IBM Security Access Manager Enterprise Single Sign-On Adapter Installation and Configuration Guide

Version 6.0

SC27-4422-02

Note: Before using this information and the product it supports, read the information in “Notices” on page 51.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2014.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures . . . v
Tables . . . vii
Preface . . . ix
  About this publication . . . ix
  Access to publications and terminology . . . ix
  Accessibility . . . x
  Technical training . . . x
  Support information . . . x
  Statement of Good Security Practices . . . x
Chapter 1. Overview of the IBM Security Access Manager Enterprise Single Sign-On Adapter . . . 1
  Features of the adapter . . . 1
  Architecture of the adapter . . . 1
  Integration with IBM Security Identity Manager . . . 2
  Communications among IBM Security products . . . 4
  Supported configurations . . . 5
Chapter 2. Preparation for installing the IBM Security Access Manager Enterprise Single Sign-On Adapter . . . 7
  Installation roadmap . . . 7
  Prerequisites . . . 8
  Installation worksheet for the adapter . . . 8
  Software download for the adapter . . . 9
Chapter 3. Installation and configuration of the IBM Security Access Manager Enterprise Single Sign-On Adapter . . . 11
  Setup of Privileged Identity Management to work with the adapter . . . 11
    Determining whether the Group Sharing Account feature is installed . . . 11
    Removing the Group Sharing Account feature . . . 12
  Installation of the IBM Security Access Manager Enterprise Single Sign-On Adapter . . . 13
    Verification of the Dispatcher installation . . . 14
    Installing the IBM Security Access Manager Enterprise Single Sign-On Connector . . . 14
    Configuring the IBM Security Access Manager Enterprise Single Sign-On IMS Server . . . 14
    Configuring the SSL connection between Dispatcher and the IMS Server . . . 15
    Start, stop, and restart of the adapter service . . . 16
  Importing the adapter profile into the IBM Security Identity Manager server . . . 16
  Verification of the adapter profile installation . . . 17
  Creating an IBM Security Access Manager Enterprise Single Sign-On service . . . 17
  Configuration of reconciliation operation for the adapter . . . 20
  Configuration of IBM Security Access Manager Enterprise Single Sign-On workflow extensions . . . 21
    Adding a workflow extension . . . 21
    Defining workflows with extensions . . . 22
    Defining the IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID and Service Prerequisite . . . 25
    JavaScript for Lotus Notes account type . . . 27
  Language package installation . . . 28
Chapter 4. Taking the first steps after installation . . . 29
Chapter 5. Troubleshooting of the IBM Security Access Manager Enterprise Single Sign-On Adapter installation . . . 31
  Techniques for troubleshooting problems . . . 31
  Runtime problems . . . 33
Appendix A. Upgrading the IBM Security Access Manager Enterprise Single Sign-On Adapter . . . 37
Appendix B. Uninstalling the adapter . . . 39
  Uninstalling the adapter from the Tivoli Directory Integrator . . . 39
  Removing the adapter profile from the IBM Security Identity Manager server . . . 39
Appendix C. IBM Security Access Manager Enterprise Single Sign-On Adapter Supported Attributes . . . 41
  Adapter attributes and object classes . . . 41
  Adapter Configuration Properties . . . 41
Appendix D. Configuration of IBM Security Access Manager . . . 43
  AccessProfiles creation for IBM Security Access Manager . . . 43
  Configuring IBM Security Access Manager as an enterprise authentication service . . . 43
Appendix E. Support information . . . 45
  Searching knowledge bases . . . 45
  Obtaining a product fix . . . 46
  Contacting IBM Support . . . 46
Appendix F. Accessibility features for IBM Security Identity Manager . . . 49
Notices . . . 51
Index . . . 55


Figures

1. IBM Security Access Manager Enterprise Single Sign-On Adapter architecture . . . 2
2. Provisioning process . . . 3
3. Single server configuration . . . 5



Tables

1. Installation roadmap . . . 7
2. Prerequisites to install the adapter . . . 8
3. Required information to install the adapter . . . 8
4. Runtime problems . . . 33
5. Supported attributes . . . 41
6. Supported object classes . . . 41



Preface

About this publication

This installation guide provides the basic information about installing and configuring the IBM Security Access Manager Enterprise Single Sign-On Adapter for IBM® Security Identity Manager.

IBM Security Identity Manager was previously known as Tivoli® Identity Manager.

The IBM Security Access Manager Enterprise Single Sign-On Adapter enables connectivity between the IBM Security Identity Manager server and a Windows desktop. The IBM Security Identity Manager server is the server for your IBM Security Identity Manager product.

After the adapter is installed and configured, IBM Security Identity Manager manages access to directory server resources with your site security.

Access to publications and terminology

This section provides:
• A list of publications in the “IBM Security Identity Manager library.”
• Links to “Online publications.”
• A link to the “IBM Terminology website” on page x.

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
The product documentation site (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.


IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix E, “Support information,” on page 45 provides details about:
• What information to collect before contacting IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Overview of the IBM Security Access Manager Enterprise Single Sign-On Adapter

An adapter provides an interface between a managed resource and the IBM Security Identity Manager server.

This adapter resides on the IBM Tivoli Directory Integrator. The IBM Security Identity Manager server manages access to the resource with your security system.

The adapter uses the IBM Tivoli Directory Integrator to facilitate communication between the IBM Security Identity Manager server and the IBM Security Access Manager Enterprise Single Sign-On (enterprise single sign-on) Server. The adapter functions as a trusted virtual administrator on the target platform. It performs such tasks as creating and deleting user IDs and managing user account credentials.

The following sections provide information about the IBM Security Access Manager Enterprise Single Sign-On Adapter:
• “Features of the adapter”
• “Architecture of the adapter”
• “Integration with IBM Security Identity Manager” on page 2
• “Communications among IBM Security products” on page 4
• “Supported configurations” on page 5

Features of the adapter

This adapter automates several administrative tasks on the IBM Security Access Manager Enterprise Single Sign-On IMS™ Server.

You can use the adapter automation to:
• Create users.
• Create and delete user accounts.
• Change user account passwords.
• Reconcile users and user attributes.
• Add, modify, and remove account credentials.

Architecture of the adapter

IBM Security Identity Manager administers IBM Security Access Manager Enterprise Single Sign-On user accounts.

You can add, delete, search for, suspend, or restore an account. You can also change its password.

Note: You must have IBM Security Access Manager Enterprise Single Sign-On IMS Server version 8.2 or later to suspend or restore an account.

The adapter consists of Tivoli Directory Integrator AssemblyLines. When an initial request is made by the IBM Security Identity Manager server to the adapter, the AssemblyLines are loaded into the Tivoli Directory Integrator server. As a result, subsequent service requests do not require those same AssemblyLines to be reloaded.

The AssemblyLines use the Tivoli Directory Integrator components for user management-related tasks on the IMS Server. This component utilization is done remotely by SOAP over SSL. SOAP over SSL is the trusted IBM Security Access Manager Enterprise Single Sign-On Bridge agent.

The following diagram shows the various components for user management tasks in a Tivoli Directory Integrator environment.

For additional information about Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator: Getting Started Guide.

Integration with IBM Security Identity Manager

IBM Security Access Manager Enterprise Single Sign-On integrates with both IBM Security Access Manager and IBM Security Identity Manager to provide a complete identity and access management solution.

IBM Security Identity Manager provides the identity lifecycle management for application users. IBM Security Access Manager Enterprise Single Sign-On provides the real-time implementation of access security policies for users and applications.

The integrated solution delivers seamless identity and access management that provides:
• Application account provisioning
• A centralized view of all application accounts
• Sign-on and sign-off automation
• Authentication management
• User-centric audit logs and reporting
• Centralized deprovisioning of all accounts

Figure 1. IBM Security Access Manager Enterprise Single Sign-On Adapter architecture (diagram; components shown: IBM Security Identity Manager Server, Security Access Manager E-SSO Connector, Assembly Lines, Dispatcher, Tivoli Directory Integrator Server, RMI calls, IBM Security Access Manager E-SSO Server)


IBM Security Identity Manager is integrated with IBM Security Access Manager Enterprise Single Sign-On so that you can automatically provision users created in IBM Security Identity Manager to the IMS Server.

This guide focuses on the IBM Security Identity Manager integration with IBM Security Access Manager Enterprise Single Sign-On. Application accounts that are provisioned by IBM Security Identity Manager are automatically populated in the corresponding IBM Security Access Manager Enterprise Single Sign-On wallets of the users. IBM Security Access Manager Enterprise Single Sign-On workflow extensions perform this task.

For information about integration, see Appendix D, “Configuration of IBM Security Access Manager,” on page 43.

The following figure illustrates the workflow of the provisioning process:

IBM Security Identity Manager must communicate with the IMS Server to populate and manage credentials in the wallet. The adapter and the Workflow Extension are the interface engines that act as intermediaries between the IMS Server and IBM Security Identity Manager.

The IBM Security Access Manager Enterprise Single Sign-On service uses the Tivoli Directory Integrator assembly lines of the adapter. These assembly lines perform IBM Security Access Manager Enterprise Single Sign-On tasks such as:
• Creating a user.
• Deleting a user.
• Changing a user password.
• Searching for users.

IBM Security Identity Manager connects to the IMS Server by using the IBM Security Access Manager Enterprise Single Sign-On workflow extension to add account credentials to the wallets of users.

Figure 2. Provisioning process (diagram; components shown: IBM Security Identity Manager Server with Workflow Engine, Security Access Manager E-SSO Workflow Extension, Security Access Manager E-SSO Connector, RMI Dispatcher over RMI / SSL, Tivoli Directory Integrator Server running the Security Access Manager E-SSO Adapter, SOAP to the IBM Security Access Manager E-SSO IMS Server)


To enable single sign-on for all application accounts provisioned through IBM Security Identity Manager, you must:
• Add the workflow extension to IBM Security Identity Manager.
• Configure the IBM Security Access Manager Enterprise Single Sign-On Service on IBM Security Identity Manager.

Note: If the IMS Server, version 8.1 or later, is configured for Enterprise Directory password synchronization, the Active Directory account must exist before provisioning the ISAM ESSO account.

Communications among IBM Security products

The adapter requires communication between multiple IBM Security products.

IBM Security Identity Manager, IBM Security Access Manager, IBM Security Access Manager Enterprise Single Sign-On IMS Server, and AccessAgent communicate as follows:
1. When IBM Security Identity Manager provisions a new user:
   a. It raises an event in the configured IBM Security Access Manager Enterprise Single Sign-On service.
   b. The service invokes the corresponding assembly line of the adapter in Tivoli Directory Integrator.
   c. The assembly line in Tivoli Directory Integrator communicates with the IMS Server. The IMS Server uses SOAP over HTTPS to create the IBM Security Access Manager Enterprise Single Sign-On user.
2. The IBM Security Access Manager Enterprise Single Sign-On Workflow Extension is inserted into each application creation workflow.
   a. After IBM Security Identity Manager provisions a new user account, the IBM Security Access Manager Enterprise Single Sign-On workflow extension is invoked.
   b. The Workflow Extension passes the IBM Security Access Manager account data to the adapter.
   c. The adapter passes the data to the IMS Server.
   d. The wallet of the user is populated with the new IBM Security Access Manager account data.
3. The user logs on to the wallet by presenting one or more authentication factors to AccessAgent.
   a. AccessAgent obtains the wallet that contains the new IBM Security Access Manager account data from the IMS Server.
   b. Users must cache their wallets on the client computers so that AccessAgent can process their credentials.
4. AccessAgent performs sign-on automation for all types of applications: enterprise, personal, certificate-enabled, and any Windows user accounts.
   a. AccessAgent automatically fills in the appropriate user credentials when an application is launched and logs the user on to the application.
   b. When an application integrated with IBM Security Access Manager is launched, AccessAgent automatically fills the IBM Security Access Manager user name and password in the basic authentication logon prompt. The user does not need to know them.
5. When IBM Security Identity Manager deprovisions a user:
   a. It raises an event in the IBM Security Access Manager Enterprise Single Sign-On Service.
   b. The delete assembly line in the adapter communicates with the IMS Server to delete the user.
6. The deleted user can no longer log on to AccessAgent for single sign-on.

Supported configurations

The adapter supports several configurations and is designed to operate with IBM Security Identity Manager.

The fundamental components of an adapter environment are:
• IBM Security Identity Manager
• Tivoli Directory Integrator server
• IBM Security Access Manager Enterprise Single Sign-On Adapter

Forming part of each configuration, the IBM Security Access Manager Enterprise Single Sign-On Adapter must physically reside on the computer that runs the Tivoli Directory Integrator server.

For a single server configuration, you must install IBM Security Identity Manager, the Tivoli Directory Integrator server, and the IBM Security Access Manager Enterprise Single Sign-On Adapter on one server. The server communicates with the IMS Server.

Figure 3. Single server configuration (diagram; components shown: IBM Security Identity Manager Server with IBM Tivoli Directory Server running Adapter, IBM Security Access Manager E-SSO Server)



Chapter 2. Preparation for installing the IBM Security Access Manager Enterprise Single Sign-On Adapter

Installing and configuring the adapter involves several steps that you must complete in the appropriate sequence. It also requires that you meet the hardware and software prerequisites and download the software. Review the roadmaps before you begin the installation process.

Installation roadmap

You must complete the necessary steps to install the adapter. You must also complete post-installation configuration tasks and verify the installation.

To install the adapter, complete the tasks that are listed in the following table:

Table 1. Installation roadmap

What to do | Where to find more information

Preinstallation
Verify that the software and hardware requirements for the adapter that you want to install are met. | See “Prerequisites” on page 8.
Collect the necessary information for the installation and configuration. | See “Installation worksheet for the adapter” on page 8.
Obtain the installation software. | Download the software from Passport Advantage®. See “Software download for the adapter” on page 9.

Installation
Install the adapter. | See Chapter 3, “Installation and configuration of the IBM Security Access Manager Enterprise Single Sign-On Adapter,” on page 11.
Import the adapter profile. | See “Importing the adapter profile into the IBM Security Identity Manager server” on page 16.
Configure the IMS Server. | See “Configuring the IBM Security Access Manager Enterprise Single Sign-On IMS Server” on page 14.
Configure the SSL Connection between Dispatcher and IBM Security Access Manager Enterprise Single Sign-On service. | See “Configuring the SSL connection between Dispatcher and the IMS Server” on page 15.
Create a service. | See “Creating an IBM Security Access Manager Enterprise Single Sign-On service” on page 17.
Verify the profile installation. | See “Verification of the adapter profile installation” on page 17.
Configure the workflow extensions. | See “Configuration of IBM Security Access Manager Enterprise Single Sign-On workflow extensions” on page 21.

Post installation
Verify that the adapter is working correctly. | See Chapter 4, “Taking the first steps after installation,” on page 29.
Install the language pack. | See “Language package installation” on page 28.

For upgrading from previous versions of the adapter, see Appendix A, “Upgrading the IBM Security Access Manager Enterprise Single Sign-On Adapter,” on page 37.

Prerequisites

You must verify that all of the prerequisites are met before you install the adapter.

The following table identifies hardware, software, and authorization prerequisites to install the adapter.

Table 2. Prerequisites to install the adapter

Prerequisite | Description
Operating System | The IBM Security Access Manager Enterprise Single Sign-On Adapter can be used on any operating system that is supported by Tivoli Directory Integrator.
Network Connectivity | TCP/IP network
System Administrator Authority | The person who installs the IBM Security Access Manager Enterprise Single Sign-On Adapter must have system administrator authority.
Tivoli Directory Integrator server | For information about the minimal system requirements and supported operating systems for Tivoli Directory Integrator, see the IBM Tivoli Directory Integrator Administrator Guide.
IBM Security Identity Manager server | Version 6.0
IBM Security Identity Manager adapter, also known as the Dispatcher | Obtain the dispatcher installer from the IBM Passport Advantage website: http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm.
IBM Security Access Manager Enterprise Single Sign-On IMS Server | For the supported version, see the IBM Security Access Manager Enterprise Single Sign-On Adapter Release Notes.

Installation worksheet for the adapter

Use the information from the adapter worksheet to install the adapter.

Table 3. Required information to install the adapter

Required information | Description
An administrator account on the managed resource | The account must have sufficient administrative rights.
IMS Server Configuration Utility | The location of the web-based IMS Server Configuration Utility. See the IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide for more details.
IMS Server | The IP address or host name and the SSL port number of the IMS Server.
Tivoli Directory Integrator home directory | The ITDI_HOME is the directory that contains the jars/connectors subdirectory for the adapter JAR files.
Adapters solution directory | When you install the dispatcher, the adapter prompts you to specify a file path for the solution directory. For more information about the solution directory, see the Dispatcher Installation and Configuration Guide.
Authentication Services to IBM Security Identity Manager Services mapping | Create a list of services that you want to integrate with enterprise single sign-on. An existing Authentication Service must be available on the IMS Server for each IBM Security Identity Manager Service you want to integrate.
Account Ownership Types to be managed | Determine whether your organization requires additional ownership types to be integrated. The individual ownership type is automatically included.

Software download for the adapter

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.



Chapter 3. Installation and configuration of the IBM Security Access Manager Enterprise Single Sign-On Adapter

You must install and configure the adapter before the IBM Security Access Manager Enterprise Single Sign-On Adapter can communicate with IBM Security Access Manager. The following list is the suggested process:
1. “Setup of Privileged Identity Management to work with the adapter.”
2. “Installation of the IBM Security Access Manager Enterprise Single Sign-On Adapter” on page 13.
3. “Importing the adapter profile into the IBM Security Identity Manager server” on page 16.
4. “Creating an IBM Security Access Manager Enterprise Single Sign-On service” on page 17.
5. “Configuration of IBM Security Access Manager Enterprise Single Sign-On workflow extensions” on page 21.

Setup of Privileged Identity Management to work with the adapter

IBM Security Identity Manager deprecated Group Sharing Account in the version 5.x adapters and replaced it with Privileged Identity Management. If the Group Sharing Account feature is installed, you must remove it from the service to use Privileged Identity Management.

To determine whether you must remove the Group Sharing Account feature, see “Determining whether the Group Sharing Account feature is installed.”

For instructions about removing the Group Sharing Accounts from the IBM Security Identity Manager server, see “Removing the Group Sharing Account feature” on page 12.

Determining whether the Group Sharing Account feature is installed

Determine whether you must remove the deprecated Group Sharing Account feature.

Procedure
1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services.
3. From the Service type menu, select ISAM ESSO Profile.
4. Click Search.
5. Click the IBM Security Access Manager Enterprise Single Sign-On service to display the adapter service form.
6. Click Group Sharing Accounts Setup.
   • If this tab does not exist, the Group Sharing Accounts feature is not installed.
   • If the Mapping list is empty, the Group Sharing Accounts feature is installed, but not configured.
   • If content exists for the Mapping list, the Group Sharing Accounts feature is installed and configured.

What to do next
• If the Group Sharing Account feature is not installed, set up Privileged Identity Management. See the IBM Security Privileged Identity Manager product documentation.
• If necessary, remove the Group Sharing Accounts feature. See “Removing the Group Sharing Account feature.” Then, set up Privileged Identity Management. See the IBM Security Privileged Identity Manager product documentation.

Removing the Group Sharing Account feature

If the Group Sharing Account feature is installed, you must remove it from the service to use Privileged Identity Management.

Before you begin
• Determine whether you must remove the Group Sharing Account feature. See “Determining whether the Group Sharing Account feature is installed” on page 11.
• Verify that the role is not used for any purpose other than the Group Sharing Account feature. If it is used for another purpose, back it up; you can restore it later. To back up the roles in IBM Security Identity Manager, see the IBM Security Identity Manager Information Center. Search for "Data import and export."

Procedure
1. Remove all the members in the roles corresponding to the Group Sharing Account. See the IBM Security Identity Manager Information Center. Search for removing members from roles. The IBM Security Access Manager Enterprise Single Sign-On wallets of all the users of that role are cleared of the shared account.
2. Remove all the roles corresponding to the Group Sharing Account. See the IBM Security Identity Manager Information Center. Search for removing roles.
3. Remove the Role Mapping from the ISAM ESSO Service.
   a. Click Manage Service.
   b. Search for and select the service that has the ISAM ESSO Profile service type.
   c. Click Change.
   d. Click Group Sharing Account. If the Group Sharing Account tab is not found, skip the next step.
   e. Delete all the mappings found in the list box.
   f. Click OK to close the form.
4. Restore the Change Password Workflow Extension for all the services that used the Group Sharing Account feature.
   a. Click Configure System.
   b. Click Manage Operations.
   c. Select the appropriate Entity type or Entity that was previously modified for Group Sharing Account.
   d. Click changePassword to launch the Workflow Extension editor for changePassword.
   e. In the Workflow Extension editor, click the node that is configured with changeSharedAccountPasswordWithTAMESSO.
   f. Take one of the following actions:
      • If you want to integrate this entity or entity type with IBM Security Access Manager Enterprise Single Sign-On, change the Extension Name to changeAccountPasswordWithTAMESSO.
      • If you do not want to integrate it, remove the extension node and replace it with the default change password extension.
   g. Click Update.
   h. Click OK.
   i. Click Close.
5. Restore the Modify Person Workflow Extension for the Person entity.
   a. Click Configure System.
   b. Click Manage Operations.
   c. For the Operation Level, click Entity level.
   d. Select Person as the Entity type.
   e. Click modify to change operations such as specifying mail. The operation diagram is displayed.
   f. Make the necessary changes to undo the modifications made for the Group Sharing Account. See the Installation Guide of the specific version of the adapter that was used to set up the Group Sharing Account feature.
6. Remove the Workflow Extension from IBM Security Identity Manager.
   a. Edit the workflowextensions.xml file in the ITIM_HOME\data directory.
   b. Remove the following line:
      <ACTIVITY ACTIVITYID="changeSharedAccountPasswordWithTAMESSO" LIMIT="600000">
   c. Remove the XML:
      <ACTIVITY ACTIVITYID="isSharedRole" LIMIT="600000">
   d. Restart the IBM Security Identity Manager application from either the WebSphere console or the WebSphere server.

Installation of the IBM Security Access Manager Enterprise Single Sign-On Adapter

You must perform several sequential tasks to install and configure the IBM Security Access Manager Enterprise Single Sign-On Adapter.

Perform the tasks in the following order:
1. Verify that the Dispatcher is installed. See “Verification of the Dispatcher installation” on page 14.
2. Install the IBM Security Access Manager Enterprise Single Sign-On connector. See “Installing the IBM Security Access Manager Enterprise Single Sign-On Connector” on page 14.
3. Configure the IBM Security Access Manager Enterprise Single Sign-On IMS Server. See “Configuring the IBM Security Access Manager Enterprise Single Sign-On IMS Server” on page 14.
4. Configure the SSL connection between the Dispatcher and the IMS Server. See “Configuring the SSL connection between Dispatcher and the IMS Server” on page 15.

Verification of the Dispatcher installation

You must verify the installation of the IBM Security Identity Manager Dispatcher before you can install the adapter. Only one instance of the Dispatcher is required on the Tivoli Directory Integrator. The Dispatcher can service multiple adapters. If this installation is the first Tivoli Directory Integrator-based adapter installation, you must install the Dispatcher before you install the adapter.

To determine whether the Dispatcher is installed, see the Dispatcher Installation and Configuration Guide. Search for the topic "Verifying the installation".

You can obtain the Dispatcher installer from the IBM Passport Advantage website. For information about Dispatcher installation, see the Dispatcher Installation and Configuration Guide.

Installing the IBM Security Access Manager Enterprise Single Sign-On Connector

You must install the connector to establish communication between the adapter and the Dispatcher.

Before you begin

Extract the files in the ISAMESSO_Adapter_6.0.x.zip file in the distribution package to a temporary directory.

About this task

The IBM Security Access Manager Enterprise Single Sign-On Adapter ships with a SAMESSOConnector.jar connector file.

Procedure
1. Copy the SAMESSOConnector.jar file from the installation package to the Tivoli Directory Integrator directory. The location depends on your operating system.
   Windows: ITDI_HOME\jars\connectors
   UNIX or Linux: ITDI_HOME/jars/connectors
2. Restart the Dispatcher service. See “Start, stop, and restart of the adapter service” on page 16.

Configuring the IBM Security Access Manager Enterprise Single Sign-On IMS Server

The IBM Security Access Manager Enterprise Single Sign-On provisioning agent must authenticate with the IMS Server before it can call the provisioning services.

About this task

Authentication is through a shared secret between the provisioning agent and the IMS Server. Use the IMS Configuration Utility to configure these settings.

Procedure
1. Start the IMS Configuration Utility.
2. Click IMS Bridges on the left side under Advanced settings.
3. Select IMS Bridge from the Add configuration group drop-down box.
4. Click Configure.
5. Define a name and an IMS Bridge password, a shared secret, in the available text input boxes.
6. Enter an IMS Bridge IP address value. This address is the IP address of the system on which Tivoli Directory Integrator is installed.
7. Click Add.
8. Set the value for IMS Bridge Type to Provisioning.
9. Click Add.
10. Log on to IBM Security Access Manager Enterprise Single Sign-On AccessAdmin.
11. Navigate to System Policies > Sign up Policies > Option for specifying secret.
12. Choose Secret not required.
13. Click Update.
14. At the WebSphere console, restart the IMS Server application for the changes to take effect.

Configuring the SSL connection between Dispatcher and the IMS Server

To enable communication between the adapter and the IMS Server, you must configure keystores for the Dispatcher.

About this task

For more information about SSL configuration, see the Dispatcher Installation and Configuration Guide.

Procedure
1. Open a browser.
2. Go to https://SAM_ESSO_server/. The SAM_ESSO_server is the IMS Server host name.
3. View the certificate.
   • Click the SSL lock.
   • If your browser reports that revocation information is not available, click View Certificate.
4. Click Certification Path.
5. Select the CA Root certificate.
6. Export the certificate into a file encoded in the Base64 format.
7. Take one of the following actions:
   • If the Dispatcher already has a configured keystore, use the keytool.exe program to import the IMS Server certificate.
   • If the keystore is not configured, create it by running the following command from a command prompt. Type the command on a single line.
     keytool -import -alias ims -file c:\TAMESSO.cer -keystore c:\truststore.jks -storepass passw0rd
8. Edit the ITDI_HOME/timsol/solution.properties file to specify truststore and keystore information. In the current release, only the jks type is supported:
   # Keystore file information for the server authentication.
   # It is used to verify the server's public key.
   # example
   javax.net.ssl.trustStore=truststore.jks
   javax.net.ssl.trustStorePassword=passw0rd
   javax.net.ssl.trustStoreType=jks

   Note: If these properties are not configured yet, you can set javax.net.ssl.trustStore to the keystore file that already contains the IBM Security Access Manager E-SSO IMS Server certificate. Otherwise, you must import the IMS Server certificate into the truststore specified in javax.net.ssl.trustStore.
9. After modifying the solution.properties file, restart the Dispatcher. See “Start, stop, and restart of the adapter service.”

Start, stop, and restart of the adapter service

To start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Tivoli Directory Integrator instance.

See the topic about starting, stopping, and restarting the dispatcher service in the Dispatcher Installation and Configuration Guide.

Importing the adapter profile into the IBM Security Identity Manager server

An IBM Security Identity Manager adapter profile defines the types of resources that the IBM Security Identity Manager server can manage.

About this task

In this case, the profile creates an IBM Security Access Manager Enterprise Single Sign-On Adapter service on the IBM Security Identity Manager server. You must import the adapter profile into the IBM Security Identity Manager server before you can use the adapter.

Before you import the adapter profile, verify that the following conditions are met:
• The IBM Security Identity Manager server is installed and running.
• You have root or Administrator authority on the IBM Security Identity Manager server.

The adapter profile is the TAMESSOProfile.jar file, which is included in the adapter distribution package.

Procedure
1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. Import the adapter profile by using the IBM Security Identity Manager import feature. See the information center or the online help for specific instructions about importing the adapter profile.
3. If you are upgrading the adapter, restart the Dispatcher service.

What to do next

If you receive an error related to the schema when you import the adapter profile, see the trace.log file for more information. The trace.log file location is specified by the handler.file.fileDir property in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ITIM_HOME\data directory.

Verification of the adapter profile installation

After you import the adapter profile, verify that the installation was successful.

An unsuccessful installation:
• Might cause the adapter to function incorrectly.
• Prevents you from creating a service with the adapter profile.

To verify that the adapter profile is successfully installed, create a service with the adapter profile. For more information about creating a service, see “Creating an IBM Security Access Manager Enterprise Single Sign-On service.”

If you cannot create a service with the adapter profile or open an account on the service, the adapter profile is not installed correctly. You must import the adapter profile again.

Creating an IBM Security Access Manager Enterprise Single Sign-On service

You must create a service for the adapter before the IBM Security Identity Manager server can use the adapter to communicate with the managed resource.

About this task

To create or change a service, you must use the service form to provide information for the service. The actual service form fields might vary depending on whether the service form is customized.

Procedure
1. Log on to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. In the My Work pane, click Manage Services and click Create.
3. On the Select the Type of Service page, select Security Access Manager E-SSO profile.
4. Click Next to display the adapter service form.
5. Complete the following fields on the service form:

   Adapter details tab

   Service name
      Specify a name that defines this adapter service on the IBM Security Identity Manager server.

   Description
      Optional: Specify a description for this service.

   Tivoli Directory Integrator location
      Specify the URL for the Tivoli Directory Integrator instance. Valid syntax is rmi://ip-address:port/ITDIDispatcher
      where
      ip-address is the Tivoli Directory Integrator host.
      port is the port number for the Dispatcher.
      If not specified, the default value is rmi://localhost:1099/ITDIDispatcher.
      For information about changing the port number, see the Dispatcher Installation and Configuration Guide.

   Owner
      Specify an existing user ID for the service owner that administers the service instance. Click Search to find the name of the user you want to assign as the owner of the service. Leave the field blank to specify that any user can be used in administering the service instance.

   Service prerequisite
      Specify an existing service instance or function that the service instance requires. Click Search to find existing service instances or functions that you want to assign as requirements for the service instance. If a service has another service defined as a service prerequisite, a user must have an existing account on the service prerequisite. Otherwise the user cannot receive a new account on this service.

   ISAM ESSO server details tab

   ISAM ESSO Server DNS name (DNS host name or IP)
      Specify the host name of the IMS Server host computer only if DNS is set up correctly. Otherwise, use the IP address. Test the connection by using the ping command from the command line on the host that runs the adapter.

   ISAM ESSO Server Port
      Specify the IMS Server port number. The default value is 9443.

   Bridge Name
      Specify the IMS Bridge Name configured in the IMS Server. This field is case-sensitive. The IMS Bridge Name must be entered exactly as shown in the IMS Configuration Utility.

   Bridge Password
      Specify the password for the IMS Bridge. The password is also referred to as a shared secret. This field is case-sensitive. Enter the password exactly as configured in the IMS Configuration Utility.

   Strip domain name from user ID during reconciliation
      Select this check box to remove the domain name from the user ID during reconciliation.

   Additional Ownership Types managed by ISAM ESSO
      Type the name of additional Ownership Types that you want IBM Security Access Manager Enterprise Single Sign-On to manage. By default, accounts that belong to the Individual Ownership Type are included when the following operations are performed on a wallet credential:
      • Create an account
      • Change password
      • Delete an account

   Dispatcher Attributes tab

   Disable AL Caching
      Select the check box to disable the assembly line caching in the dispatcher for the service. The assembly lines for the add, modify, delete, and test operations are not cached.

   AL FileSystem Path
      Specify the file path from where the dispatcher loads the assembly lines. If you do not specify a file path, the dispatcher loads the assembly lines received from IBM Security Identity Manager. For example, you can specify the following file paths to load the assembly lines from the profiles directory of the operating system:
      Windows operating systems: c:\Program Files\IBM\TDI\V7.0\profiles
      UNIX and Linux operating systems: /opt/IBM/TDI/V7.0/profiles

   Max Connection Count
      Specify the maximum number of assembly lines that the dispatcher can run simultaneously for the service. For example, enter 10 when you want the dispatcher to run a maximum of 10 assembly lines simultaneously for the service. If you enter 0 in the Max Connection Count field, the dispatcher does not limit the number of assembly lines that are run simultaneously for the service.

   Status and information tab
      Contains read-only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

      If the connection fails, follow the instructions in the error message. Also:
      • Verify the adapter log to ensure that the IBM Security Identity Manager test request was successfully sent to the adapter.
      • Verify the adapter configuration information.
      • Verify the IBM Security Identity Manager service parameters for the adapter profile. For example, verify the workstation name or the IP address of the managed resource and the port.

   Last status update: Date
      Specifies the most recent date when the Status and information tab was updated.

   Last status update: Time
      Specifies the most recent time of the date when the Status and information tab was updated.

   Managed resource status
      Specifies the status of the managed resource to which the adapter is connected.

   Adapter version
      Specifies the version of the adapter that the service uses to provision requests to the managed resource.

   Profile version
      Specifies the version of the profile that is installed on the IBM Security Identity Manager server.

   TDI version
      Specifies the version of the Tivoli Directory Integrator on which the adapter is deployed.

   Dispatcher version
      Specifies the version of the Dispatcher.

   Installation platform
      Specifies summary information about the operating system on which the adapter is installed.

   Adapter account
      Specifies the account that runs the adapter binary file.

   Adapter up time: Date
      Specifies the date when the adapter started.

   Adapter up time: Time
      Specifies the time of the date when the adapter started.

   Adapter memory usage
      Specifies the memory usage for running the adapter.

6. Click Finish.

Configuration of reconciliation operation for the adapter

This configuration is necessary only if you use the User Principal Name account attribute.

The IBM Security Access Manager Enterprise Single Sign-On WebService API adapter cannot retrieve this attribute from the service during reconciliation. To avoid losing the User Principal Name attribute values, you must configure the reconciliation operation to exclude User Principal Name.

Reconciliation filters

The IMS Server reconciliation filters are case sensitive when performing a filtered reconciliation of IBM Security Access Manager Enterprise Single Sign-On accounts.

Perform a reconciliation with the (eruid=K*) filter in IBM Security Identity Manager. IBM Security Access Manager Enterprise Single Sign-On accounts that start with an uppercase letter K are returned. Accounts starting with a lowercase letter k are removed.

To use a filter without case sensitivity, use both lowercase and uppercase in the filter. For example, (|(eruid=k*)(eruid=K*)). This filter returns all accounts that begin with either an uppercase or lowercase k.

For more information about reconciliation, see the IBM Security Identity Manager Information Center.
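The following JavaScript is an added example, not part of this guide, that evaluates the filter syntax shown above against constructed sample accounts so the effect of the IMS Server's case-sensitive matching can be checked before a filtered reconciliation removes accounts. It also generalises the guide's (|(eruid=k*)(eruid=K*)) pattern to short prefixes; the account objects and the 4-character prefix limit are assumptions of the example.

```javascript
// Added example, not part of the IBM guide: a small evaluator for the
// reconciliation filter syntax the guide shows, so the effect of the IMS
// Server's case-sensitive matching can be checked on a sample before running
// a filtered reconciliation. It supports only the subset used above:
// (attr=value), a trailing "*" wildcard, and the (|...) and (&...) composites.

// Parse one filter starting at `pos`; returns [node, positionAfterFilter].
function parseFilter(text, pos) {
  if (text[pos] !== "(") throw new Error("expected '(' at " + pos);
  pos += 1;
  const op = text[pos];
  if (op === "|" || op === "&") {
    pos += 1;
    const children = [];
    while (text[pos] === "(") {
      const [child, next] = parseFilter(text, pos);
      children.push(child);
      pos = next;
    }
    if (text[pos] !== ")") throw new Error("expected ')' at " + pos);
    return [{ op: op === "|" ? "or" : "and", children }, pos + 1];
  }
  const close = text.indexOf(")", pos);
  const eq = text.indexOf("=", pos);
  if (close === -1 || eq === -1 || eq > close) throw new Error("expected (attr=value)");
  return [{ op: "eq", attr: text.slice(pos, eq), value: text.slice(eq + 1, close) }, close + 1];
}

// Evaluate a parsed filter against one account. Comparison is case-sensitive,
// which is the IMS Server behaviour the guide warns about.
function matches(node, account) {
  if (node.op === "or") return node.children.some((c) => matches(c, account));
  if (node.op === "and") return node.children.every((c) => matches(c, account));
  const actual = account[node.attr];
  if (typeof actual !== "string") return false;
  return node.value.endsWith("*")
    ? actual.startsWith(node.value.slice(0, -1)) // prefix match
    : actual === node.value;                     // exact match
}

// Return the eruid values that a filtered reconciliation with `filter` keeps.
function reconcile(filter, accounts) {
  const [node, end] = parseFilter(filter, 0);
  if (end !== filter.length) throw new Error("unexpected text after filter");
  return accounts.filter((a) => matches(node, a)).map((a) => a.eruid);
}

// Build the case-insensitive prefix filter the guide recommends, generalised
// from one letter to a short prefix by OR-ing every upper/lower-case variant.
function caseInsensitivePrefixFilter(attr, prefix) {
  if (prefix.length > 4) throw new Error("prefix too long: 2^n alternatives");
  let variants = [""];
  for (const ch of prefix) {
    const forms = ch.toLowerCase() === ch.toUpperCase() ? [ch] : [ch.toLowerCase(), ch.toUpperCase()];
    variants = variants.flatMap((v) => forms.map((f) => v + f));
  }
  const terms = variants.map((v) => "(" + attr + "=" + v + "*)");
  return terms.length === 1 ? terms[0] : "(|" + terms.join("") + ")";
}

// Constructed sample accounts (not real data).
const SAMPLE_ACCOUNTS = [
  { eruid: "Kwong", status: "active" },
  { eruid: "kevin", status: "active" },
  { eruid: "KLEE", status: "disabled" },
  { eruid: "mary", status: "active" },
];

console.log(reconcile("(eruid=K*)", SAMPLE_ACCOUNTS));
// -> [ 'Kwong', 'KLEE' ]   the lowercase "kevin" is dropped
console.log(caseInsensitivePrefixFilter("eruid", "k"));
// -> (|(eruid=k*)(eruid=K*))
console.log(reconcile(caseInsensitivePrefixFilter("eruid", "k"), SAMPLE_ACCOUNTS));
// -> [ 'Kwong', 'kevin', 'KLEE' ]
```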

Configuration of IBM Security Access Manager Enterprise Single Sign-On workflow extensions

You can create custom workflow extensions for IBM Security Access Manager Enterprise Single Sign-On to define how to process requests. These customized workflow extensions are workflow objects in IBM Security Identity Manager.

Adding a workflow extension

This section describes how to add custom workflow extensions, which are workflow objects in IBM Security Identity Manager.

Procedure
1. Edit the workflowextensions.xml file under the ITIM_HOME\data directory to add a workflow extension. Add the following workflow extension:

   Note: This sample is provided as part of the installation package as the enc_workflow_sample.xml file.

   <ACTIVITY ACTIVITYID="createAccountWithTAMESSO" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="createAccountWithTAMESSO" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="owner" RELEVANT_DATA_ID="owner" class="Person" />
       <IN_PARAMETERS PARAM_ID="service" RELEVANT_DATA_ID="service" class="Service" />
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="account" class="Account" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete">
       <![CDATA[
         WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
         WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
       ]]>
     </SCRIPT>
   </ACTIVITY>

   <ACTIVITY ACTIVITYID="changePasswordWithTAMESSO" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="changePasswordWithTAMESSO" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" class="Account" />
       <IN_PARAMETERS PARAM_ID="notifyFlag" RELEVANT_DATA_ID="notifyFlag" class="String" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete">
       <![CDATA[
         WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
         WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
       ]]>
     </SCRIPT>
   </ACTIVITY>

   <ACTIVITY ACTIVITYID="deleteAccountWithTAMESSO" LIMIT="600000">
     <IMPLEMENTATION_TYPE>
       <APPLICATION CLASS_NAME="encentuate.bridges.wfe.EncentuateCltAppExtension"
                    METHOD_NAME="deleteAccountWithTAMESSO" />
     </IMPLEMENTATION_TYPE>
     <PARAMETERS>
       <IN_PARAMETERS PARAM_ID="account" RELEVANT_DATA_ID="Entity" class="Account" />
     </PARAMETERS>
     <TRANSITION_RESTRICTION JOIN="XOR" />
     <SCRIPT EVENT="onComplete">
       <![CDATA[
         WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
         WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
       ]]>
     </SCRIPT>
   </ACTIVITY>

2. Copy the SAMESSOWfe.jar file from the installation package to the WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\app_web.war\WEB-INF\lib directory. If no directory exists, create one.
3. Extract the subforms.zip archive from the adapter package into a temporary folder.
4. Copy the folder and the files in subforms\samesso to the WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\itim_console.war\subforms\samesso directory.
5. Restart the IBM Security Identity Manager application from the WebSphere console, or restart the WebSphere server itself.

What to do next

After a successful restart, define the workflow. See “Defining workflows with extensions.”

Defining workflows with extensions

Define the workflow extension for each type of account integrated with the IBM Security Access Manager Enterprise Single Sign-On service. Include the account type.

Procedure
1. Log on to IBM Security Identity Manager.
2. Select Configure System > Manage Operations.
3. For the Operation Level, click Entity level.

   Note: If you want to integrate all account types with the service, click Entity type level instead.

4. Select Account as the Entity type.
5. Select the type of account you want to integrate with the service.

   Note: If you want to integrate the ITIM Account with the service, select Identity Manager User as the Entity type.

6. Click Add to create an add operation if it does not exist. The operation diagram is displayed.
7. Remove the transition from CREATEACCOUNT to End.
8. Add an extension node between CREATEACCOUNT and End.

   Note: Configure the properties of the default extension nodes for these operations with the following values:

   Entity        Operation       ActivityID                  Extension Name
   Account       changePassword  CHANGEPASSWORDWITHTAMESSO   changePasswordWithTAMESSO
   Account       delete          DELETEACCOUNTWITHTAMESSO    deleteAccountWithTAMESSO
   ITIM account  add             CREATEACCOUNTWITHTAMESSO    createAccountWithTAMESSO

9. Double-click the new Extension node. A pop-up window displays all the extensions that were registered with workflowextensions.xml.

   Figure: Properties: Extension Node dialog, showing Activity ID CREATEACCOUNTWITHTAMESSO, Extension Name createAccountWithTAMESSO(Person owner, Service service, Account account), Split Type AND, and the Input Parameters owner (Person), service (Service), and account (Account).

10. In the Activity ID field, type CREATEACCOUNTWITHTAMESSO.
11. Select createAccountWithTAMESSO as the Extension Name.
12. Click Ok and attach the transitions to the newly added extension.

   Figure: Operation Diagram for the Add operation on the Account entity, showing the transitions Start > CREATEACCOUNT > CREATEACCOUNTWITHTAMESSO > End.

13. Double-click the transition from CREATEACCOUNT to CREATEACCOUNTWITHTAMESSO to edit the properties.
14. Click Custom and type the following code:
    activity.resultSummary==activity.SUCCESS

    Figure: Properties: Transition dialog, with From (ID: CREATEACCOUNT), To (ID: CREATEACCOUNTWITHTAMESSO), and the Custom condition activity.resultSummary==activity.SUCCESS.

15. Click Ok to close the property window.
16. Click Update and then click OK.
17. Click Close to close the Operations window.
18. Repeat Steps 2 - 12 for the changePassword and delete operations, or for the add operation for the ITIM account.

Redefining IBM Security Access Manager Enterprise Single Sign-On account add operation

You must redefine the IBM Security Access Manager Enterprise Single Sign-On account add operation to prevent duplicate accounts or multiple accounts per user from being created.

About this task

Each IBM Security Access Manager Enterprise Single Sign-On account must correspond to only a single Person in IBM Security Identity Manager.

Procedure
1. Select Configure System > Manage Operations.
2. Click Entity level as the Operation Level.
3. Select Account as the Entity type.
4. Select ISAM ESSO Account for Entity.
5. Click Refresh to get a list of operation changes from default.
6. Take one of the following actions:
   • If the add operation is not on the list, click Add and define the Operation Name as add. Click Continue to modify the workflow.
   • If the add operation is on the list, click the operation to modify the workflow.
7. Modify the operation workflow.
   a. Add an Extension node between Start and CREATEACCOUNT.
   b. Configure the extension node to use Extension Name noExistingSSOAccount and provide an Activity ID, for example NOEXISTINGSSOACCOUNT. Set the Split Type to OR.
   c. Double-click the transition from NOEXISTINGSSOACCOUNT to CREATEACCOUNT to edit the properties.
   d. Click Custom and type the following code:
      activity.resultSummary==activity.SUCCESS
   e. Create a transition from the NOEXISTINGSSOACCOUNT node to the End node.
   f. Double-click the transition from the NOEXISTINGSSOACCOUNT node to the End node to edit the properties.
   g. Click Custom and type the following code:
      if (activity.resultSummary == activity.FAILED) {
          WorkflowRuntimeContext.setProcessResult(process.FAILED);
          return true;
      }
8. Click Update. The workflow is displayed.

   Figure: the redefined add operation workflow, showing Start > NOEXISTINGSSOACCOUNT (Extension) > CREATEACCOUNT.

9. Click OK.
10. Click Close to exit the Operations window.

Defining the IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID and Service Prerequisite

For sign-on automation to work, all application services in IBM Security Identity Manager must have an IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID. This ID is defined on its service form. You must also assign the service as a prerequisite service. Otherwise, sign-on automation does not work.

About this task

No IBM Security Access Manager Enterprise Single Sign-On Authentication Service ID and Service Prerequisite fields exist on the service form by default. You must create these fields on the service form.

Procedure
1. Log on to IBM Security Identity Manager.
2. Click Configure System > Design Forms.
3. Double-click Service and then double-click the specific service.
4. From the Attribute List, double-click erservicessomapping. The attribute is displayed in the service tab field on the design form.
5. From the Properties menu, change the Label for this attribute to ISAM E-SSO Authentication Service.
6. Click the erservicessomapping attribute.
7. Click Attributes > Change to > Subform. The Subform Editor window is displayed.
8. In the customServletURI field, type samesso/samesso.jsp.
9. Click OK to close the Subform Editor window.
10. From the Attribute List, double-click erprerequisite. The attribute is displayed in the service tab field on the design form.
11. Click to select the erprerequisite attribute.
12. Click Attributes > Change to > Search Control. The Search Control Editor window is displayed.
13. In the Category listbox, select Service.
14. In the Type list, select Single Value.
15. Click OK to close the Search Control Editor window.
16. Save the form template and close the Form Designer window.

What to do next

Configure the service. See “Configuring the service.”

Configuring the service

You must map an IBM Security Identity Manager service to a valid Authentication Service ID in IBM Security Access Manager Enterprise Single Sign-On. After this mapping is complete, you can store account credentials in the wallet.

Before you begin

To obtain details about the authentication service ID:
1. Log on to the IMS Configuration Utility.
2. Select Authentication Services from the Basic Settings menu. A list of available authentication services is displayed.
3. Select the appropriate authentication service to view the authentication service ID and the account data template.

About this task

When you modify an account attribute, the changes do not automatically propagate to the IBM Security Access Manager Enterprise Single Sign-On server. No workflow extension exists to trigger the adapter. When you change a second key or second secret value, you must explicitly change the password for the corresponding account. If you specify a data template with a second key or second secret attribute, a valid value for the corresponding attribute must exist for the Add and Change password operations to succeed.

Procedure
1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. Click Managed Services.
3. Click Search to view the available services.
4. Click the service that requires IBM Security Access Manager Enterprise Single Sign-On integration. The Change service pane is displayed.
5. Locate the ISAM ESSO Authentication Service field.
6. Click Details to display the SAMESSO Authentication Service Information Subform.
7. Type the authentication service ID in the Authentication Service ID field.
8. Select the appropriate Account Data Template for that authentication service.
9. If necessary, complete the Second Key attribute mapping and Second Secret attribute mapping with the attribute name from the ITIM service or account schema. The attribute value from the service or account is saved as the second key or second secret in IBM Security Access Manager Enterprise Single Sign-On. If the Second Key or Second Secret is a constant value, then add the prefix '@' in the text. For example: @sampleConstantValue

   Tip: To get the attribute name from the service or account schema:
   a. Click Configure System > Manage Service Types.
   b. Select the service type corresponding to the service being integrated.
   c. Select the Service tab for the service schema or the Account tab for the account schema.
   d. Click the attribute to view its schema name. Use the schema name for the attribute mapping field.
10. Click OK to save the configuration in the subform and close it.

Setting the service prerequisite

To use IBM Security Access Manager Enterprise Single Sign-On with a service, you must assign it as a service prerequisite for that service.

Before you begin

The Service prerequisite field must exist in the ITIM Service form template in LDAP.

Procedure
1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. Click Managed Services.
3. Click Search to view the available services.
4. Click the service for which you want to provide Single Sign-On.
5. On the General tab, locate Service Prerequisite.
6. Click Search.
7. Select the IBM Security Access Manager Enterprise Single Sign-On service that you previously configured.
8. Click OK.
9. Click OK.

What to do next

Provide Single Sign-On for additional services. For more information about managing services, see the IBM Security Identity Manager Information Center.

JavaScript for Lotus Notes account type
The attribute erUid might not be the value to be passed to the wallet.

The following JavaScript is an example that can be used for the Lotus Notes add/changePassword/delete operations before calling the ENC* extensions.

    // Read the account entity; ernotesfullname is multi-valued.
    var acct = Entity.get();
    var fn = acct.getProperty('ernotesfullname');
    for (var x = 0; x < fn.length; x++) {
        // Only hierarchical names (components separated by '/') are converted.
        if (fn[x].indexOf('/') != -1) {
            var buff = new Array();
            var splt = fn[x].split('/');
            for (var i = 0; i < splt.length; i++) {
                // Drop the "CN=", "OU=", "O=" prefix of each component;
                // a component without '=' is kept unchanged.
                var prt1 = splt[i].indexOf('=') + 1;
                var stri = splt[i].substring(prt1, splt[i].length);
                buff[i] = stri;
            }
            // Rejoin the components and store the result as the account UID.
            var id = buff.join('/');
            acct.setProperty('eruid', id);
            Entity.set(acct);
        }
    }
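The same Notes full-name conversion as a standalone, testable function is shown below; it is an added example and not code from the IBM guide. The Entity/acct API is replaced by a plain object, and the sample names (Jane Doe, Sales, Example) are constructed; the function also covers the edge cases the script above handles only implicitly (a component without '=', a value without '/', several values of ernotesfullname).

```javascript
// Added example (not from the IBM guide): the Lotus Notes full-name
// conversion as a pure function that runs outside Identity Manager.
//
// A Notes hierarchical name looks like "CN=Jane Doe/OU=Sales/O=Example"
// (constructed sample). The wallet expects the name without the
// attribute-type prefixes, i.e. "Jane Doe/Sales/Example".

// Strip the "CN=", "OU=", "O=" ... prefix from one name component.
function stripComponentPrefix(component) {
  var eq = component.indexOf('=');
  // indexOf returns -1 when there is no '=', so eq + 1 is 0 and the
  // component is returned unchanged, exactly as the guide's script does.
  return component.substring(eq + 1);
}

// Convert a single Notes full name to the wallet-style ID.
// A value without '/' is not hierarchical and is returned as-is.
function notesFullNameToUid(fullName) {
  if (fullName.indexOf('/') === -1) {
    return fullName;
  }
  return fullName.split('/').map(stripComponentPrefix).join('/');
}

// Mirror the loop in the guide: ernotesfullname is multi-valued, and each
// hierarchical value overwrites eruid, so the last one wins.
// `account` is a plain object standing in for the Entity/acct API
// (hypothetical stand-in, not the Identity Manager API).
function applyNotesUid(account) {
  var values = account.ernotesfullname || [];
  for (var x = 0; x < values.length; x++) {
    if (values[x].indexOf('/') !== -1) {
      account.eruid = notesFullNameToUid(values[x]);
    }
  }
  return account;
}

// Constructed sample account for a quick run.
var sampleAccount = {
  eruid: 'jdoe',
  ernotesfullname: ['jdoe', 'CN=Jane Doe/OU=Sales/O=Example']
};
console.log(applyNotesUid(sampleAccount).eruid); // Jane Doe/Sales/Example
```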

Language package installation
The adapters use a separate language package from the IBM Security Identity Manager.

See the IBM Security Identity Manager library and search for information about installing the adapter language pack.

Chapter 4. Taking the first steps after installation

After installing and configuring the adapter, you must verify that IBM Security Identity Manager, the adapter, and the managed resource interact correctly.

About this task

These steps are performed in IBM Security Identity Manager. For information about reconciliation and account operations, see the IBM Security Identity Manager Information Center.

Procedure
1. Perform a full reconciliation from the IBM Security Identity Manager server.
2. Perform all supported operations on one account and verify that no errors were reported.

Chapter 5. Troubleshooting of the IBM Security Access Manager Enterprise Single Sign-On Adapter installation

Troubleshooting is the process of determining why a product does not function as it is designed to function.

This chapter provides information and techniques for identifying and resolving problems related to the IBM Security Access Manager Enterprise Single Sign-On Adapter. It also provides information about troubleshooting errors that might occur during installation.

Techniques for troubleshooting problems
Troubleshooting is a systematic approach to solving a problem. The goal of troubleshooting is to determine why something does not work as expected and how to resolve the problem. Certain common techniques can help with the task of troubleshooting.

The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions:
v What are the symptoms of the problem?
v Where does the problem occur?
v When does the problem occur?
v Under which conditions does the problem occur?
v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
v Who, or what, is reporting the problem?
v What are the error codes and messages?
v How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolate the problem layer:
v Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
v Is the current environment and configuration supported?
v Do all users have the problem?
v For multi-site installations, do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration. Many problems can be traced back to incompatible levels of software that are not intended to run together or are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that cause a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported. Be as precise as possible, even down to the millisecond. Work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:
v Does the problem happen only at a certain time of day or night?
v How often does the problem happen?
v What sequence of events leads up to the time that the problem is reported?
v Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
v Does the problem always occur when the same task is being performed?
v Does a certain sequence of events need to happen for the problem to occur?
v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might occur around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
v Can the problem be re-created on a test system?
v Do multiple users or applications encounter the same type of problem?
v Can the problem be re-created by running a single command, a set of commands, or a particular application?

For information about obtaining support, see Appendix E, “Support information,” on page 45.

Runtime problems
During the operation of IBM Security Identity Manager with IBM Security Access Manager Enterprise Single Sign-On, you might encounter errors. Use this information and the information provided by the message to resolve the error.

Runtime problems and corrective actions are described in the following table.

Table 4. Runtime problems

Problem: Reconciliation does not return all IMS Server accounts. Reconciliation is successful but some accounts are missing.
If the allocated JVM memory is not large enough, an attempt to reconcile many accounts with the adapter results in log file errors. The reconciliation process fails.
The adapter log files contain entries that state ErmPduAddEntry failed. The WebSphere_install_dir/logs/itim.log file contains java.lang.OutOfMemoryError exceptions.

Corrective action: For the adapter to reconcile many accounts successfully, you might need to increase the WebSphere JVM memory. To do so, complete the following steps on the WebSphere host computer:
Note: Do not increase the JVM memory to a value higher than the system memory.
1. Log in to the administrative console.
2. Expand Servers in the left menu and select Application Servers.
3. A table displays the names of known application servers on your system. Click the link for your primary application server.
4. Select Process Definition from the Configuration tab.
5. Select the Java Virtual Machine property.
6. Enter a new value for the Maximum Heap Size. The default value is 256 MB.

Problem: Test Connection fails when creating the IBM Security Access Manager Enterprise Single Sign-On service. The following errors result when attempting to establish a connection:

CTGIMU107W
The connection to the specified service cannot be established. Verify the service information, and try again.

CTGIMT605E
An error occurred while processing the CTGIMT401E An error occurred while starting the Test_TAMESSO_test-no-requestid_30cd36f8-28d9-11b2-10c6-00000a0203f0 agent. Error: CTGDIS084I Initialization of Test failed: java.lang.Exception: [Test] CTGDIS025E Exception while loading configuration: java.lang.Exception: [Test] CTGDIS497W Cannot find the java class for system:/Connectors/ibmdi.TAMESSO. The jar file may be corrupted... operation on the IBM Tivoli Directory Integrator server. Error: {1}

An error similar to the following is printed in the trace.log:

Exception while loading configuration: java.lang.Exception: [Test] CTGDIS497W Cannot find the java class for system:/Connectors/ibmdi.TAMESSO. The jar file may be corrupted.

Corrective action: Verify that you installed the IBM Security Access Manager Enterprise Single Sign-On connector correctly. The SAMESSOConnector.jar file is in the ITDI_HOME/jars/connectors directory. You must restart the dispatcher after making this JAR file available. For complete installation procedures, see Chapter 3, “Installation and configuration of the IBM Security Access Manager Enterprise Single Sign-On Adapter,” on page 11.

Problem: Single sign-on with IBM Security Access Manager Enterprise Single Sign-On does not work for an application after you create or modify the credentials with the adapter. The logon details that are automatically completed for the user include the old password and therefore prevent a successful logon. The wallet used by AccessAgent does not contain the updated password.

Corrective action: Ensure that you synchronized AccessAgent with IBM Security Access Manager Enterprise Single Sign-On to download the latest credentials into the user’s wallet.
1. Right-click the icon in the system tray while AccessAgent is running.
2. Select Synchronize with IMS.
If this option is not available, you must enable the WalletSyncManualEnabled registry setting.
1. Type regedit on a command line.
2. Click HKEY_LOCAL_MACHINE > SOFTWARE > Encentuate > Temp.
3. Set WalletSyncManualEnabled to 1.
4. Click File > Exit.
Try the synchronization steps again.

Problem: Error 1392509705 can occur when you add an IBM Security Access Manager Enterprise Single Sign-On account. A message similar to the following is in the Result details section of the Process Details screen for the add request:

ERROR [C:\Program Files\IBM\TDI\V7.1\timsol\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error: 1392509705

Corrective action: Ensure that
v The user account that you are attempting to add is a valid Active Directory or LDAP user.
v The user name and user principal name are the same as the ones defined in Active Directory.
v The password is correct if the IMS Server is configured to synchronize the password with Active Directory.

Problem: Error 1392509704 can occur when you add an IBM Security Access Manager Enterprise Single Sign-On account. A message similar to the following is in the Result details section of the Process Details screen for the add request:

ERROR [C:\Program Files\IBM\TDI\V7.1\timsol\ITIM_RMI.xml] - COMPONENT Add: ERROR Add user failed with error: 1392509704

Corrective action: You must create the account in Active Directory before you provision the IBM Security Access Manager Enterprise Single Sign-On account. The IMSAccount ID must include the domain, if
v IBM Security Access Manager Enterprise Single Sign-On is configured for Enterprise Directory password synchronization.
v An IMSAccount is provisioned before the AD account.
For example: ibm.com\alblair.

Problem: An error can occur when you add an IBM Security Access Manager Enterprise Single Sign-On account. A message similar to the following is in the Result details section of the Process Details screen for the add request:

ERROR [C:\Program Files\IBM\TDI\V7.1\timsol\ITIM_RMI.xml] - COMPONENT OperationName: ERROR OperationName user failed with error: IntValue ResultCode

Corrective action: Go to https://isamesso_server_name/ims/ui/diagnostics for an explanation of all IBM Security Access Manager Enterprise Single Sign-On error codes. Find out what the result code in the message means and then fix the problem.


Appendix A. Upgrading the IBM Security Access Manager Enterprise Single Sign-On Adapter

If a previous version of this adapter is already installed on your system, you can upgrade it.

Before you begin

The upgrade path is from adapter version 5.1.10 to version 6.0. If your adapter level is earlier than 5.1.10, you must first upgrade the adapter to version 5.1.10. No direct upgrade paths for versions earlier than 5.1.10 exist.

You must have the following files:

From the adapter package

v SAMESSOConnector.jar

v subforms.zip

v enc_workflow_sample.xml

v SAMESSOWfe.jar

v The adapter profile in the TAMESSOProfile.jar

Before you import the new adapter profile, verify that the following conditions are met:
v The IBM Security Identity Manager server is installed and running.
v You have root or Administrator authority on the IBM Security Identity Manager server.

Procedure
1. Upgrade the Security Access Manager E-SSO Connector.
   a. Stop the Dispatcher service. See “Start, stop, and restart of the adapter service” on page 16.
   b. Delete sqljdbc.jar from the ITDI_HOME/jars/3rdparty/others directory.
   c. Replace the existing SAMESSOConnector.jar on the Tivoli Directory Integrator server with the SAMESSOConnector.jar from the adapter package.
   d. Start the Dispatcher service.
2. Upgrade the SSL Configuration.
   If you upgraded the IMS Server or configured IMSBridge with some credentials, refresh the SSL configuration between the Dispatcher and the IMS Server. See “Configuring the SSL connection between Dispatcher and the IMS Server” on page 15.
3. On the IBM Security Access Manager Enterprise Single Sign-On product, enable the changePassword operation.
   a. On the IBM Security Access Manager Enterprise Single Sign-On product, log on to AccessAdmin.
   b. Navigate to System Policies > Sign up Policies > Option for specifying secret.
   c. Choose Secret not required.
   d. Click Update.


4. Upgrade the IBM Security Access Manager Enterprise Single Sign-On Profile.
   The adapter profile is contained within the JAR file, TAMESSOProfile.jar, which is included in the IBM Security Access Manager Enterprise Single Sign-On Adapter distribution package. To import the adapter profile, complete the following steps:
   a. Import the adapter profile with the IBM Security Identity Manager import feature. See “Importing the adapter profile into the IBM Security Identity Manager server” on page 16.
   b. Restart the Dispatcher service.
   Note: If you receive an error related to the schema when you import the adapter profile, see the trace.log file for information about the error. The trace.log file location is specified with the handler.file.fileDir property, which is defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ISIM_HOME\data directory.
5. Perform a full reconciliation on the service.
   a. Log on to IBM Security Identity Manager.
   b. Click Manage Services.
   c. Click Search.
   d. Click the arrow icon next to ISAMESSO Service.
   e. Click Reconcile Now.
6. Upgrade the IBM Security Access Manager Enterprise Single Sign-On workflow extensions.
   a. Edit the workflowextensions.xml file in the ISIM_HOME\data directory. Use the enc_workflow_sample.xml file from the installation package as an example.
   b. Remove the old SAMESSOWfe.jar file from the appropriate directory. For Tivoli Identity Manager 5.1: WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\app_web.war\WEB-INF\lib
   c. Copy SAMESSOWfe.jar from the installation package to the appropriate directory.
   d. Extract the subforms.zip archive from the adapter package into a temporary directory.
   e. Copy the folder and the files in subforms\samesso to the WEBSPHERE_HOME\AppServer\profiles\SERVER_NAME\installedApps\NODE_NAME\ITIM.ear\itim_console.war\subforms\samesso directory.
   f. Restart IBM Security Identity Manager from the WebSphere Application Server console.

What to do next

Verify the upgrade installation. See Chapter 4, “Taking the first steps after installation,” on page 29.


Appendix B. Uninstalling the adapter

To uninstall the adapter completely, you must uninstall it from the Tivoli Directory Integrator server. You also must remove the adapter profile from the IBM Security Identity Manager server.

Uninstalling the adapter from the Tivoli Directory Integrator
The adapter installation process also installs the Tivoli Directory Integrator IBM Security Access Manager Enterprise Single Sign-On connector. Therefore, you must remove the TAMESSOConnector.jar file from the Tivoli Directory Integrator.

Procedure
1. Stop the Dispatcher service. See “Start, stop, and restart of the adapter service” on page 16.
2. Remove the TAMESSOConnector.jar file from the ITDI_HOME/jars/connectors directory.
3. Start the Dispatcher service.

Removing the adapter profile from the IBM Security Identity Manager server

You remove the adapter profile when you delete the service type from the IBM Security Identity Manager.

Before you begin

Before removing the adapter profile, ensure that no objects exist on the IBM Security Identity Manager server that reference the adapter profile.

Examples of objects on the IBM Security Identity Manager server that can reference the adapter profile are:
v Adapter service instances
v Policies referencing an adapter instance or the profile
v Accounts

About this task

The Dispatcher component must be installed on your system for adapters to function correctly in a Tivoli Directory Integrator environment. When you delete the adapter profile for the IBM Security Access Manager Enterprise Single Sign-On Adapter, do not uninstall the Dispatcher.

For information about how to remove the adapter profile, see the IBM Security Identity Manager Information Center. Search on deleting service types.

Procedure
1. Log in to the IBM Security Identity Manager server with an account that has the authority to perform administrative tasks.
2. From the navigation tree, click Configure System > Manage Service Types. The Manage Service Types page is displayed.
3. Select the check box for the service profile you want to delete.
4. Click Delete.
5. On the Confirm page, click Delete or click Cancel.

Results

A message indicates that you successfully deleted the service type.


Appendix C. IBM Security Access Manager Enterprise Single Sign-On Adapter Supported Attributes

This appendix provides information about attributes that you can use to configure the adapter.
v “Adapter attributes and object classes”
v “Adapter Configuration Properties”

Adapter attributes and object classes
After you install the adapter profile, the IBM Security Access Manager Enterprise Single Sign-On Adapter supports a standard set of attributes. You can use these attributes to customize IBM Security Access Manager Enterprise Single Sign-On service and account forms. For information about creating forms, see the IBM Security Identity Manager Information Center.

The following tables show the standard attributes and object classes supported by the adapter.

Table 5. Supported attributes

IBM Security Identity Manager Name | Attribute Name          | Description                                                         | Data Type
Account Name                       | eruid                   | IBM Security Access Manager Enterprise Single Sign-On user account  | String
Password                           | erpassword              | IBM Security Access Manager Enterprise Single Sign-On user password | Password
User Principal Name                | ertamessoprincipalname  | User Principal Name in Active Directory                             | String

Table 6. Supported object classes

Description   | Object class name in schema | Superior
Account class | ertamessoaccount            | top
Service class | ertamessoservice2           | top

Adapter Configuration Properties
For information about setting Tivoli Directory Integrator configuration properties for the operation of the adapter, see the Dispatcher Installation and Configuration Guide.


Appendix D. Configuration of IBM Security Access Manager

You can use the IBM Security Access Manager to manage your AccessProfiles.

This configuration is an optional configuration for organizations that use IBM Security Identity Manager with IBM Security Access Manager Enterprise Single Sign-On for provisioning.

Note: If you perform this configuration after you configured the adapter, you must update the Authentication Services Mapping on the service form.

AccessProfiles creation for IBM Security Access Manager
This section provides information about creating an AccessProfile for IBM Security Access Manager.

You can create an AccessProfile for the IBM Security Access Manager basic authentication logon prompt, which is displayed by Internet Explorer. It uses the IBM Security Access Manager dir_tam authentication service and the app_iexplore application.

AccessAgent uses AccessProfiles to recognize the IBM Security Access Manager basic authentication logon prompt. AccessAgent automatically fills in the logon prompt with the IBM Security Access Manager user name and the password. Before using AccessStudio, log on to AccessAgent as the IBM Security Access Manager administrator.

To create AccessProfiles for IBM Security Access Manager, see the IBM Security Access Manager Information Center. Search for AccessProfile.

Configuring IBM Security Access Manager as an enterprise authentication service

Configure IBM Security Access Manager as an enterprise authentication service in the IMS Server so that AccessAgent can manage IBM Security Access Manager as an enterprise authentication service.

About this task

Audit logs are submitted to the IMS Server when users log on to IBM Security Access Manager. Use the AccessAdmin web interface to configure the IMS Server.

Procedure
1. Log on to AccessAgent as an administrator of IBM Security Access Manager.
2. Launch AccessAdmin. Typically, you access it at https://imsserver, where imsserver is the host name of the IMS Server.
3. Click Authentication service policies in the left panel. The current list of authentication services is shown in the right panel.
4. In the right panel, under Personal Authentication Services, look for IBM Security Access Manager.
5. Select the check box.
6. Click Move to enterprise authentication services. IBM Security Access Manager is moved to the list of enterprise authentication services.

Appendix E. Support information

You have several options to obtain support for IBM products.
v “Searching knowledge bases”
v “Obtaining a product fix” on page 46
v “Contacting IBM Support” on page 46

Searching knowledge bases
You can often find solutions to problems by searching IBM knowledge bases. You can optimize your results by using available resources, support tools, and search methods.

About this task

You can find useful information by searching the product documentation for IBM Security Identity Manager. However, sometimes you must look beyond the product documentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:
1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.
2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.
3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   v IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   v IBM Security Identity Manager Support website.
   v IBM Redbooks®.
   v IBM support communities (forums and newsgroups).
4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.
5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.

Tip: Include “IBM” and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix
A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure
1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the “Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section of the download document.

Contacting IBM Support
IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:
1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
   v Using IBM Support Assistant (ISA): Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
      a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
      b. Open ISA.
      c. Click Collection and Send Data.
      d. Click the Service Requests tab.
      e. Click Open a New Service Request.
   v Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   v By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.

Appendix F. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.
v Support for the Freedom Scientific JAWS screen reader application
v Keyboard-only operation
v Interfaces that are commonly used by screen readers
v Keys that are discernible by touch but do not activate just by touching them
v Industry-standard devices for ports and connectors
v The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in theform designer:v You can use the tab keys and arrow keys to move between the user interface

controls.v You can use the Home, End, Page Up, and Page Down keys for more

navigation.v You can launch any applet, such as the form designer applet, in a separate

window to enable the Alt+Tab keystroke to toggle between that applet and theweb interface, and also to use more screen workspace. To launch the window,click Launch as a separate window.

v You can change the appearance of applets such as the form designer by usingthemes, which provide high contrast color schemes that help users with visionimpairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center For more information aboutthe commitment that IBM has to accessibility.

© Copyright IBM Corp. 2012, 2014 49


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM's Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled "Cookies, Web Beacons and Other Technologies and Software Products and Software-as-a Service".


Index

A
accessibility x, 49
AccessProfiles, creation 43
adapter
    configuration properties 43
adapters
    architecture 1
    attributes 41
    configuration 11
    customization 41
    features 1
    installation
        overview 11
        prerequisites 8
        worksheet 8
    overview 1
    profiles
        import 16
        installation verification 17
        removal 39
    supported configurations 5
    uninstall 39
    upgrading from earlier versions 37
add operations, redefining workflow extensions 24
architecture
    overview 1
    supported configurations 5
attributes 41

C
communication among IBM Security products 4
configuration
    adapter 11
    for reconciliation 20
    for SSL 15
    for the IMS Server 14
    IBM Security Access Manager 43
    supported 5
connector, installation 14
creation
    of AccessProfiles 43
    of services 17, 26
customization
    adapter 41

D
defining an authentication service ID 25
defining workflow extensions 22
determining if group sharing accounts is installed 11
dispatcher installation, verification
    verify 14
download, software 9

E
education x
enterprise authentication service
    configuring IBM Security Access Manager 43

G
group sharing account feature
    installed, determining if 11
    removing 12

I
IBM
    Software Support x
    Support Assistant x
IBM Security Access Manager
    configuring as an enterprise authentication service 43
IBM security products
    communications among 4
IBM Support Assistant 46
identity management
    privileged 11
import
    adapter profile 16
IMS Server
    configuring for single sign-on 14
installation
    adapter 11
    after installation 29
    connector 14
    first steps 29
    language pack 28
    prerequisites 8
    procedures 13
    roadmap 7
    troubleshooting 31
    uninstall 39
    worksheet 8
integrated solutions 2
integrating
    IBM Security Access Manager Single Sign-On 2
    IBM Security Identity Manager 2
ISA 46

J
JavaScript
    Lotus Notes account type 27

K
knowledge bases 45

L
language pack
    installation 28
    same for adapters and server 28
Lotus Notes account type
    JavaScript 27

M
migration
    to privileged identity management 11

N
notices 51

O
online
    publications ix
    terminology ix
overview
    of the adapter 1

P
planning the installation 7
privileged identity management 11
    migration 11
problem-determination x
procedures for installing the adapter 13
profile
    removing 39
publication ix
publications
    accessing online ix
    list of ix

R
reconciliation
    configuring 20
redefining the add operation 24
removing group sharing account 12
removing the adapter profile 39
roadmap for installing 7
roadmaps
    installation 7
runtime
    troubleshooting 33

S
service
    configuring 26
    creating 17
    restart 16
    start 16
    stop 16
service form
    defining an authentication service ID 25
    service prerequisite 27
service type
    removal 39
setting service prerequisites 27
setting up privileged identity management 11
software
    download 9
    website 9
SSL configuration 15
support contact information 46
supported configurations 5

T
terminology ix
training x
troubleshooting
    contacting support 46
    getting fixes 46
    identifying problems 31
    runtime problems 33
    searching knowledge bases 45
    support website x
    techniques for 31
troubleshooting adapter installation 31
troubleshooting and support
    troubleshooting techniques 31

U
uninstall the adapter 39
upgrading the adapter 37

V
verification
    dispatcher installation 14
    profiles 17

W
workflow extensions 21
    adding 21
    addition 21
    defining 22
    redefining 24


Printed in USA

SC27-4422-02