IBM Tivoli Identity Manager IBM Tivoli Access Manager Combo Adapter 5.1.24 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Tivoli Identity Manager IBM Tivoli Access Manager Combo Adapter.
These Release Notes contain information that was not available when the following IBM Tivoli Identity Manager manual was printed:
· IBM Tivoli Identity Manager IBM Security Access Manager Adapter Installation and Configuration Guide
The IBM Tivoli Access Manager Combo Adapter is designed to create and manage accounts on the IBM Security Access Manager for Web server. The adapter runs in "agentless" mode and communicates with the managed systems using the IBM Security Access Manager Registry Direct API and Administration API.
IBM recommends installing this adapter (and the prerequisite IBM Tivoli Directory Integrator) on each node of the IBM Tivoli Identity Manager WebSphere Application Server (WAS) cluster. However, the ITAM Java Runtime Environment can only be configured for one ISAM server. If multiple IBM Tivoli Identity Manager services are required, multiple instances of ITDI can be installed, each pointing to a different ITAM server. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Tivoli Identity Manager Provisioning Policies and Approval Workflow process. Refer to the IBM Tivoli Identity Manager Knowledge Center for a discussion of these topics.
IBM Tivoli Identity Manager adapters are powerful tools that require Administrator Level authority.
Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Tivoli Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task.
IBM recommends that this adapter run with administrative (sec_master) permissions.
Adapter Version
Component | Version
Build Date | 2015 May 08 11.08.51
Adapter Version | 5.1.24
Component Versions | Adapter build: 5.1.24.113, Profile: 5.1.24.113, Connector: 5.1.24.113, Dispatcher 5.1.35 (or higher, packaged separately)
Documentation | Tivoli Access Manager Combo Adapter
New Features
Enhancement # (FITS) | Description

Items included in current release
| Add support for ISAM 9.0.

Items included in 5.1.23 version
RFE17072 | Add ability to manage Max Password Age on each account.
RFE56722 | Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited.
RFE33651 | Add ability to synchronize the user password to GSO credentials during account create.
RFE61605 | Boolean flag attributes are always converted to lowercase before their value is checked.

Items included in 5.1.22 version
INT117543 | During an add using import, reset the password valid flag if specified in the request.
RFE38245 | When creating an account by importing from the user registry, a password no longer has to be provided.

Items included in 5.1.21 version
INT104055 | Support ISAM 8.0.

Items included in 5.1.20 version
RFE17107 | TAM Combo should return "communication error" so that ISIM will retry transactions.
RFE24649 | TIM adapter for TAMeb needs better support for High Availability environments.
MR0927103938 | Functional enhancement on retry behavior of TAM Combo Adapter.
RFE23085 | LDAP fault tolerance.
INT90344 | Support the use of Registry Direct API for all operations.

Items included in 5.1.19 version
RFE27977 | Adapter should be able to reconcile the secPwdLastChanged attribute value from TAM LDAP. See "Configuration Notes" for more detail.
INT61130 | Further improve the recon performance.

Items included in 5.1.18 version
INT69654 | Support ISAM 7.0.

Items included in 5.1.17 version
INT61483 | Document that the Registry Direct API does not reconcile all inetorgperson attributes by default.
INT62338 | Improve exception handling for reconciling malformed accounts.
INT60234 | Support password change and SSO cred sync during restore operation.
INT000016 | Make last login information available for detecting dormant accounts.
INT60157 | Add more debug logging around the use of various ITAM APIs.
INT48523 | Better handle failures when synchronizing the password to SSO creds.
RFE7311 | Support SecPwdLastUsed attribute with ITAM Combo.

Items included in 5.1.15 version
INT49884 | Report RDN changes as errors instead of ignoring them.

Items included in 5.1.14 version
INT47934 | Support reconciliations using the ITAM 6.1.1 Registry Direct API for ITAM 6.1 deployments.
INT47711 | Merge adapter profiles into one.
INT45044 | Improve performance of change password operations requiring multiple SSO cred updates.
INT44852 | Add ITAM Combo dispatcher parameters tab.
INT47645 | Improve documentation around deletion of group membership when deleting an ITAM account.
MR0304096333 | ITAM Connector: ITAM account password change performs unnecessary group attribute processing.

Items included in 5.1.13 version
MR0824091226 | Allow GSO credentials to be removed from an ITAM account without recon.
INT34391 | Update Release Notes to support the common ITIM Adapter format.
MR0523115431 | The debug lines for eritamldapconndebug and eritamtamconndebug should be uncommented in service.def.
INT033636 | Performance increase.
MR0121114310 | ITAM Combo: Enhance ITAM Combo Adapter reconciliation performance.
MR0603116412 | Recons are slow when there are groups with large memberships.
MR0820104534 | When un-checking GSO User and removing a credential, a warning is returned.
INT000068 | Support for ITDI 7.1.
INT000023 | ITAM API and LDAP recon get single-valued cn.
MR0225115739 | ITAM Combo Adapter always runs a full reconciliation against ITAM.
Closed Issues
CMVC# | APAR# | PMR# / Description

Items closed in current version
INT123097 | Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request.

Items closed in 5.1.23 version
INT102186 | The previously deprecated LDAP profile has been removed. Any installation that was using the LDAP profile must review the ITAM service configuration in ITIM after loading the new profile. The service form is different, and some fields will need to be set.

Items closed in 5.1.22 version
INT113655 | Admin API recon failed at the first account with an invalid secDN value. It now works the same as the Registry Direct API, which by default skips malformed accounts.
IV66665 | Usage of DateFormat is now thread safe.
IV61599 | Additional fix for IV57391 when multiple entries have the same cn.

Items closed in 5.1.21 version
IV55948 | The eritammaxfailedlogon value was not returned during TAM API method reconcile if the value is 0 on the account in TAM.
IV59302 | "Not supported" exception when provisioning GSO credentials.
IV57391 | User create operation fails when there are multiple registry users with the same cn.
IV58743 | The 5.1.20 adapter no longer ignored empty cred password changes as 5.1.18 and earlier did.

Items closed in 5.1.20 version
IV49202 | TAM Combo adapter doesn't sufficiently clarify details for SSL configuration and/or Windows 2008 R2 configuration setup.
INT97699 / IV51419 | Adapter reports "NoSuchMethodError" for "getLastPwdChange" when modifying or reconciling accounts for TAM 6.1.

Items closed in 5.1.19 version
IV37130 | Multiple TAM Combo password change requests submitted at the same time can cause the ITDI RMI Dispatcher to hang.
DEF65419 | Fix documentation error for "Change Password on Next Login" attribute. See "Corrections to Installation Guide" for more detail.

Items closed in 5.1.18 version
IV12423 | Managing passwords when restoring accounts.
IV24410 | ITAM Combo profile import issue with countryCode and userPrincipalName attributes.

Items closed in 5.1.15 version
IV18596 | Error during change password when the ITAM domain is not the default.
DEF54233 | Profile upgrade causes null "ITAM Registry Type" error.
IV16868 | Conflicting attribute OID in the schema of the ITAM Combo adapter during 5.0 to 5.1 version upgrade.

Items closed in 5.1.14 version
IV11692 | ITAM Combo Adapter does not handle "\" (backslash) in an ITAM DN.
IV09586 | Account with uppercase CN not reconciled using "ITAM Registry Direct API".

Items closed in 5.1.13 version
103752 | TDI Dispatcher text field incorrectly documented as optional.

Items closed in 5.1.12 version
None.

Items closed in 5.1.11 version
Updated release notes to refer to the Installation Guide (MR042110398).
98115 | IZ68193 | Documentation update: the adapter does not support modifying CN, UID or principal name.
100659 | IZ74337 | ITDI JavaScript error during change password results in requests hung in pending state in ITIM.
36239 | PMR 54834,033,000 / Clarify ITAM JRTE configuration process.
IZ51203 | ITAM Combo always changes the password, even if eritamssosync is set to false.
94235 | IZ63674 | PMR 91781,7TD,000,12428,227,000 / ITAM Combo looks up all users during a group modify.
Known Issues
CMVC# | APAR# | PMR# / Description
85051 | When the ITAM API method of reconciliation is used to reconcile ITAM accounts and an ITAM account already in the ITIM registry becomes malformed, ITIM identifies the malformed account as no longer existing and deletes it from the ITIM registry. If the malformed ITAM account is not already among ITIM's known ITAM accounts, the account is not added. ITIM gives no warning or failure message in either case. See the Installation Guide for how to change the adapter configuration regarding this issue.
| During the creation of ITAM accounts when ITAM is configured against Windows Active Directory, the account is created as a GSO user even when Single Signon Capability for the account is not checked (that is, there is no request to create the account as a GSO user). This reflects how ITAM itself administers accounts. If GSO credentials are supplied in the same request, they are created without any warning that the ITAM account does not have Single Signon Capability.
93688 | When ITAM is configured against Windows Active Directory, the ITAM account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new ITAM Combo service account through the ITIM web console, the "Full name" specified in the account form must be the same as the "cn" portion of the Distinguished Name: if a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then the "Full name" must also be set to JohnSmith. Not doing so can result in account modification issues.
| The adapter does not check the syntax of any non-ITAM account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax. A possible consequence is that operations such as account creation may fail.
| If an account already has SSO credentials and the Single Signon Capability checkbox is cleared during a MODIFY operation, the credentials are deleted in the ITAM registry but not in ITIM. A reconciliation is needed to synchronize the account attributes.
| If password synchronization is configured to synchronize passwords from WebSEAL via ITIM to other person accounts, synchronization with SSO credential passwords is not supported. Synchronization with SSO credential passwords is supported only if the password change is initiated from ITIM and the corresponding TDI Assembly Line is executed.
| If password synchronization is configured to synchronize passwords from WebSEAL, the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the ITIM Server.
| Due to the effort to merge two profiles into one, the LDAP schema OID of an existing attribute had to change. When upgrading the adapter profile to 5.1.14 or later from 5.x.13 or earlier, the following change must be made in <tds_instance_home>/etc/V3.modifiedschema of ITIM's directory server before installing the new profile. Change
Known Limitations
CMVC# | APAR# | PMR# / Description
| The adapter does not support modifying the last name (sn) attribute of an ITAM account when the ITAM Administration API is used, since that API does not support modifying the last name.
| Management of non-standard ITAM account attributes is only available for user registries supported by the Registry Direct API.
| The IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, the Registry Direct API and management of non-standard ISAM account attributes are not supported by the adapter for appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify the "mail" attribute of a user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4.
| Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization made to improve reconciliation performance. To reconcile the inetorgperson attributes, edit the "tamSearch" assembly line in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Refer to the related technote for more details.
| The adapter does not support multiple values for CN during the account add operation, due to limitations in the ITAM API. The default account form uses an editable text list, but this is only for displaying reconciled CN values in support of feature INT000023.
| The adapter does not support modification of UID, CN, principal name, or any attribute that forms part of the Distinguished Name (DN).
| Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default
| Filtered reconciliation on groups is not supported.
| When the "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in ITAM but this is not reflected in ITIM. This is because the RMI protocol does not allow the response to contain the updated account information. To work around this limitation, edit the "modify" operation workflow for the "TAM Account" entity to delete the "eritamcred" attribute when the "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before the "MODIFYACCOUNT" extension: var accountObj = account.get();
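The following is an added example, not part of the original release notes or of the adapter's shipped workflow, of the script-element logic described above: before MODIFYACCOUNT runs, drop "eritamcred" from the ITIM account when "eritamsinglesign" is "false", so ITIM's copy matches what ITAM does to the credentials (the behaviour described under Known Issues and Known ITAM Issues). The DirectoryObject and RelevantData classes are stand-ins for the ITIM workflow objects returned by account.get() and consumed by account.set(), so the logic can be run outside ITIM; the credential value strings are constructed placeholders, not the real eritamcred format. Only the commented script at the end is what would be pasted into the workflow.

```javascript
"use strict";

// Stand-in for the ITIM DirectoryObject used in workflow scripts: multi-valued
// attributes keyed by (case-insensitive) schema name, with getProperty /
// setProperty / removeProperty as the ITIM JavaScript extension exposes them.
function DirectoryObject(attrs) {
  this.attrs = {};
  for (var name in attrs) {
    this.attrs[name.toLowerCase()] = attrs[name].slice();
  }
}
DirectoryObject.prototype.getProperty = function (name) {
  var v = this.attrs[name.toLowerCase()];
  return v ? v.slice() : [];
};
DirectoryObject.prototype.setProperty = function (name, values) {
  this.attrs[name.toLowerCase()] = values.slice();
};
DirectoryObject.prototype.removeProperty = function (name) {
  delete this.attrs[name.toLowerCase()];
};

// Stand-in for the workflow's "account" relevant data item (get()/set()).
function RelevantData(obj) {
  this.obj = obj;
  this.setCalls = 0;
}
RelevantData.prototype.get = function () { return this.obj; };
RelevantData.prototype.set = function (obj) { this.obj = obj; this.setCalls++; };

// Boolean flags are compared case-insensitively (RFE61605), so "False" and
// "FALSE" disable SSO as well. A missing flag means the request does not touch
// SSO, and the credentials must be left alone.
function ssoDisabled(accountObj) {
  var values = accountObj.getProperty("eritamsinglesign");
  if (values.length === 0) return false;
  return String(values[0]).toLowerCase() === "false";
}

// ITAM deletes the GSO credentials once the user is no longer a GSO user; this
// removes eritamcred from the ITIM side of the modify request so no recon is
// needed afterwards. Returns true when the account was changed.
function stripCredsWhenSsoDisabled(account) {
  var accountObj = account.get();
  if (ssoDisabled(accountObj) && accountObj.getProperty("eritamcred").length > 0) {
    accountObj.removeProperty("eritamcred");
    account.set(accountObj);
    return true;
  }
  return false;
}

// Constructed sample: an account with two (placeholder) GSO credentials and an
// optional eritamsinglesign value as it would arrive in a modify request.
function sampleAccount(ssoFlag) {
  var attrs = { eritamcred: ["resource-a|placeholder", "resource-b|placeholder"] };
  if (ssoFlag !== undefined) attrs.eritamsinglesign = [ssoFlag];
  return new RelevantData(new DirectoryObject(attrs));
}

// Script element to place before the MODIFYACCOUNT extension of the "TAM
// Account" modify workflow, with the helpers above inlined:
//   var accountObj = account.get();
//   var sso = accountObj.getProperty("eritamsinglesign");
//   if (sso.length > 0 && String(sso[0]).toLowerCase() == "false") {
//     accountObj.removeProperty("eritamcred");
//     account.set(accountObj);
//   }
```

The check on the existing eritamcred values avoids calling account.set() on requests that never carried credentials, and the missing-flag case is deliberately a no-op so a modify that only changes, say, the description does not silently wipe credentials.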
Known ITAM Issues
CMVC# | APAR# | PMR# / Description
IV71775 | The "com.tivoli.pd.rgy.jar" API library that can be downloaded from the ISAM v8.0.1 appliance includes an incorrect search that does not return GSO-enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance.
| Certain user management functions (for example, enabling GSO) in ITAM do not work if the user ID contains ",", so "," in the user ID is not supported by the adapter.
| When the Single Signon Capability of an ITAM user account is disabled (that is, the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence, when disabling Single Signon Capability for an ITAM user account from ITIM, attempting to delete or modify resource credentials for that account in the same request results in "successful with warning", because the GSO credentials cannot be found.
| The ITAM Java Admin API does not allow a CN to be specified when creating a group. This is reflected in the adapter, which does not manage this attribute when adding or modifying groups.
| If ITAM is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description remains unchanged.
| If ITAM is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and the first RDN value of the user DN must be the same. This is reflected in the adapter: the User ID and the first RDN value in the user Distinguished Name must be the same.
| If ITAM is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328).
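Three of the items above (known issue 93688, the "," in user ID restriction, and the pdadmin import rule for Active Directory) are constraints the adapter does not validate for you. The following is an added example, not adapter code, of a pre-flight check that a request-validation script could apply before an Active Directory-backed ITAM account request is submitted. The request object shape (dn, cn, uid) is an assumption made for this example, and the DN parser honours the backslash escapes that an ITAM DN may contain (the case from IV11692), so an escaped comma inside the first RDN is not mistaken for an RDN separator.

```javascript
"use strict";

// Return the first RDN of an LDAP DN as {type, value}, decoding RFC 4514
// backslash escapes: "\," and "\\" (single escaped character) and "\2C"
// (two-digit hex pair). Returns null when no "type=value" pair is found.
function firstRdn(dn) {
  var i = 0, out = "";
  while (i < dn.length) {
    var ch = dn.charAt(i);
    if (ch === "\\") {
      var hex = dn.substr(i + 1, 2);
      if (/^[0-9A-Fa-f]{2}$/.test(hex)) {
        out += String.fromCharCode(parseInt(hex, 16));
        i += 3;
      } else {
        out += dn.charAt(i + 1);
        i += 2;
      }
    } else if (ch === ",") {
      break;                       // unescaped comma ends the first RDN
    } else {
      out += ch;
      i += 1;
    }
  }
  var eq = out.indexOf("=");
  if (eq < 0) return null;
  return {
    type: out.substring(0, eq).trim().toLowerCase(),
    value: out.substring(eq + 1).trim()
  };
}

// Collect the mismatches that cause trouble only after the account exists:
// cn must equal the first RDN value (93688), the user ID must equal it too
// (pdadmin import rule reflected by the adapter), and the user ID must not
// contain a comma (GSO enablement fails on it). Comparisons are exact, since
// the registry is case-preserving and the adapter matches the literal value.
function checkAdAccountRequest(req) {
  var problems = [];
  var rdn = firstRdn(req.dn);
  if (!rdn) {
    problems.push("dn has no first RDN");
    return problems;
  }
  if (rdn.type !== "cn") {
    problems.push("first RDN of dn is " + rdn.type + ", expected cn");
  }
  if (req.cn !== rdn.value) {
    problems.push("cn '" + req.cn + "' differs from first RDN value '" + rdn.value + "'");
  }
  if (req.uid !== rdn.value) {
    problems.push("user ID '" + req.uid + "' differs from first RDN value '" + rdn.value + "'");
  }
  if (req.uid.indexOf(",") >= 0) {
    problems.push("user ID contains ',' which ITAM GSO functions do not support");
  }
  return problems;
}

// Constructed sample requests: the release-notes example DN, a mismatched
// "Full name", and a DN whose first RDN carries an escaped comma.
var sampleRequests = {
  ok:        { dn: "cn=JohnSmith,o=myCompany,c=com", cn: "JohnSmith",   uid: "JohnSmith" },
  badCn:     { dn: "cn=JohnSmith,o=myCompany,c=com", cn: "John Smith",  uid: "JohnSmith" },
  commaInId: { dn: "cn=Smith\\, John,o=myCompany,c=com", cn: "Smith, John", uid: "Smith, John" }
};
```

Run checkAdAccountRequest on each request before handing it to ITIM; a non-empty result is a request the adapter would accept but that later modifies would trip over.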
See the IBM Tivoli Identity Manager Adapter Installation Guide for detailed instructions.
Corrections to Installation Guide
The following corrections to the Installation Guide apply to this release:
· For an ITIM installation that uses Sun Directory Server, use itamprofileSunDS.jar to install the profile.
· In "Table 5. Standard attributes supported by the Tivoli Access Manager Combo Adapter", the "Change Password on Next Login" attribute is incorrectly documented as "Do Not Change Password on Next Login".
· The section "Configuring the Tivoli Access Manager Registry Direct API for Java System" is now relevant to all operations, because the adapter now uses the Registry Direct API for all operations if configured to do so.
· In "Creating a Tivoli Access Manager Combo service", "Reconciliation Method" no longer exists in the service form; instead a new form field called "TAM API" has been added. Valid values are "TAM Administration API" and "Registry Direct API". This setting specifies which TAM API the adapter uses for all its provisioning operations.
· In "Creating a Tivoli Access Manager Combo service", a new form field called "Enable GSO Support" has been added. If checked, the adapter manages GSO-related account attributes and resource objects. When managing GSO-related attributes and objects, the adapter uses the TAM Administration API regardless of the value of the "TAM API" field in the service form, because the Registry Direct API does not support GSO management.
· In "Creating a Tivoli Access Manager Combo service", the "Registry Setup" tab no longer exists, because the user registry configuration is now specified during the configuration of the TAM API via SvrSslCfg.
· The sections "Customizing adapter to use non-default IBM Tivoli Access Manager configuration for user entry", "Customizing adapter to use non-default IBM Tivoli Access Manager configuration for group entry", "Customizing adapter to work with multiple directory servers" and "Configuring SSL for Tivoli Directory Integrator and Windows Active Directory" are no longer relevant, because the adapter now only uses the ITAM API to communicate with the Access Manager Policy Server and the user registry.
Configuration Notes
The following configuration notes apply to this release:
Managing passwords when restoring accounts
How each restore action interacts with its corresponding managed resource depends on either the managed resource, or the business processes that you implement. Certain resources reject a password when a request is made to restore an account. In this case, you can configure IBM Tivoli Identity Manager to forego the new password requirement. You can set the TAM Combo Adapter to require a new password when the account is restored, if your company has a business process in place that dictates that the account restoration process must be accompanied by resetting the password.
In the service.def file, you can define whether a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml file. Adapter profile components also enable remote services to find out if you discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this situation, only some of the accounts being restored might require a password. Remote services will discard the password from the restore action for those managed resources that do not require them.
Edit the service.def file to add the new protocol options, for example:
<property name="com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
<value>true</value>
</property>
<property name="com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
<value>false</value>
</property>
By adding the two options in the example above, you ensure that you are not prompted for a password when an account is restored; because PASSWORD_NOT_ALLOWED_ON_RESTORE is false, a password supplied with the restore request is still accepted.
Enabling Last Login Information
For ITAM 6.1.1 or above, the adapter supports reconciling the last login information for the purpose of determining dormant accounts. To enable this feature, all ITAM servers must be configured to record the last login information. For example, in webseald.conf, ensure the following parameter is set:
enable-last-login = yes
In addition, the ITAM Policy Server must be configured to return the last login information. For example, in ivmgrd.conf, set the following parameter:
provide-last-login = yes
For more information, please refer to the ITAM documentation.
Password Last Changed Attribute
The adapter now supports reconciling the password last changed information from ITAM if ITAM is configured to record this information upon password change. A new attribute has been added to the account object:
Account form label: Password Last Changed
Schema name: eritampwdlastchanged
Data type: Directory String
This attribute is read-only and by default is not included in the account form.
Support for High Availability
Support for high availability is provided via the use of Access Manager's Registry Direct API, which eliminates the dependency on the Access Manager Policy Server. The Registry Direct API can be configured against multiple directory servers for failover as well as load balancing. For more information about configuring the Registry Direct API, see Appendix D. Registry Direct Java API ("Installation and configuration") in IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference.
Due to the limitations in Registry Direct API, high availability is not supported for
· Active Directory and Domino user registries
· ITAM versions older than 6.1.1 FP 6
· GSO management including the lifecycle management of GSO enabled accounts
Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.
IBM Tivoli Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Getting Started
Customizing and extending adapters requires a number of additional skills.
The developer must be familiar with the following concepts and skills prior to beginning the modifications:
Installation Platform
The IBM Tivoli Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries.
Consult your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used.
Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents.
You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication.
IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites.
The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment.
Therefore, the results obtained in other operating environments may vary significantly.
Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary.
Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms.
You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written.
These examples have not been thoroughly tested under all conditions.
IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.