
Tivoli® Identity Manager

LDAP Adapter Installation and Configuration Guide

Version 4.6

SC32-1754-00


Note:

Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 37.

Second Edition (November 2006)

This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise

indicated in new editions.

© Copyright International Business Machines Corporation 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract

with IBM Corp.

Contents

Preface  v
  Who should read this book  v
  Publications and related information  v
    Tivoli Identity Manager library  v
    Prerequisite product publications  vii
    Related publications  viii
    Accessing publications online  viii
  Accessibility  viii
  Support information  viii
  Conventions used in this book  ix
    Typeface conventions  ix
    Operating system differences  ix
    Definitions for HOME and other directory variables  ix

Chapter 1. Overview of the LDAP adapter  1
  Features of the adapter  1
  Architecture of the adapter  1
  Supported configurations  2

Chapter 2. Installing and configuring the LDAP adapter  3
  Software and operating system requirements  3
  Installing the LDAP adapter  3
  Importing the adapter profile into the IBM Tivoli Identity Manager server  4
  Creating an LDAP service  5
  Starting and stopping the adapter service  6

Chapter 3. Configuring the LDAP adapter  9
  Customizing the LDAP adapter profile  9
  Standard parameters  10
  Standard attributes  11
  Configuration properties of the adapter  11
  Customizing operations for the directory server  12
    Suspending user accounts  12
    Restoring user accounts  13
    Searching for user accounts  13
    Change the RDN attribute for the group account  13
    Add support for a new user/group object class  14
    Configure the base points  14
    Add support for a new directory server  14
  Changing the port number for the RMI Dispatcher  14
  Configuring logging for the adapter  14
    Naming the log file  15
    Sizing the log file  15
    Configuring logging levels  15
    Displaying logs in the user interface  15
    Appending information to an existing log file  16
  Managing passwords when restoring accounts  16

Chapter 4. Configuring SSL authentication for the LDAP adapter  17
  Overview of SSL and digital certificates  17
    Private keys, public keys, and digital certificates  18
    Self-signed certificates  18
  The use of SSL authentication  19
  Configuring certificates for SSL authentication  20
    Configuring certificates for one-way SSL authentication  20
    Configuring certificates for two-way SSL authentication  22

Chapter 5. Verifying the LDAP adapter profile installation  25

Chapter 6. Troubleshooting the LDAP adapter installation  27
  Warning and error messages  27
  Logging information format  29

Chapter 7. Uninstalling the LDAP adapter  31

Appendix A. Support information  33
  Searching knowledge bases  33
    Search the information center on your local system or network  33
    Search the Internet  33
  Contacting IBM Software Support  33
    Determine the business impact of your problem  34
    Describe your problem and gather background information  35
    Submit your problem to IBM Software Support  35

Appendix B. Notices  37
  Trademarks  38

Index  41

© Copyright IBM Corp. 2006 iii

iv IBM Tivoli Identity Manager: LDAP Adapter Installation and Configuration Guide

Preface

This installation guide provides the basic information that you need to install and

configure the IBM® Tivoli® Identity Manager Lightweight Directory Access Protocol

Adapter (LDAP adapter). The LDAP adapter enables connectivity between the IBM

Tivoli Identity Manager server and a system running the directory server. The IBM

Tivoli Identity Manager server is the server for your Tivoli Identity Manager

product.

Who should read this book

This book is intended for directory server security administrators responsible for

installing software on their site’s computer systems. Readers are expected to

understand operating system concepts. The person completing the LDAP adapter

installation procedure must also be familiar with their site’s system standards.

Readers should be able to perform routine security administration tasks.

Publications and related information

Read the descriptions of the IBM Tivoli Identity Manager library. To determine

which additional publications you might find helpful, read the “Prerequisite

product publications” on page vii and the “Related publications” on page viii.

After you determine the publications you need, refer to the instructions in

“Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are

organized into the following categories:

v Release information

v Online user assistance

v Server installation and configuration

v Problem determination

v Technical supplements

v Adapter installation and configuration

Release Information:

v Release Notes

Provides software and hardware requirements for the product, and additional

fix, patch, and other support information.

v Read This First card

Lists the publications for the product.

Online user assistance:

Provides online help topics and an information center for administrative tasks.

Server installation and configuration:

Provides installation and configuration information for the product server.

© Copyright IBM Corp. 2006 v

Problem determination:

Provides problem determination, logging, and message information for the

product.

Technical supplements:

The following technical supplements are provided by developers or by other

groups who are interested in this product:

v Performance and tuning information

Provides information needed to tune your production environment, available on

the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list to locate IBM Tivoli Identity

Manager products. Click the link for your product, and then browse the

information center for the Technical Supplements section.

v Redbooks™ and white papers are available on the Web at:

http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

Browse to the Self Help section, in the Learn category, and click the Redbooks

link.

v Technotes are available on the Web at:

http://www.redbooks.ibm.com/redbooks.nsf/tips/

v Field guides are available on the Web at:

http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

v For an extended list of other Tivoli Identity Manager resources, search the

following IBM® developerWorks® Web address:

http://www.ibm.com/developerworks/

Adapter installation and configuration:

The technical documentation library also includes a set of platform-specific

installation documents for the adapter components of the product. Adapter

information is available on the Web at:

http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home

Click Support & downloads. Browse to the Downloads and drivers. Click the link

for the adapter.

Skills and training:

The following additional skills and technical training information were available at

the time that this manual was published:

v Virtual Skills Center for Tivoli® Software on the Web at:

http://www.cgselearning.com/tivoliskills/

v Tivoli Education Software Training Roadmaps on the Web at:

http://www.ibm.com/software/tivoli/education/eduroad_prod.html

v Tivoli Technical Exchange on the Web at:


http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the

products that are prerequisites for your product. Publications are available from

the following locations:

v Operating systems

– IBM AIX

http://publib16.boulder.ibm.com/pseries/Ja_JP/infocenter/base/index.htm

– Solaris Operating Environment

http://docs.sun.com/app/docs/prod/solaris

– Red Hat Linux

http://www.redhat.com/docs/

– Microsoft® Windows® Server 2003

http://www.microsoft.com/windowsserver2003/proddoc/default.mspx

v Database servers

– IBM DB2 Universal Database

- Support: http://www.ibm.com/software/data/db2/udb/support.html

- Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp

- Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main

- DB2® product family: http://www.ibm.com/software/data/db2

- Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html

- System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html

– Oracle

http://www.oracle.com/technology/documentation/index.html

http://otn.oracle.com/tech/index.html

http://otn.oracle.com/tech/linux/index.html

– Microsoft SQL Server

http://www.msdn.com/library/

http://www.microsoft.com/sql/

v Directory server applications

– IBM Directory Server

http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm

http://www.ibm.com/software/network/directory

– Sun ONE Directory Server

http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

v WebSphere Application Server

Additional information is available in the product directory or at these Web sites:

http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp

http://www.redbooks.ibm.com/

v WebSphere embedded messaging


http://www.ibm.com/software/integration/wmq/

v IBM HTTP Server

http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

Information that is related to your product is available in the following

publications:

v The Tivoli Software Library provides a variety of Tivoli publications such as

white papers, datasheets, demonstrations, redbooks, and announcement letters.

The Tivoli Software Library is available on the Web at:

http://www.ibm.com/software/tivoli/literature/

v The Tivoli Software Glossary includes definitions for many of the technical terms

related to Tivoli software. The Tivoli Software Glossary is available from the

Glossary link of the Tivoli Software Library Web page at:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become

available and whenever they are updated, to the Tivoli software information center

Web site. Access the Tivoli software information center at the following Web

address:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the link for your product to

access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option

in the File → Print window that allows Adobe Reader to print letter-sized

pages on your paper.

Accessibility

The product documentation includes the following features to aid accessibility:

v Documentation is available in convertible PDF format to give the maximum

opportunity for users to apply screen-reader software.

v All images in the documentation are provided with alternative text so that users

with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM

provides the following ways for you to obtain the support you need:

v Searching knowledge bases: You can search across a large collection of known

problems and workarounds, Technotes, and other information.

v Contacting IBM Software Support: If you still cannot solve your problem, and

you need to work with someone from IBM, you can use a variety of ways to

contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix A,

“Support information,” on page 33.


Conventions used in this book

This reference uses several conventions for special terms and actions and for

operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold

v Lowercase commands and mixed case commands that are otherwise

difficult to distinguish from surrounding text

v Interface controls (check boxes, push buttons, radio buttons, spin

buttons, fields, folders, icons, list boxes, items inside list boxes,

multicolumn lists, containers, menu choices, menu names, tabs, property

sheets), labels (such as Tip:, and Operating system considerations:)

v Keywords and parameters in text

Italic

v Words defined in text

v Emphasis of words (words as words)

v New terms in text (except in a definition list)

v Variables and values you must provide

Monospace

v Examples and code examples

v File names, programming keywords, and other elements that are difficult

to distinguish from surrounding text

v Message text and prompts addressed to the user

v Text that the user must type

v Values for arguments or command options

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and

for directory notation.

When using the Windows command line, replace $variable with %variable% for

environment variables and replace each forward slash (/) with a backslash (\) in

directory paths. The names of environment variables are not always the same in

Windows and UNIX. For example, %TEMP% in the Windows operating system is

equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX

conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to

represent the HOME directory level for various product installation paths. You can

customize the installation directory and HOME directory for your specific

implementation. If this is the case, you need to make the appropriate substitution

for the definition of each variable represented in this table.

The value of path varies for these operating systems:

v Windows: drive:\Program Files


v AIX®: /usr

v Other UNIX: /opt

Path variable, default definition, and description:

DB_INSTANCE_HOME
  Windows: path\IBM\SQLLIB
  UNIX:
    AIX, Linux: /home/dbinstancename
    Solaris: /export/home/dbinstancename
  The directory that contains the database for your Tivoli Identity Manager product.

LDAP_HOME
  For IBM Directory Server Version 5.2:
    Windows: path\IBM\LDAP
    UNIX: path/IBM/LDAP
      AIX, Linux: path/ldap
      Solaris: path/IBMldaps
  For IBM Directory Server Version 6.0:
    Windows: path\IBM\LDAP
    UNIX:
      AIX, Solaris: /opt/IBM/ldap/
      Linux: /opt/ibm/ldap/
  For Sun ONE Directory Server:
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
  The directory that contains the directory server code.

IDS_instance_HOME
  For IBM Directory Server Version 6.0:
    Windows: drive\idsslapd-instance_owner_name
      The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is /home/instance_name/idsslapd-instance_name. On Solaris systems, for example, the directory is /export/home/ldapdb2/idsslapd-ldapdb2.
  The directory that contains the IBM Directory Server Version 6.0 instance.

HTTP_HOME
  Windows: path\IBMHttpServer
  UNIX: path/IBMHttpServer
  The directory that contains the IBM HTTP Server code.

ITIM_HOME
  Windows: path\IBM\itim
  UNIX: path/IBM/itim
  The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

WAS_HOME
  Windows: path\WebSphere\AppServer
  UNIX: path/WebSphere/AppServer
  The WebSphere Application Server home directory.

WAS_MQ_HOME
  Windows: path\ibm\WebSphere MQ
  UNIX: path/mqm
  The directory that contains the WebSphere MQ code.

WAS_NDM_HOME
  Windows: path\WebSphere\DeploymentManager
  UNIX: path/WebSphere/DeploymentManager
  The home directory of the Deployment Manager.

ITDI_HOME
  Windows: C:\Program Files\IBM\itim\itdi\home
  UNIX: path/IBM/itim/itdi/home
  The directory where Tivoli Directory Integrator is installed. The ITDI_HOME directory contains the jars/connectors subdirectory, which holds the files for the adapters (for example, the files for the UNIX adapter).
  Note: If Tivoli Directory Integrator is not automatically installed with your Tivoli Identity Manager product, the default directory path for Tivoli Directory Integrator might be path/IBM/IBMDirectoryIntegrator.

Tivoli_Common_Directory
  Windows: path\ibm\tivoli\common\
  UNIX: path/ibm/tivoli/common/
  The central location for all serviceability-related files, such as logs and first-failure data capture.


Chapter 1. Overview of the LDAP adapter

An adapter is a program that provides an interface between a managed resource and the IBM Tivoli Identity Manager server. An adapter might or might not reside on the managed resource; in either case the IBM Tivoli Identity Manager server manages access to the resource through the adapter and your security system. Adapters function as trusted virtual administrators on the target platform, performing tasks such as creating login IDs, suspending IDs, and other functions that administrators normally run manually. The adapter runs as a service, whether or not a user is logged on to the IBM Tivoli Identity Manager server.

The LDAP adapter enables communication between the IBM Tivoli Identity

Manager server and a network of systems running IBM Directory Server or Sun

ONE Directory Server. The following sections provide information about the LDAP

adapter:

v “Features of the adapter”

v “Architecture of the adapter”

v “Supported configurations” on page 2

Features of the adapter

You can use the LDAP adapter to automate the following administrative tasks:

v Creating new users on the directory server

v Modifying user attributes on the directory server

v Changing user account passwords on the directory server

v Suspending, restoring, and deleting user accounts on the directory server

v Reconciling user and group accounts on the directory server

Architecture of the adapter

IBM Tivoli Identity Manager communicates with the LDAP adapter to administer

user accounts. You can perform these actions on an account: Add, Delete, Modify,

Restore, and Suspend. You can also search for account information and change an

account password.

The LDAP adapter consists of AssemblyLines. When the first request from the IBM

Tivoli Identity Manager server is initiated to the LDAP adapter, the AssemblyLines

are loaded into the Tivoli Directory Integrator Server.

The AssemblyLines utilize the Tivoli Directory Integrator LDAP connector to

remotely perform user management related tasks on the directory server, using the

login user ID and password of a user that has administrator privileges.

Figure 1 on page 2 shows the various components that work together to complete

user management tasks in a Tivoli Directory Integrator environment.


For additional information about Tivoli Directory Integrator, see the IBM Tivoli

Directory Integrator 6.0: Getting Started Guide.

Supported configurations

The LDAP adapter supports different configurations. The fundamental components in each environment are an IBM Tivoli Identity Manager server, a Tivoli Directory Integrator Server, a directory server, and the LDAP adapter. In each configuration, the LDAP adapter must reside directly on the server running the Tivoli Directory Integrator Server.

For a single server configuration, you must install the IBM Tivoli Identity Manager

server, Tivoli Directory Integrator Server, and the LDAP adapter on one server. The

server communicates with IBM Directory Server or Sun ONE Directory Server,

which is installed on a different server. Refer to Figure 2.

For information about other supported configurations for the LDAP adapter, refer

to the IBM Tivoli Identity Manager, Version 4.6 Customization and Deployment Guide

for the LDAP Adapter white paper.

Figure 1. The architecture of the LDAP adapter

Figure 2. Example of a single server configuration: one server runs the Tivoli Identity Manager Server and the Tivoli Directory Integrator Server with the LDAP adapter, and communicates with the Directory Server on a separate server.


Chapter 2. Installing and configuring the LDAP adapter

Some adapters might be installed automatically with your IBM Tivoli Identity

Manager product. If your adapter is automatically installed with the product, you

do not need to install the adapter. The LDAP adapter is automatically installed

with IBM Tivoli Identity Manager Express. The following sections provide

information for installing and configuring the adapter.

v “Software and operating system requirements”

v “Installing the LDAP adapter”

v “Importing the adapter profile into the IBM Tivoli Identity Manager server” on

page 4

v “Creating an LDAP service” on page 5

v “Starting and stopping the adapter service” on page 6

Software and operating system requirements

Table 1 identifies the software and operating system requirements for the LDAP

adapter. Verify that all of the requirements have been met before installing the

adapter.

Table 1. Requirements to run the adapter

Requirement: Tivoli Directory Integrator Server
Version: 6.0 Fix Pack 2 Hot Fix 8 or later, or 6.1 Fix Pack 1 Hot Fix 2 or later

Requirement: IBM Tivoli Identity Manager server
Version: 4.6

Requirement: Operating system
Version: any operating system that is supported by Tivoli Directory Integrator

The LDAP adapter must be installed on the same system as the Tivoli Directory

Integrator Server. For information on the minimal system requirements and

supported operating systems for Tivoli Directory Integrator, refer to the IBM Tivoli

Directory Integrator 6.0: Administrator Guide.

Installing the LDAP adapter

If the LDAP adapter is not automatically installed with your IBM Tivoli Identity

Manager product, use the adapter installer to manually install the adapter. To

manually install the adapter, first ensure that the installer is run on the same

system as the Tivoli Directory Integrator Server. Then complete these steps.

Note: All directory paths apply to Windows operating systems. Change the

directory paths as needed for UNIX operating systems.

1. Download the LDAP adapter compressed file from the IBM Web site. Contact

your IBM account representative for the Web address and download

instructions.

2. Extract the contents of the compressed file into a temporary directory and

navigate to that directory.


3. Start the installation program using the setup.exe file in the temporary

directory. For example, select Run... from the Start menu and type

C:\Temp\setup.exe in the Open field.

4. On the Welcome window, click Next.

5. On the License Agreement window, review the license agreement and decide if

you accept the terms of the license. If you do, click Accept, and then click Next.

6. On the Tivoli Directory Integrator Based Adapter Installer window, specify the

location where Tivoli Directory Integrator is installed. You can accept the

default location, or click Browse to specify a different directory. Then, click

Next.

7. On the Installation Summary window, review the installation settings. Click

Back to change any of these settings. Otherwise, click Next to begin the

installation.

8. On the Installation Completed window, click Finish to exit the program.

Importing the adapter profile into the IBM Tivoli Identity Manager

server

An adapter profile defines the types of resources that the IBM Tivoli Identity

Manager server can manage. The profile is used to create an LDAP adapter service

on the IBM Tivoli Identity Manager server. You must import the adapter profile

into the IBM Tivoli Identity Manager server before using the LDAP adapter.

Before you import the adapter profile, verify that the following conditions are met:

v The IBM Tivoli Identity Manager server is installed and running.

v You have root or Administrator authority on the IBM Tivoli Identity Manager

server.

The adapter profile is included in the JAR file for the adapter, LdapProfile.jar. To

import the adapter profile, complete these steps:

1. Log in to the IBM Tivoli Identity Manager server using an account that has the

authority to perform administrative tasks.

Figure 3. Tivoli Directory Integrator Based Adapter Installer window. The dialog, titled IBM Tivoli Directory Integrator Based Dispatcher, asks you to specify the ITDI Home Directory; the Directory Name field defaults to C:\Program Files\IBM\IBMDirectoryIntegrator, with Browse, Back, Next, and Cancel buttons.


2. Import the adapter profile using the import feature for your IBM Tivoli Identity

Manager product. Refer to the information center or the online help for specific

instructions about importing the adapter profile.

When you import the adapter profile, if you receive an error related to the schema, refer to the trace.log file for information about the error. The trace.log file location is specified by the handler.file.fileDir property in the IBM Tivoli Identity Manager enRoleLogging.properties file, which is installed in the ITIM_HOME\data directory.

Creating an LDAP service

You must create a service for the LDAP adapter before the IBM Tivoli Identity

Manager server can use the adapter to communicate with the managed resource.

To create a service, complete these steps:

1. Log in to the IBM Tivoli Identity Manager server using an account that has the

authority to perform administrative tasks.

2. Create the service using the information for your IBM Tivoli Identity Manager

product. Refer to the information center or the online help for specific

instructions about creating a service.

To create or change a service, you must use the service form to provide

information for the service. Service forms might vary depending on the adapter.

The LDAP adapter service form contains the following fields:

Service name

Specify a name that defines this LDAP service on the IBM Tivoli Identity

Manager server.

Description

Optional: Specify a description for this service.

Tivoli Directory Integrator location

Optional: Specify the URL for the Tivoli Directory Integrator instance. Valid

syntax is rmi://ip-address:port/ITDIDispatcher, where ip-address is the

Tivoli Directory Integrator host and port is the port number for the RMI

Dispatcher. For example, you might specify the URL as

rmi://localhost:16231/ITDIDispatcher. See “Changing the port number

for the RMI Dispatcher” on page 14 for information about changing the

port number.

Users base DN

Specify the distinguished name (DN) of the container or base point where

the users are stored. The adapter creates new users under this DN. Also,

search operations return user account entries under this DN. For example,

you might specify the DN as ou=people or dc=com.

The users must be directly under this DN. If the users are in

sub-containers, search operations cannot locate them. To manage users in

multiple containers, create a service for each container.

Groups base DN

Specify the distinguished name (DN) of the container or base point where

the groups are stored. User membership, specified on the account form,

refers to groups in this DN. Also, search operations return group entries

under this DN. For example, you might specify the DN as ou=groups or

dc=com.


The groups must be directly under this DN. If the groups are in

sub-containers, search operations cannot locate them. To manage groups in

multiple containers, create a service for each container.

Users RDN

Specify the relative distinguished name (RDN) attribute for users’ LDAP

entries.

Directory server location

Specify the host and port number of the directory server that the adapter manages. Valid syntax is ldap://ip-address:port, where ip-address is the LDAP server host and port is the LDAP port number. For example, you might specify the URL as ldap://9.38.215.218:389. The scheme is not case-sensitive, so the spelling Ldap:// also works. A plain ldap:// connection on port 389 sends the administrator password and all entry data in clear text unless SSL is configured for the adapter; see Chapter 4, "Configuring SSL authentication for the LDAP adapter," on page 17.

Administrator name

Specify the user name that the adapter binds to the directory server with. The AssemblyLines perform every operation under this identity, so it must be able to search, create, modify, and delete entries under the users and groups base DNs.

Password

Specify the password for the administrator name.

Directory server name

Specify the type of directory server.
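The constraints the service form imposes (the rmi:// and ldap:// URL shapes, the base DN being the immediate parent of every account, and the Users RDN attribute being the first component of each account DN) are easy to get wrong and only surface later as accounts that reconciliation never finds. The following Python is an added example written for this page, not code from the IBM adapter; it is a pre-flight check over the form values using only the standard library. The host names, ports, and DNs under __main__ are constructed for illustration, and the assumption that values of the naming attributes compare case-insensitively is marked in the code.

```python
"""Pre-flight checks for the LDAP adapter service form.

Added example for this page, not code from the IBM adapter.  Standard
library only; the values under __main__ are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

DISPATCHER_PATH = "/ITDIDispatcher"


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], leftmost RDN first.

    Honours backslash escapes (RFC 4514) so a value such as "Smith\\, J"
    stays one component; multi-valued RDNs (a=1+b=2) are rejected because
    the adapter names entries by a single RDN attribute.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        part = part.strip()
        if "=" not in part or "+" in part:
            raise ValueError("unsupported RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _norm(rdns):
    # Attribute types are case-insensitive.  Assumption: the naming attributes
    # (uid, ou, dc, cn) use caseIgnore matching, so values are folded too.
    return [(a, v.lower()) for a, v in rdns]


def is_directly_under(entry_dn, base_dn):
    """True only when entry_dn sits exactly one level below base_dn.

    The adapter searches and creates at that one level, so an account in a
    sub-container of the users base DN is never found; the guide's advice
    is one service per container.
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) == len(base) + 1 and _norm(entry[1:]) == _norm(base)


def check_rdn(entry_dn, rdn_attr):
    """The Users RDN attribute must be the first component of each account DN."""
    return parse_dn(entry_dn)[0][0] == rdn_attr.lower()


def new_account_dn(rdn_attr, rdn_value, users_base_dn):
    """DN the adapter will create: <rdn attr>=<value>,<users base DN>,
    escaping the RFC 4514 special characters that may appear in the value."""
    escaped = re.sub(r'([,+"\\<>;=])', r"\\\1", rdn_value)
    return "%s=%s,%s" % (rdn_attr, escaped, users_base_dn)


def check_dispatcher_url(url):
    """rmi://ip-address:port/ITDIDispatcher, as the service form requires."""
    u = urlsplit(url)
    return (u.scheme == "rmi" and bool(u.hostname)
            and u.port is not None and u.path == DISPATCHER_PATH)


def check_directory_url(url):
    """ldap://ip-address:port.  Returns (ok, warning).  urlsplit folds the
    scheme to lower case, so Ldap:// is accepted; a plain ldap:// connection
    carries the administrator password in clear text unless SSL is configured
    for the adapter (Chapter 4 of the guide), hence the warning."""
    u = urlsplit(url)
    ok = u.scheme == "ldap" and bool(u.hostname) and u.port is not None
    warning = "cleartext LDAP on port %s; configure SSL" % u.port if ok else ""
    return ok, warning


if __name__ == "__main__":
    # Constructed sample form values.
    print(check_dispatcher_url("rmi://localhost:16231/ITDIDispatcher"))
    print(check_directory_url("Ldap://9.38.215.218:389"))
    base = "ou=people,dc=example,dc=com"
    dn = new_account_dn("uid", "Smith, J", base)
    print(dn, is_directly_under(dn, base), check_rdn(dn, "uid"))
    print(is_directly_under("uid=x,ou=contractors," + base, base))
```

Run the checks against the values you intend to enter before creating the service; the one-level test is the one to run against a few real account DNs exported from the directory, because a base DN that is an ancestor but not the direct parent passes a casual inspection and still yields empty reconciliations.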

Starting and stopping the adapter service

After you edit the properties file for the adapter, you must stop and restart the

adapter service in order for the changes to take effect. The method used to stop

and restart the adapter depends on the operating system.

AIX The adapter installer creates a subsystem called ITIMAd when the adapter is first installed. ITIM_RMI.xml is the configuration file. Use these commands to start and stop the adapter service:

startsrc -s ITIMAd

stopsrc -c -s ITIMAd

The adapter service runs the ibmdisrv start script, which starts a Java process that keeps running after the adapter service is stopped. To stop this process, obtain its process ID (PID) and then terminate it.

v To obtain the PID, type ps -ef | grep <ITDI_HOME_DIR>/_jvm/jre/bin/, where ITDI_HOME_DIR is the directory where Tivoli Directory Integrator is installed. Ignore the line for the grep command itself, which also matches the pattern.

v To stop the process, type kill <pid>. Use kill -9 <pid> only if the process is still present a few seconds later; SIGKILL does not let the Java process run its shutdown hooks or flush its logs.

HP-UX

The adapter installer puts the ITIMAd script in the <ITDI_SOL_DIR> directory, where ITDI_SOL_DIR is the directory where Tivoli Directory Integrator is installed. From this directory, type these commands to start, stop, and restart the adapter service.

ITIMAd start

ITIMAd stop

ITIMAd restart

Linux or Solaris

The adapter installer automatically copies the ITIMAd script file to the

/etc/init.d/ directory when the adapter is installed. From the /etc/init.d/

directory, type these commands to start, stop, and restart the adapter

service.

ITIMAd start

6 IBM Tivoli Identity Manager: LDAP Adapter Installation and Configuration Guide

ITIMAd stop

ITIMAd restart

Windows

From the Control Panel, select Administrative Tools > Services. From the

Services menu, you can start and stop the adapter service. The service

name is IBM IBM Tivoli Identity Manager Adapter.


Chapter 3. Configuring the LDAP adapter

This chapter describes the configuration options for the LDAP adapter. For more detailed information about deploying and customizing the adapter, refer to the customization white paper entitled IBM Tivoli Identity Manager, Version 4.6 Customization and Deployment Guide for the LDAP Adapter.

The LDAP adapter is designed to work with the inetOrgPerson object class, a general purpose object class that contains attributes about people. If you are using the inetOrgPerson schema for your directory, the LDAP adapter does not require customization. If your directory uses the UID attribute as the relative distinguished name (RDN), you do not need to customize the adapter. The UID attribute must be the first component of the DN, for example UID=Test User, ou=Accounting.

The LDAP adapter supports a standard set of attributes and object classes for directory servers. Standard user provisioning operations such as add, delete, modify, suspend, restore, change password, search, and test are supported by the LDAP adapter. Because directory server requirements vary, you might need to customize or extend the LDAP schema to support additional attributes or object classes.

The following sections provide information for configuring the adapter.
• “Customizing the LDAP adapter profile”
• “Standard parameters” on page 10
• “Standard attributes” on page 11
• “Configuration properties of the adapter” on page 11
• “Customizing operations for the directory server” on page 12
• “Changing the port number for the RMI Dispatcher” on page 14
• “Configuring logging for the adapter” on page 14
• “Managing passwords when restoring accounts” on page 16

Customizing the LDAP adapter profile

The LDAP adapter is designed to work with the inetOrgPerson object class, a general purpose object class that contains attributes about people. If you are using the inetOrgPerson schema for your directory, the LDAP adapter does not require customization.

To customize the LDAP adapter profile, you must make changes to the LDAP adapter JAR file, LdapProfile.jar. You might customize the adapter profile to make changes to the adapter schema, account form, service form, or profile properties. The LdapProfile.jar file is included in the LDAP adapter compressed file that you downloaded from the IBM Web site. The LdapProfile.jar file contains the following files:
• CustomLabels.properties
• erLDAPAccount.xml
• erLDAPRMIService.xml
• service.def
• schema.dsml
• LdapAL.xml
• LDAPAdd.xml
• LDAPDelete.xml
• LDAPModify.xml
• LDAPTest.xml

To edit the LdapProfile.jar file, complete these steps:
1. Log on to the system where the LDAP adapter is installed.
2. Copy the LdapProfile.jar file into a temporary directory.
3. Extract the contents of the LdapProfile.jar file into the temporary directory by running the following commands:

       # cd /tmp
       # jar -xvf LdapProfile.jar

   The jar command extracts the files into the LdapProfile directory.
4. Edit the file that you want to change.

After you edit the file, you must import the file into the IBM Tivoli Identity Manager server for the changes to take effect. To install the new attributes and the changes made to the file, complete these steps:
1. Create a new JAR file from the files in the /tmp directory by running the following commands:

       # cd /tmp
       # jar -cvf LdapProfile.jar LdapProfile

2. Import the LdapProfile.jar file into the IBM Tivoli Identity Manager Application Server. For more information on importing the LdapProfile.jar file, refer to “Importing the adapter profile into the IBM Tivoli Identity Manager server” on page 4.
3. Stop and start the directory server.
4. Stop and start the LDAP adapter service.

For more details about customizing the adapter profile, see the IBM Tivoli Identity Manager, Version 4.6 Customization and Deployment Guide for the LDAP Adapter white paper.

Standard parameters

The LDAP adapter is configured to use a standard set of parameters. The LDAP resource must support referential integrity.

inetOrgPerson
The default object class used to create new users. The supporting object classes are organizationalPerson, person, and top.

groupOfNames
The default object class used to assign users to groups.

Standard attributes

After you install the adapter profile, the LDAP adapter supports a standard set of attributes. Table 2 lists the standard inetOrgPerson attributes supported by the LDAP adapter.

Table 2. Attributes supported by the LDAP adapter

    businessCategory            homePostalAddress             preferredLanguage
    carLicense                  initials                      registeredAddress
    cn                          l                             roomNumber
    departmentNumber            mail                          secretary
    description                 manager                       sn
    destinationIndicator        mobile                        st
    displayName                 pager                         street
    employeeNumber              physicalDeliveryOfficeName    telephoneNumber
    employeeType                postalAddress                 teletexTerminalIdentifier
    facsimileTelephoneNumber    postalCode                    telexNumber
    givenName                   postOfficeBox                 title
    homePhone                   preferredDeliveryMethod       userPassword

Configuration properties of the adapter

The global.properties and the itim_listener.properties files contain the configuration properties for the adapters. To configure the properties for an adapter, you must change one of these files. Table 3 lists the properties contained in the properties files, giving for each property the file it lives in and its meaning.

Table 3. Configuration properties for the adapter

ALShutdownTimeout (itim_listener.properties)
    Specifies the amount of time, in milliseconds, before the RMI Dispatcher shuts down after a shutdown request is sent to the dispatcher. All assembly lines that are being maintained are terminated when the dispatcher shuts down. The default value is 300,000 milliseconds, which is five minutes.

com.ibm.di.dispatcher.bindName (global.properties)
    Specifies the RMI bind name to be used. The default value is ITDIDispatcher.

com.ibm.di.dispatcher.disableConnectorCache (global.properties)
    Specifies whether or not the RMI Dispatcher caches the connection to the managed resource so that no new connections are established on subsequent calls. In this case, the same connection is used for all calls. The default value is true.

com.ibm.di.dispatcher.registryPort (global.properties)
    Specifies the port on which the RMI Dispatcher listens for provisioning requests from IBM Tivoli Identity Manager. The default value is 16231.

ConnectorSleepTimeOut (itim_listener.properties)
    Specifies the amount of time, in milliseconds, to wait before deleting connectors that have not been used. The default value is 120,000 milliseconds, which is two minutes.

MaximumConnectorsPerResource (itim_listener.properties)
    Specifies the maximum number of connectors that exist for a particular resource. The default value is 10.

ReaperThreadTimeOut (itim_listener.properties)
    Specifies the amount of time, in milliseconds, to wait between successive runs of the connector reaper thread. The default value is 300,000 milliseconds, which is five minutes.

SearchALUnusedTimeout (itim_listener.properties)
    Specifies the amount of time, in milliseconds, to wait before deleting assembly lines that have not been used. The default value is 600,000 milliseconds, which is 10 minutes.

SearchReaperThreadTimeOut (itim_listener.properties)
    Specifies the amount of time, in milliseconds, to wait before releasing data from memory. This property is used during a reconciliation response. The default value is 300,000 milliseconds, which is five minutes.

SearchResultSetSize (itim_listener.properties)
    Specifies the number of records, per response, returned during a reconciliation between IBM Tivoli Identity Manager and the adapter. The default value is 100.

Customizing operations for the directory server

The operations described in this section were customized for either IBM Directory Server or Sun ONE Directory Server. If you use a different directory server, you must customize these operations for your server.

Suspending user accounts

The information below describes the default customization for the suspend operation for either IBM Directory Server or Sun ONE Directory Server. If you use a different directory server, you might need to change the default customization for this operation.

userPassword
For IBM Directory Server, the userPassword attribute is deleted to disable a user account.

nsaccountlock
For Sun ONE Directory Server, the nsaccountlock attribute is used to suspend a user account. The default value is True.

Restoring user accounts

The information below describes the default customization for the restore operation for either IBM Directory Server or Sun ONE Directory Server. If you use a different directory server, you might need to change the default customization for this operation.

userPassword
For IBM Directory Server, the userPassword attribute is used to set the password for a user.

nsaccountlock
For Sun ONE Directory Server, the nsaccountlock attribute is used to restore a user account. The default value is False.

Searching for user accounts

The information below describes the default customization for the search operation for either IBM Directory Server or Sun ONE Directory Server. If you use a different directory server, you might need to change the default customization for this operation.

userPassword
For IBM Directory Server, the status of the account is based on the userPassword attribute. When a search is performed, if the entry has a userPassword value to map to erAccountStatus, the account is active and the value of erAccountStatus is 0. If there is no userPassword value to map to erAccountStatus, the account is suspended and the value of erAccountStatus is 1.

nsaccountlock
For Sun ONE Directory Server, the status of an account is based on the nsaccountlock attribute. When a search is performed, if nsaccountlock is set to true, the account is disabled and the value of erAccountStatus is 1. If nsaccountlock is set to false, the account is enabled and the value of erAccountStatus is 0.
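The status mapping and the suspend and restore changes described above, as an added Python example that is not part of the adapter: entries are plain dicts, the directory server is simulated by applying the modifications, and the sample entries are constructed, so the erAccountStatus value that reconciliation would report can be checked before and after each operation.

```python
"""Account status mapping and suspend/restore changes for the LDAP adapter's two
default customizations (IBM Directory Server and Sun ONE Directory Server).
Added example, not adapter code. Assumptions: an entry is a dict of attribute
name to list of string values; a modification is (operation, attribute, values)
with operation "delete" or "replace"; sample entries are constructed."""
from typing import Dict, List, Optional, Tuple

IBM_DS = "IBM Directory Server"
SUN_ONE = "Sun ONE Directory Server"

# erAccountStatus values the search operation reports to Tivoli Identity Manager.
ER_ACTIVE = 0
ER_SUSPENDED = 1

Entry = Dict[str, List[str]]
Modification = Tuple[str, str, List[str]]


def _values(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive lookup: LDAP attribute names are not case-sensitive."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def account_status(server: str, entry: Entry) -> int:
    """Search operation: derive erAccountStatus from the entry."""
    if server == IBM_DS:
        # IBM DS: a userPassword value means active. Suspend deletes the
        # attribute, so its absence means suspended.
        return ER_ACTIVE if _values(entry, "userPassword") else ER_SUSPENDED
    if server == SUN_ONE:
        # Sun ONE: nsaccountlock=true means disabled; false or absent means enabled.
        locked = any(v.lower() == "true" for v in _values(entry, "nsaccountlock"))
        return ER_SUSPENDED if locked else ER_ACTIVE
    raise ValueError(f"no default customization for {server!r}")


def suspend_modifications(server: str) -> List[Modification]:
    """Suspend operation: the change applied to the user entry."""
    if server == IBM_DS:
        return [("delete", "userPassword", [])]
    if server == SUN_ONE:
        return [("replace", "nsaccountlock", ["true"])]
    raise ValueError(f"no default customization for {server!r}")


def restore_modifications(server: str, new_password: Optional[str]) -> List[Modification]:
    """Restore operation. On IBM DS the credential was deleted at suspend time,
    so a new password is mandatory; on Sun ONE it is optional."""
    if server == IBM_DS:
        if not new_password:
            raise ValueError("IBM Directory Server restore requires a new password")
        return [("replace", "userPassword", [new_password])]
    if server == SUN_ONE:
        mods: List[Modification] = [("replace", "nsaccountlock", ["false"])]
        if new_password:
            mods.append(("replace", "userPassword", [new_password]))
        return mods
    raise ValueError(f"no default customization for {server!r}")


def apply_modifications(entry: Entry, mods: List[Modification]) -> Entry:
    """Apply modifications to a copy of the entry; stands in for the directory server."""
    result = {name: list(values) for name, values in entry.items()}
    for op, attr, values in mods:
        key = next((k for k in result if k.lower() == attr.lower()), attr)
        if op == "delete":
            result.pop(key, None)
        elif op == "replace":
            result[key] = list(values)
        else:
            raise ValueError(f"unsupported operation {op!r}")
    return result


# Constructed sample entries (not real directory data).
SAMPLE_IBM: Entry = {"uid": ["tuser"], "cn": ["Test User"],
                     "userPassword": ["{SHA}constructed-hash"]}
SAMPLE_SUN: Entry = {"uid": ["tuser"], "cn": ["Test User"],
                     "userPassword": ["{SHA}constructed-hash"],
                     "nsaccountlock": ["False"]}


def lifecycle(server: str, entry: Entry, new_password: str) -> List[int]:
    """erAccountStatus as reconciliation would see it: initially, after
    suspend, and after restore."""
    suspended = apply_modifications(entry, suspend_modifications(server))
    restored = apply_modifications(suspended, restore_modifications(server, new_password))
    return [account_status(server, entry),
            account_status(server, suspended),
            account_status(server, restored)]


if __name__ == "__main__":
    for srv, ent in ((IBM_DS, SAMPLE_IBM), (SUN_ONE, SAMPLE_SUN)):
        print(srv, lifecycle(srv, ent, "constructed-new-pw"))
```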

If a directory server other than IBM Directory Server or Sun ONE Directory Server is used to manage resources, the suspend, restore, and search operations must be customized. Complete these tasks to customize the above operations for a different directory server.
1. “Change the RDN attribute for the group account”
2. “Add support for a new user/group object class” on page 14
3. “Configure the base points” on page 14
4. “Add support for a new directory server” on page 14

Change the RDN attribute for the group account

To change the RDN attribute for a group account, change the LDAPAdd.xml, LDAPDelete.xml, LDAPModify.xml, and LDAPSearch.xml files to map the cn attribute to the required RDN attribute.

Add support for a new user/group object class

To add support for a new user/group object class, complete these steps:
1. Change the schema.dsml file to use the new user/group object class.
2. Change the service.def file to use the new user/group object class.
3. Change the CustomLabels.properties file to match the previous steps.
4. Change the LDAPAdd.xml, LDAPDelete.xml, LDAPModify.xml, and LDAPSearch.xml files to use the new object classes.

Configure the base points

The base point for the LDAP adapter is the point in the directory server that is used as the root for the adapter. The base point can be an organizational unit (OU) or domain container (DC) base point.

To configure the base point, specify the appropriate base point (User or Group) when you create or change a service using the adapter service form.

Add support for a new directory server

To add support for a new directory server, complete these steps:
1. Change the erLDAPRMIService.xml file so that the directory server drop-down menu includes the new server.
2. Change the service.def file to use the new user/group object class.
3. Change the CustomLabels.properties file to match the previous steps.
4. Change the LDAPAdd.xml, LDAPDelete.xml, LDAPModify.xml, and LDAPSearch.xml files to use the new object classes and the new directory server.

Changing the port number for the RMI Dispatcher

If the Remote Method Invocation (RMI) Dispatcher is run as a service, the port number is 16231 by default. The installer automatically sets this parameter in the global.properties file.

If the Tivoli Directory Integrator home directory is the same directory as the IBM Solutions directory, change the port number in the global.properties file. Otherwise, change the port number in the solutions.properties file in the IBM Solutions directory. To change the port number for the dispatcher, complete these steps.
1. Stop the service that is used to run the adapter.
2. Change the global.properties file or the solutions.properties file to use the correct port number:

       com.ibm.di.dispatcher.registryPort=16231

3. Start the service again.

Configuring logging for the adapter

Log files might provide information that is helpful for diagnosing and troubleshooting problems with the adapter. The type of information collected in your log file is determined by the settings in the log4j.properties file. To configure logging for the adapter, you must update this file. The file is located in the ITDI Solutions directory.

When multiple adapters are running on the same server where Tivoli Directory Integrator is installed, logging information for the adapters is stored in the same log file. The RMI Dispatcher logs are also stored in this log file. You cannot configure logging to store information about the different components in different log files.

After you complete the changes to the log4j.properties file, you must stop and restart the service for the adapter for the configuration changes to take effect.

The following sections contain information about configuring logging for the adapter.

Naming the log file

The log4j.appender.Default.file entry in the log4j.properties file configures the name of the log file. To change the name of the log file, change the value of this entry. In the example below, the log file generated is ibmdi.log.

    log4j.appender.Default.file=ibmdi.log

Sizing the log file

The log4j.appender.Default.MaxFileSize entry in the log4j.properties file configures the maximum size of the log file. For example,

    log4j.appender.Default.MaxFileSize=8MB

The number of log files generated is determined by the log4j.appender.Default.MaxBackupIndex entry. In the example below, the number of log files generated is 10.

    log4j.appender.Default.MaxBackupIndex=10

Configuring logging levels

The logging level is determined by the log4j.rootCategory attribute in the log4j.properties file. The four levels for logging information are ERROR, WARN, INFO, and DEBUG. By default the logging level is set to INFO.

DEBUG
The DEBUG level logs all of the details related to a specific operation. This is the highest level of logging. If logging is set to DEBUG, all other levels of logging information are also displayed in the log file.

ERROR
The ERROR level logs only error conditions. The ERROR level provides the smallest amount of logging information.

INFO
The INFO level logs information about workflow. It generally explains how an operation occurs.

WARN
The WARN level logs information when an operation completes successfully but there are issues with the operation.

Displaying logs in the user interface

If the RMI Dispatcher is running from the command prompt by calling ibmdisrv.bat (Windows only), the logs can be displayed in the user interface. To display the logs in the user interface, change the value of the log4j.appender.Default entry in the log4j.properties file. For example,

    log4j.appender.Default=org.apache.log4j.ConsoleAppender

Appending information to an existing log file

By default, the log file is deleted and created again each time the RMI Dispatcher starts. To append information to the existing log file when the dispatcher starts, change the value of the log4j.appender.Default.append entry in the log4j.properties file from false to true. For example,

    log4j.appender.Default.append=true

Managing passwords when restoring accounts

When an account is restored from being previously suspended, you are prompted to supply a new password for the reinstated account. However, in some cases you might not want to supply a new password.

When IBM Directory Server is used to restore accounts, you are always prompted to enter the new password. But when Sun ONE Directory Server is used to restore an account, you are not required to enter a new password. For Sun ONE Directory Server, the password requirement to restore an account on the directory server falls into two categories: allowed and required.

How each restore action interacts with its corresponding managed resource depends on either the managed resource or the business processes that you implement. Certain resources reject a password when a request is made to restore an account. In this case, you can configure IBM Tivoli Identity Manager to forego the new password requirement. You can set the LDAP adapter to require a new password when the account is restored if your company has a business process in place that dictates that the account restoration process must be accompanied by resetting the password.

In the service.def file, you can define whether or not a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behavior from the schema.dsml. Adapter profile components also enable remote services to find out whether to discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this scenario, only some of the accounts being restored might require a password. Remote services will discard the password from the restore action for those managed resources that do not require it.

Edit the service.def file to add the new protocol options, for example:

    <Property Name="com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE"><value>true</value></Property>
    <Property Name="com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE"><value>false</value></Property>

By adding the two options in the example above, you ensure that you will not be prompted for a password when an account is restored.
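The two protocol options above, parsed and turned into a restore-password decision (including the multi-resource restore where an entered password is forwarded to some resources and discarded for others), as an added example that is not adapter or Identity Manager code; the <Properties> wrapper around the excerpt and the policy and function names are this example's own assumptions.

```python
"""Restore-password policy derived from the service.def protocol options.
Added example, not adapter or Identity Manager remote-services code.
Assumptions: the excerpt is wrapped in a constructed <Properties> root so it
parses as XML; the policy names and function names are this example's."""
import xml.etree.ElementTree as ET
from typing import Dict, Optional

PREFIX = "com.ibm.itim.remoteservices.ResourceProperties."
NOT_REQUIRED = PREFIX + "PASSWORD_NOT_REQUIRED_ON_RESTORE"
NOT_ALLOWED = PREFIX + "PASSWORD_NOT_ALLOWED_ON_RESTORE"

# Constructed excerpt carrying the two options shown in the text.
SAMPLE_SERVICE_DEF = """<Properties>
<Property Name="{nr}"><value>true</value></Property>
<Property Name="{na}"><value>false</value></Property>
</Properties>""".format(nr=NOT_REQUIRED, na=NOT_ALLOWED)


def parse_resource_properties(xml_text: str) -> Dict[str, bool]:
    """Collect <Property Name="..."><value>...</value></Property> entries as
    booleans. Only true/false are accepted; anything else is a profile error."""
    props: Dict[str, bool] = {}
    for prop in ET.fromstring(xml_text).iter("Property"):
        name = prop.get("Name")
        value = prop.findtext("value")
        if name is None or value is None:
            raise ValueError("Property element without Name or <value>")
        value = value.strip().lower()
        if value not in ("true", "false"):
            raise ValueError(f"{name}: expected true or false, got {value!r}")
        props[name] = value == "true"
    return props


def restore_password_policy(xml_text: str) -> str:
    """One of "required", "optional", "not_allowed" or "unspecified".
    "unspecified" is where the profile importer falls back to schema.dsml;
    this example does not model that lookup."""
    props = parse_resource_properties(xml_text)
    not_allowed = props.get(NOT_ALLOWED)
    not_required = props.get(NOT_REQUIRED)
    if not_allowed is None and not_required is None:
        return "unspecified"
    if not_allowed:
        # The resource rejects a password on restore: never send one.
        return "not_allowed"
    if not_required:
        # Allowed but not required: no prompt, but a supplied password is kept.
        return "optional"
    return "required"


def prompts_for_password(policy: str) -> bool:
    """Whether the restore action must ask the operator for a new password."""
    return policy == "required"


def passwords_to_send(policies: Dict[str, str],
                      entered: Optional[str]) -> Dict[str, Optional[str]]:
    """Multi-account restore across disparate resources: the password entered
    once is forwarded to, or discarded for, each resource by its policy."""
    result: Dict[str, Optional[str]] = {}
    for resource, policy in policies.items():
        if policy == "not_allowed":
            result[resource] = None
        elif policy == "required":
            if not entered:
                raise ValueError(f"{resource}: restore requires a new password")
            result[resource] = entered
        else:  # optional or unspecified: forward whatever was entered
            result[resource] = entered or None
    return result


if __name__ == "__main__":
    policy = restore_password_policy(SAMPLE_SERVICE_DEF)
    print(policy, "prompt:", prompts_for_password(policy))
    print(passwords_to_send({"sun-one": policy, "ibm-ds": "required"}, "constructed-pw"))
```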

Chapter 4. Configuring SSL authentication for the LDAP adapter

In order to establish a secure connection between the adapter and the IBM Tivoli Identity Manager server, you must configure Tivoli Directory Integrator and the IBM Tivoli Identity Manager server to use Secure Sockets Layer (SSL) authentication. SSL authentication provides encryption of the data exchanged between two applications. Encryption makes data transmitted over the network intelligible only to the intended recipient.

Note: If you are using a single server configuration, you do not need to use SSL authentication. For information about using a single server configuration, refer to “Supported configurations” on page 2.

By configuring Tivoli Directory Integrator for SSL, you ensure that the IBM Tivoli Identity Manager server verifies the identity of the adapter before a secure connection is established. You can configure SSL authentication for connections that originate from the IBM Tivoli Identity Manager server. The IBM Tivoli Identity Manager server initiates a connection to the adapter in order to set or retrieve the value of a managed attribute on the adapter.

In a production environment, you must enable SSL security; however, for testing purposes you might want to disable SSL. If an external application that communicates with the adapter (such as the IBM Tivoli Identity Manager server) is set to use server authentication, you must enable SSL for Tivoli Directory Integrator to verify the certificate that the application presents.

This chapter contains an overview of SSL authentication and certificates, and explains how to enable SSL authentication using the iKeyman command.

Overview of SSL and digital certificates

When you deploy IBM Tivoli Identity Manager in an enterprise network, you must secure communication between the IBM Tivoli Identity Manager server and the software products and components with which the server communicates. The industry-standard SSL protocol uses signed digital certificates from a certificate authority (CA) to secure communication in an IBM Tivoli Identity Manager deployment.

A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as the iKeyman utility, can also issue signed certificates.

Signed digital certificates enable two applications connecting in a network to authenticate each other’s identity. For example, an application acting as an SSL server presents its credentials in a signed digital certificate to verify to an SSL client that it is the entity it claims to be. An application acting as an SSL server can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates.

A CA certificate must be installed to verify the origin of a signed digital certificate. When an application receives another application’s signed certificate, it uses a CA certificate to verify the originator of the certificate. Many applications, such as Web browsers, are configured with the CA certificates of well-known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network.

Private keys, public keys, and digital certificates

Keys, digital certificates, and trusted certificate authorities are used to establish and verify the identities of applications. SSL uses public key encryption technology for authentication.

Public key encryption requires that a public key and a private key be generated for an application. Data encrypted with the public key can only be decrypted using the corresponding private key. Data encrypted with the private key can only be decrypted using the corresponding public key. The private key is stored in a key database file that is password-protected. Only the owner of the private key can access the private key to decrypt messages that are encrypted using the corresponding public key.

In order to ensure maximum security, a certificate is issued by a third-party certificate authority. A certificate contains the following information to verify the identity of an entity:

Organizational information
This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility.

Public key
The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.

Certificate authority’s distinguished name
The issuer of the certificate identifies itself with this information.

Digital signature
The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding CA certificate to verify that the certificate originated from a trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the CA certificate used to verify it has expired, or because the distinguished name in the digital certificate of the server does not match the distinguished name specified by the client.

Self-signed certificates

You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner’s signature. It has an associated private key, but it does not verify the origin of the certificate through a third-party certificate authority. Once you generate a self-signed certificate on an SSL server application, you must extract it and add it to the certificate registry of the SSL client application.

This procedure is the equivalent of installing a CA certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a CA certificate.

Use a key management utility, such as the iKeyman utility, to generate a self-signed certificate and a private key, to extract a self-signed certificate, and to add a self-signed certificate.

Where and how you choose to use self-signed certificates depends on your security requirements. In order to achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively. For example, you can choose to authenticate applications that protect server data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or IBM Tivoli Identity Manager adapters.

If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and CA certificate pair.

The use of SSL authentication

When a Tivoli Directory Integrator component is used as a server, SSL mandates that a keystore be defined for and used by Tivoli Directory Integrator. When a Tivoli Directory Integrator component is used as a client, SSL mandates that a truststore be defined for and used by Tivoli Directory Integrator.

A keystore is a database of private keys and the associated certificates needed to authenticate the corresponding public keys. Digital certificates are stored in a keystore file. A keystore also manages certificates from trusted entities.

A truststore is a database of public keys for target servers. A truststore file is a key database file that contains the public keys for target servers. The public key is stored as a signer certificate. If the target uses a self-signed certificate, you must extract the public certificate from the server keystore file.

The global.properties file or the solutions.properties file specifies the properties for the Tivoli Directory Integrator Server and the Tivoli Directory Integrator components running on the Tivoli Directory Integrator Server. If the solutions directory does not exist, these properties are defined in the global.properties file. If the solutions directory exists, the properties are defined in the solutions.properties file in the ITDI Solutions Directory.

To use SSL authentication for Tivoli Directory Integrator, complete these steps:
1. From the <ITDI_HOME> directory, edit the global.properties file. The example below includes the values that must be changed. Substitute your actual keystore for the keystore provided in the example.

       javax.net.ssl.keyStore=C:\itdicertkeys\idiserver.jks
       javax.net.ssl.keyStorePassword=secret
       javax.net.ssl.keyStoreType=JKS

       javax.net.ssl.trustStore=C:\itdicertkeys\idiserver.jks
       javax.net.ssl.trustStorePassword=secret
       javax.net.ssl.trustStoreType=JKS

       api.remote.on=false
       javax.net.debug=ssl
       com.ibm.di.dispatcher.ssl=true

2. From the <ITDI_HOME>\_jvm\jre\lib\security\ directory (for example, C:\Program Files\IBM\itim\itdi\home\_jvm\jre\lib\security\), make these changes to the java.security file:

       security.provider.1=com.ibm.jsse.IBMJSSEProvider
       security.provider.2=com.ibm.crypto.provider.IBMJCE
       security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
       security.provider.4=com.ibm.security.cert.IBMCertPath
       ## SSLServerSocketFactory Provider
       ssl.ServerSocketFactory.provider=com.ibm.jsse.JSSEServerSocketFactory

3. Restart the service you created for the adapter. In the ibmdi.log file, ensure that the value for ssl is true (for example, ssl=true), and that the RMI Dispatcher is using the SecureRMIServerFactory.
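As an added check that is not part of Tivoli Directory Integrator, the following reads a global.properties or solutions.properties file and reports the settings that diverge from what step 1 requires, the hardened sample using exactly the values from step 1 and a constructed weak variant beside it; the finding texts and the parser are this example's own.

```python
"""Check the SSL-related settings in a Tivoli Directory Integrator
global.properties or solutions.properties file against the values required
in step 1 above. Added example, not part of Tivoli Directory Integrator; the
weak sample file and the finding texts are constructed for illustration."""
from typing import Dict, List

# Constructed excerpt using exactly the values shown in step 1.
HARDENED = """\
javax.net.ssl.keyStore=C:\\itdicertkeys\\idiserver.jks
javax.net.ssl.keyStorePassword=secret
javax.net.ssl.keyStoreType=JKS
javax.net.ssl.trustStore=C:\\itdicertkeys\\idiserver.jks
javax.net.ssl.trustStorePassword=secret
javax.net.ssl.trustStoreType=JKS
api.remote.on=false
javax.net.debug=ssl
com.ibm.di.dispatcher.ssl=true
"""

# Constructed weak variant: dispatcher SSL off, remote API on, no truststore.
WEAK = """\
# left over from a test setup
javax.net.ssl.keyStore=C:\\itdicertkeys\\idiserver.jks
javax.net.ssl.keyStorePassword=secret
api.remote.on=true
com.ibm.di.dispatcher.ssl=false
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: skips blank and #/! comment lines,
    splits on the first '=' or ':', trims surrounding whitespace. Backslash
    escapes are deliberately left untouched."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if positions:
            idx = min(positions)
            props[line[:idx].strip()] = line[idx + 1:].strip()
        else:
            props[line] = ""
    return props


def ssl_findings(props: Dict[str, str]) -> List[str]:
    """Settings that diverge from the procedure; an empty list means none."""
    findings: List[str] = []
    if props.get("com.ibm.di.dispatcher.ssl", "").lower() != "true":
        findings.append("com.ibm.di.dispatcher.ssl is not true: the RMI channel from "
                        "the Identity Manager server to the dispatcher is not SSL-protected")
    for store in ("keyStore", "trustStore"):
        if not props.get(f"javax.net.ssl.{store}"):
            findings.append(f"javax.net.ssl.{store} is not set")
        if not props.get(f"javax.net.ssl.{store}Password"):
            findings.append(f"javax.net.ssl.{store}Password is not set")
    if props.get("api.remote.on", "").lower() != "false":
        findings.append("api.remote.on is not false")
    return findings


def ssl_debug_enabled(props: Dict[str, str]) -> bool:
    """javax.net.debug=ssl is the diagnostic from step 1: useful while confirming
    ssl=true in step 3, but it emits verbose JSSE handshake output thereafter."""
    return bool(props.get("javax.net.debug"))


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        props = parse_properties(text)
        print(label, ssl_findings(props) or "OK", "debug:", ssl_debug_enabled(props))
```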

Configuring certificates for SSL authentication

Use the following procedures to configure Tivoli Directory Integrator for one-way or two-way SSL authentication using signed certificates. In order to perform these procedures, use a key management tool.

Configuring certificates for one-way SSL authentication

In this scenario, the IBM Tivoli Identity Manager server and Tivoli Directory Integrator are set to use SSL. Client authentication is not set on either application. The IBM Tivoli Identity Manager server operates as the SSL client and initiates the connection. Tivoli Directory Integrator operates as the SSL server and responds by sending its signed certificate to the IBM Tivoli Identity Manager server. The IBM Tivoli Identity Manager server uses the CA certificate that is installed to validate the certificate sent by Tivoli Directory Integrator.

In Figure 4, Application A operates as the IBM Tivoli Identity Manager server, and Application B operates as Tivoli Directory Integrator.

[Figure 4. One-way SSL authentication (server authentication). Labels in the figure: Tivoli Identity Manager Server (SSL client) with a keystore holding CA Certificate A; Tivoli Directory Integrator (SSL server) with Certificate A; exchange steps labelled Hello, Send Certificate, and Verify.]

In order to configure one-way SSL, complete these tasks for each application. The tasks use the iKeyman key management utility. Read the documentation for the iKeyman utility for additional information about using the utility.

For Tivoli Directory Integrator, complete these tasks:

1. Create a new keystore file. (A keystore file is a key database file that contains both public keys and private keys.)

a. Start the key management utility (iKeyman) if it is not already running.

b. Open a new key database file by clicking Key Database File > New from the menu bar.

c. Select the Key Database Type. The choices are JKS (the default), PKCS12, and JCEKS. This type is the key file format (the value of the com.ibm.ssl.keyStoreType property in the sas.client.props file) when you configure the SSL setting for your application.

d. Type the Key Database File Name and Location. The full path of this key database file is used as the key file name (the value of the com.ibm.ssl.keyStore property in the sas.client.props file) when you configure the SSL setting for your application.

e. Click OK to continue.

f. Type a password to restrict access to the file. This password is used as the key file password (the value of the com.ibm.ssl.keyStorePassword property in the sas.client.props file) when you configure the SSL setting for your application. Do not set an expiration date on the password, and do not stash the password to a file: an expiring password must be reset when it expires, and a stashed password file must be protected as carefully as the private key it unlocks. This password is used only to release the information stored by the key management utility at run time.

g. Click OK to create the keystore file. The tool displays all of the available default signer certificates. These certificates are the public keys of the most common certificate authorities (CAs). You can add, view, or delete signer certificates from this panel. Delete any default signer certificate that you do not need; every signer certificate that remains is a CA whose certificates this application will accept.

2. Create a self-signed personal certificate by completing these steps.

Note: In order to create a self-signed certificate for a keystore, you must have already created the keystore file.

a. Start the key management utility (iKeyman), if it is not already running.

b. From the menu bar, select Create > New Self-Signed Certificate.

c. Select the version and the key size for your application.

d. Type the appropriate information for your self-signed certificate:

Key Label
Type this in the Key Label field: itdiserver. The key label is used to uniquely identify the certificate within the keystore file. If you have only one certificate in each keystore file, you can assign any value to the label. However, it is good practice to use a unique label related to the server name.

Common Name
Type the name of your system in the Common Name field. This name is the primary, universal identity for the certificate; it should uniquely identify the principal that it represents. For example, for WebSphere® Application Server, certificates frequently represent server principals, and the common convention is to use common names of the form host_name and server_name. The common name must be valid in the configured user registry for the secured WebSphere environment.

Organization
Type the name of your organization in the Organization field.

e. Click OK to create the self-signed personal certificate. Your key database file now contains a self-signed personal certificate.

3. Extract the server certificate by completing these steps:

a. Start the key management utility (iKeyman), if it is not already running.

b. Open the keystore file from which the public certificate will be extracted.

c. Select Personal Certificates.

d. Click Extract Certificate.

e. Click Binary DER as the Data type.

f. Type this Certificate File Name: itdiserver.der.

g. Type this Location: C:\itdicertkeys

h. Click OK to extract the server certificate into the specified file. The extracted file contains only the public certificate, not the private key, so it can be copied to the other system.

4. Copy the itdiserver.der file to the system where IBM Tivoli Identity Manager is installed (for example, into C:\itdicertkeys on that system).

For the IBM Tivoli Identity Manager server, complete one of these tasks:

v If you are configuring the use of a signed certificate issued by a well-known CA, ensure that the IBM Tivoli Identity Manager server has stored the root certificate of the CA (CA certificate) in its keystore. If the keystore does not contain the CA certificate, extract the CA certificate from the adapter and add it to the keystore of the server.

v If you are configuring the use of self-signed certificates:

– If you generated the self-signed certificate on the IBM Tivoli Identity Manager server, the certificate is already installed in its keystore.

– If you generated the self-signed certificate using the key management utility of another application (as in the Tivoli Directory Integrator steps above), extract the certificate from that application's keystore and add it as a signer certificate to the keystore of the IBM Tivoli Identity Manager server. For the itdiserver.der file extracted in step 3, this means adding that file in the Signer Certificates section of iKeyman on the IBM Tivoli Identity Manager server; without it the server cannot validate the certificate that Tivoli Directory Integrator presents.

Configuring certificates for two-way SSL authentication

In this scenario, the IBM Tivoli Identity Manager server and Tivoli Directory Integrator are set to use SSL and the adapter is set to use client authentication. After sending its certificate to the IBM Tivoli Identity Manager server, Tivoli Directory Integrator requests identity verification from the server, which sends its signed certificate to Tivoli Directory Integrator. Both applications are configured with signed certificates and corresponding CA certificates.

In Figure 5 on page 23, the IBM Tivoli Identity Manager server operates as Application A, and Tivoli Directory Integrator operates as Application B.

The following procedure assumes that you have already configured Tivoli Directory Integrator and the IBM Tivoli Identity Manager server for one-way SSL authentication using the procedure described in "Configuring certificates for one-way SSL authentication" on page 20. Therefore, if you are using signed certificates from a CA:

v Tivoli Directory Integrator is configured with a private key and a signed certificate that was issued by a CA.

v The IBM Tivoli Identity Manager server is configured with the CA certificate of the CA that issued the signed certificate of Tivoli Directory Integrator.

In order to complete the certificate configuration for two-way SSL, perform the following tasks:

1. On the IBM Tivoli Identity Manager server, create a CSR and private key, obtain a certificate from a CA, install the CA certificate, install the newly signed certificate, and extract the CA certificate to a temporary file.

2. On Tivoli Directory Integrator, add the CA certificate that was extracted from the keystore of the IBM Tivoli Identity Manager server to Tivoli Directory Integrator.

When you have finished the two-way certificate configuration, each application has its own certificate and private key and the CA certificate of the CA that issued the certificates for each application.

Figure 5. Two-way SSL authentication (client authentication). Flow shown in the figure: Hello; Tivoli Directory Integrator (SSL server) sends Certificate B, which the Tivoli Identity Manager server (SSL client) verifies; the Tivoli Identity Manager server sends Certificate A, which Tivoli Directory Integrator verifies. Each keystore holds its own certificate and the CA certificate.
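The following script is an added example; it is not part of this guide and not IBM code. It performs the one-way and two-way certificate setup described in this chapter with the Java keytool command instead of the iKeyman windows, writing the same JKS keystore format. The host names tdi.example.org and itim.example.org, the aliases itimserver, itdiserver-signer and itimserver-signer, the separate trust-store files, the store password and the scratch directory are all assumptions for the demonstration; only the itdiserver label, the itdiserver.der file name and the JKS type come from the guide. The ca_signed_steps function covers the CA-issued variant from step 1 of the two-way procedure (CSR out, then the CA certificate in, then the signed reply in).

```python
"""Keystore setup for one-way and two-way SSL between Tivoli Identity Manager
(ITIM) and Tivoli Directory Integrator (TDI), scripted with the Java keytool
CLI. Added example, not IBM code; names, paths and passwords are assumptions."""
import shutil
import subprocess
import tempfile
from pathlib import Path

KEYTOOL = shutil.which("keytool")  # None when no Java runtime is on the PATH


def genkeypair_cmd(keystore, storepass, alias, common_name, org):
    """iKeyman 'Create > New Self-Signed Certificate': private key plus self-signed cert."""
    return [
        "keytool", "-genkeypair", "-alias", alias,
        "-keyalg", "RSA", "-keysize", "2048", "-sigalg", "SHA256withRSA",
        "-dname", f"CN={common_name},O={org}",
        "-ext", f"san=dns:{common_name}",   # modern clients match the SAN, not the CN
        "-validity", "365",
        "-keystore", str(keystore), "-storetype", "JKS",
        "-storepass", storepass, "-keypass", storepass,
    ]


def exportcert_cmd(keystore, storepass, alias, out_file):
    """iKeyman 'Extract Certificate' with data type Binary DER (keytool's default)."""
    return ["keytool", "-exportcert", "-alias", alias, "-keystore", str(keystore),
            "-storetype", "JKS", "-storepass", storepass, "-file", str(out_file)]


def importcert_cmd(truststore, storepass, alias, cert_file):
    """Add a signer certificate (CA or self-signed peer); creates the store if absent."""
    return ["keytool", "-importcert", "-noprompt", "-alias", alias, "-file", str(cert_file),
            "-keystore", str(truststore), "-storetype", "JKS", "-storepass", storepass]


def certreq_cmd(keystore, storepass, alias, csr_file):
    """Write a CSR for the key pair stored under alias."""
    return ["keytool", "-certreq", "-alias", alias, "-keystore", str(keystore),
            "-storetype", "JKS", "-storepass", storepass, "-file", str(csr_file)]


def ca_signed_steps(keystore, storepass, alias, csr_file, ca_cert, signed_cert):
    """Two-way step 1 with a real CA: CSR out, CA certificate in (so the reply
    chains), then the signed reply in under the key pair's own alias."""
    return [
        certreq_cmd(keystore, storepass, alias, csr_file),
        importcert_cmd(keystore, storepass, f"{alias}-ca", ca_cert),
        importcert_cmd(keystore, storepass, alias, signed_cert),
    ]


def one_way_plan(workdir, storepass):
    """Server authentication only: TDI presents itdiserver, ITIM must trust it."""
    workdir = Path(workdir)
    tdi_ks, tdi_der = workdir / "itdi.jks", workdir / "itdiserver.der"
    itim_ts = workdir / "itim-trust.jks"       # assumed separate trust store on the ITIM side
    return [
        genkeypair_cmd(tdi_ks, storepass, "itdiserver", "tdi.example.org", "Example"),
        exportcert_cmd(tdi_ks, storepass, "itdiserver", tdi_der),
        importcert_cmd(itim_ts, storepass, "itdiserver-signer", tdi_der),
    ]


def two_way_plan(workdir, storepass):
    """Client authentication too: ITIM also presents a certificate that TDI must trust."""
    workdir = Path(workdir)
    itim_ks, itim_der = workdir / "itim.jks", workdir / "itimserver.der"
    tdi_ts = workdir / "itdi-trust.jks"        # assumed separate trust store on the TDI side
    return one_way_plan(workdir, storepass) + [
        genkeypair_cmd(itim_ks, storepass, "itimserver", "itim.example.org", "Example"),
        exportcert_cmd(itim_ks, storepass, "itimserver", itim_der),
        importcert_cmd(tdi_ts, storepass, "itimserver-signer", itim_der),
    ]


def run_plan(plan):
    """Execute the keytool steps in order; returns False without running if keytool is absent."""
    if KEYTOOL is None:
        return False
    for argv in plan:
        subprocess.run([KEYTOOL, *argv[1:]], check=True, capture_output=True)
    return True


def demo_two_way():
    """Build and run the two-way plan in a scratch directory; returns (ran, workdir)."""
    workdir = Path(tempfile.mkdtemp(prefix="itim-ssl-"))
    ran = run_plan(two_way_plan(workdir, "changeit-demo"))
    return ran, workdir


if __name__ == "__main__":
    for step in two_way_plan("C:/itdicertkeys", "changeit-demo"):
        print(" ".join(step))
```

Run the script to print the keytool commands without executing them; demo_two_way() executes them when keytool is on the PATH. The store password is passed on the command line here for readability; on a shared system use keytool's -storepass:file or -storepass:env forms instead so that it does not appear in the process list. Whichever tool builds the keystores, the check that matters is keytool -list -v on each side: the Tivoli Identity Manager keystore must list the Tivoli Directory Integrator certificate (or its CA) as a trustedCertEntry, and for two-way SSL the Tivoli Directory Integrator keystore must list the Tivoli Identity Manager certificate (or its CA) in the same way.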


Chapter 5. Verifying the LDAP adapter profile installation

If the LDAP adapter profile is not already installed on your system, you must import the adapter profile. See "Importing the adapter profile into the IBM Tivoli Identity Manager server" on page 4 for information about importing the adapter profile.

After you install the adapter profile, verify that the adapter profile was successfully installed. If the adapter profile is not installed correctly, the adapter might not function as it is intended to function.

To verify that the adapter profile was successfully installed, complete these steps:

v Create a service using the LDAP adapter profile.

v Open an account on the service.

If you are unable to create a service using the LDAP adapter profile or open an account on the service, the adapter profile is not installed correctly. You might need to import the adapter profile again.


Chapter 6. Troubleshooting the LDAP adapter installation

Troubleshooting is the process of determining why a product does not function as it is designed to function. This chapter provides information and techniques for identifying and resolving problems related to the LDAP adapter. It also provides information about troubleshooting errors that might occur during installation.

Warning and error messages

A warning or error might be displayed in the user interface to provide information that the user needs to know about the adapter or when an error occurs. Table 4 contains warnings or errors which might be displayed in the user interface if the LDAP adapter is installed on your system.

Table 4. Warning and error messages

Warning or error message: No login or an invalid credential was supplied in the request.
Recommended action: The adapter cannot bind to a naming context or is unable to initialize because invalid credentials were provided. To fix this problem, ensure that:
v The managed resource is functioning properly and that you are connected to the correct resource.
v The naming context is correct, if the naming context is customized.
v The administrator ID specified on the service form is correct.
v The administrator password specified on the service form is correct.

Warning or error message: An error occurred while establishing communication with the Tivoli Directory Integrator Server.
Recommended action: Tivoli Identity Manager cannot establish a connection with Tivoli Directory Integrator. To fix this problem, ensure that:
v Tivoli Directory Integrator is running.
v The URL specified on the service form for Tivoli Directory Integrator is correct.
v If the connection uses SSL, the certificates described in Chapter 4 are installed on both sides; a failed SSL handshake is reported as this message.

Warning or error message: Insufficient 'add' privilege
Recommended action: The administrator ID that is specified on the service form does not have privileges to add a user under the base DN. You must change the administrator ID to an administrator ID that has the correct privileges or assign privileges for the specified administrator ID. Grant that ID only the add, modify, and delete rights the adapter needs under the base DN rather than directory-wide administrative rights.

Warning or error message: Entry Already Exists or exception:javax.naming.NameAlreadyBoundException
Recommended action: The user has already been added to the resource. This error might occur if you are attempting to add a user to the directory server and Tivoli Identity Manager is not synchronized with the resource. To fix this problem, schedule a reconciliation between Tivoli Identity Manager and the resource. See the online help for information about scheduling a reconciliation.

Warning or error message: Unknown Error while adding entry on resource
Recommended action: This error might occur for several reasons. To fix this problem, ensure that:
v The administrator ID specified on the service form is correct.
v The administrator password specified on the service form is correct.
v The base point is correct, if it is customized.
v The administrator ID has the correct privileges to add a user account under the base DN.
v The network connection is not slow.

Warning or error message: Cannot add user to specific group
Recommended action: If you cannot add a user to a group, ensure that the specified group was created on the resource.

Warning or error message: User not found
Recommended action: This error might occur when you attempt to add, modify, delete, or search for a user. This error might also occur if you attempt to change the password for a user. To fix the problem, ensure that:
v The server that is specified for the adapter is correct.
v The administrator ID specified on the service form is correct.
v The administrator password specified on the service form is correct.
v The base point is correct, if it is customized.
If the error continues to occur, check to ensure that:
v The user was created on the directory server.
v The user was not moved or deleted from the directory server.
To fix the problem, add the user to the directory server and then schedule a reconciliation. See the online help for information about scheduling a reconciliation.

Warning or error message: Unknown error while modifying entry on resource
Recommended action: This error might occur for several reasons. To fix this problem, ensure that:
v The administrator ID specified on the service form is correct.
v The administrator password specified on the service form is correct.
v The base point is correct, if it is customized.
v The administrator ID has the correct privileges to modify a user account under the base DN.
v The network connection is not slow.

Warning or error message: Error adding user to group
Recommended action: If you cannot add a user to a group, ensure that:
v The user was created on the resource.
v The user is not already a member of the group.
v The group was created on the resource.
If the user does not exist on the resource, you must create the user. If a user is already a member of a group, you cannot add the user to the group again. If the group does not exist on the resource, you must add the group to the resource before you can add a user to the group. See the online help for information about creating groups or adding users to groups.

Warning or error message: Insufficient 'delete' privilege
Recommended action: The administrator ID that is specified on the service form does not have privileges to delete a user under the base DN. You must change the administrator ID to an administrator ID that has the correct privileges or assign privileges for the specified administrator ID.

Warning or error message: Search failed
Recommended action: This error might occur for several reasons. To fix the problem, ensure that:
v The network connection is not slow.
v The resource is not overloaded with network traffic.
v Tivoli Directory Integrator has sufficient memory, if you have a large number of users and groups.

Logging information format

Logs added to the log file for the adapter or the RMI Dispatcher have the following format:

<Log Level> [<Assembly Line>_<ProfileName>_<Request Id>]_[<Connector Name>] - <message>

Log Level
Specifies the logging level that you configured for the adapter. The options are DEBUG, ERROR, INFO, and WARN. See "Configuring logging for the adapter" on page 14 for information about using the log4j.properties file to configure logging.

Assembly Line
Specifies the name of the assembly line that is logging the information.

ProfileName
Specifies the name of the profile. Profile names might vary based on the adapter that is running or the operating system.

Request ID
Specifies the number of the request. The request number uniquely identifies a specific request, so it is the field to search on when you want every log line that belongs to one provisioning operation.

Connector Name
Specifies the connector for the adapter.

message
Specifies the actual message information.

The example below is an actual message that might be displayed in a log file. Note that the request ID in this example contains an underscore and a period of its own, and that the connector name part is absent:

INFO [AssemblyLine.AssemblyLines/LDAPAdd_Ldapprofile_518536692232324188_91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434 - Load Attribute Map
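The parser below is an added example, not part of this guide and not IBM code. It reads log lines in the format described above, splits the bracketed context into assembly line, profile and request ID, groups records by request ID so that every line of one failed operation can be pulled together, and maps an error message back to the Table 4 entry that applies to it. The guide's own INFO line is the first sample; the other sample lines, the connector name LdapConnector and the request IDs 7001 and 7002 are constructed for the demonstration.

```python
"""Parser for LDAP adapter / RMI Dispatcher log lines. Added example, not IBM code."""
import re
from collections import defaultdict

LEVELS = ("DEBUG", "INFO", "WARN", "ERROR")

# <Log Level> [<Assembly Line>_<ProfileName>_<Request Id>]_[<Connector Name>] - <message>
# The guide's own sample line carries no closing ']' and no connector part,
# so both are optional; the context field ends at the first ']' or space.
LINE_RE = re.compile(
    r"^(?P<level>" + "|".join(LEVELS) + r")\s+"
    r"\[(?P<context>[^\]\s]+)\]?"
    r"(?:_\[(?P<connector>[^\]]*)\])?"
    r"\s+-\s+(?P<message>.*)$"
)

# Constructed sample log: line 1 is the guide's own example, the rest are made up.
SAMPLE_LOG = """\
INFO [AssemblyLine.AssemblyLines/LDAPAdd_Ldapprofile_518536692232324188_91ea4bb8-2801-11b2-91ba-00000a2c0670.1297881434 - Load Attribute Map
DEBUG [AssemblyLine.AssemblyLines/LDAPAdd_Ldapprofile_7001]_[LdapConnector] - adding uid=jdoe,ou=people,dc=example,dc=org
ERROR [AssemblyLine.AssemblyLines/LDAPAdd_Ldapprofile_7001]_[LdapConnector] - javax.naming.NameAlreadyBoundException: Entry Already Exists
WARN [AssemblyLine.AssemblyLines/LDAPModify_Ldapprofile_7002]_[LdapConnector] - Insufficient 'add' privilege
this line is deliberately not in the documented format
"""

# Message fragments from Table 4 and the action the table recommends for them.
KNOWN_ERRORS = {
    "invalid credential": "Check the resource, naming context, administrator ID and password on the service form.",
    "NameAlreadyBoundException": "Entry already exists on the resource: schedule a reconciliation.",
    "Entry Already Exists": "Entry already exists on the resource: schedule a reconciliation.",
    "Insufficient 'add' privilege": "Grant the administrator ID add rights under the base DN.",
    "Insufficient 'delete' privilege": "Grant the administrator ID delete rights under the base DN.",
    "User not found": "Confirm the user exists on the directory server, then schedule a reconciliation.",
}


def parse_line(line):
    """Return the named fields as a dict, or None if the line is not in the documented format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assembly line and profile contain no '_', so the first two '_' delimit them;
    # everything after the second '_' (underscores included) is the request ID.
    parts = m.group("context").split("_", 2)
    if len(parts) != 3:
        return None
    assembly_line, profile, request_id = parts
    return {
        "level": m.group("level"),
        "assembly_line": assembly_line,
        "profile": profile,
        "request_id": request_id,
        "connector": m.group("connector"),   # None when the line has no connector part
        "message": m.group("message"),
    }


def parse_log(lines):
    """Parse every line, silently skipping lines that do not match."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def by_request(lines):
    """Group records by request ID: every line of one provisioning request together."""
    groups = defaultdict(list)
    for rec in parse_log(lines):
        groups[rec["request_id"]].append(rec)
    return dict(groups)


def failed_requests(lines):
    """Request IDs that logged at least one ERROR, with their error messages."""
    return {rid: [r["message"] for r in recs if r["level"] == "ERROR"]
            for rid, recs in by_request(lines).items()
            if any(r["level"] == "ERROR" for r in recs)}


def recommended_action(message):
    """Map a message to the Table 4 recommended action, if the table has an entry for it."""
    for fragment, action in KNOWN_ERRORS.items():
        if fragment in message:
            return action
    return "No Table 4 entry; rerun the operation with the adapter log level set to DEBUG."


if __name__ == "__main__":
    for rid, msgs in failed_requests(SAMPLE_LOG.splitlines()).items():
        for msg in msgs:
            print(f"request {rid}: {msg}\n  -> {recommended_action(msg)}")
```

Lines that do not match the documented format are skipped rather than raising, because stack traces and multi-line messages in the same file never match; when the parse count is far below the line count, the file is probably not an adapter log or the format has changed.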


Chapter 7. Uninstalling the LDAP adapter

Before you remove the adapter, inform your users that the LDAP adapter will be unavailable. If the server is taken offline, adapter requests that had not completed might not be recovered when the server is back online.

To remove the LDAP adapter, complete these steps:

1. Stop the adapter service.

2. Remove the adapter. For specific information about uninstalling the adapter, see the online help or the information center for your Tivoli Identity Manager product.

Note: The RMI Dispatcher component must be installed on your system in order for adapters to function correctly in a Tivoli Directory Integrator environment. If you delete the adapter profile for the LDAP adapter, do not uninstall the RMI Dispatcher; any other adapters that run in the same Tivoli Directory Integrator depend on it.


Appendix A. Support information

This section describes the following options for obtaining support for IBM products:

v "Searching knowledge bases"

v "Contacting IBM Software Support"

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:

v Performance and tuning information. Provides information needed to tune your production environment, available on the Web at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.

v Redbooks and white papers are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks link.

v Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/

v Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.


Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

v For IBM distributed software products (including, but not limited to, Tivoli, Lotus®, and Rational® products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage® in one of the following ways:

– Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll.

– By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

v For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in zSeries®, pSeries®, and iSeries™ environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.

2. Describe your problem and gather background information.

3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1
Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
Significant business impact: The program is usable but is severely limited.

Severity 3
Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4
Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.


Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

v What software versions were you running when the problem occurred?

v Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.

v Can the problem be re-created? If so, what steps led to the failure?

v Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)

v Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:

v Online: Go to the "Submit and track problems" page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.

v By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.


Appendix B. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM
IBM logo
ibm.com
AIX
AS/400
DB2
Domino
i5/OS
Informix
iSeries
Linux
Lotus
Lotus Notes
MQSeries
Notes
OS/400
Power PC
Tivoli
Tivoli logo
Universal Database
WebSphere

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel®, Intel Inside® (logos), MMX and Pentium® are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java™ and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.




Printed in USA

SC32-1754-00