IBM Tivoli Directory Integrator enables synchronization, transformation, and migration of generic and identity data across heterogeneous systems. Tivoli Directory Integrator helps organizations maintain consistent and trusted data across multiple resources and provides:
- Plug-ins for several popular identity stores such as IBM Tivoli Directory Server, Domino (Http Password only), Microsoft™ Active Directory, and SunOne. These plug-ins securely capture passwords and make them available for processing for AssemblyLines.
- An infrastructure and several ready-to-use components for solutions that synchronize user passwords in heterogeneous software environments.
A password synchronization solution built with Tivoli Directory Integrator can intercept password changes on several systems. Synchronization is achieved through the Tivoli Directory Integrator AssemblyLines, which can be configured to propagate the intercepted passwords to desired systems.
IBM Tivoli Identity Manager provides the software and services to deploy policy-based provisioning solutions. This product helps companies automate the process of giving employees, contractors, and business partners access rights to applications they need, whether in a closed enterprise environment or across a virtual or extended enterprise.
With Tivoli Identity Manager you can efficiently manage policies, which are sets of organizational rules and logic, for passwords. A password policy defines the password strength rules that are used to determine whether a new password is valid. Tivoli Identity Manager password policies let you control the way passwords can be changed or generated, synchronized, and set throughout the system.
The Tivoli Identity Manager integration for the password synchronizer allows intercepted passwords to be verified by a password management policy defined in Tivoli Identity Manager prior to synchronization. Password synchronization incorporates password complexity checking using Tivoli Identity Manager password policies.
In this article, learn how the Tivoli Directory Integrator Password Synchronizer Plug-in can be integrated with Tivoli Identity Manager for password strength validation through Tivoli Identity Manager's password policies prior to synchronization. Follow along with detailed steps for:
- Installing and configuring Tivoli Directory Integrator password plug-ins
- Configuring Tivoli Identity Manager middleware
- Installing and configuring Tivoli Identity Manager
- Configuring Tivoli Directory Integrator for password synchronizer
- Configuring Tivoli Identity Manager password policies
- Testing Tivoli Directory Integrator password plug-ins
Install and configure Tivoli Directory Integrator password plug-ins
This section describes how to install a Tivoli Directory Integrator password plug-in and configure the Tivoli Directory Integrator-based Tivoli Directory Server password synchronizer.
- Run the Tivoli Directory Integrator Installer. From the Choose Install Set window, select the
Custom option, as in Figure 1, and click Next.
Figure 1. Tivoli Directory Integrator installation wizard
- The Install Set window opens. Click Choose Install Set, then
check the box for
Password Synchronization Plugins, as in Figure 2. Complete
the installation by following the rest of the instructions in the installation
Figure 2. Select password plug-in
The Tivoli Directory Integrator password plug-in installation is complete.
The Tivoli Identity Manager password synchronizer decorator classes are supported by the following password synchronizers:
- Password Synchronizer for Windows™
- Password Synchronizer for IBM Tivoli Directory Server
- Password Synchronizer for Sun Directory Server
- Password Synchronizer for UNIX® and Linux®
The Domino HTTP password synchronizer does not support integration with Tivoli Identity Manager. Custom password policies can be created on the Domino server. Using those password policies, the passwords can be validated before they are stored.
Configuring Tivoli Directory Server password plug-ins
The Tivoli Directory Server password synchronizer intercepts changes to LDAP passwords. The first step is to register the plug-in with the IBM Directory Server.
- Make sure the Tivoli Directory Server server is not running. Edit the IBM Directory Server configuration file <ids_dir>/etc/ibmslapd.conf.
- Find the section dn: cn=Directory, cn=RDBM Backends,
cn=IBM Directory,cn=Schemas, cn=Configuration.
Add the information in Listing 1 as one line.
Listing 1. ibmslapd.conf
Win32 ibm-slapdPlugin: preoperation "<TDI_Install_dir>\pwd_plugins\tds\ idspwsync.dll" PWSyncInit "<TDI_Install_dir>\pwd_plugins\tds\ pwsync.props" AIX64 ibm-slapdPlugin: preoperation "<TDI_Install_dir>/pwd_plugins/tds/ libidspwsync_64.a.so "PWSyncInit "<TDI_Install_dir>/pwd_plugins/tds/ pwsync.props" Linux32 ibm-slapdPlugin: preoperation "<TDI_Install_dir>/pwd_plugins/tds/ libidspwsync.so" PWSyncInit "<TDI_Install_dir>/pwd_plugins/tds/ pwsync.props".
- Start a Tivoli Directory Server instance and ensure that Tivoli Directory Server is running in normal mode. It should not be running in Config mode.
- If the Tivoli Directory Server server is running in Config mode, check the Tivoli Directory Server log (plugin.log/proxy.log) for error details and take appropriate action.
Configure Tivoli Identity Manager middleware
This section describes how to configure the middleware (DB2 and Tivoli Directory Server) required for Tivoli Identity Manager installation and configuration.
- Ensure that DB2 and Tivoli Directory Server are installed correctly with the minimum fix pack required.
- Launch the Middleware Configuration Utility for Tivoli Identity Manager.
- The window entitled Middleware Configuration Utility for IBM Tivoli Identity
Manager 5.1 displays. In this window, check the boxes for Configure IBM
DB2 Universal Database and Configure IBM
Tivoli Directory Server, then click Next, as in Figure 3.
Figure 3. Middleware installation wizard
- The next window entitled IBM DB2 Universal Database Configuration Options
opens, as shown in Figure 4. In this window, complete the required details
for IBM DB2 configuration with the following information, then click Next.
- DB2 administrator ID/instance name:
- DB2 administrator password:
- DB2 server database home:
E:, or wherever your DB server is installed
- DB2 database name:
- ITIM Database User ID:
- Password for ITIM Database User ID:
Figure 4. Configure IBM DB2
- DB2 administrator ID/instance name:
- The prompt window to configure DB2 displays. In this window, click
Yes, as shown in Figure 5.
Figure 5. Select Yes to configure DB2
After DB2 configuration is complete, the Tivoli Directory Server configuration window
opens, as shown in Figure 6. Complete the required details to configure the Tivoli
Directory Server instance with the following information, then click
- Directory server administrator ID/Instance Name:
- Directory server administrator password:
- Directory server database home:
- Directory server database name:
- Encryption seed:
Figure 6. Configure Tivoli Directory Server
- Directory server administrator ID/Instance Name:
- The continuation of the Tivoli Directory Server instance configuration window displays.
Complete the required details, as shown in Figure 7, using the
following information, then click Next.
- Administrator DN:
- Administrator DN password:
- User-defined suffix:
- Non-SSL port:
Figure 7. Configure Tivoli Directory Server instance, continued
- Administrator DN:
- The Summary window opens, as shown in Figure 8. In this window,
and wait for the Tivoli Identity Manager configuration to progress.
Figure 8. Middleware installation summary
- The window stating the process completed successfully displays, as
shown in Figure 9. Click Finish.
Figure 9. Middleware installation and configuration completed
Your Tivoli Identity Manager middleware is now installed and configured.
Install and configure Tivoli Identity Manager
This section provides details on installing and configuring Tivoli Identity Manager.
- Ensure that the IBM WebSphere Application Server, with the required fixpack, is installed before launching the Tivoli Identity Manager installation wizard.
- Launch the Tivoli Identity Manager installation wizard, as shown in Figure 10. Select your
language, then click OK.
Figure 10. Tivoli Identity Manager installation wizard
- The Installation Directory window opens. In this
window, specify the installation path, as shown in Figure 11, and click
Next. The default path is: C:\Program Files\IBM\itim.
Figure 11. Tivoli Identity Manager installation path
- In the resulting Installation Type window, shown in
Figure 12, select
Tivoli Identity Manager deployment on the Single WebSphere Application
Server instance and click Next.
Figure 12. Select Single WebSphere Application Server
- The Installation Directory of WebSphere
Application Server window opens, as shown in Figure 13. In this window, specify
the path where WebSphere Application Server is installed and click
Next. The default path is: C:\Program Files\IBM\WebSphere\AppServer.
Figure 13. Specify WebSphere Application Server installation path
- The Database Type window opens, as shown in Figure 14. In this
window, select IBM DB2 Universal Database as the server for
the Tivoli Identity Manager
data repository. Click Next.
Figure 14. Configure DB2 as a repository
- The Keystore Password then opens, as shown in Figure 15.
In this window, specify your Keystore password, confirm the password,
and click Next.
Figure 15. Keystore password
The Do you want to install Agentless Adapters? window opens, as shown in Figure 16. In this window, select
Do Not Install Agentless adapters and click Next.
Figure 16. Select non AgentLess Adapter
- The Single Server Pre-Installation Summary window opens,
as in Figure 17. Review the summary and click Install.
Figure 17. Tivoli Identity Manager installation summary
- The Installing IBM Tivoli Identity Manager
window opens (Figure 18). Enter the appropriate values for the parameters listed
below for the IBM DB2 database created
Tivoli Identity Manager middleware and click Test.
- DB2 Database Server Host Name
- DB2 Database Port Number
- DB2 Database Name
- DB2 Database Admin ID
- DB2 Database Admin Password
Figure 18. Specify DB2 details
- After the DB2 connections test is successful, the window
Configuring IBM Tivoli Identity Manager Database window opens, as in Figure 19.
This window asks for the Tivoli Identity Manager user and password required for configuring DB2 for Tivoli Identity Manager.
Specify the following values, then click
- Tivoli Identity Manager User ID
- Tivoli Identity Manager User password
Figure 19. Configure DB2 for Tivoli Identity Manager
After the DB2 configuration is complete, the Tivoli Directory Server
instance configuration window, Input LDAP Server
opens (Figure 20). Specify details for
the Tivoli Directory Server instance for the following parameters. This information has
to be the same information you specified
when you installed and configured the
middleware. Click Test.
- Principal DN
- Principal DN password
- LDAP Server Host Name
- LDAP Server Port
Figure 20. Specify Tivoli Directory Server details
- After the Tivoli Directory Server test has run successfully, the Input Directory Information
window opens. In this window, specify the Tivoli Identity Manager directory
information for the following parameters for configuring with
Tivoli Directory Server.
- Number of hash buckets
- Name of Your Organization
- Default Org Short Name
- Identity Manager DN Location
Click Continue and wait until the installation is complete.
Figure 21. Configure Tivoli Directory Server for Tivoli Identity Manager
- After the successful installation, the Install IBM
Tivoli Identity Manager
Completed window opens, as shown in Figure 22. Click Done.
Figure 22. Tivoli Identity Manager installation and configuration complete
You've now completed the Tivoli Identity Manager installation and configuration.
Configure Tivoli Directory Integrator Password Synchronizer
This section explains how to integrate Tivoli Directory Integrator with Tivoli Identity Manager for the Tivoli Directory Server Password Synchronizer.
Tivoli Directory Integrator can be integrated with Tivoli Identity Manager for the Sun Directory Server password synchronizer, the IBM Tivoli Directory Server Password Synchronizer, the Windows password synchronizer, and password synchronizers for UNIX and Linux.
The Tivoli Identity Manager integration for the password synchronizers allows synchronized passwords to be verified by a Tivoli Identity Manager server's password strength servlet prior to synchronization. This allows password synchronization to incorporate password complexity checking using Tivoli Identity Manager password policies.
Before starting configuration, ensure that the Password Plugin for Tivoli Directory Server is installed.
- Edit the pwsync.props file from the <TDI_Install_Dir>/pwd_plugins/tds/ directory.
Modify the Tivoli Identity Manager Integration section of the file, as shown in Figure 23, with the Tivoli Identity Manager URL,
PrincipleName, password, and Tivoli Identity Manager service Name below.
- itimPrincipalName=ITIM Manager
- itimPrincipalPassword=ITIM Manager password is encrypted using the encryptPasswd.bat/sh utility (see EncryptPassword utility).
- itimSourceDN=erservicename=TDIPasswordService, o=IBM, ou=IBM, dc=com
Figure 23. pwsync.props
The Tivoli Identity Manager password URL can be either or https (SSL communication).
For Tivoli Directory Integrator to Tivoli Identity Manager communication over SSL, you need to create and extract certificates from Tivoli Identity Manager, which is deployed on WebSphere Application Server, and import these certificates into Tivoli Directory Integrator certificates.
- Click here for details on tasks to be performed on Tivoli Identity Manager (WebSphere Application Server).
- Click here for details on tasks to be performed on Tivoli Directory Integrator.
After you've completed the previous two steps, go to the pwsync.props file and modify the SSL configuration properties with appropriate values, as shown in Listing 2.
Listing 2. pwsync.props - SSL configuration properties
# SSL configuration properties # # javax.net.ssl.trustStore= # javax.net.ssl.trustStorePassword= # javax.net.ssl.trustStoreType= # javax.net.ssl.keyStore= # javax.net.ssl.keyStorePassword= # javax.net.ssl.keyStoreType=
Restart the Tivoli Directory Server and Tivoli Directory Integrator server.
The passwords referenced in the pwsync.props file must be encrypted using the EncryptPassword utility, as shown in Listing 3.
Listing 3. EncryptPassword utility
Similarly, the following should also be encrypted using the encryptPasswd.bat/sh script:
If these values are not encrypted, you'll see the error shown in Listing 4.
Listing 4. Error while changing password
com.ibm.di.plugin.pwstore.itim.policy.MalformedResponseException: org.xml.sax.SAXParseException: Element type "SYNCH_PSWDS_RESP" must be followed by either attribute specifications, ">" or "/>".
itimSourceDN/ServiceDN is the name of the service against which the
password check would be performed. The format is:
- Specifies the name of the target service used by the IBM Tivoli Identity Manager server.
- Specifies the name of the organization on the IBM Tivoli Identity Manager server.
- Specifies the short name defined for the organization during installation and configuration of the Tivoli Identity Manager server. If this value is not known, it can be determined by opening the LDAP configuration tool for your product. Locate the new root suffix created during the Tivoli Identity Manager installation.
- Specifies the root of the directory tree.
Although DN formatting is used for the Service DN value, this DN is not the DN of the service that is being monitored. These values are parameter values to the Password Synchronization plug-in.
For example, if you installed the Tivoli Identity Manager server in the root LDAP suffix called ISIM, and your Windows Active Directory service is named WinAD Corp Server and is installed in an organization named Finance Org, the Tivoli Identity Manager organization chart looks similar to Figure 24.
Figure 24. ITIMSourceDN/ServiceDN
This Windows Active Directory Adapter example has the Service DN value shown in Listing 5.
Listing 5. ITIMSourceDN/ServiceDN example
erservicename=WinAD Corp Server,o=Finance Org, ou=ITIM,dc=com
Configure the Password Synchronizer to use a Tivoli Identity Manager
Decorator by setting the
pwsync.props to one of the Decorator classnames in Listing 6.
Listing 6. pwsync.props
com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStoreITIMDecorator com.ibm.di.plugin.pwstore.ldap.JMSPasswordStoreITIMDecorator com.ibm.di.plugin.pwstore.log.LogPasswordStoreITIMDecorator
For testing purposes, we selected
LogPasswordStoreITIMDecorator, which should not be used in
a production environment.
You must configure LDAP/JMS for production use, as in
Figure 25, using
Figure 25. pwsync.props
When Tivoli Identity Manager integration is enabled,
checkRepository must be set to true in the Password Synchronizer
configuration file (pwsync.props).
- After pwsync.props is updated, restart the Tivoli Directory Server instance. Ensure Tivoli Directory Server is running in normal mode; it should not be running in Config mode.
- If the Tivoli Directory Server server is running in Config mode, check the Tivoli Directory Server log plugin.log/proxy.log for error details.
Configure Tivoli Identity Manager password policies
Use the steps in this section to set up the password policies for Tivoli Identity Manager.
- Log in to the Tivoli Identity Manager console, as in Figure 26. Typically, the URL is
Figure 26. Log in to Tivoli Identity Manager Console
- After you're logged in to the Tivoli Identity Manager console the Home window displays.
In this window, select Manage policies > Manage
Password Policies, then click Create to create a new password
policy, as in Figure 27.
Figure 27. Manage Password Policy
- The window entitled Manage Password Policies opens. From the
General tab in this window, create a new password policy by entering
TDIPasswordPolicyin the Name field and
IBMin the Business Unit field, as shown in Figure 28. Click the Targets tab.
Figure 28. Define password policy
- The Targets window opens. In this window, select the available
ITIM Service and click Add, as shown in Figure 29.
This service name is the same one you'll be using in the Tivoli Directory Integrator pwsync.props in the
Figure 29. Add Target service
- The Rules window opens. In this window, define the
new password policy by completing the fields using the following information, as
shown in Figure 30. Some fields are intentionally left blank. Click Apply, then click OK.
- Minimum length: 8
- Maximum length:
- Maximum repeated characters: 2
- Minimum repeated characters: 1
- Minimum alphabetic characters:
- Minimum numeric characters: 1
- Characters not allowed:
- Required characters:
- Restricted to characters:
- Starts with characters:
- Repeated history length:
- Reversed history length:
- Disallow username: No
Figure 30. Define Policy Rules
The Tivoli Identity Manager password policy is now configured.
Test the Tivoli Directory Integrator password plug-ins
This section describes how the Tivoli Directory Server user password changes are intercepted by the Tivoli Directory Integrator password plug-in and how these passwords are validated by Tivoli Identity Manager using the password policies.
- Ensure that Tivoli Directory Server, the Tivoli Directory Integrator proxy, and the Tivoli Identity Manager services are running correctly.
Using the LDAP Client, try to modify the user password for user
test1. It should have
userpasswordas an attribute, as in Listing 7.
- The command will fail and provide the message
ldap_modify:plugin function failed. The password for user test1 is
test1, which is not a length of 8. It also doesn't have any special characters, which is defined in the Tivoli Identity Manager password policies section.
Listing 7. ldapmodify command
idsldapmodify.cmd -p 1389 -D cn=root -w password dn: cn=test1,o=ibm,c=in objectClass: top objectClass: person objectClass: organizationalPerson cn: test1 sn: test1 userpassword: test1 Results:- Operation 0 modifying entry cn=test1,o=ibm,c=in ldap_modify: Unknown error ldap_modify: additional info: plugin function failed
- Check the proxy.log file for details. You will see
com.ibm.itim.policy.passwordpolicyAuthority.PASSWORD_RULE_VIOLATION, as shown in Figure 31.
Figure 31. Proxy.log output
- Check the plugin.log file, which will show the following results, as
shown in Figure 32.
The Proxy response represents error.
Pre-operation on modify:PWPROXY_ERROR_PROTOCOL_PASSWORD_OP_FAILED.
Pre-operation on modify: Will cancel LDAP Modify operation for 'cn=test1,o=ibm,c=in'.
Figure 32. Plugin.log output
- Try to change the Tivoli Directory Server user password with an
appropriate password, per the policy, as shown in Listing 8.
Listing 8. ldapmodify command
idsldapmodify.cmd -p 1389 -D cn=root -w password dn: cn=nagesh,o=ibm,c=in objectClass: top objectClass: person objectClass: organizationalPerson cn: nagesh sn: bhagwat userpassword: passw0rd# Results:- Operation 0 modifying entry cn=nagesh,o=ibm,c=in
- Check the proxy.log file, which will show the result
Storing the password notification for user: 'cn=nagesh,o=ibm,c=in' with password: 'passw0rd#'', as shown in Figure 33.
Figure 33. Proxy.log output
- Check the plugin.log file, which will show
PostModOperation: Proxy response is successful, as shown in Figure 34.
Figure 34. Plugin.log output
Similarly, users can specify
- Users need to configure LDAP as a password store in the pwsyn.props
file. (See LDAP as a Password Store in Resources for more details.)
The password will be stored under the LDAP Server. Users can read the password from the LDAP Server using the Tivoli Directory Integrator LDAP connector and can update into other data sources, thus achieving password synchronization.
For more details on how to read the password from the LDAP Server, see Appendix A in Synchronizing users between Microsoft Active Directory Server and IBM Domino Server using Tivoli Directory Integrator.
- Users need to configure JMS as a password
store in the pwsyn.props file. (For more details, see
JMS Password Store.)
The password will be stored under MQe. Users can read the password from MQe using the Tivoli Directory Integrator MQe/JMS Password store connector and can update into other data sources, thus achieving password synchronization.
For more details and a sample solution that reads a password from MQe and updates it into the Active directory, see Section 4, "Creating Tivoli Directory Integrator AssemblyLine" in Password Synchronization between Microsoft Active Directories using Tivoli Directory Integrator.
You're now finished integrating the Tivoli Directory Integrator Password Plug-in with Tivoli Identity Manager for the password strength validation through Tivoli Identity Manager's password policies prior to synchronization.
This article walked you through a step-by-step solution for integrating the Tivoli Directory Integrator password synchronizer with Tivoli Identity Manager for password policy strength and validation before passwords get into the password store for further synchronization.
- IBM Tivoli Directory Integrator Password Synchronization Plug-ins Guide: Describes the procedural steps that are required to achieve password synchronization between IBM Tivoli Directory Integrator and a number of IBM and third-party products.
- IBM Directory Server Password Synchronizer: Read about the configuration and operation of the IBM Tivoli Directory Integrator Directory Server Password Synchronizer.
- Tivoli Identity Manager Integration: Describes the configuration of the Tivoli Identity Manager Integration for the Sun Directory Server Password Synchronizer, IBM Directory Server Password Synchronizer, Windows™ Password Synchronizer and Password Synchronizer for UNIX® and Linux®.
- IBM Tivoli Identity Manager Server Installation and Configuration Guide: Contains information for system and security administrators who install, maintain, or administer software on their computer systems.
- IBM Tivoli Identity Manager documentation: Explore the Tivoli Identity Manager Version 5.1 information center for documentation and what's new.
- Follow developerWorks on Twitter.
- Get more information on security topics in the Security site on developerWorks.
Get products and technologies
- Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.
Dig deeper into Security on developerWorks
Get samples, articles, product docs, and community resources to help build, deploy, and manage your cloud apps.
Software development in the cloud. Register today to create a project.
Evaluate IBM software and solutions, and transform challenges into opportunities.