IBM Security Identity Manager: BlackBerry Enterprise...

IBM Security Identity ManagerVersion 7.0

BlackBerry Enterprise Server AdapterInstallation and Configuration Guide

IBM

ii IBM Security Identity Manager: BlackBerry Enterprise Server Adapter Installation and Configuration Guide

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

Chapter 1. Overview . . . . . . . . . 1Features of the adapter . . . . . . . . . . . 1Architecture of the adapter . . . . . . . . . 1Supported configurations . . . . . . . . . . 2

Chapter 2. Planning. . . . . . . . . . 5Roadmap for IBM Tivoli Directory Integrator basedadapters, for IBM Security Identity Manager 7.x . . 5Prerequisites . . . . . . . . . . . . . . 6Prerequisites for running the adapter . . . . . . 8Software downloads . . . . . . . . . . . . 8Installation worksheet . . . . . . . . . . . 8

Chapter 3. Installing . . . . . . . . . 11Installing the dispatcher . . . . . . . . . . 11Installing the adapter binaries or connector . . . . 11Verifying the version of Tivoli Directory Integrator 12Exporting and importing the BlackBerry EnterpriseServer SSL certificate . . . . . . . . . . . 12Verifying the adapter installation . . . . . . . 13Restarting the adapter service . . . . . . . . 14Importing the adapter profile . . . . . . . . 14Creating an adapter service/target. . . . . . . 15Service/Target form details . . . . . . . . . 17Installing the adapter language package . . . . . 20

Verifying that the adapter is working correctly . . 20

Chapter 4. Upgrading . . . . . . . . 21Upgrading the adapter binaries or connector . . . 21Upgrading the adapter profile . . . . . . . . 21

Chapter 5. Configuring . . . . . . . . 23Customizing the adapter . . . . . . . . . . 23

Editing adapter profiles on the UNIX or Linuxoperating system . . . . . . . . . . . 23Modification of the maximum length of theaccount form attributes . . . . . . . . . 23Creating a JAR file and importing the profile onthe IBM Security Identity Manager . . . . . 24

Chapter 6. Troubleshooting . . . . . . 27Techniques for troubleshooting problems . . . . 27Exception messages. . . . . . . . . . . . 29Known limitations . . . . . . . . . . . . 30

Chapter 7. Uninstalling . . . . . . . . 33Removing the adapter binaries or connector . . . 33Deleting the adapter profile . . . . . . . . . 33

Chapter 8. Reference . . . . . . . . 35Adapter attributes and object classes . . . . . . 35

Index . . . . . . . . . . . . . . . 39

iii

iv IBM Security Identity Manager: BlackBerry Enterprise Server Adapter Installation and Configuration Guide

Figures

1. The architecture of the BlackBerry EnterpriseServer Adapter . . . . . . . . . . . . 2

2. Example of a single server configuration . . . 23. Example of multiple server configuration 3

v

vi IBM Security Identity Manager: BlackBerry Enterprise Server Adapter Installation and Configuration Guide

Tables

1. Prerequisites to install the adapter . . . . . 72. BlackBerry Enterprise Server Adapter

prerequisites . . . . . . . . . . . . 83. Required information to install the adapter 94. Adapter component . . . . . . . . . . 135. Attributes for the erBESAccount object class 35

6. Attributes for the erBESRMIService object class 377. Attributes for the erBESGroup object class 378. Attributes for the erBESRole object class 389. Attributes for the erBESITPolicy object class 38

10. Attributes for the erBESSWConfig object class 38

vii

viii IBM Security Identity Manager: BlackBerry Enterprise Server Adapter Installation and Configuration Guide

Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® SecurityIdentity server.

An adapter, which might or might not reside on the managed resource, functionsas a trusted virtual administrator for the resource. Adapters perform tasks suchcreating, suspending, and restoring user accounts, and other administrativefunctions that are performed manually. An adapter runs as a service,independently of whether you are logged on to the IBM Security Identity server.

The BlackBerry Enterprise Server Adapter enables communication between theIBM Security Identity server and the BlackBerry Enterprise Server.

Features of the adapterThe adapter automates several administrative and management tasks.v Creating BlackBerry-enabled user accounts from accounts that exist in the

BlackBerry Enterprise Server underlying messaging service.v Creating BlackBerry-enabled administrative user accounts. The adapter does not

manage administrative accounts that are not BlackBerry-enabled.v Modifying user account attributes such as activation passwords, groups, IT

policy, and software configurations.v Modifying login passwords for BlackBerry-enabled administrative user accounts.v Suspending, restoring, and deleting user accounts.v Reconciling user accounts and other data such as groups, roles, IT policies, and

software configurations

Architecture of the adapterSeveral components are involved in running and using the adapter. Install all thesecomponents so that the adapter can function correctly.v The Dispatcherv The Tivoli® Directory Integrator connectorv IBM Security Identity Adapter profile

You must install the Dispatcher and the adapter profile; however, the TivoliDirectory Integrator connector might already be installed with the base TivoliDirectory Integrator product.

Figure 1 on page 2 describes the components that work together to complete theuser account management tasks in a Tivoli Directory Integrator environment.

1

Supported configurationsThe adapter supports both single and multiple server configurations.v The IBM Security Identity serverv The Tivoli Directory Integrator serverv The managed resourcev The adapter

The adapter must reside directly on the server that runs the Tivoli DirectoryIntegrator server.

Single server configuration

In a single server configuration, install the following products on the same server:v IBM Security Identity serverv Tivoli Directory Integrator serverv BlackBerry Enterprise Server Adapter

This server communicates with the BlackBerry Enterprise Server server. TheBlackBerry Enterprise Server server is installed on a different server as described inFigure 2.

RMI callsIBM SecurityIdentityServer

DispatcherService(an instanceof the IBMTivoliDirectoryIntegrator)

Adapterresource

Figure 1. The architecture of the BlackBerry Enterprise Server Adapter

IBM SecurityIdentity Server

Tivoli DirectoryIntegrator Server

Adapter

Managedresource

Figure 2. Example of a single server configuration

2 IBM Security Identity Manager: BlackBerry Enterprise Server Adapter Installation and Configuration Guide

Multiple server configuration

In a multiple server configuration, the IBM Security Identity server, the BlackBerryEnterprise Server Adapter, and the BlackBerry Enterprise Server are installed ondifferent servers. Install the Tivoli Directory Integrator server and the BlackBerryEnterprise Server Adapter on the same server as described Figure 3.

IBM SecurityIdentity Managerserver

Security DirectoryIntegrator server Managed

resource

Adapter

Figure 3. Example of multiple server configuration

Chapter 1. Overview 3

Chapter 2. Planning

Installing and configuring the adapter involves several steps that you mustcomplete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBMSecurity Identity Manager 7.x

Follow this section when using the guide to install, configure, troubleshoot, oruninstall the adapter.

Pre-installation

Complete these tasks.1. Verify that your environment meets the software and hardware requirements

for the adapter. See Prerequisites.2. Obtain the installation software. See Software downloads.3. Obtain the necessary information for the installation and configuration. See

Installation worksheet.

Installation

Complete these tasks.1. Install the dispatcher.2. Install the adapter binaries or connector.3. Install 3rd party client libraries.4. Set up the adapter environment.5. Restart the adapter service.6. Import the adapter profile.7. Create an adapter service/target.8. Install the adapter language package.9. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a full installation of the adapter. Follow the Installationroadmap.

Configuration

Complete these tasks.1. Configure secure communication between the IBM Security Identity server and

the adapter.a. Configure 1-way authentication.b. Configure 2-way authentication.

2. Configure secure communication between the adapter and the managed target.a. Configure 1-way authentication.b. Configure 2-way authentication.

5

3. Configure the adapter.4. Modify the adapter profiles.5. Customize the adapter.

Troubleshooting

See the following topics.v Techniques for troubleshooting problemsv Configure debuggingv Logsv Error messages and problem solving

Uninstallation

Complete these tasks.1. Stop the adapter service.2. Remove the adapter binaries or connector.3. Remove 3rd party client libraries.4. Delete the adapter service/target.5. Delete the adapter profile.

Reference

See the following topics.v Adapter attributes and object classesv Adapter attributes by operationsv Special attributes

PrerequisitesVerify that your environment meets the software and hardware requirements forthe adapter.

The following table identifies the software and operating system prerequisites forthe adapter installation.

Ensure that you install the adapter on the same workstation as the Tivoli DirectoryIntegrator server.


Table 1. Prerequisites to install the adapter

Prerequisite Description

Directory Integrator v IBM Tivoli Directory Integrator Version7.1.1 + 7.1.1-TIV-TDI-FP0004 +7.2.0-ISS-SDI-LA0008

v IBM Security Directory Integrator Version7.2

Note:

v Earlier versions of IBM Tivoli DirectoryIntegrator that are still supported mightfunction properly. However, to resolveany communication errors, you mustupgrade your Directory Integrator releaseto the versions that the adapter officiallysupports.

v The adapter supports IBM SecurityDirectory Integrator 7.2, which is availableonly to customers who have the correctentitlement. Contact your IBMrepresentative to find out whether youhave the entitlement to download IBMSecurity Directory Integrator 7.2.

IBM Security Identity server The following servers are supported:

v IBM Security Identity Manager serverVersion 6.0

v IBM Security Identity Manager serverVersion 7.0

v IBM Security Privileged Identity ManagerVersion 2.0

v IBM Security Identity Governance andIntelligence server Version 5.2.2

BlackBerry Enterprise Server for Domino Version 5.0.3

System Administrator authority To complete the adapter installationprocedure, you must have systemadministrator authority.

Tivoli Directory Integrator adapters solutiondirectory

A Tivoli Directory Integrator adapterssolution directory is a Tivoli DirectoryIntegrator work directory for adapters.

For more information, see the DispatcherInstallation and Configuration Guide.

BlackBerry Enterprise Server For either:

v Lotus Domino

v Microsoft Exchange

For information about the prerequisites and supported operating systems for TivoliDirectory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.

Chapter 2. Planning 7

Prerequisites for running the adapterThe following table lists the requirements to run the BlackBerry Enterprise ServerAdapter.

Table 2. BlackBerry Enterprise Server Adapter prerequisites

Requirement Description Task

Export and Import the SSLCertificate.

Export the SSL certificate fromthe managed resource andimport it to the certificateauthority (CA) truststore of theTivoli Directory IntegratorJava™ Virtual Machine (JVM).

See “Exporting and importing the BlackBerryEnterprise Server SSL certificate” on page 12.

Create a separate Tivoli DirectoryIntegrator environment for theBlackBerry Enterprise Serverconnector.

Best practice is to run theBlackBerry Enterprise Serverconnector in its own TivoliDirectory Integratorenvironment.

In the Tivoli Directory Integrator environment,delete the ITDI_HOME/jars/3rdparty/IBM/axis2directory. Failure to remove this directorycauses the connector to fail.

Software downloadsDownload the software through your account at the IBM Passport Advantage®

website.

Go to IBM Passport Advantage.

See the corresponding IBM Security Identity server Download Document forinstructions.

Note:

You can also obtain additional adapter information from IBM Support.

Installation worksheetThe installation worksheet lists the information that is required to install andconfigure the adapter. Complete this worksheet before you start the installationprocedure for ease of reference. Make a copy of the worksheet for each adapterinstance you install.


http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

Table 3. Required information to install the adapter

Required information Description Value

Tivoli DirectoryIntegrator HomeDirectory

The ITDI_HOME directory containsthe jars/connectors subdirectory thatcontains adapter JAR files. Forexample, the jars/connectorssubdirectory contains the JAR file forthe UNIX adapter.

If Tivoli DirectoryIntegrator is automaticallyinstalled with your product,the default directory pathfor Tivoli DirectoryIntegrator is as follows:

Windows:

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1

UNIX:

v for version 7.1:

/opt/IBM/TDI/V7.1

Adapters solutiondirectory

When you install the dispatcher, theinstaller prompts you to specify a filepath for the solution directory. Formore information about the solutiondirectory, see the DispatcherInstallation and Configuration Guide.

The default solutiondirectory is at:

Windows:

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1\timsol

UNIX:

v for version 7.1:

/opt/IBM/TDI/V7.1/timsol

Chapter 2. Planning 9

Chapter 3. Installing

Installing the adapter mainly involves importing the adapter profile and creatingan adapter service. Depending on the adapter, several other tasks can be involvedto completely install it.

All IBM Tivoli Directory Integrator based adapters require the Dispatcher for theadapters to function correctly. If the Dispatcher is installed from a previousinstallation, do not reinstall it unless the Dispatcher is upgraded. See Installing thedispatcher.

Depending on your adapter, the Tivoli Directory Integrator connector mightalready be installed as part of the Tivoli Directory Integrator product and nofurther action is required. If the connector is not pre-installed, install it after theDispatcher.

Installing the dispatcherIf this is the first Tivoli Directory Integrator-based adapter installation, you mustinstall the RMI Dispatcher before you install the adapter. Install the RMIDispatcher on the same Tivoli Directory Integrator server where you want to installthe adapter.

If you already installed the RMI Dispatcher for another adapter, you do not needto reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integratorenvironment, download the Dispatcher installer from the IBM Passport Advantagewebsite. For more information about the installation, see the Dispatcher Installationand Configuration Guide.

Installing the adapter binaries or connectorThe connector might or might not be available with the base Tivoli DirectoryIntegrator or Security Directory Integrator product. The connector is required toestablish communication between the adapter and the Dispatcher.

Before you beginv Verify that your site meets all the prerequisite requirements. See “Prerequisites”

on page 6 and “Prerequisites for running the adapter” on page 8.

Note: The ITDI_HOME/jars/3rdparty/IBM/axis2 directory must be removed fromthe Tivoli Directory Integrator environment. You can either delete it or move itto a location outside of the Tivoli Directory Integrator environment. If theBlackBerry Enterprise Server Adapter is uninstalled, you might need to restorethis directory.

v The Dispatcher must be installed.

Procedure1. Create a temporary directory on the workstation where you want to extract the

adapter.

11

http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

2. Extract the contents of the compressed file in the temporary directory. Theextracted files are typically:ibmdita.csslicenselicense/LA... more licenses...license/LI_zh_TW... doc files ...ReleaseNotes-BES-6.0.htmlconnectorsconnectors/dominoconnectors/domino/BESConnector.jarconnectors/exchangeconnectors/exchange/BESConnector.jarBESProfile.jar

3. Copy the appropriate BESConnector.jar file for your system to theITDI_HOME/jars/connectors directory.v For BlackBerry Enterprise Server for IBM Lotus Domino, copy the

connectors/domino/BESConnector.jar

v For BlackBerry Enterprise Server for Microsoft Exchange, copy theconnectors/exchange/BESConnector.jar file

4. Restart the adapter service.

Verifying the version of Tivoli Directory IntegratorBefore you install the adapter, ensure that the Tivoli Directory Integrator is asupported version.

Procedure1. Navigate to the build.properties file in the ITDI_HOME\etc\ directory on a

Windows operating system.2. Open the file in text editor, such as Notepad and check the value of the Version

property. For example, if fix pack 1 is installed on the base version of TivoliDirectory Integrator 7.1, then the value of Version property is 7.1.0.1.

Exporting and importing the BlackBerry Enterprise Server SSLcertificate

You must download the certificate from the BlackBerry Administrative Server andimport it to the CA certificate keystore.

Before you begin

Go to the BlackBerry Getting Started website to ensure that you have the mostcurrent instructions for downloading the certificate. http://docs.blackberry.com/en/developers/deliverables/25822/Download_a_copy_of_the_SSL_cert_of_the_BAS_1430255_11.jsp

About this task

Perform the following steps to download and import the BlackBerry EnterpriseServer SSL certificate.


http://docs.blackberry.com/en/developers/deliverables/25822/Download_a_copy_of_the_SSL_cert_of_the_BAS_1430255_11.jsp



Procedurev To download the BlackBerry Enterprise Server root certificate:

1. Create a temporary directory. For example, C:\temp\baa.2. In a browser, open the BlackBerry Administration Service. Go to

https://servername/webconsole/app. Servername represents the fullyqualified domain name (FQDN) or the IP address of the server that hosts theBlackBerry Administration Service.

3. Click File > Properties.4. In the Properties window, click Certificates.5. Click Details.6. Click Copy to File.7. Follow the screen instructions to copy the certificate in DER encoded binary

format to the temporary directory that you created.

The certificate is copied to C:\temp\baa\bascert.cer.v To import the server root certificate:

Note: You must provide your CA certificate keystore password to import theserver root certificate.1. Locate the server root certificate file that you exported from BlackBerry

Enterprise Server and copy it to the target host.2. Import the certificate to the local CA certificate keystore.

a. Change directories to ITDI_HOME/jvm/jre/bin directory.b. Type: keytool -import -trustcacerts -file \temp\baa\bascert.cer

-keystore ITDI_HOME/timsol/serverapi/testadmin.jks -storepassadministrator -alias bas

Note: The default password for the testadmin.jks keystore isadministrator.

The Java keytool displays a confirmation that the certificate is added to thekeystore.

Verifying the adapter installationIf the adapter is installed correctly, you can verify that the components exist in thespecified directories.

Table 4. Adapter component

Adapter component Directory

BESConnector.jarOn the Windows operating system

ITDI_HOME\jars\connectors\

On the UNIX operating systemITDI_HOME/jars/connectors/

To upgrade the BlackBerry Enterprise Server connector, copy the newBESConnector.jar file over the existing one. Restart the Tivoli Directory Integratorserver.

Chapter 3. Installing 13

Verifying the BlackBerry Enterprise Server environment

The adapter supports two versions of the connector. One for the Lotus Dominoenvironment and the other for the Microsoft Exchange environment. Use themanifest file to verify that the correct BESConnector.jar file is installed for yourenvironment.1. Issue the command:

jar xvf BESConnector.jar META-INF/MANIFEST.MF

2. Open the META-INF/MANIFEST.MF file with an editor.3. Verify that the Implementation is correct for your environment.

Implementation-Title: IBM Security Identity Manager BlackBerry Enterprise Serverfor Lotus Domino Adapter Connector

orImplementation-Title: IBM Security Identity Manager BlackBerry Enterprise Serverfor Microsoft Exchange Adapter Connector

Restarting the adapter serviceVarious installation and configuration tasks might require the adapter to berestarted to apply the changes. For example, you must restart the adapter if thereare changes in the adapter profile, connector, or assembly lines. To restart theadapter, restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in theDispatcher Installation and Configuration Guide.

Importing the adapter profileAn adapter profile defines the types of resources that the IBM Security Identityserver can manage. It is packaged with the IBM Security Identity Adapter. Use theadapter profile to create an adapter service on IBM Security Identity server andestablish communication with the adapter.

Before you beginv You have root or administrator authority on the IBM Security Identity Manager

server.v The file to be imported must be a Java archive (JAR) file. The

<Adapter>Profile.jar file includes all the files that are required to define theadapter schema, account form, service/target form, and profile properties. Ifnecessary, you can extract the files from the JAR file, modify the files, andrepackage the JAR file with the updated files.The JAR file for IBM SecurityIdentity Manager is located in the top level folder of the installation package.

About this task

Service definition files are also called adapter profile files.

If the adapter profile is not installed correctly, the adapter cannot functioncorrectly. You cannot create a service with the adapter profile or open an account


on the service. You must import the adapter profile again.

Procedure1. Log on to the IBM Security Identity Manager server by using an account that

has the authority to perform administrative tasks.2. From the navigation tree, select Configure System > Manage Service Types.

The Manage Service Types page is displayed.3. On the Manage Service Types page, click Import. The Import Service Type page

is displayed.4. On the Import Service Type page, complete these steps:

a. In the Service Definition File field, type the directory location of the<Adapter>Profile.jar file, or click Browse to locate the file. For example, ifyou are installing the IBM Security Identity Adapter for a Windows serverthat runs Active Directory, locate and import the ADProfileJAR file.

b. Click OK to import the file.

Results

A message indicates that you successfully submitted a request to import a servicetype.

What to do nextv The import occurs asynchronously, which means it might take some time for the

service type to load into the IBM Security Identity server from the propertiesfiles and to be available in other pages. On the Manage Service Types page, clickRefresh to see the new service type. If the service type status is Failed, checkthe log files to determine why the import failed.

v If you receive a schema-related error, see the trace.log file for informationabout it. The trace.log file location is specified by the handler.file.fileDirproperty that is defined in the enRoleLogging.properties file. TheenRoleLogging.properties file is in the IBM Security Identity serverHOME\datadirectory. .

Creating an adapter service/targetAfter you import the adapter profile on the IBM Security Identity server, create aservice/target so that IBM Security Identity server can communicate with themanaged resource.

Before you begin

Complete “Importing the adapter profile” on page 14.

About this task

You must create an administrative user account for the adapter on the managedresource. You can provide the account information such as administrator name andpassword when you create the adapter service. Ensure that the account hassufficient privileges to administer the users. For information about creating anadministrative account, see the documentation for the managed resource.

To create or change a service, you must use the service form to provideinformation for the service. Service forms might vary depending on the adapter.The service name and description that you provide for each service are displayed


on the console. Therefore, it is important to provide values that make sense to yourusers and administrators.

Procedure1. From the navigation tree, click Manage Services. The Select a Service page is

displayed.2. On the Select a Service page, click Create. The Create a Service wizard is

displayed.3. On the Select the Type of Service page, click Search to locate a business unit.

The Business Unit page is displayed.4. On the Business Unit page, complete these steps:

a. Type information about the business unit in the Search information field.b. Select a business type from the Search by list, and then click Search. A list

of business units that matches the search criteria is displayed.If the table contains multiple pages, you can do the following tasks:v Click the arrow to go to the next page.v Type the number of the page that you want to view and click Go.

c. In the Business Units table, select business unit in which you want tocreate the service, and then click OK. The Select the Type of Service pageis displayed, and the business unit that you specified is displayed in theBusiness unit field.

5. On the Select the Type of Service page, select a service type, and then clickNext.If the table contains multiple pages, you can do the following tasks:v Click the arrow to go to the next page.v Type the number of the page that you want to view and click Go.

6. On either the Service Information or General Information page, specify theappropriate values for the service instance. The content of the GeneralInformation page depends on the type of service that you are creating. Thecreation of some services might require more steps.

7. On the Authentication page, configure authentication (either password-basedor key-based) for the service, and then click Next or Finish. TheAuthentication page is displayed only if you are creating a POSIX serviceinstance.

8. On the Dispatcher Attributes page, specify information about the dispatcherattributes, and then click Next or OK. The Dispatcher Attributes page isdisplayed only for IBM Security Directory Integrator based services.

9. Optional: On the Access Information page, select the Define an Access checkbox to activate the access definition fields. Select the type of access you wantto enable. Specify the expected access information and any other optionalinformation such as description, search terms, more information, or badges.

10. On the Status and Information page, view information about the adapter andmanaged resource, and then click Next or Finish. The adapter must berunning to obtain the information.

11. On the Configure Policy page, select a provisioning policy option, and thenclick Next or Finish. The provisioning policy determines the ownership typesavailable for accounts. The default provisioning policy enables only Individualownership type accounts. Additional ownership types can be added bycreating entitlements on the provisioning policy.


Note: If you are creating a service for an identity feed, the Configure Policypage is not displayed.

12. Optional: On the Reconcile Supporting Data page, either do an immediatereconciliation for the service, or schedule a supporting data reconciliation, andthen click Finish. The Reconcile Supporting Data page is displayed for allservices except for identity feed services.The supporting data only reconciliation option retrieves only the supportingdata for accounts. The supporting data includes groups that are defined onthe service. The type of supporting data is defined in the adapter guide.

13. Optional: On the Service Information or General Information page, click TestConnection to validate that the data in the fields is correct, and then clickNext or Finish. If the connection fails, contact the analyst who is responsiblefor the computer on which the managed resource runs.

Results

A message is displayed, indicating that you successfully created the serviceinstance for a specific service type.

Service/Target form detailsComplete the service/target form fields.

On the General Information tab:

Service NameSpecify a name that defines the adapter service on the IBMSecurity Identity server.

Note: Do not use forward (/) or backward slashes (\) in theservice name.

Description Specify a description that identifies the service for yourenvironment.

Tivoli Directory Integrator location

Specify the URL for the IBM Tivoli Directory Integrator instance.The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the IBM Tivoli DirectoryIntegrator host and port is the port number for the RMI Dispatcher.

The default URL for the default SDI1 instance isrmi://localhost:1099/ITDIDispatcher.

Server Host NameSpecify the name of the host that is running the BlackBerryEnterprise Server.

Administrator NameSpecify the administrator user that is used to log in to the resourceand perform user management operations. Make sure that theadministrator user has Security Administrator authority on theBlackBerry Enterprise Server.

Note: If you use the Active Directory authenticator type, do notuse a domain-qualified administrator name. That is, do not use theDomainName\UserName format, just use UserName.


PasswordSpecify the password for administrator user.

Authentication DomainSpecify the authentication domain to use when the userauthenticates to the BlackBerry Enterprise Server. This field is notrequired for all authenticator types. Active Directory authenticationrequires an authentication domain, but BlackBerry AdministrationService authentication does not.

Authenticator TypeSpecify the type of authentication to use to access the BlackBerryEnterprise Server. The following are examples of authenticatortypes.v Active Directoryv BlackBerry Administration Servicev Domino mailbox

Note: This field is not case-sensitive.

On the Dispatcher Attributes tab:

AL FileSystem PathSpecify the file path from where the dispatcher loads the assemblylines. If you do not specify a file path, the dispatcher loads theassembly lines that are received from IBM Security Identity server.You can specify a file path such as the following to load theassembly lines from the profiles directory of the Windowsoperating system: c:\Program Files\IBM\TDI\V7.1\profiles or youcan specify the following file path to load the assembly lines fromthe profiles directory of the UNIX and Linux operating systems:/opt/IBM/TDI/V7.1/profiles. You must extract the assembly linefiles from the profile JAR file. Use a command such asjar xvf BESProfile.jar

extracts the filesBESProfileBESProfile/BESAdd.xmlBESProfile/BESDelete.xmlBESProfile/BESModify.xmlBESProfile/BESSearch.xmlBESProfile/BESTest.xmlBESProfile/CustomLabels.propertiesBESProfile/erBESAccount.xmlBESProfile/erBESRMIService.xmlBESProfile/schema.dsmlBESProfile/service.def

You must copy the assembly line files to the location that youspecify for the AL FileSystem Path.

Max Connection CountSpecify the maximum number of assembly lines that the dispatchercan execute simultaneously for the service. If you enter 0 in the


Max Connection Count field, the dispatcher does not limit thenumber of assembly lines that are executed simultaneously for theservice.

Disable AL CachingSelect the check box to disable the assembly line caching in thedispatcher for the service. The assembly lines for the reconciliationand test operations are not cached.

On the Status and information tabContains read only information about the adapter and managed resource.These fields are examples. The actual fields vary depending on the type ofadapter and how the service form is configured. The adapter must berunning to obtain the information. Click Test Connection to populate thefields.

Last status update: DateSpecifies the most recent date when the Status and information tabwas updated.

Last status update: TimeSpecifies the most recent time of the date when the Status andinformation tab was updated.

Managed resource status Specifies the status of the managed resource that the adapter isconnected to.

Adapter version Specifies the version of the adapter that the service uses toprovision request to the managed resource.

Profile version Specifies the version of the profile that is installed in the IBMSecurity Identity server.

TDI version Specifies the version of the Tivoli Directory Integrator on which theadapter is deployed.

Dispatcher version Specifies the version of the Dispatcher.

Installation platformSpecifies summary information about the operating system wherethe adapter is installed.

Adapter account Specifies the account that running the adapter binary file.

Adapter up time: Date Specifies the date when the adapter started.

Adapter up time: Time Specifies the time of the date when the adapter started.

Adapter memory usage Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Alsov Verify the adapter log to ensure that the test request was successfully

sent to the adapter.


v Verify the adapter configuration information.v Verify service parameters for the adapter profile, such as the work

station name or the IP address of the managed resource, and the port.

Installing the adapter language packageThe adapters use a separate language package from IBM Security IdentityManager.

See Installing the adapter language pack from the IBM Security Identity Managerproduct documentation.

Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.

Procedure1. Test the connection for the service that you created on the IBM Security Identity

server.2. Run a full reconciliation from the IBM Security Identity server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.


Chapter 4. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such asupgrading the dispatcher, the connector, and the adapter profile. Depending on theadapter, some of these tasks might not be applicable. Other tasks might also berequired to complete the upgrade.

Upgrading the adapter binaries or connectorThe new adapter package might require you to upgrade the connector.

Before you begin

Read the Release Notes to obtain the version level of the new connector.

Procedure1. Determine the version level of the installed connector

a. Change to a temporary directory.b. Copy the BESConnector.jar file from the ITDI_HOME/jars/connectors

directory.c. Extract the manifest file by issuing the command:

jar xvf BESConnector.jar META-INF/MANIFEST.MF

d. Change to the META-INF directory and examine the MANIFEST.MF file todetermine the version number of the connector. This example shows asample of the manifest file contents.Manifest-Version: 1.0Ant-Version: Apache Ant 1.8.0Created-By: pxi3260sr9fp2-20110625_01 (SR9 FP2) (IBM Corporation)Implementation-Vendor: IBMImplementation-Title: IBM Security Identity Manager BlackBerry Enterprise Server for Microsoft Exchange Adapter ConnectorImplementation-Version: 6.0.1.1

2. If the required version in the Release Notes is higher than the version installed,copy the appropriate BESConnector.jar file for your system to theITDI_HOME/jars/connectors directory.v For BlackBerry Enterprise Server for IBM Lotus Domino, copy the

connectors/domino/BESConnector.jar

v For BlackBerry Enterprise Server for Microsoft Exchange, copy theconnectors/exchange/BESConnector.jar file

3. Restart the Tivoli Directory Integrator server.

What to do next

If required, upgrade the adapter profile.

Upgrading the adapter profileRead the adapter Release Notes for any specific instructions before you import anew adapter profile.

21

If you specified an AL FileSystem Path when you defined the service, ensure toreplace the old assembly line files with the new ones.

Note: Restart the Dispatcher service after importing the profile. Restarting theDispatcher clears the assembly lines cache and ensures that the dispatcher runs theassembly lines from the updated adapter profile.

If you upgraded the connector, the cache is already clear. Restarting the TivoliDirectory Integrator server is not required.


Chapter 5. Configuring

After you install the adapter, configure it to function correctly. Configuration isbased on your requirements or preference.

Customizing the adapterThe BlackBerry Enterprise Server Adapter has configuration options to edit theprofile, modify account form attributes, and create JAR files.

See the IBM Security Dispatcher Installation and Configuration Guide for moreconfiguration options such as:v JVM propertiesv Dispatcher filteringv Dispatcher propertiesv Dispatcher port numberv Logging configurationsv Secure Sockets Layer (SSL) communication

Editing adapter profiles on the UNIX or Linux operatingsystem

The adapter profile .jar file might contain ASCII files that are created by using theMS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see acharacter ^M at the end of each line. These characters indicate new lines of text inMS-DOS. The characters can interfere with the running of the file on UNIX orLinux systems. You can use tools, such as dos2unix, to remove the ^M characters.You can also use text editors, such as the vi editor, to remove the charactersmanually.

Example

You can use the vi editor to remove the ^M characters. From the vi commandmode, run the following command and press Enter::%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V CtrlM sequentially. The ^v instructs the vi editor to use the next keystroke instead ofissuing it as a command.

Modification of the maximum length of the account formattributes

To modify the maximum length of the attributes on the account form, you mustmodify the schema.dsml file with the required length.

23

For example, the default value for the maximum length of the Email Addressattribute is 240. To change the value of the attribute to 256, modify the schema.dsmlfile as:Old profile:

<attribute-type single-value = "true" ><name>erBESEmailAddr</name><description>BES user email address</description><object-identifier>1.3.6.1.4.1.6054.3.161.2.6</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax></attribute-type>

Modified profile:

<attribute-type single-value = "true" ><name>erBESEmailAddr</name><description>BES user email address</description><object-identifier>1.3.6.1.4.1.6054.3.161.2.6</object-identifier><syntax>1.3.6.1.4.1.1466.115.121.1.15{256}</syntax></attribute-type>

If the attribute is already defined in LDAP and contains data, you must change thelength in LDAP manually. If the attribute does not exist or does not contain data,the attribute is created with the new length when the profile is imported.

Creating a JAR file and importing the profile on the IBMSecurity Identity Manager

After you modify the schema.dsml or any other profile files, you must import thesefiles into IBM Security Identity Manager for the changes to take effect.

About this task

If you are upgrading an existing adapter profile, the new adapter profile schema isnot reflected immediately. You must stop and start the IBM Security IdentityManager server to refresh the cache and the adapter schema. For more informationabout upgrading an existing adapter, see Chapter 4, “Upgrading,” on page 21.

Procedure1. Extract the contents of the BESProfile.jar file into the temporary directory by

running the following command:cd c:\tempjar -xvf BESProfile.jar

The jar command creates the c:\temp\BESProfile directory.2. Update the profile files.3. Create a JAR file by using the files in the \temp directory by running the

following commands:cd c:\tempjar -cvf BESProfile.jar BESProfile

4. Import the BESProfile.jar file into the IBM Security Identity Manager server.For more information about importing the file, see Importing the adapterprofile.

5. Stop and start the IBM Security Identity Manager server.

Chapter 5. Configuring 25

Chapter 6. Troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal oftroubleshooting is to determine why something does not work as expected andhow to resolve the problem. This topic provides information and techniques foridentifying and resolving problems that are related to the adapter, includingtroubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problemsCertain common techniques can help with the task of troubleshooting. The firststep in the troubleshooting process is to describe the problem completely.

Problem descriptions help you and the IBM technical-support representative findthe cause of the problem. This step includes asking yourself basic questions:v What are the symptoms of the problem?v Where does the problem occur?v When does the problem occur?v Under which conditions does the problem occur?v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is theproblem?” This question might seem straightforward; however, you can break itdown into several more-focused questions that create a more descriptive picture ofthe problem. These questions can include:v Who, or what, is reporting the problem?v What are the error codes and messages?v How does the system fail? For example, is it a loop, hang, crash, performance

degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of themost important steps in resolving a problem. Many layers of technology can existbetween the reporting and failing components. Networks, disks, and drivers areonly a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolatethe problem layer:v Is the problem specific to one operating system, or is it common across multiple

operating systems?v Is the current environment and configuration supported?v Do all users have the problem?v (For multi-site installations.) Do all sites have the problem?

27

If one layer reports the problem, the problem does not necessarily originate in thatlayer. Part of identifying where a problem originates is understanding theenvironment in which it exists. Take some time to completely describe the problemenvironment, including the operating system and version, all correspondingsoftware and versions, and hardware information. Confirm that you are runningwithin an environment that is a supported configuration. Many problems can betraced back to incompatible levels of software that are not intended to run togetheror are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for thosecases that are one-time occurrences. You can most easily develop a timeline byworking backward: Start at the time an error was reported (as precisely as possible,even down to the millisecond), and work backward through the available logs andinformation. Typically, you use the first suspicious event that you find in adiagnostic log.

To develop a detailed timeline of events, answer these questions:v Does the problem happen only at a certain time of day or night?v How often does the problem happen?v What sequence of events leads up to the time that the problem is reported?v Does the problem happen after an environment change, such as upgrading or

installing software or hardware?

Responding to these types of questions can give you a frame of reference in whichto investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problemoccurs is an important part of troubleshooting. These questions about yourenvironment can help you to identify the root cause of the problem:v Does the problem always occur when the same task is being done?v Is a certain sequence of events required for the problem to occur?v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment inwhich the problem occurs and correlate any dependencies. Remember that justbecause multiple problems might occur around the same time, the problems arenot necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can bereproduced. Typically, when a problem can be reproduced you have a larger set oftools or procedures at your disposal to help you investigate. Problems that you canreproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If theproblem is of significant business impact, you do not want it to recur. If possible,re-create the problem in a test or development environment, which typically offersyou more flexibility and control during your investigation.v Can the problem be re-created on a test system?


v Do multiple users or applications have the same type of problem?v Can the problem be re-created by running a single command, a set of

commands, or a particular application?

Exception messagesException messages are recorded in the ITDI_HOME/timsol/logs/ibmdi.log file.

BES connector error

Console error messageCTGIMT605E An error occurred while processing the search operation onthe IBM Tivoli Directory Integrator server. Error: {1}

Exception thrown2012-01-06 14:37:23,359 ERROR [C__Program Files_IBM_TDI_V7.1_timsol_ITIM_RMI.xml] -recordErrorMessage():794 Assembly line start exception occured.FunctionName: executeALSearchStart(): AssemblyLineName: <<BESSearch>>Exception Class:com.ibm.di.dispatcher.rmi.AdaptersALStartException<<com.ibm.di.dispatcher.rmi.AdaptersALStartException><statusCode=2><reasonCode=100><com.ibm.di.dispatcher.FAIL_START_AL><[BESSearch_bes_3800246034950427093_071e2618-29e1-11b2-c5bd-00000930a5dc, javax.xml.bind.MarshalException - with linked exception:[javax.xml.bind.JAXBException: com.rim.com_rim_bes_bas.EncodeUsername is not known tothis context]]>>

At com.ibm.di.dispatcher.rmi.RMIDispatcherImpl.startAssemblyLine(RMIDispatcherImpl.java:1350)at com.ibm.di.dispatcher.rmi.RMIDispatcherImpl.executeALSearchStart(RMIDispatcherImpl.java:2546)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)at java.lang.reflect.Method.invoke(Method.java:600)at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:310)at sun.rmi.transport.Transport$1.run(Transport.java:171)at java.security.AccessController.doPrivileged(AccessController.java:284)at sun.rmi.transport.Transport.serviceCall(Transport.java:167)at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:547)at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:802)at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:661)at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)at java.lang.Thread.run(Thread.java:736)

Probable causeThe ITDI_HOME/jars/3rdparty/IBM/axis2 directory was not deleted fromthe BES connector Tivoli Directory Integrator environment.

Corrective actionDelete the directory from the environment and run the operation again.

If it is not feasible to remove the axis2 directory, then the Apache CXFdistribution must be downloaded and installed into theITDI_HOME/jars/patches directory. Download the latest available binarydistribution from the Apache CXF site.

Note: The classes from the Apache CXF distribution take precedence overthose classes in the axis2 distribution. Connectors depending on axis2might no longer work.

BES environment error

Console error messagesCTGIMU107W The connection to the specified service cannot beestablished. Verify the service information, and try again.

CTGIMT001E The following error occurred. Error: Failed to read aresponse: javax.xml.bind.UnmarshalException - with linkedcom.rim.com_rim_bes_bas.ServiceInstanceType - with linked exception:[java.lang.InstantiationException]]

Chapter 6. Troubleshooting 29

http://cxf.apache.org/

Probable causeThe BESConnector.jar file is not correct for the environment. For example,the Lotus Domino version of the BESConnector.jar file is installed for aMicrosoft Exchange environment.

Corrective actionReplace the BESConnector.jar file in ITDI_HOME/jars/connectors directorywith the correct connector.

RSA adapter error

Console error messageCTGIMT605E An error occurred while processing the CTGIMT401E Anerror occurred while starting the BESTest_bes_test-no-requestid_0091a9fe-29e2-11b2-8f1d-00000930a5dc agent. Error:java.lang.NoClassDefFoundError: com.sun.xml.ws.spi.ProviderImploperation on the IBM Tivoli Directory Integrator server. Error: {1}

Exception thrown2012-01-11 10:52:15,140 ERROR [C__Program Files_IBM_TDI_V7.1_timsol_ITIM_RMI.xml] -recordErrorMessage():794 Assembly line start exception occured.FunctionName: executeALRequest(): AssemblyLineName: <<BESTest>>Exception Class:com.ibm.di.dispatcher.rmi.AdaptersALStartException<<com.ibm.di.dispatcher.rmi.AdaptersALStartException><statusCode=2><reasonCode=100><com.ibm.di.dispatcher.FAIL_START_AL><[BESTest_bes_test-no-requestid_0091a9fe-29e2-11b2-8f1d00000930a5dc,java.lang.NoClassDefFoundError: com.sun.xml.ws.spi.ProviderImpl]>>

At com.ibm.di.dispatcher.rmi.RMIDispatcherImpl.startAssemblyLine(RMIDispatcherImpl.java:1350)at com.ibm.di.dispatcher.rmi.RMIDispatcherImpl.executeALRequest(RMIDispatcherImpl.java:2032)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)at java.lang.reflect.Method.invoke(Method.java:600)at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:310)at sun.rmi.transport.Transport$1.run(Transport.java:171)at java.security.AccessController.doPrivileged(AccessController.java:284)at sun.rmi.transport.Transport.serviceCall(Transport.java:167)at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:547)at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:802)at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:661)at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)at java.lang.Thread.run(Thread.java:736)

Probable causeThe RSA Authentication Manager adapter is installed in the same TivoliDirectory Integrator environment as the BES adapter.

Corrective actionMove the RSA JAR files from the ITDI_HOME/jvm/jre/lb/ext directory andinto a directory under ITDI_HOME/jars/3rdparty.

Known limitationsThe BlackBerry Enterprise Server adapter requires special configuration in the IBMTivoli Directory Integrator environment. This configuration does not support theweb services protocol that is provided by the Dispatcher.

If you try to use the dispatcher web services interface, you receive ajava.net.ConnectException: Connection refusederror on your web services client.

When you start the Dispatcher, you might see an error like the following in theITDI_HOME/timsol/logs/ibmdi.log file. You can ignore this error.

2012-07-25 16:07:38,734 ERROR [AssemblyLine.AssemblyLines/ITDIRMI_Dispatcher_Boot_AL.1]- [Boot_RMIDispatcher] CTGDIS809E handleException- cannot handle exception , scriptjava.lang.NoClassDefFoundError: org.apache.axis2.AxisFault


at java.lang.J9VMInternals.verifyImpl(Native Method)at java.lang.J9VMInternals.verify(J9VMInternals.java:72)at java.lang.J9VMInternals.initialize(J9VMInternals.java:134)at com.ibm.idm.dispatcher.webservices.SoapServerFactory.startInstance(SoapServerFactory.java:33)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:48)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)at java.lang.reflect.Method.invoke(Method.java:600)at com.ibm.jscript.types.JavaAccessObject.call(JavaAccessObject.java:298)at com.ibm.jscript.types.FBSObject.call(FBSObject.java:153)at com.ibm.jscript.ASTTree.ASTCall.interpret(ASTCall.java:151)at com.ibm.jscript.ASTTree.ASTProgram.interpretEx(ASTProgram.java:102)at com.ibm.jscript.JSExpression.interpretExpression(JSExpression.java:399)at com.ibm.jscript.JSExpression.evaluateValue(JSExpression.java:249)at com.ibm.jscript.JSExpression.evaluateValue(JSExpression.java:236)at com.ibm.jscript.JSExpression.evaluateValue(JSExpression.java:239)at com.ibm.jscript.JSInterpreter.interpret(JSInterpreter.java:53)at com.ibm.di.script.ScriptEngine.interpret(ScriptEngine.java:886)at com.ibm.di.script.ScriptEngine.interpret(ScriptEngine.java:871)at com.ibm.di.server.ScriptComponent.add1(ScriptComponent.java:244)at com.ibm.di.server.ScriptComponent.add(ScriptComponent.java:210)at com.ibm.di.server.AssemblyLine.msExecuteNextConnector(AssemblyLine.java:3748)at com.ibm.di.server.AssemblyLine.executeMainStep(AssemblyLine.java:3376)at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:3007)at com.ibm.di.server.AssemblyLine.executeMainLoop(AssemblyLine.java:2990)at com.ibm.di.server.AssemblyLine.executeAL(AssemblyLine.java:2957)at com.ibm.di.server.AssemblyLine.run(AssemblyLine.java:1305)

Caused by: java.lang.ClassNotFoundException: org.apache.axis2.AxisFaultat java.lang.ClassNotFoundException.<init>(ClassNotFoundException.java:77)at java.net.URLClassLoader.findClass(URLClassLoader.java:383)at java.lang.ClassLoader.loadClass(ClassLoader.java:652)at java.lang.ClassLoader.loadClass(ClassLoader.java:618)... 27 more

Chapter 6. Troubleshooting 31

Chapter 7. Uninstalling

To remove an adapter from the IBM Security Identity server for any reason, youmust remove all the components that were added during installation. Uninstallingan IBM Tivoli Directory Integrator based adapter mainly involves removing theconnector file, and the adapter profile from the IBM Security Identity server.Depending on the adapter, some of these tasks might not be applicable, or therecan be other tasks.

Removing the adapter binaries or connectorUse this task to remove the connector file for the BlackBerry Enterprise ServerAdapter.

About this task

To uninstall the Dispatcher, see the Dispatcher Installation and Configuration Guide.

To remove the BlackBerry Enterprise Server Adapter, complete these steps:

Procedure1. Stop the adapter service.2. Delete the ITDI_HOME/jars/connectors/BESConnector.jar file.3. Restore the axis2 directory to the ITDI_HOME/jars/3rd party/IBM directory. This

directory is the directory that was removed from the ITDI_HOME/jars/3rdparty/IBM directory when the BESConnector.jar file was installed.

Note: If instead of removing the axis2 directory you installed the Apache CXFdistribution in your Tivoli Directory Integrator environment, delete the ApacheCXF distribution. For information about Apache CXF distribution, see "BESconnector error" in “Exception messages” on page 29.

4. Start the adapter service.

Deleting the adapter profileRemove the adapter service/target type from the IBM Security Identity server.Before you delete the adapter profile, ensure that no objects exist on the IBMSecurity Identity server that reference the adapter profile.

Objects on the IBM Security Identity server that can reference the adapter profile:v Adapter service instancesv Policies referencing an adapter instance or the profilev Accounts

Note: The Dispatcher component must be installed on your system for adapters tofunction correctly in a Tivoli Directory Integrator environment. When you deletethe adapter profile, do not uninstall the Dispatcher.

For specific information about how to delete the adapter profile, see the IBMSecurity Identity Manager product documentation.

33

Chapter 8. Reference

Reference information is organized to help you locate particular facts quickly, suchas adapter attributes, registry settings, and environment variables.

Adapter attributes and object classesAdapter attributes and object classes are required for customization, creatingprovisioning rules, and understanding what service/target attributes are supportedby the adapter. The IBM Security Identity server communicates with the adapterby using attributes, which are included in transmission packets that are sent over anetwork.This topic is not applicable for this adapter.

The combination of attributes depends on the type of action that the IBM SecurityIdentity server server requests from the BlackBerry Enterprise Server Adapter.

Table 5 is a listing of the attributes that are used by the BlackBerry EnterpriseServer Adapter. The table gives a brief description and corresponding values of theattribute.

Use this key for the permissions column.R = The value is read from BES. You cannot set or change it through

IBM Security Identityserver.AR = The value is specified during the account create operation through

IBM Security Identityserver. After creation the value is read only.RW = The value is specified during the account create operation through

IBM Security Identityserver. You can modify the value through the

account modify operation.

erBESAccount class attributes

Table 5. Attributes for the erBESAccount object class

Attribute name and definition Data typeSingle-valued Permissions Required

eruid

Specifies a unique identifier (ID) for the BlackBerry user.

String Yes AR Yes

erBESUid

Specifies the BES user unique numeric identifier.

String Yes R No

erBESLoginName

Specifies the BES administrative user login name.

String Yes AR No

erBESFirstName

Specifies the given name of the BES user.

String Yes R No

erBESLastName

Specifies the family name of the BES user.

String Yes R No

35

Table 5. Attributes for the erBESAccount object class (continued)


erBESUserState

Specifies the state of a BES user account.

String Yes R No

erBESEmailAddr

Specifies the email address of the BES user.

String Yes AR No

erBESLastContactDate

Specifies the last contact date of the user account.

Date Yes R No

erBESSWTokens

Specifies the BES user account software tokens.

String No R No

erBESGroups

Specifies the BES user account groups.

String Yes RW No

erBESInitialRole

Specifies the initial role for the BES administrative useraccounts.

String Yes AR No

erBESRoles

Specifies the BES user account roles.

String No R No

erBESITPolicy

Specifies the initial IT policy of the user account.

String Yes RW No

erBESSWConfigs

Specifies the software configurations of the BES user account.

String No RW No

erBESAccessControlRules

Specifies the BES user account access control rules.

String No R No

erBESVPNConfigs

Specifies the BES user account VPN configurations.

String No R No

erBESWLANConfigs

Specifies the BES user account WLAN (WiFi) configurations.

String No R No

erBESDevices

Specifies the BES user account devices.

String No R No

erBESDisplayName

Specifies the display name of the BES user account.

String Yes R No

erBESActivationPassword

Specifies the password that is used to activate the BES useraccount.

String Yes RW No

erBESActivationPasswordExpiryHours

Specifies in hours, the lifetime of the BES user accountactivation password.

Integer Yes RW No


Table 5. Attributes for the erBESAccount object class (continued)


erBESGenActivationPassword

Specifies to generate an activation password for a BES user andto send it in an email.

Boolean Yes RW No

erBESActivationState

Specifies the activation state of the BES user account. The statuscan be password set, ongoing, completed, failed, orunsupported. If no activation password is sent to the account,the activation state is empty.

String Yes R No

erBESClearActivationPassword

Specifies whether to clear the activation password for a BESuser.

Boolean Yes RW No

erBESRMIService class attributes

Table 6. Attributes for the erBESRMIService object class

Attribute name and definitionDatatype

Single-valued Permissions Required

erBESServerHostname

Specifies the BlackBerry Enterprise Server host name.

String Yes AR Yes

erBESDomain

Specifies the authentication domain.

String Yes RW No, unlesstheauthenticatortype requiresa domain.

erBESAuthenticatorType

Specifies the authentication type. For example, Active Directory,BlackBerry Administration Service, or Domino mailbox.

String Yes RW Yes

erBESALFilesystemPath

Specifies the file system location of the AL files.

String Yes RW No

erBESMaxConnectionCnt

Specifies the maximum number of connections that TivoliDirectory Integrator can make to this BES server.

Integer Yes RW No

erBESDisableALCache

Specifies to not perform AL caching.

Boolean Yes RW No

erBESGroup class attributes

Table 7. Attributes for the erBESGroup object class


erBESGroupName

Specifies the BES group name.

String Yes R Yes

Chapter 8. Reference 37

Table 7. Attributes for the erBESGroup object class (continued)


erBESGroupId

Specifies the identifier (ID) of the BES group.

String Yes R Yes

erBESRole class attributes

Table 8. Attributes for the erBESRole object class


erBESRoleName

Specifies the name of the BES role.

String Yes R Yes

erBESRoleId

Specifies the identifier (ID) of the BES role.

String Yes R Yes

erBESITPolicy class attributes

Table 9. Attributes for the erBESITPolicy object class


erBESITPolicyName

Specifies the name of the BES IT policy.

String Yes R Yes

erBESITPolicyId

Specifies identifier (ID) of the BES IT policy.

String Yes R Yes

erBESSWConfig class attributes

Table 10. Attributes for the erBESSWConfig object class


erBESSWConfigName

Specifies the BES software configuration name.

String Yes R Yes

erBESSWConfigId

Specifies the identifier (ID) of the BES software configuration.

String Yes R Yes


Index

Aaccount forms

modifying attributes 24adapter

architecture 1attributes 35components 1configuration 23features 1installation 11

troubleshooting 27verify 13verifying 20warnings 27

installation planning 5installation worksheet 9installing 11overview 1preqrequisites 8requirements 8supported configurations 2uninstall 33upgrading 21

adaptersremoving profiles 33

architecture 1attributes

account forms, modify 24adapter 35by object class 35

BBlackBerry SSL certificate

exporting 12importing 12

Ccomponents 1configuring

adapter 23connector

files, remove 33upgrading 21

creatingJAR files 24services 15

Ddirectory integrator

version number, verify 12dispatcher

installation 11download, software 8

Eexception messages 29

Ffiles

JAR 24first steps, post-installation 23forms

modifying account attributes 24

Iimporting

JAR files 24installation

adapter 11first steps 23language pack 20uninstall 33verification

adapter 20verify 13worksheet 9

JJAR files

create 24

Kknown limitations 30

Llanguage pack

installation 20same for adapters and server 20

limitations 30

MMS-DOS ASCII characters 23

Oobject class attributes 35operating system prerequisites 6overview

adapter 1

Pplanning for installation 5post-installation first steps 23

prerequisitesfor the adapter 8

profileediting on UNIX or Linux 23

profilesupgrading 22

Rremoving

adapter profiles 33removing connector files 33requirements

adapter 8

Sservice

restart 14start 14stop 14

service, creating 15software

download 8website 8

software requirements 6SSL certificate

blackberry 12supported configurations

adapter 2overview 2

Ttroubleshooting

exception messages 29identifying problems 27known limitations 30techniques for 27

troubleshooting and supporttroubleshooting techniques 27

Uuninstallation 33uninstalling

from the directory integrator 33upgrades

adapter 21connector 21profile 22

Vverification

dispatcher installation 11installation 20operating system prerequisites 6operating system requirements 6

39

verification (continued)software prerequisites 6software requirements 6

version number, directory integrator 12vi command 23


IBM®

Printed in USA

IBM Security Identity Manager: BlackBerry Enterprise...

Documents

Transcript of IBM Security Identity Manager: BlackBerry Enterprise...