and its associated identity source.

·         Reconciling support data for the security domain

Use the adapter to reconcile support data such as identity sources, security domains, groups, admin roles and tokens of the specified security domain.

 

The following changes replace material in the Creating a service section:

Security domain name (replaces Realm name)

Specify the name of the security domain that the user can administer and from which principals and support data should be reconciled. Administrative security domains are specific to an Authentication Manager server but each server is installed with a default top-level security domain (realm). The default realm name is SystemDomain.  To specify a security domain that is defined somewhere under a realm, use the full path to the security domain with the ">" character as a delimiter between security domains in the hierarchy.  For example, SystemDomain>Employees>Division1.  To specify a top-level security domain (realm), just use the realm name.  For example, SystemDomain.

Administrator Name

Specify the administrator user that is used to login to the resource and perform user management operations on the specified security domain.

 

Instructions for installing the adapter in RSA Authentication Manager 7.1, 8.0 and 8.1 environments

The adapter now supports management of RSA Authentication Manager v7.1, v8.0 and v8.1 systems.  The adapter installation steps differ depending on the version of RSA Authentication Manager that you are using.  The following instructions replace the installation steps described in chapters 2 and 3 of the RSA Authentication Manager Adapter Installation and Configuration Guide.

 

I. Installing, uninstalling and re-installing the adapter in an RSA Authentication Manager 7.1 environment

 

Installing and configuring the adapter

 

Follow these instructions for a new installation of the RSA Authentication Manager Adapter in your Directory Integrator environment. Installation and configuration of the adapter consists of the following steps:

1.     Install the RMI Dispatcher

2.     Copy the connector jar, config.properties and rsa_token_types.properties files to the Directory Integrator environment

3.     Build a wlfullclient.jar file on the RSA Authentication Manager server

4.     Copy the RSA Authentication Manager 7.1 runtime jar files to the Directory Integrator environment

5.     Copy the license.bea file to the Directory Integrator environment

6.     Update the RSA Authentication Manager config.properties file

7.     If necessary, update the rsa_token_types.properties file

8.     Enable secure communication between the adapter and the RSA Authentication Manager server

After completing the installation steps and verifying the installation, you can create an adapter user account, import the adapter profile and create a service as described in Chapter 3 of the RSA Authentication Manager 7.1 Adapter Installation and Configuration Guide.

 

Step 1: Install the RMI Dispatcher

If you have already installed the RMI Dispatcher for another adapter, you do not need to re-install it. Make sure the RMI Dispatcher service is stopped and go to "Step 2: Copy the connector jar, config.properties and rsa_token_types.properties files to the Directory Integrator environment".

 

If the RMI Dispatcher is not yet installed in your Directory Integrator environment, download the dispatcher software from your account in IBM Passport Advantage Online. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions on how to install the RMI Dispatcher and how to verify installation.

 

Before proceeding to the next adapter installation step, make sure that the RMI Dispatcher service is stopped. Instructions on how to start and stop the RMI Dispatcher are included in the dispatcher installation guide.

 

Step 2: Copy the connector jar, config.properties and rsa_token_types.properties files to the Directory Integrator environment

Download the adapter software from your account in IBM Passport Advantage Online. After downloading the software, perform the following steps:

1.     Create a temporary directory on the computer in which you want to extract the adapter.

2.     Extract the contents of the compressed file into the temporary directory.

3.     Copy the connectors/am71/RsaAuthMgrConnector.jar file to the ITDI_HOME/jars/connectors directory. Note: You cannot use the am80 version of the connector jar in an RSA Authentication Manager 7.1 environment.

4.     Copy the resource/config.properties file to the ITDI_HOME/timsol directory.

5.     Copy the resource/rsa_token_types.properties file to the ITDI_HOME/timsol directory.

6.     Restart the RMI Dispatcher service.

 

Step 3: Build a wlfullclient.jar file on the RSA Authentication Manager server

1.     From a command prompt on the RSA Authentication Manager 7.1 server, change directory to RSA_AM_HOME/appserver/weblogic/server/lib/.

2.     Execute the following command:

java -jar ../../../modules/com.bea.core.jarbuilder_1.0.0.0.jar -profile wlfullclient

3.     The wlfullclient.jar file will be created in the RSA_AM_HOME/appserver/weblogic/server/lib directory.

 

Step 4: Copy the RSA Authentication Manager 7.1 runtime jar files to the Directory Integrator environment

Several jar files must be copied from the RSA Authentication Manager 7.1 server to the Directory Integrator environment. All of the files in the table below must be copied to the ITDI_HOME/jars/patches/rsa directory. For a new installation, you will have to create the ITDI_HOME/jars/patches/rsa directory.

It is important that these files, and only these files, be copied from the server system to the client environment. Note: Previous versions of this adapter installed RSA Authentication Manager jars into the ITDI_HOME/jars/3rdparty/rsa directory.  This old location must be removed in its entirety before installing this version of the adapter.

 

JAR file | Location in the RSA Authentication Manager 7.1 server

am-client.jar | RSA_AM_HOME/utils/jars
am-server-o.jar | RSA_AM_HOME/utils/jars
axis-1.3.jar | RSA_AM_HOME/utils/jars/thirdparty
com.bea.core.process_5.3.0.0.jar | RSA_AM_HOME/utils/jars/thirdparty
commons-beanutils-1.7.0.jar | RSA_AM_HOME/utils/jars/thirdparty
commons-discovery-0.2.jar | RSA_AM_HOME/utils/jars/thirdparty
commons-lang-2.2.jar | RSA_AM_HOME/utils/jars/thirdparty
commons-logging-1.0.4.jar | RSA_AM_HOME/utils/jars/thirdparty
EccpressoAsn1.jar | RSA_AM_HOME/appserver/weblogic/server/lib
EccpressoCore.jar | RSA_AM_HOME/appserver/weblogic/server/lib
EccpressoJcae.jar | RSA_AM_HOME/appserver/weblogic/server/lib
iScreen-ognl-1-1-0rsa-2.jar | RSA_AM_HOME/utils/jars/thirdparty
ims-server-o.jar | RSA_AM_HOME/utils/jars
ims-client.jar | RSA_AM_HOME/server/servers/Hostname_server/tmp/_WL_user/console-ims/.../war/WEB-INF/lib
iScreen-1-1-0rsa-2.jar | RSA_AM_HOME/utils/jars/thirdparty
jdom-1.0.jar | RSA_AM_HOME/utils/jars/thirdparty
jsafe-3.6.jar | RSA_AM_HOME/utils/jars/thirdparty
jsafeJCE-3.6.jar | RSA_AM_HOME/utils/jars/thirdparty
ognl-2.6.7.jar | RSA_AM_HOME/utils/jars/thirdparty
spring-2.0.7.jar | RSA_AM_HOME/utils/jars/thirdparty
systemfields-o.jar | RSA_AM_HOME/utils/jars
ucm-client.jar | RSA_AM_HOME/server/servers/Hostname_server/tmp/_WL_user/console-ims/.../war/WEB-INF/lib
ucm-server.jar | RSA_AM_HOME/utils/jars
wlcipher.jar | RSA_AM_HOME/appserver/weblogic/server/lib
wlfullclient.jar | RSA_AM_HOME/appserver/weblogic/server/lib

 

 

Step 5: Copy the license.bea file to the Directory Integrator environment

An adapter can have the authority to manage an RSA Authentication Manager 7.1 server resource only when the server's license.bea file is available. The JVM property bea.home is set to the path of the license.bea file through the connector.

Copy the RSA_AM_HOME/appserver/license.bea file from the RSA Authentication Manager server to the adapter's solution directory (for example, ITDI_HOME/timsol).

 

Step 6: Update the RSA Authentication Manager config.properties file

The config.properties file contains key/value pairs needed to communicate with a particular RSA Authentication Manager server. In Step 2, you copied a file with placeholder values into the adapter's solution directory. You must change the values of the following properties to those specific to your RSA Authentication Manager instance:

java.naming.provider.url

com.rsa.cmdclient.user

com.rsa.cmdclient.user.password

The other properties should be left unmodified.  Note that even though the adapter does not support SOAP protocol communication or two-way SSL authentication with the RSA Authentication Manager, the properties pertaining to SOAP and two-way SSL must still be present in the config.properties file.

 

To find the values for the com.rsa.cmdclient.user and com.rsa.cmdclient.user.password properties, run the rsautil command.  From a command prompt on the RSA Authentication Manager server, change directory to RSA_AM_HOME/utils and execute the following command:

./rsautil manage-secrets --action listkeys

Find the values for the two properties and put them in the config.properties file.

Note: You can use forward slashes in paths even in a Windows environment. You should avoid using spaces in paths. Also, make sure there is no trailing whitespace on the values.

 

 

# JNDI factory class.
java.naming.factory.initial = weblogic.jndi.WLInitialContextFactory

# Server URL. NOTE: Replace local1 with the hostname of your Authentication
# Manager server
java.naming.provider.url = t3s://local1:7002

# User ID for process-level authentication.  Replace CmdClient with the
# value from your environment.
com.rsa.cmdclient.user = CmdClient

# Password for process-level authentication. Replace password with the value
# from your environment.
com.rsa.cmdclient.user.password = password

# Password for Two-Way SSL client identity keystore
com.rsa.ssl.client.id.store.password = password

# Password for Two-Way SSL client identity private key
com.rsa.ssl.client.id.key.password = password

# Provider URL for Two-Way SSL client authentication
ims.ssl.client.provider.url = t3s://local1:7022

# Identity keystore for Two-Way SSL client authentication
ims.ssl.client.identity.keystore.filename = client-identity.jks

# Identity keystore private key alias for Two-Way SSL client authentication
ims.ssl.client.identity.key.alias = client-identity

# Identity keystore trusted root CA certificate alias
ims.ssl.client.root.ca.alias = root-ca

# SOAPCommandTargetBasicAuth provider URL
ims.soap.client.provider.url = https://local1:7002/ims-ws/services/CommandServer
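As an added example (not part of the adapter or of these release notes), the following Python check reads a config.properties file and reports the problems described in this step and in the 5.1.12 fix: missing properties (including the unused SOAP and two-way SSL ones), trailing whitespace on a value, shipped placeholder values left in place, and a provider URL that is not of the form t3s://host:port. The two sample files inside it are constructed.

```python
import re
import sys
from typing import Dict, List

# Properties that must be set for the target server (Step 6 above).
REQUIRED_KEYS = (
    "java.naming.factory.initial",
    "java.naming.provider.url",
    "com.rsa.cmdclient.user",
    "com.rsa.cmdclient.user.password",
)
# Properties that must stay present although the adapter uses neither
# SOAP nor two-way SSL.
SOAP_SSL_KEYS = (
    "com.rsa.ssl.client.id.store.password",
    "com.rsa.ssl.client.id.key.password",
    "ims.ssl.client.provider.url",
    "ims.ssl.client.identity.keystore.filename",
    "ims.ssl.client.identity.key.alias",
    "ims.ssl.client.root.ca.alias",
    "ims.soap.client.provider.url",
)
# Sample values from the shipped file that must not survive into production.
PLACEHOLDERS = {
    "java.naming.provider.url": "t3s://local1:7002",
    "com.rsa.cmdclient.user.password": "password",
}
_URL_RE = re.compile(r"^t3s://[^\s:/]+:\d+$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for the adapter's config.properties.
    Values keep their trailing whitespace on purpose so that the
    trailing-space defect fixed in 5.1.12 can be detected."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.lstrip()
    return props


def check_config(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file passed."""
    props = parse_properties(text)
    problems: List[str] = []
    for key in REQUIRED_KEYS + SOAP_SSL_KEYS:
        if key not in props:
            problems.append(f"missing property: {key}")
    for key, value in props.items():
        if value != value.rstrip():
            problems.append(f"trailing whitespace in value of {key}")
    for key, sample in PLACEHOLDERS.items():
        if props.get(key, "").strip() == sample:
            problems.append(f"placeholder value still set for {key}")
    url = props.get("java.naming.provider.url", "").strip()
    if url and not _URL_RE.match(url):
        problems.append(f"java.naming.provider.url must be t3s://host:port, got {url!r}")
    return problems


# Constructed sample: reproduces the 5.1.12 trailing-space defect, keeps the
# shipped placeholders and omits the SOAP / two-way SSL properties.
SAMPLE_BAD = "\n".join([
    "# JNDI factory class.",
    "java.naming.factory.initial = weblogic.jndi.WLInitialContextFactory" + " ",
    "java.naming.provider.url = t3s://local1:7002",
    "com.rsa.cmdclient.user = CmdClient",
    "com.rsa.cmdclient.user.password = password",
])

# Constructed sample of a correctly edited file (host name and secret are made up).
SAMPLE_GOOD = "\n".join([
    "java.naming.factory.initial = weblogic.jndi.WLInitialContextFactory",
    "java.naming.provider.url = t3s://am71.example.com:7002",
    "com.rsa.cmdclient.user = CmdClient",
    "com.rsa.cmdclient.user.password = value-from-rsautil-listkeys",
    "com.rsa.ssl.client.id.store.password = password",
    "com.rsa.ssl.client.id.key.password = password",
    "ims.ssl.client.provider.url = t3s://am71.example.com:7022",
    "ims.ssl.client.identity.keystore.filename = client-identity.jks",
    "ims.ssl.client.identity.key.alias = client-identity",
    "ims.ssl.client.root.ca.alias = root-ca",
    "ims.soap.client.provider.url = https://am71.example.com:7002/ims-ws/services/CommandServer",
])

if __name__ == "__main__":
    # Usage: python check_config.py ITDI_HOME/timsol/config.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for problem in check_config(text) or ["config.properties looks good"]:
        print(problem)
```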

 

 

Step 7: If necessary, update the rsa_token_types.properties file

The rsa_token_types.properties file is used to map integer value token types that are returned during reconciliation to descriptive token labels.

 

The file is in key=value format and by default has the following entries:

0= RSA SecurID Standard Card
1= RSA SecurID PINPad
2= RSA SecurID Key Fob
3=RSA Watch Token
4=RSA SecurID Software Token
5=RSA Smart Card ID Token
6=RSA SecurID modem
7=RSA Crypto Token
8=RSA Proteus Token
9=RSA USB Cosmo Token
10=RSA Flexible Token

These default entries should not be changed, but extra entries can be added if new token types are present in your Authentication Manager server.  Most environments will not require changing this file.

 

Step 8: Enable secure communication between the adapter and the RSA Authentication Manager server

When you install RSA Authentication Manager 7.1, the system creates a self-signed server (root) certificate and stores it in an RSA_AM_HOME/server/security/server_name.jks file. You must export this root certificate and store it in a trust store in your Directory Integrator environment in order to enable secure communication between the adapter and the server it is managing. Follow these steps:

1.     Export the root certificate

a.     From a command prompt on the RSA Authentication Manager server, change directory to RSA_AM_HOME/appserver.

b.     Execute the following command:
       jdk/jre/bin/keytool -export -keystore RSA_AM_HOME/server/security/server_name.jks -file am_root.cer -alias rsa_am_ca

c.     At the prompt for the keystore password, press Enter without typing a password. Note: A warning screen is displayed, but the root certificate is exported.

d.     The certificate file is RSA_AM_HOME/appserver/am_root.cer.

2.     Create a trust store for the root certificate

a.     Transfer the exported root certificate file to the Directory Integrator system.

b.     Change directory to the adapter's solution directory (for example, ITDI_HOME/timsol).

c.     Execute the following command:
       ../jvm/jre/bin/keytool -import -keystore rsaTruststore.jks -storetype JKS -storepass your-password -alias rsa_am_ca -file path-to-exported-server-cert
       The Java keytool displays a confirmation message that the certificate was added to the trust store, which is created in the ITDI_HOME/timsol directory.

3.     Set the -Dweblogic.security.SSL.trustedCAKeyStore=full-path-to-rsaTruststore.jks Java system property. The RMI Dispatcher will read this property and make it available to the RSA runtime. See the "Configuring the RMI Dispatcher JVM properties" section of the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions on setting this property in your Directory Integrator environment.

 

Verifying the adapter installation and configuration

Use the table below to verify that you have installed and configured the RSA Authentication Manager Adapter correctly in your Directory Integrator environment.

Component | Directory | Comments

RsaAuthMgrConnector.jar | ITDI_HOME/jars/connectors |

RSA Authentication Manager 7.1 runtime jars (all of the following) | ITDI_HOME/jars/patches/rsa | No other jar files must exist in this directory.
    am-client.jar
    am-server-o.jar
    axis-1.3.jar
    com.bea.core.process_5.3.0.0.jar
    commons-beanutils-1.7.0.jar
    commons-discovery-0.2.jar
    commons-lang-2.2.jar
    commons-logging-1.0.4.jar
    EccpressoAsn1.jar
    EccpressoCore.jar
    EccpressoJcae.jar
    ims-client.jar
    ims-server-o.jar
    iScreen-1-1-0rsa-2.jar
    iScreen-ognl-1-1-0rsa-2.jar
    jdom-1.0.jar
    jsafe-3.6.jar
    jsafeJCE-3.6.jar
    ognl-2.6.7.jar
    spring-2.0.7.jar
    systemfields-o.jar
    ucm-client.jar
    ucm-server-o.jar
    wlcipher.jar
    wlfullclient.jar

config.properties | ITDI_HOME/timsol | Make sure this file is configured to your environment. See the section "Update the RSA Authentication Manager config.properties file" above.

rsa_token_types.properties | ITDI_HOME/timsol |

rsaTruststore.jks | ITDI_HOME/timsol | Make sure this file contains the RSA Authentication Manager self-signed certificate. See the section "Enable secure communication between the adapter and the RSA Authentication Manager server" above.

license.bea | ITDI_HOME/timsol |

RMI Dispatcher properties | ITDI_HOME/timsol/ibmdiservice.props (Windows); ITDI_HOME/ibmdisrv (UNIX/Linux) | Make sure the JVM property weblogic.security.SSL.trustedCAKeyStore=full-path-to-rsa-truststore is defined using a -D flag. See the section "Configuring the RMI Dispatcher JVM properties" in the Directory Integrator RMI Dispatcher Installation and Configuration Guide for details.
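As an added example (not from the adapter or the guide), this Python check automates the verification table: it compares ITDI_HOME/jars/patches/rsa with the jar list, looks for the obsolete ITDI_HOME/jars/3rdparty/rsa directory, confirms the solution-directory files exist and extracts the trustedCAKeyStore path from the RMI Dispatcher JVM arguments. The sample listing and path at the end are constructed.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# The only jars allowed in ITDI_HOME/jars/patches/rsa (list from the table above).
EXPECTED_RSA_JARS = frozenset({
    "am-client.jar", "am-server-o.jar", "axis-1.3.jar",
    "com.bea.core.process_5.3.0.0.jar", "commons-beanutils-1.7.0.jar",
    "commons-discovery-0.2.jar", "commons-lang-2.2.jar",
    "commons-logging-1.0.4.jar", "EccpressoAsn1.jar", "EccpressoCore.jar",
    "EccpressoJcae.jar", "ims-client.jar", "ims-server-o.jar",
    "iScreen-1-1-0rsa-2.jar", "iScreen-ognl-1-1-0rsa-2.jar", "jdom-1.0.jar",
    "jsafe-3.6.jar", "jsafeJCE-3.6.jar", "ognl-2.6.7.jar", "spring-2.0.7.jar",
    "systemfields-o.jar", "ucm-client.jar", "ucm-server-o.jar",
    "wlcipher.jar", "wlfullclient.jar",
})
# Files expected in the solution directory ITDI_HOME/timsol.
EXPECTED_TIMSOL_FILES = ("config.properties", "rsa_token_types.properties",
                         "rsaTruststore.jks", "license.bea")
TRUSTSTORE_PROP = "weblogic.security.SSL.trustedCAKeyStore"
_PROP_RE = re.compile(r"-D" + re.escape(TRUSTSTORE_PROP) + r"=([^\s\"']+)")


def compare_jar_dir(entries: Iterable[str]) -> Dict[str, List[str]]:
    """Compare a listing of ITDI_HOME/jars/patches/rsa with the expected set."""
    found = set(entries)
    return {"missing": sorted(EXPECTED_RSA_JARS - found),
            "extra": sorted(found - EXPECTED_RSA_JARS)}


def truststore_path_from_jvm_args(text: str) -> Optional[str]:
    """Extract the trust store path from the -D flag in ibmdiservice.props
    (Windows) or ibmdisrv (UNIX/Linux); None when the property is absent."""
    match = _PROP_RE.search(text)
    return match.group(1) if match else None


def check_install(itdi_home: str, jvm_args_text: str) -> List[str]:
    """Check the installed layout on disk; returns a list of problems."""
    problems: List[str] = []
    connector = os.path.join(itdi_home, "jars", "connectors", "RsaAuthMgrConnector.jar")
    if not os.path.isfile(connector):
        problems.append(f"connector jar not found: {connector}")
    # Location used by earlier adapter versions; must be removed entirely (Step 4).
    old_dir = os.path.join(itdi_home, "jars", "3rdparty", "rsa")
    if os.path.isdir(old_dir):
        problems.append(f"old jar location still exists: {old_dir}")
    rsa_dir = os.path.join(itdi_home, "jars", "patches", "rsa")
    if os.path.isdir(rsa_dir):
        diff = compare_jar_dir(os.listdir(rsa_dir))
        problems += [f"missing jar in patches/rsa: {j}" for j in diff["missing"]]
        problems += [f"unexpected file in patches/rsa: {j}" for j in diff["extra"]]
    else:
        problems.append(f"directory not found: {rsa_dir}")
    for name in EXPECTED_TIMSOL_FILES:
        if not os.path.isfile(os.path.join(itdi_home, "timsol", name)):
            problems.append(f"missing solution-directory file: timsol/{name}")
    path = truststore_path_from_jvm_args(jvm_args_text)
    if path is None:
        problems.append(f"-D{TRUSTSTORE_PROP} is not defined for the RMI Dispatcher")
    elif not os.path.isabs(path):
        problems.append(f"{TRUSTSTORE_PROP} must be a full path, got {path!r}")
    elif not os.path.isfile(path):
        problems.append(f"trust store not found: {path}")
    return problems


# Constructed listing: wlfullclient.jar was never built (Step 3) and a stray
# log4j jar was copied along with the others.
SAMPLE_LISTING = sorted(EXPECTED_RSA_JARS - {"wlfullclient.jar"}) + ["log4j-1.2.8.jar"]
# Constructed ibmdisrv fragment (the path is made up).
SAMPLE_JVM_ARGS = ("-Xmx512m "
                   "-Dweblogic.security.SSL.trustedCAKeyStore=/opt/IBM/TDI/V7.1/timsol/rsaTruststore.jks")

if __name__ == "__main__":
    print(compare_jar_dir(SAMPLE_LISTING))
    print(truststore_path_from_jvm_args(SAMPLE_JVM_ARGS))
```

Running check_install against a real ITDI_HOME with the contents of ibmdiservice.props or ibmdisrv reports every row of the table that fails.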

 

Uninstalling the adapter

To uninstall the RSA Authentication Manager Adapter from your Directory Integrator environment, follow these steps:

1.     Stop the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

2.     Remove the ITDI_HOME/jars/connectors/RsaAuthMgrConnector.jar file.

3.     Remove the ITDI_HOME/jars/patches/rsa directory.

4.     Remove the ITDI_HOME/timsol/license.bea file.

5.     Remove the ITDI_HOME/timsol/config.properties file.

6.     Remove the ITDI_HOME/timsol/rsa_token_types.properties file.

7.     Remove the weblogic.security.SSL.trustedCAKeyStore RMI Dispatcher property. See the "Configuring the RMI Dispatcher JVM properties" section of the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions on removing this property from your Directory Integrator environment.

8.     Remove the ITDI_HOME/timsol/rsaTruststore.jks file.

9.     Restart the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

 

Reinstalling the adapter

If your RSA Authentication Manager 7.1 server has changed, or you are running an adapter version prior to 6.0.11, uninstall the adapter and install the new version; see the uninstallation and installation steps above. If your RSA Authentication Manager 7.1 server has not changed and you are replacing adapter version 6.0.11 or later, follow these steps to reinstall the adapter in your Directory Integrator environment:

1.     Stop the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

2.     Create a temporary directory on the computer on which you want to extract the new adapter.

3.     Extract the contents of the compressed file into the temporary directory.

4.     Copy the connectors/am71/RsaAuthMgrConnector.jar file to the ITDI_HOME/jars/connectors directory, overwriting the old connector jar.

5.     Restart the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

 

II. Installing the adapter in an RSA Authentication Manager 8.0 or 8.1 environment

 

Installing and configuring the adapter

 

Follow these instructions for a new installation of the adapter. Installation and configuration of the adapter consists of the following steps:

 

1.     Install the RMI Dispatcher

2.     Copy the connector jar, config.properties and rsa_token_types.properties files to the Directory Integrator environment

3.     Copy the RSA Authentication Manager 8.0 or 8.1 SDK jar files to the Directory Integrator environment

4.     Update the RSA Authentication Manager config.properties file

5.     If necessary, update the rsa_token_types.properties file

6.     Enable secure communication between the adapter and the RSA Authentication Manager server

After completing the installation steps and verifying the installation, you can create an adapter user account, import the adapter profile and create a service as described in Chapter 3 of the RSA Authentication Manager 7.1 Adapter Installation and Configuration Guide.

 

Step 1: Install the RMI Dispatcher

If you have already installed the RMI Dispatcher for another adapter, you do not need to re-install it. Make sure the RMI Dispatcher service is stopped and go to "Step 2: Copy the connector jar, config.properties and rsa_token_types.properties files to the Directory Integrator environment".

 

If the RMI Dispatcher is not yet installed in your Directory Integrator environment, download the dispatcher software from your account in IBM Passport Advantage Online. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions on how to install the RMI Dispatcher and how to verify installation.

 

Before proceeding to the next adapter installation step, make sure that the RMI Dispatcher service is stopped. Instructions on how to start and stop the RMI Dispatcher are included in the dispatcher installation guide.

 

Step 2: Copy the connector jar, config.properties and rsa_token_types.properties files to the Directory Integrator environment

Download the adapter software from your account in IBM Passport Advantage Online. After downloading the software, perform the following steps:

1.     Create a temporary directory on the computer in which you want to extract the adapter.

2.     Extract the contents of the compressed file into the temporary directory.

3.     Copy the connector jar that corresponds to your RSA Authentication Manager version to the ITDI_HOME/jars/connectors directory: connectors/am80/RsaAuthMgrConnector.jar for RSA Authentication Manager 8.0, or connectors/am81/RsaAuthMgrConnector.jar for RSA Authentication Manager 8.1.

4.     Copy the resource/config.properties file to the ITDI_HOME/timsol directory.

5.     Copy the resource/rsa_token_types.properties file to the ITDI_HOME/timsol directory

6.     Restart the RMI Dispatcher service.

 

 

Step 3: Copy the RSA Authentication Manager 8.0 or 8.1 SDK jar files to the Directory Integrator environment

Several jar files must be copied from the RSA Authentication Manager 8.0 or 8.1 SDK to the Directory Integrator environment. All of the files in the table below must be copied to the ITDI_HOME/jars/patches/rsa directory. For a new installation, you will have to create the ITDI_HOME/jars/patches/rsa directory.

The RSA Authentication Manager 8.0 SDK is provided in the same software package as the RSA Authentication Manager 8.0 appliance.  The RSA Authentication Manager 8.1 SDK is in its own software package and must be downloaded separately from the appliance.

It is important that these files, and only these files, be copied from the RSA_SDK_HOME/lib/java directory into the ITDI_HOME/jars/patches/rsa directory:

 

am-client.jar

commons-beanutils.jar

commons-discovery.jar

commons-lang.jar

commons-logging.jar

iScreen-ognl.jar

iScreen.jar

ognl.jar

spring-aop.jar

spring-asm.jar

spring-beans.jar

spring-context-support.jar

spring-context.jar

spring-core.jar

spring-expression.jar

wlfullclient.jar

 

 

Step 4: Update the RSA Authentication Manager config.properties file

The config.properties file contains key/value pairs needed to communicate with a particular RSA Authentication Manager server. In Step 2, you copied a file with placeholder values into the adapter's solution directory. You must change the values of the following properties to those specific to your RSA Authentication Manager instance:

java.naming.provider.url

com.rsa.cmdclient.user

com.rsa.cmdclient.user.password

The other properties should be left unmodified.  Note that even though the adapter does not support SOAP protocol communication or two-way SSL authentication with the RSA Authentication Manager, the properties pertaining to SOAP and two-way SSL must still be present in the config.properties file.

 

To find the values for the com.rsa.cmdclient.user and com.rsa.cmdclient.user.password properties, run the rsautil command.  From a command prompt on the RSA Authentication Manager server, change directory to RSA_AM_HOME/utils and execute the following command:

./rsautil manage-secrets --action listkeys

 

When prompted, type your Operations Console username and password. Find the values for the two properties and put them in the config.properties file.

Note: You can use forward slashes in paths even in a Windows environment. Avoid spaces in paths, and make sure there is no trailing whitespace on the values. Because this file holds the command client password in clear text, restrict its file permissions so that only the account that runs the RMI Dispatcher can read it.

 

# JNDI factory class.

java.naming.factory.initial = weblogic.jndi.WLInitialContextFactory

 

# Server URL. NOTE: Replace local1 with the hostname of your Authentication

# Manager server

java.naming.provider.url = t3s://local1:7002

 

# User ID for process-level authentication.  Replace CmdClient with the

# value from your environment.

com.rsa.cmdclient.user = CmdClient

 

# Password for process-level authentication. Replace password with the value

# from your environment.

com.rsa.cmdclient.user.password = password

 

# Password for Two-Way SSL client identity keystore

com.rsa.ssl.client.id.store.password = password

 

# Password for Two-Way SSL client identity private key

com.rsa.ssl.client.id.key.password = password

 

# Provider URL for Two-Way SSL client authentication

ims.ssl.client.provider.url = t3s://local1:7022

 

# Identity keystore for Two-Way SSL client authentication

ims.ssl.client.identity.keystore.filename = client-identity.jks

 

# Identity keystore private key alias for Two-Way SSL client authentication

ims.ssl.client.identity.key.alias = client-identity

 

# Identity keystore trusted root CA certificate alias

ims.ssl.client.root.ca.alias = root-ca

 

# SOAPCommandTargetBasicAuth provider URL

ims.soap.client.provider.url = https://local1:7002/ims-ws/services/CommandServer
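The checks below, as an added example that is not part of the adapter package, catch the mistakes this step warns about before the dispatcher is restarted: missing keys (including the SOAP and two-way SSL keys that must stay in the file), trailing whitespace, placeholder values left over from the template, a space in the keystore path, a provider URL that is not t3s, and a file that other local accounts can read. The function names are this example's own; the property names are the ones listed above, and the sample written when the script runs without an argument is the template from this step.

```shell
#!/bin/sh
# Added example, not part of the adapter package: sanity checks for
# ITDI_HOME/timsol/config.properties before the RMI Dispatcher is restarted.
# Only the file is inspected; the property names are the ones listed in Step 4.
# Usage: sh check_rsa_config.sh /opt/IBM/TDI/V7.1/timsol/config.properties
#        (with no argument it checks the shipped template, which must fail)

# Print the value of key $1 from file $2 (first match, surrounding blanks removed).
prop() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Returns 0 when the file is usable, 1 otherwise; findings go to stdout.
check_rsa_config() {
  f="$1"; rc=0

  # Every key the adapter reads, including the SOAP and two-way SSL keys that
  # must stay present even though the adapter does not use them.
  for k in java.naming.factory.initial java.naming.provider.url \
           com.rsa.cmdclient.user com.rsa.cmdclient.user.password \
           com.rsa.ssl.client.id.store.password com.rsa.ssl.client.id.key.password \
           ims.ssl.client.provider.url ims.ssl.client.identity.keystore.filename \
           ims.ssl.client.identity.key.alias ims.ssl.client.root.ca.alias \
           ims.soap.client.provider.url; do
    grep -q "^[[:space:]]*$k[[:space:]]*=" "$f" || { echo "MISSING: $k"; rc=1; }
  done

  # Trailing blanks are kept as part of the value when Java loads the file.
  bad=$(grep -n '[^[:space:]][[:space:]]*[[:space:]]$' "$f" | grep -v '^[0-9]*:[[:space:]]*#') || true
  [ -z "$bad" ] || { echo "TRAILING WHITESPACE:"; echo "$bad"; rc=1; }

  # The EJB connection must use t3s (TLS); over plain t3 the command-client
  # password would cross the network in clear text.
  url=$(prop java.naming.provider.url "$f")
  case "$url" in
    t3s://*) ;;
    t3://*)  echo "INSECURE: java.naming.provider.url uses t3 instead of t3s"; rc=1 ;;
    *)       echo "BAD: java.naming.provider.url='$url'"; rc=1 ;;
  esac
  case "$url" in
    *local1*) echo "PLACEHOLDER: replace local1 in java.naming.provider.url"; rc=1 ;;
  esac

  # Credentials left over from the shipped template.
  [ "$(prop com.rsa.cmdclient.user.password "$f")" != password ] \
    || { echo "PLACEHOLDER: com.rsa.cmdclient.user.password"; rc=1; }

  # Paths should not contain spaces.
  case "$(prop ims.ssl.client.identity.keystore.filename "$f")" in
    *' '*) echo "BAD: space in ims.ssl.client.identity.keystore.filename"; rc=1 ;;
  esac

  # The file holds a password in clear text: only the dispatcher's account should read it.
  case "$(ls -l "$f" | cut -c5-10)" in
    *r*) echo "PERMISSIONS: $f is readable by group or others"; rc=1 ;;
  esac
  return $rc
}

if [ $# -gt 0 ]; then
  check_rsa_config "$1"
else
  # Constructed sample: the template from Step 4 with its placeholder values.
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
java.naming.factory.initial = weblogic.jndi.WLInitialContextFactory
java.naming.provider.url = t3s://local1:7002
com.rsa.cmdclient.user = CmdClient
com.rsa.cmdclient.user.password = password
com.rsa.ssl.client.id.store.password = password
com.rsa.ssl.client.id.key.password = password
ims.ssl.client.provider.url = t3s://local1:7022
ims.ssl.client.identity.keystore.filename = client-identity.jks
ims.ssl.client.identity.key.alias = client-identity
ims.ssl.client.root.ca.alias = root-ca
ims.soap.client.provider.url = https://local1:7002/ims-ws/services/CommandServer
EOF
  check_rsa_config "$tmp" || echo "template is not usable as-is (expected)"
  rm -f "$tmp"
fi
```

Run it against the real file after editing; a clean run prints nothing and exits 0. The permission check uses the mode bits shown by ls, so on Windows hosts it only tells you what the emulation layer reports.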

 

 

Step 5: If necessary, update the rsa_token_types.properties file

The rsa_token_types.properties file is used to map integer value token types that are returned during reconciliation to descriptive token labels.

 

The file is in key=value format and by default has the following entries:

0= RSA SecurID Standard Card

1= RSA SecurID PINPad

2= RSA SecurID Key Fob

3=RSA Watch Token

4=RSA SecurID Software Token

5=RSA Smart Card ID Token

6=RSA SecurID modem

7=RSA Crypto Token

8=RSA Proteus Token

9=RSA USB Cosmo Token

10=RSA Flexible Token

These default entries should not be changed, but extra entries can be added if new token types are present in your Authentication Manager server.  Most environments will not require changing this file.

 

Step 6: Enable secure communication between the adapter and the RSA Authentication Manager server

When you install RSA Authentication Manager 8.0 or 8.1, the system creates a self-signed server (root) certificate and stores it in an RSA_AM_HOME/server/security/biztier-identity.jks file. You must export this root certificate and store it in a trust store in your Directory Integrator environment in order to enable secure communication between the adapter and the server it is managing. Follow these steps:

1.     Export the root certificate using Microsoft Internet Explorer

a.     Launch Internet Explorer and go to the following URL: https://rsa-authmgr-server-name:7002. The Error 404 page appears.

b.     Right click anywhere on the Error 404 page and select Properties.

c.     In the Properties dialog box, click Certificates.

d.     In the Certificate dialog box, select the Certification Path tab.

e.     Click the top item in the certificate path.

f.      Click View Certificate.

g.     In the Certificate dialog box, click the Details tab.

h.     Click Copy to File.

i.      On the Certificate Export Wizard page, click Next.

j.      On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.

k.     On the File to Export page, click Browse.

l.      Browse to a location to store the root certificate, enter am_root.cer in the File name field, make sure that Save as type is DER Encoded Binary X.509(*.cer), and click Save.

m.   On the File to Export page, click Next.

n.     On the Completing the Certificate Export page, click Finish.

o.     Click OK.

2.     Create a trust store for the root certificate

a.     Transfer the exported root certificate file to the Directory Integrator system. Before importing it, verify its fingerprint out of band against the certificate in the server's biztier-identity.jks (keytool -printcert -file am_root.cer shows the fingerprints of the exported file); a trust store that pins an unverified certificate would let whoever presented it impersonate the Authentication Manager server.

b.     Change directory to the adapter's solution directory (for example, ITDI_HOME/timsol).

c.     Execute the following command:

   ../jvm/jre/bin/keytool -import -keystore rsaTruststore.jks -storetype JKS -storepass your-password -alias rsa_am_ca -file path-to-exported-server-cert -trustcacerts

The Java keytool displays a confirmation message that the certificate was added to the trust store, which is created in the ITDI_HOME/timsol directory. If you omit -storepass, keytool prompts for the password instead of leaving it in the shell history.

3.     Set the -Dweblogic.security.SSL.trustedCAKeyStore=full-path-to-rsaTruststore.jks Java system property. The RMI Dispatcher will read this property and make it available to the RSA runtime. See the "Configuring the RMI Dispatcher JVM properties" section of the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions on setting this property in your Directory Integrator environment.

 

Verifying the adapter installation and configuration

Use the table below to verify that you have installed and configured the RSA Authentication Manager Adapter correctly in your Directory Integrator environment.

 

Component: RsaAuthMgrConnector.jar
Directory: ITDI_HOME/jars/connectors

Component: the following jar files
am-client.jar
commons-beanutils.jar
commons-discovery.jar
commons-lang.jar
commons-logging.jar
iScreen-ognl.jar
iScreen.jar
ognl.jar
spring-aop.jar
spring-asm.jar
spring-beans.jar
spring-context-support.jar
spring-context.jar
spring-core.jar
spring-expression.jar
wlfullclient.jar
Directory: ITDI_HOME/jars/patches/rsa
Comments: No other jar files may exist in this directory.

Component: config.properties
Directory: ITDI_HOME/timsol
Comments: Make sure this file is configured for your environment. See the section "Update the RSA Authentication Manager config.properties file" above.

Component: rsa_token_types.properties
Directory: ITDI_HOME/timsol

Component: rsaTruststore.jks
Directory: ITDI_HOME/timsol
Comments: Make sure this file contains the RSA Authentication Manager self-signed certificate. See the section "Enable secure communication between the adapter and the RSA Authentication Manager server" above.

Component: RMI Dispatcher properties
Directory: ITDI_HOME/timsol/ibmdiservice.props (Windows) or ITDI_HOME/ibmdisrv (UNIX/Linux)
Comments: Make sure the JVM property weblogic.security.SSL.trustedCAKeyStore=full-path-to-rsa-truststore is defined using a -D flag. See the section "Configuring the RMI Dispatcher JVM properties" in the Directory Integrator RMI Dispatcher Installation and Configuration Guide for details.
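As an added check (example script, not part of the adapter package), the following POSIX shell script walks through the verification tables for both the 7.1 and the 8.0/8.1 layouts: it confirms the connector jar, flags any jar missing from or extra in ITDI_HOME/jars/patches/rsa, checks the three files in the solution directory, and reads the -Dweblogic.security.SSL.trustedCAKeyStore value out of ibmdiservice.props or ibmdisrv to make sure it is an absolute path to an existing file. The function names and the 7.1/8.x version switch are this example's own; the jar lists are copied from the two tables.

```shell
#!/bin/sh
# Added example, not part of the adapter package: checks the Directory
# Integrator layout described in the verification tables for the 7.1 and the
# 8.0/8.1 installations. Usage: verify_rsa_adapter.sh ITDI_HOME 7.1|8.x

# Names expected in ITDI_HOME/jars/patches/rsa, one per line, per the tables.
expected_jars() {
  case "$1" in
    7.1) printf '%s\n' am-client.jar am-server-o.jar axis-1.3.jar \
           com.bea.core.process_5.3.0.0.jar commons-beanutils-1.7.0.jar \
           commons-discovery-0.2.jar commons-lang-2.2.jar commons-logging-1.0.4.jar \
           EccpressoAsn1.jar EccpressoCore.jar EccpressoJcae.jar ims-client.jar \
           ims-server-o.jar iScreen-1-1-0rsa-2.jar iScreen-ognl-1-1-0rsa-2.jar \
           jdom-1.0.jar jsafe-3.6.jar jsafeJCE-3.6.jar ognl-2.6.7.jar spring-2.0.7.jar \
           systemfields-o.jar ucm-client.jar ucm-server-o.jar wlcipher.jar \
           wlfullclient.jar ;;
    8.x) printf '%s\n' am-client.jar commons-beanutils.jar commons-discovery.jar \
           commons-lang.jar commons-logging.jar iScreen-ognl.jar iScreen.jar \
           ognl.jar spring-aop.jar spring-asm.jar spring-beans.jar \
           spring-context-support.jar spring-context.jar spring-core.jar \
           spring-expression.jar wlfullclient.jar ;;
    *)   echo "unknown version: $1" >&2; return 1 ;;
  esac
}

# Returns 0 when every table entry is satisfied; each finding is printed.
verify_rsa_adapter_layout() {
  home="$1"; ver="$2"; rc=0
  patches="$home/jars/patches/rsa"

  [ -f "$home/jars/connectors/RsaAuthMgrConnector.jar" ] \
    || { echo "MISSING: jars/connectors/RsaAuthMgrConnector.jar"; rc=1; }

  # Every SDK jar from the table must be present ...
  for j in $(expected_jars "$ver"); do
    [ -f "$patches/$j" ] || { echo "MISSING: jars/patches/rsa/$j"; rc=1; }
  done
  # ... and the tables require that no other jar files exist there.
  for f in "$patches"/*; do
    [ -e "$f" ] || continue
    expected_jars "$ver" | grep -qxF "$(basename "$f")" \
      || { echo "UNEXPECTED: jars/patches/rsa/$(basename "$f")"; rc=1; }
  done

  for f in config.properties rsa_token_types.properties rsaTruststore.jks; do
    [ -f "$home/timsol/$f" ] || { echo "MISSING: timsol/$f"; rc=1; }
  done

  # The trust store is handed to the dispatcher JVM with -D; the value has to
  # be an absolute path to an existing file. Both launch files are searched.
  prop=weblogic.security.SSL.trustedCAKeyStore
  path=$(cat "$home/timsol/ibmdiservice.props" "$home/ibmdisrv" 2>/dev/null \
         | grep -o -- "-D$prop=[^ \"]*" | head -n 1 | cut -d= -f2-)
  case "$path" in
    "")         echo "MISSING: -D$prop in ibmdiservice.props or ibmdisrv"; rc=1 ;;
    /*)         [ -f "$path" ] || { echo "BAD: $prop points to missing file $path"; rc=1; } ;;
    [A-Za-z]:*) ;;   # Windows drive path; existence cannot be checked from a POSIX shell
    *)          echo "BAD: $prop must be an absolute path, not '$path'"; rc=1 ;;
  esac
  return $rc
}

if [ $# -eq 2 ]; then
  verify_rsa_adapter_layout "$1" "$2" && echo "layout OK for RSA Authentication Manager $2"
fi
```

Run it with the dispatcher stopped, after Step 6, and again after any reinstall: a leftover jar from a previous SDK version shows up as UNEXPECTED, which is the case the tables' "no other jar files" rule is there to prevent.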

 

Uninstalling the adapter

To uninstall the RSA Authentication Manager Adapter from your Directory Integrator environment, follow these steps:

1.     Stop the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

2.     Remove the ITDI_HOME/jars/connectors/RsaAuthMgrConnector.jar file.

3.     Remove the ITDI_HOME/timsol/config.properties file.

4.     Remove the ITDI_HOME/timsol/rsa_token_types.properties file.

5.     Remove the ITDI_HOME/jars/patches/rsa directory.

6.     Remove the weblogic.security.SSL.trustedCAKeyStore RMI Dispatcher property. See the "Configuring the RMI Dispatcher JVM properties" section of the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions on removing this property from your Directory Integrator environment.

7.     Remove the ITDI_HOME/timsol/rsaTruststore.jks file.

8.     Restart the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

 

Reinstalling the adapter

If your RSA Authentication Manager 8.0 or 8.1 server has changed, or you are running an adapter version prior to 6.0.11, uninstall the adapter and install the new version; see the uninstallation and installation steps above. If your RSA Authentication Manager 8.0 or 8.1 server has not changed and you are replacing adapter version 6.0.11 or later, follow these steps to reinstall the adapter in your Directory Integrator environment:

1.     Stop the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

2.     Create a temporary directory on the computer on which you want to extract the new adapter.

3.     Extract the contents of the compressed file into the temporary directory.

4.     Copy the connectors/am80/RsaAuthMgrConnector.jar or connectors/am81/RsaAuthMgrConnector.jar file to the ITDI_HOME/jars/connectors directory, overwriting the old connector jar.

5.     Restart the RMI Dispatcher service. See the Directory Integrator RMI Dispatcher Installation and Configuration Guide for instructions.

 

Corrections to Table 7. Adapter Component of the Install Guide

This table should be named "Adapter Components" and should reflect the contents of the TDI environment as described in the table in the Verifying the adapter installation and configuration section.

 

Corrections to Appendix A of the Install Guide

Corrections to the Attributes description section:

A new permission is added:

W = The value is specified during an account create or modify operation through IBM Security Identity Manager.  The value is not stored in the Identity Manager LDAP, but is treated as a send-only attribute.

 

Corrections and additions to Table 9. Attributes for the erRsaAmAccount object class:

Note: The table lists changes and additions for Token 1 attributes.  The same changes and additions apply to the corresponding attributes for Token 2 and Token 3.

 

erRsaAmT1Assign
    The identifier of a token assigned to the user.
    Data type: String. Single-valued: No (the schema defines this attribute as multi-valued, but it should never have more than one value). Permissions: RW. Required: No.

erRsaAmT1StartDate
    Specifies the date that token number 1 is active.
    Data type: Date. Single-valued: Yes. Permissions: R. Required: No.

erRsaAmT1EnableDate
    Specifies the last date that token number 1 was enabled or disabled.
    Data type: Date. Single-valued: Yes. Permissions: R. Required: No.

erRsaAmT1LastLogonDate
    Specifies the last date that token number 1 was used to authenticate a user.
    Data type: Date. Single-valued: Yes. Permissions: R. Required: No.

erRsaAmT1Enable
    On add or modify, specifies whether to enable token number 1. After recon, specifies whether token number 1 is enabled.
    Data type: Boolean. Single-valued: Yes. Permissions: RW. Required: No.

erRsaAmT1ReqAuthPasscode
    Specifies whether a passcode is needed when using token number 1 for authentication.
    Data type: Boolean. Single-valued: Yes. Permissions: RW. Required: No.

erRsaAmT1ClearSecurIDPIN
    On add or modify, specifies whether to clear the PIN for token number 1. This attribute is ignored if its value is false.
    Data type: Boolean. Single-valued: Yes. Permissions: W. Required: No.

erServicePwd1
    On add or modify, specifies the PIN for token number 1.
    Data type: String. Single-valued: Yes. Permissions: W. Required: No.

erRsaAmT1ReplacementToken
    Specifies the name of the token to replace token number 1.
    Data type: String. Single-valued: Yes. Permissions: RW. Required: No.

erRsaAmT1RplNextToken
    On add or modify, specifies whether to replace token number 1 with the next available token. This attribute is ignored if its value is false.
    Data type: Boolean. Single-valued: Yes. Permissions: W. Required: No.

 

 

RFE 55144 (29799) The adapter returns token type as part of recon'd token data

A new file is included as part of the installation package. The resources/rsa_token_types.properties file must be copied to the ITDI_HOME/timsol directory where the adapter is installed. This file is used to map the integer token type values that are returned during reconciliation to descriptive token labels.

 

The file is in key=value format and by default has the following entries:

0= RSA SecurID Standard Card

1= RSA SecurID PINPad

2= RSA SecurID Key Fob

3=RSA Watch Token

4=RSA SecurID Software Token

5=RSA Smart Card ID Token

6=RSA SecurID modem

7=RSA Crypto Token

8=RSA Proteus Token

9=RSA USB Cosmo Token

10=RSA Flexible Token

These default entries should not be changed, but extra entries can be added if new token types are added to the target Authentication Manager server. Most environments will not require changing this file.

 

Two new attributes are added to the erRsaAmTokens object class:

 

erRsaAmTokenType
    The numerical value of the type of token, as defined on the Authentication Manager server.
    Data type: String. Single-valued: Yes. Permissions: R. Required: No.

erRsaAmTokenTypeDesc
    The description of the token type.
    Data type: String. Single-valued: Yes. Permissions: R. Required: No.

 

 

Using the RSA Authentication Manager Adapter in Directory Integrator v7.1 environment

These instructions are deprecated for this version of the adapter. Follow the instructions in section "Instructions for Installing the 5.1.11 Adapter in RSA Authentication Manager 7.1, 8.0 and 8.1 Environments".  

Installation notes for versions 5.1.3 - 5.1.7

These instructions are deprecated for this version of the adapter. Follow the instructions in section "Instructions for Installing the 5.1.11 Adapter in RSA Authentication Manager 7.1, 8.0 and 8.1 Environments".

Correction to Chapter 1: Overview of the RSA Authentication Manager Adapter

In Chapter 1. "Overview of the RSA Authentication Manager 7.1 Adapter", under the "Supported configurations" section, second paragraph.

Replace the sentence "The server communicates with an RSA Authentication Manager 7.1 server, which is installed on a different server." with "The adapter communicates with an RSA Authentication Manager 7.1 server, which is installed on a different server."

Chapter 3: Installing the adapter

 These instructions are deprecated for this version of the adapter. Follow the instructions in section "Instructions for Installing the 5.1.11 Adapter in RSA Authentication Manager 7.1, 8.0 and 8.1 Environments".

Chapter 7: Taking the first steps after installation

Ignore the "Note to reviewers" text box.

 

Configuration Notes

The following configuration notes apply to this release:

 

RFE 58403 (31155) Adapter administrative tasks can be scoped by security domain

When configuring an RSA Authentication Manager service, you can specify any security domain to administer, not just a top-level realm.  For the most part, sections in the Directory Integrator-Based RSA Authentication Manager 7.1 Adapter User Guide that use the term realm should be understood to mean any security domain.

 

RFE 16152: Specifying an Assigned Token’s Replacement

The RSA Authentication Manager Adapter allows you to specify an assigned token’s replacement by using the Replacement Token field on the token page of the account form.  Use the Search button to display a list of tokens and select the desired unassigned token (one prefaced with "Unassigned-").  If a replacement has already been assigned, you can remove it by clearing this field during a modify operation.

 

You can specify or clear a replacement token for any or all of a user’s three possible assigned tokens. If you specify or clear a replacement token and check the Replace with next available token box, then the Replace with next available token request will fail.

 

Setting or clearing token attributes often has the side effect of changing other attributes. For example, setting a token's replacement token will change the replacement from "Unassigned" to "Assigned". As another example, if you clear an assigned token that has a replacement, then the replacement automatically takes the place of the assigned token. It is best practice to recon support data after any token change.

 

RFE 17534: Setting an Assigned Token’s PIN

The RSA Authentication Manager Adapter allows you to set an assigned token’s PIN by using the Token PIN field on the token page of the account form. You can specify a PIN for any or all of a user’s three possible assigned tokens, and each PIN must conform to the policy on the RSA Authentication Manager server.  If you specify a PIN and check the Clear token PIN box, then the clear PIN request will fail.

 

The token PIN values cannot be recon’d and are not stored in the Identity Manager user repository; they are send-only attributes used on account add and modify operations.  The three possible token PINs are represented by erServicePwd1, erServicePwd2 and erServicePwd3 attributes.

 

Setting or clearing token attributes often has the side effect of changing other attributes. For example, setting a token's PIN will automatically set the token's Is token PIN set? flag. It is best practice to recon support data after any token change.

 

IV47019: Password requirements when restoring RSA Authentication Manager accounts

An RSA Authentication Manager account is considered inactive when it is disabled, locked or both.  When restoring an account, the user’s password must be provided in order to unlock the account.  If the user’s password is not provided, the account will be enabled but will not be unlocked.  If you wish to unlock user accounts during restore operations, you must ensure that a password is required.

 

See the "Managing passwords when restoring accounts" section of the adapter install guide for additional information on how to configure password requirements on a per-service type basis.

 

Changes to Chapter 3 of the User Guide, User account management tasks

The following entries in Table 3 of the User Guide should be changed or added:

Attribute: Clear token PIN
Description: Clears the PIN associated with this token. This attribute is ignored for account creation or when its value is false.

Attribute: Replace with next available token
Description: Indicates that the RSA Authentication Manager server must replace this token with the next available token. Do not select this option if Replacement Token is specified; if you do, this attribute will fail and will cause a non-successful return status.

Attribute: Replacement Token
Description: Identifier for the token to replace this token. You must select an unassigned token when specifying a replacement.

Attribute: Token PIN
Description: The PIN for this token. The PIN must adhere to any applicable policies on the RSA Authentication Manager server.

 

In the "Specifying support data attributes" section, update the discussion of optional token attributes as follows:

Specifying the Clear Token PIN attribute

Instructs the RSA Authentication Manager to clear any existing PIN assigned to the token.  Do not select this option if you are specifying the Token PIN field.

 

This attribute is send-only; its value is not directly stored in IBM Security Identity Manager.  Specifying this attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes.  It is best practice to perform a recon after changing any token attributes.

 

Specifying the Replace With Next Available Token attribute

Replaces the existing token with the next available token on the RSA Authentication Manager server.  The server selects a suitable replacement based on expiration date and modifies both the assigned and replacement tokens’ statuses.  Do not select this option if you are specifying a token in the Replacement Token field.

 

This attribute is send-only; its value is not directly stored in IBM Security Identity Manager.  This attribute can affect the value of the Replacement Token.  It is best practice to perform a recon after changing any token attributes.

 

Specifying the Force PIN change on next login attribute

Forces the user to change the token PIN the next time the token is used to log on to the RSA Authentication Manager server.  This attribute must only be set for tokens that require a passcode for authentication.

 

When you select the Force PIN change on next login check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the Force PIN change on next login attribute on the RSA Authentication Manager server.

 

Specifying the Token PIN attribute

Sets or clears the PIN for the token in the RSA Authentication Manager server.

 

The PIN value cannot be recon’d and so this attribute is send-only; its value is not directly stored in IBM Security Identity Manager.  This attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. It is best practice to perform a recon after changing any token attributes.

 

 

 

Changes to Appendix A of the User Guide, RSA Authentication Manager Adapter attributes

The following entry should be added in Table 5 of the User Guide:

Attribute name on the RSA Authentication Manager account form on IBM Security Identity Manager: Token PIN
Attribute name on the Tivoli Directory Server: None. This value is not stored.
Attribute name on the RSA Authentication Manager server: None. This value is not displayed.

 

 

Managing security domains of assigned tokens

To change the security domain of an assigned token, execute the following steps:

1.     Navigate to the desired token page on the RSA Authentication Manager account form.

2.     Click the "Search" button of the Security Domain (Token#) field.

3.     Select a security domain and click "OK".

 

You can change a token’s security domain when you add or modify a user account.  A full recon must be performed prior to changing an assigned token’s security domain so that the security domain list is populated.

 

The following attributes are added to Table 9 "Configuration properties of the adapter" in the RSA Authentication Manager 7.1 Adapter Installation and Configuration Guide:

 

 

erRsaAmT1SecurityDomain
    Specifies the security domain for token number 1.
    Data type: String. Single-valued: Yes. Permissions: RW. Required: Yes.

erRsaAmT2SecurityDomain
    Specifies the security domain for token number 2.
    Data type: String. Single-valued: Yes. Permissions: RW. Required: Yes.

erRsaAmT3SecurityDomain
    Specifies the security domain for token number 3.
    Data type: String. Single-valued: Yes. Permissions: RW. Required: Yes.

 

 

The following entry is added to Table 3 "Token attributes for adding user accounts" in the Directory Integrator-Based RSA Authentication Manager 7.1 Adapter User Guide:

 

 

Attribute: Security Domain
Description: The security domain to which the token is assigned.

 

Upgrading from v5.0 to v5.1

To upgrade the adapter from a 5.0 version to a 5.1.8 or later version, uninstall the 5.0 adapter and install the 5.1 adapter using the instructions above. In addition, you must import the 5.1 service type (profile) version after installing the adapter.

Recon Batch Size and Recon Limit

RSA Authentication Manager 7.1 SP3 (or later) supports reconciliation of principals, groups and tokens in batch mode. The adapter can detect if it is operating in an environment that supports batch mode operations; if so, the adapter will execute batch mode APIs, otherwise it will execute older, non-batch APIs. Recon of other supporting data (roles, security domains and identity sources) is always performed in non-batch mode, since there should not be large numbers of these objects.

 

The default batch size is 1000. You can change the default batch size by adding the erRsaAmBatchSize attribute to the RSA Authentication Manager service form. It will appear as the Recon Batch Size field. See the RSA Authentication Manager 7.1 Adapter Installation and Configuration Guide for instructions on changing the service form. The Recon Batch Size is ignored in SP2 (or earlier) environments.

 

The Recon Limit field on the RSA Authentication Manager service form is ignored in SP3 (or later) environments. It is used in SP2 (or earlier) environments and will limit the number of principals, groups or roles that are returned during a recon. In SP2 (or earlier) environments, reconciliation of large amounts of data might fail with a weblogic.socket.MaxMessageSizeExceededException. See the "Troubleshooting" section for details on how to work around this error.

Troubleshooting the RSA Authentication Manager Adapter

The following troubleshooting notes apply to this version of the adapter.

Chapter 4. Troubleshooting the RSA Authentication Manager Adapter errors

 

Error message: CommandException while making RSA AuthMgr connection: com.rsa.authn.AuthenticationCommandException: Access Denied

Possible cause: The maximum number of administrative connections allowed by the RSA Authentication Manager server is too small.

Recommended action: Increase the number of administrative connections allowed by the RSA Authentication Manager server. See the RSA Authentication Manager documentation for instructions.

Error: Initialize Error: weblogic.socket.MaxMessageSizeExceededException: Incoming message of size: '10000080' bytes exceeds the configured maximum of: '10000000' bytes for protocol: 't3s'

The size of the data (in bytes) sent from the RSA Authentication Manager during a user reconciliation exceeds the maximum message size configured for the t3s protocol. This can happen when large numbers of users are reconciled from RSA  Authentication Manager.  This might happen if you are running the SP2 (or earlier) version of RSA Authentication Manager 7.1.

MaxMessageSize is one of the JAVA_OPTIONS parameters. You must set this parameter to a value that is high enough to handle the maximum number of user and token records that you expect the adapter to process during reconciliation.

Add the following argument in the Tivoli Directory Integrator java command options to increase the max message size configured for protocol: 't3s'.

 

    -Dweblogic.MaxMessageSize=MAX_MESSAGE_SIZE

Note: The tested maximum value of "-Dweblogic.MaxMessageSize" is 2000000000. There must be no whitespace on either side of the "=".

To change the Tivoli Directory Integrator java command options:

On the Windows operating system

1. Change directories to Drive:\ProgramFiles\IBM\TDI\V7.0\timsol\

2. Locate the file ibmdiservice.props and update the jvmcmdoptions property.

For example:

jvmcmdoptions=-Dweblogic.MaxMessageSize=2000000000

On the UNIX operating system

1. Change directories to /opt/IBM/TDI/V7.0/

2. Locate the file ibmdisrv and edit the following line.

"$TDI_JAVA_PROGRAM" $TDI_MIXEDMODE_FLAG -cp "$TDI_HOME_DIR/IDILoader.jar" "$LOG_4J" com.ibm.di.loader.IDILoader com.ibm.di.server.RS "$@"

For example:

"$TDI_JAVA_PROGRAM" $TDI_MIXEDMODE_FLAG -cp "$TDI_HOME_DIR/IDILoader.jar" "$LOG_4J" -Dweblogic.MaxMessageSize=2000000000 com.ibm.di.loader.IDILoader com.ibm.di.server.RS "$@"

 

 

If, after setting the MaxMessageSize value to 2000000000, the reconciliation operation fails with the error "java.lang.OutOfMemoryError", increase the Tivoli Directory Integrator java heap size as follows.

Add or update the following arguments in the Tivoli Directory Integrator java command options:

-Xms<initial heap size> -Xmx<maximum heap size>

The defaults are:

-Xms32m -Xmx128m

On the Windows operating system

1. Change directories to Drive:\ProgramFiles\IBM\TDI\V7.0\timsol\

2. Locate the file ibmdiservice.props and update the jvmcmdoptions property.

For example:

jvmcmdoptions=-Xms64m -Xmx256m -Dweblogic.MaxMessageSize=2000000000

On the UNIX operating system

1. Change directories to /opt/IBM/TDI/V7.0/

2. Locate the file ibmdisrv and edit the following line (shown here as it reads after the MaxMessageSize change above).

"$TDI_JAVA_PROGRAM" $TDI_MIXEDMODE_FLAG -cp "$TDI_HOME_DIR/IDILoader.jar" "$LOG_4J" -Dweblogic.MaxMessageSize=2000000000 com.ibm.di.loader.IDILoader com.ibm.di.server.RS "$@"

For example:

"$TDI_JAVA_PROGRAM" $TDI_MIXEDMODE_FLAG -cp "$TDI_HOME_DIR/IDILoader.jar" "$LOG_4J" -Xms64m -Xmx256m -Dweblogic.MaxMessageSize=2000000000 com.ibm.di.loader.IDILoader com.ibm.di.server.RS "$@"
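Both procedures above (raising -Dweblogic.MaxMessageSize, then the -Xms/-Xmx heap settings) amount to editing one JVM option string in two places: the jvmcmdoptions property of ibmdiservice.props on Windows and the java launch line of ibmdisrv on UNIX. The shell helpers below are an added example, not part of the IBM release notes or of the adapter. They assume that jvmcmdoptions is a plain key=value line and that ibmdisrv starts the server on the single line containing com.ibm.di.loader.IDILoader; the sample file contents in demo_run are constructed. check_jvm_options flags the two typos that make the launch fail: whitespace around "=" and a dash that is not an ASCII hyphen, either of which the java launcher takes as the name of the main class instead of an option.

```shell
#!/bin/sh
# Added example (not from the IBM release notes): apply the MaxMessageSize and
# heap settings from the troubleshooting steps idempotently.
# Assumptions: jvmcmdoptions is a "key=value" line in ibmdiservice.props, and
# ibmdisrv launches the server on the one line containing
# com.ibm.di.loader.IDILoader. Sample files below are constructed.
set -e

# render_jvm_options CURRENT PREFIX VALUE
# Prints CURRENT (space-separated JVM options) with the option that starts
# with PREFIX replaced by PREFIX+VALUE, or appended if no such option exists.
#   render_jvm_options "-Xms32m -Xmx128m" -Xmx 256m
#   render_jvm_options "-Xms32m" -Dweblogic.MaxMessageSize= 2000000000
render_jvm_options() {
    current=$1; prefix=$2; value=$3
    out=""; found=0
    for tok in $current; do
        case $tok in
            "$prefix"*) tok="$prefix$value"; found=1 ;;
        esac
        out="$out $tok"
    done
    [ "$found" -eq 1 ] || out="$out $prefix$value"
    printf '%s\n' "${out# }"
}

# check_jvm_options OPTS
# Returns 0 when every token is a -D system property or an -X option.
# A bare "=", a bare value ("2000000000") or a token starting with a
# non-ASCII dash fails the check.
check_jvm_options() {
    for tok in $1; do
        case $tok in
            -D*|-X*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# set_props_option FILE PREFIX VALUE
# Updates (or creates) the jvmcmdoptions line of an ibmdiservice.props file.
set_props_option() {
    file=$1; prefix=$2; value=$3
    current=$(sed -n 's/^[Jj]vmcmdoptions[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1)
    new=$(render_jvm_options "$current" "$prefix" "$value")
    if grep -q '^[Jj]vmcmdoptions' "$file"; then
        awk -v line="jvmcmdoptions=$new" \
            '/^[Jj]vmcmdoptions/ { print line; next } { print }' "$file" > "$file.tmp"
    else
        { cat "$file"; printf 'jvmcmdoptions=%s\n' "$new"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# set_ibmdisrv_option FILE PREFIX VALUE
# Replaces the option on the java launch line of ibmdisrv, or inserts it just
# before com.ibm.di.loader.IDILoader, where the steps above place it.
set_ibmdisrv_option() {
    file=$1; prefix=$2; value=$3
    awk -v prefix="$prefix" -v value="$value" '
        index($0, "com.ibm.di.loader.IDILoader") {
            n = split($0, tok, " "); found = 0
            for (i = 1; i <= n; i++)
                if (index(tok[i], prefix) == 1) { tok[i] = prefix value; found = 1 }
            out = ""
            for (i = 1; i <= n; i++) {
                if (!found && tok[i] == "com.ibm.di.loader.IDILoader") out = out " " prefix value
                out = out " " tok[i]
            }
            print substr(out, 2); next
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# demo_run: constructed stand-ins for ibmdiservice.props and ibmdisrv.
demo_run() {
    props=$(mktemp); srv=$(mktemp)
    printf 'jvmcmdoptions=-Xms32m -Xmx128m\n' > "$props"
    printf '"$TDI_JAVA_PROGRAM" $TDI_MIXEDMODE_FLAG -cp "$TDI_HOME_DIR/IDILoader.jar" "$LOG_4J" com.ibm.di.loader.IDILoader com.ibm.di.server.RS "$@"\n' > "$srv"
    for f in set_props_option set_ibmdisrv_option; do
        "$f" "$props" -Dweblogic.MaxMessageSize= 2000000000 2>/dev/null || true
    done
    set_props_option "$props" -Xmx 256m
    set_ibmdisrv_option "$srv" -Dweblogic.MaxMessageSize= 2000000000
    set_ibmdisrv_option "$srv" -Xmx 256m
    cat "$props"; cat "$srv"
    rm -f "$props" "$srv"
}

demo_run
```

Substitute the real paths from the steps above for the temporary files in demo_run, and keep a copy of the original ibmdisrv before editing it, since it is the launcher for the whole Directory Integrator server.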

 

 

Customizing or Extending Adapter Features

IBM Tivoli Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

 

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:

 

·         IBM Tivoli Identity Manager administration

·         IBM Tivoli Directory Integrator management

·         IBM Tivoli Directory Integrator Assembly Line development

·         LDAP schema management

·         Working knowledge of Java scripting language

·         Working knowledge of LDAP object classes and attributes

·         Working knowledge of XML document structure

 

Note: If the customization requires a new Tivoli Directory Integrator connector, the developer must also be familiar with Tivoli Directory Integrator connector development and have a working knowledge of the Java programming language.

 

IBM Tivoli Identity Manager Resources:

Check the Learn section of the IBM Tivoli Identity Manager Support web site for links to training, publications, and demos.

 

Tivoli Directory Integrator Resources:

Check the Learn section of the IBM Tivoli Directory Integrator Support web site for links to training, publications, and demos.

 

IBM Tivoli Identity Manager Adapter Development:

Adapter Development Tool 

The Adapter Development Tool, ADT, is a tool used by IBM Tivoli Identity Manager (ITIM) customers and consultants to create custom TIM adapters. It reduces adapter delivery time by about 50% and it helps in the development of custom adapters. The Adapter development tool is available on the IBM Open Process Automation Library (OPAL).

 

Support for Customized Adapters

The integration to the Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

 

Supported Configurations

Installation Platform

The IBM Tivoli Identity Manager RSA Authentication Manager Adapter was built and tested on the following product versions.

 

Adapter Installation Platform: 

 

This adapter installs into Tivoli Directory Integrator (TDI) and may be installed on any platform supported by the TDI product and supported by the target system libraries or client, where applicable. IBM recommends installing TDI on each node of the ITIM WAS Cluster and then installing this adapter on each instance of TDI. Supported TDI versions include:

 

IBM Tivoli Directory Integrator 7.1 with Fix Pack 5 or later

IBM Tivoli Directory Integrator 7.1.1 with Fix Pack 2 or later

Security Directory Integrator 7.2

 

 

Managed Resource:

RSA Authentication Manager 7.1 SP4

RSA Authentication Manager 8.0

RSA Authentication Manager 8.1

IBM Tivoli Identity Manager:

IBM Tivoli Identity Manager 5.1 with Fix Pack 3 or above

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

Intellectual Property Licensing

Legal and Intellectual Property Law

IBM Japan, Ltd.

1623-14, Shimotsuruma, Yamato-shi

Kanagawa 242-8502 Japan

 

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

 

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

 

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

 

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

 

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

 

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

 

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758  U.S.A.

 

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

 

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

 

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

 

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

 

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

 

COPYRIGHT LICENSE:

 

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

 

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

 

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

 

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

 

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

 

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

 

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

 

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

 

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

 

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

 

UNIX is a registered trademark of The Open Group in the United States and other countries.

 

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

 

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.

 

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

 

 

 

End of Release Notes