Configuration of the Tivoli Access Manager Combo Adapter for Tivoli Identity Manager

IBM® Tivoli® Access Manager (TAM) user accounts can be provisioned by IBM Tivoli Identity Manager (TIM) using either of two TIM-supported adapters: the standard TAM adapter or the new TAM Combo Adapter. This article describes the configuration options available when configuring the TAM Combo Adapter in a TIM environment.


John Robertson, Software Engineer, IBM

John Robertson is a Software Engineer and works for the Australian Development Laboratory as part of IBM Tivoli Security Development.



Zoran Radenkovic (zradenko@au1.ibm.com), Advisory Software Engineer, IBM

Zoran Radenkovic is an Advisory Software Engineer and also works for the Australian Development Laboratory as part of IBM Tivoli Security Development.



13 August 2007

Introduction

The TAM Combo adapter has been added to the suite of TIM adapters for TAM. It provides an integration solution that enables TAM and LDAP attributes to be managed through a single TIM account. The adapter also provides the option to manage additional attributes of the inetOrgPerson objectclass.

Both TAM and LDAP support the use of the inetOrgPerson objectclass. However, because each manages account objects and attributes differently, two TIM accounts plus custom-built scripts or tools have been needed to manage and synchronize related attributes. The TAM Combo adapter provides a customizable method to synchronize related TAM and LDAP attributes through a single account.

It is possible to extend the inetOrgPerson objectclass so that TIM can provision the customized objectclass through the LDAP connector. However, providing customized directory attributes or object classes is a more advanced customization that calls for a deeper understanding of LDAP, TAM, IBM Tivoli Directory Integrator (TDI) and TIM. This article describes a TIM customization that assumes the default inetOrgPerson objectclass only.

Basic customization

Basic customization of the TAM Combo adapter assumes that the default inetOrgPerson object class will be used by the TIM and TAM deployments. As a result, no directory service schema changes are required. The TAM Combo adapter must be configured to manage attributes that aren't normally managed through TAM account administration.

Basic customization consists of three steps:

  • Addition of new attribute fields on the TAM account form
  • Retrieval of the form through the directory service
  • Re-packaging and re-importation of the amended TAM Combo profile

Enabling TAM Account Form attribute fields

Log in to the TIM application through a Web browser. Go to the Configuration tab and select Form Customization. Select the itamaccount form (Figure 1).

Figure 1. TAM account form customization

Enable any fields that you require from the Attribute List and assign each a suitable field editor type. In this example, we want to add a givenname field. Create it as an editabletextlist field so that it can hold multiple values (Figure 2).

Figure 2. Adding a new field to the TAM account form

Save the amended form (Figure 3).

Figure 3. Saving the amended TAM account form

Validating the basic configuration

Make sure that the TAM Combo service allows accounts to be added by selecting "Import or Create user entry" (Figure 4).

Figure 4. Select the method to add TAM accounts

Test the changes by provisioning a new TAM account using the TAM Combo service.

For this example, provision a new TAM account for a TIM user. The TAM account User ID will be Manager, and will be known in TAM as Timothy Tam. He is also known as Tim, Timbo and Timmy (Figure 5). When the form is complete, submit the request to provision the TAM account, remembering to supply a suitable password.

Figure 5. Provision a TAM account

When the request to provision the account has successfully passed through any workflow, check whether Timothy Tam is now a TAM user by using the TAM pdadmin tool:
pdadmin sec_master> user show Manager
Login ID: Manager
LDAP DN: uid=Manager,o=ibm,c=au
LDAP CN: Timothy Tam
LDAP SN: Tam
Description:
Is SecUser: Yes
Is GSO user: No
Account valid: Yes
Password valid: Yes

Check that the user entry has also been created in the directory by the TIM directory service adapter, using the ldapsearch command:
ldapsearch -h localhost -b "o=ibm,c=au" "uid=Manager"
uid=Manager,o=ibm,c=au
objectClass=inetOrgPerson
objectClass=top
objectClass=person
objectClass=organizationalPerson
givenName=Tim
givenName=Timmy
givenName=Timbo
uid=Manager
sn=Tam
cn=Timothy Tam

As can be seen in this example, the TAM Combo adapter has been extended to allow the maintenance of multiple given names for TAM users.
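To script this check rather than compare the two outputs by eye, the following added example (not code from the article or the adapter) parses the pdadmin and ldapsearch text in the layouts shown above and reports any disagreement between the TAM view and the LDAP entry; the sample outputs are constructed from the Timothy Tam example.

```python
# Added example (not from the article or the adapter): script the
# post-provisioning check by parsing what "pdadmin user show" and
# ldapsearch print (layouts as shown above; samples constructed from the
# article's Timothy Tam example) and reporting any TAM/LDAP disagreement.
from collections import defaultdict

PDADMIN_OUT = """Login ID: Manager
LDAP DN: uid=Manager,o=ibm,c=au
LDAP CN: Timothy Tam
LDAP SN: Tam
Is SecUser: Yes
Account valid: Yes"""
LDAPSEARCH_OUT = """uid=Manager,o=ibm,c=au
objectClass=inetOrgPerson
givenName=Tim
givenName=Timmy
givenName=Timbo
uid=Manager
sn=Tam
cn=Timothy Tam"""

def parse_pdadmin(text):
    """'Key: value' lines to a dict; an empty value stays ''."""
    pairs = (line.partition(":") for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_ldapsearch(text):
    """First line is the DN, then attr=value lines (attributes may repeat)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    attrs = defaultdict(list)
    for line in lines[1:]:
        attr, _, value = line.partition("=")
        attrs[attr.lower()].append(value)
    return lines[0], attrs

def check_account(pdadmin_text, ldap_text, expected_givennames):
    """Return the problems found; an empty list means both views agree."""
    tam = parse_pdadmin(pdadmin_text)
    dn, attrs = parse_ldapsearch(ldap_text)
    problems = []
    if tam.get("Is SecUser") != "Yes" or tam.get("Account valid") != "Yes":
        problems.append("TAM does not report a valid secUser")
    if tam.get("LDAP DN") != dn:
        problems.append(f"DN mismatch: {tam.get('LDAP DN')!r} vs {dn!r}")
    for tam_key, ldap_attr in (("LDAP CN", "cn"), ("LDAP SN", "sn")):
        if attrs.get(ldap_attr) != [tam.get(tam_key)]:
            problems.append(f"{ldap_attr} differs between TAM and LDAP")
    if "inetOrgPerson" not in attrs.get("objectclass", []):
        problems.append("LDAP entry is not an inetOrgPerson")
    if sorted(attrs.get("givenname", [])) != sorted(expected_givennames):
        problems.append(f"givenName is {attrs.get('givenname', [])}")
    return problems
```

Feed it the real output of the two commands for a freshly provisioned account; a non-empty result lists exactly which attribute the two views disagree on.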

Updating the Profile Account Form

Optionally, save the form that was created (Figure 3) so that the TAM Combo profile can be re-created later. This provides a backup of the account form and makes it easier to deploy the customized account form to another environment if required.

To do this, use ldapsearch to obtain the updated form. Use a suitable search base to export the eritamservice form from the erxml attribute. The search base depends on the LDAP container you specified when you installed TIM (ou=<default organization short name>,dc=<Identity Manager DN Location>). For example:
ldapsearch -h localhost -b "ou=formTemplates,ou=itim,ou=tco,dc=com" -t "erformname=eritamservice" erxml

This will create a temporary file called something similar to ldapsearch-erxml-xxxxxx. Rename the file to eritamaccount.xml.

The original TAM Combo package contains the TAM Combo profile file called itamprofile.jar. To recreate the profile to include the new account form, do the following:

  1. Make a backup copy of your original itamprofile.jar.
  2. Extract the itamprofile.jar file to a temporary location as follows:
    jar xf itamprofile.jar
  3. This will produce two directories: itamprofile and META-INF. Delete the META-INF directory and its contents. It will be recreated automatically when the TAM Combo profile is repackaged later.
  4. Copy or move the new eritamaccount.xml file to overwrite the one just extracted in the itamprofile directory.
  5. From the parent directory of the itamprofile directory, jar the itamprofile directory back up again:
    jar cf itamprofile.jar itamprofile
    This will produce a new itamprofile.jar TAM Combo profile file.
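The five steps above can be scripted. The following added example (not IBM's tooling) rebuilds itamprofile.jar using Python's zipfile, since a .jar is a zip archive; it assumes that the minimal META-INF/MANIFEST.MF it writes stands in for the one the jar tool generates, and it restores the backup if the form entry is not found.

```python
# Added example (not IBM's tooling): automate steps 1 to 5 above with
# Python's zipfile, since a .jar is a zip archive. Assumption: the fresh
# META-INF/MANIFEST.MF it writes stands in for the one "jar cf" generates.
import shutil
import zipfile
from pathlib import Path

FORM_ENTRY = "itamprofile/eritamaccount.xml"   # account form inside the jar
MANIFEST = "Manifest-Version: 1.0\r\n\r\n"

def repackage_profile(jar_path, new_form_xml):
    """Rebuild jar_path with the exported form; return the backup path."""
    jar_path = Path(jar_path)
    backup = jar_path.with_name(jar_path.name + ".bak")
    shutil.copy2(jar_path, backup)                     # step 1: backup
    new_form = Path(new_form_xml).read_bytes()
    replaced = False
    with zipfile.ZipFile(backup) as src, \
         zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr("META-INF/MANIFEST.MF", MANIFEST)  # new META-INF
        for info in src.infolist():
            if info.filename.startswith("META-INF/"):
                continue                               # step 3: drop old
            if info.filename == FORM_ENTRY:
                dst.writestr(info.filename, new_form)  # step 4: overwrite
                replaced = True
            else:
                dst.writestr(info, src.read(info))     # steps 2/5: carry over
    if not replaced:
        # Put the original back so a wrong path cannot leave a broken jar.
        shutil.copy2(backup, jar_path)
        raise ValueError(f"{FORM_ENTRY} not found in {jar_path}")
    return backup
```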

Re-importing the new TAM Combo Profile

The newly created TAM Combo profile can be imported into a new TIM installation if required, for example when setting up a new test environment. TIM will already have preserved the changes made to the account form (Figure 3); in this case, and purely for demonstration purposes, the new profile is re-imported to verify those changes. To do this, begin by logging in to the TIM application through a Web browser.

Go to the Import tab on the Configuration > Import/Export page and import the itamprofile.jar file you just created (Figure 6).

Figure 6. Import the TAM Combo profile

Go to the Configuration > Form Customization page and select the itamaccount form.

Check that the itamaccount form still contains the givenname attribute (Figure 7).

Figure 7. Check the TAM Combo form for the new attributes

Conclusion

The new TAM Combo Adapter goes a step further in the integration of IBM Tivoli Identity Manager with IBM Tivoli Access Manager for e-Business. With the release of the TAM Combo Adapter, customers can manage a TAM account and all associated LDAP attributes (including customized attributes) in one place, using a single TAM account of the TIM person. This article has walked through one customization of the combo adapter in a basic configuration.
