===============================================================================
IBM Tivoli Identity Manager for IBM Tivoli Access Manager Combo Adapter
Release Notes
===============================================================================
TAM Combo Adapter: 4.6.11 = ifimitam8.0 02
Build Date : 14 September 2010 08.44.34
(C) Copyright International Business Machines Corporation 2006, 2010.
All rights reserved.
U.S. Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
===============================================================================
CONTENTS
===============================================================================
1. Preface
2. New Features
3. Closed Issues
4. Known TAM Combo Adapter Issues
5. Known TAM Combo Adapter Limitations
6. Known ITIM Issues Affecting the TAM Combo Adapter
7. Known ITAM Issues Affecting the TAM Combo Adapter
8. Installation
9. Un-installation
10. Supported Platforms
11. Password Synchronization Issues
===============================================================================
1. PREFACE
===============================================================================
Welcome to the Tivoli Identity Manager Access Manager Combo Adapter.
Note: When viewing these Release Notes as text, set the font to monospace for
better viewing.
This file contains product information that was not available when the
Identity Manager manuals were printed.
===============================================================================
2. NEW FEATURES
===============================================================================
CMVC    MR#     Description
-----   -----   ---------------------------
-       -       Improve logging performance
===============================================================================
3. CLOSED ISSUES
===============================================================================
APAR#     PMR#             CMVC     Description
-------   --------------   ------   ----------------------------------------------
-         -                -        Updated release notes to refer to the
                                    Installation Guide (MR042110398)
IZ68193   -                98115    Documentation update - the adapter does not
                                    support the modification of CN, UID or
                                    principal name
IZ74337   -                100659   ITDI JavaScript error during change password
                                    results in requests hung in pending state in
                                    ITIM
-         54834,033,000    36239    Clarify TAM JRTE configuration process
IZ51203   -                -        TAM Combo always changes password, even when
                                    eritamssosync is set to false
IZ63674   91781,7TD,000    94235    TAM Combo looks up all users during a group
          12428,227,000             modify
===============================================================================
4. KNOWN TAM COMBO ADAPTER ISSUES
===============================================================================
CMVC    Description
-----   -----------
95735   When TAM is configured against Windows Active Directory, the adapter
        reconciliation returns the incorrect Description user attribute.
        In Active Directory there are two Description attributes. The adapter
        should return the Description attribute that is managed by the TAM API
        and the pdadmin command line; it currently returns the alternate
        Description attribute.
85051   When using the TAM API method of reconciliation to reconcile TAM
        accounts, if a TAM account already in the TIM registry becomes a
        malformed TAM account, TIM identifies the malformed account as no
        longer existing and deletes it from the TIM registry. If the malformed
        TAM account does not already exist among TIM's known TAM accounts, the
        account is not added. TIM gives no warning or failure message in
        either case.
        See the Installation Guide for how to change the configuration
        regarding this issue.
-       During the creation of TAM accounts when TAM is configured against
        Windows Active Directory, the account is created as a GSO user even
        when the Single Signon Capability for the account is not checked (i.e.
        there is no request to create the account as a GSO user). This reflects
        the behaviour of TAM when administering accounts. If GSO credentials
        are supplied with the same request, they are created without a warning
        that the TAM account does not have Single Signon Capability.
-       If the password supplied during the restoration of a TAM account does
        not conform to the TAM password policy, the account is restored and
        the password remains what it was when the account was suspended. This
        is as designed. However, when using TIM 4.6 (only), no warning is
        presented to this effect.
93688   When TAM is configured against Windows Active Directory, the TAM
        account's common name (cn) must be the same as the first RDN value of
        the Distinguished Name.
        For example, when requesting a new TAM Combo Service account through
        the ITIM web console, the "Full name" specified in the Account form
        must be the same as the "cn" portion of the Distinguished Name. If a
        user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then
        the "Full name" should also be set to JohnSmith.
        Not doing so can result in account modification issues.
93626   The adapter preserves group membership when an account is deleted from
        TAM but not removed from the registry. If a new account is imported
        using the same user Distinguished Name, it has the same group
        membership as the deleted account.
-       The adapter does not check the syntax of any non-TAM account
        attributes. This can result in those attributes not being set in the
        registry if their values have incorrect syntax. A possible consequence
        is that operations such as account creation may fail.
-       If an account already has SSO credentials and the Single Signon
        Capability checkbox is cleared during a MODIFY operation, the
        credentials are deleted in the TAM registry but not in TIM. A
        reconciliation is needed to synchronize the account attributes.
===============================================================================
5. KNOWN TAM COMBO ADAPTER LIMITATIONS
===============================================================================
- The adapter does not support the modification of UID, CN, principal name, or
  any attribute that forms part of the Distinguished Name (DN).
===============================================================================
6. KNOWN ITIM ISSUES AFFECTING THE TAM COMBO ADAPTER
===============================================================================
CMVC    Description
-----   -----------
73411   Uninstalling the UMD component does not remove its entries from the
        web.xml files (see UN-INSTALLATION below).
-       When reconciling large numbers of accounts it is possible that the SSL
        connection between the TDI TAM connector and the TAM Policy Server
        times out. This may be remedied by decreasing SearchResultSetSize in
        the RMI Dispatcher's itim_listener.properties file or by changing the
        SSL session timeout.
-       The "Change password on next login" checkbox on the account form cannot
        be reset (set to false) after the password has been changed.
-       Changing Single Signon Capability to false deletes the account's SSO
        credentials. However, this cannot be reflected in ITIM until a recon
        is performed.
-       The UMD Form will not install into TIM Express. Addition or
        modification of SSO credentials is not possible under TIM 4.6 Express.
-       If ITIM and TAM are out of sync (for example, the groups listed are
        different), the user account may be displayed in ITIM with incorrect
        support data after running an account request. This can be avoided and
        resolved by reconciling both systems.
-       When restoring a user account in TIM 4.6, if the password change is not
        successful, TIM reports the restore request as a success if the user
        account has been set to Active. This occurs even though the adapter
        returns "success with warning" and logs the reason for the
        unsuccessful password change.
===============================================================================
7. KNOWN ITAM ISSUES AFFECTING THE TAM COMBO ADAPTER
===============================================================================
CMVC    Description
-----   -----------
-       When the Single Signon Capability of a TAM user account is disabled
        (i.e. the user is no longer a GSO user), the GSO resource credentials
        for that account are also deleted. Hence, when disabling the Single
        Signon Capability for a TAM Combo user account from TIM, attempting to
        delete or modify resource credentials in the same request for that
        account results in "successful with warning", as the GSO credentials
        cannot be found.
-       If TAM is configured against Windows Active Directory, when importing
        an account using the pdadmin command line, the user name and the first
        RDN value of the user DN must be the same. This issue is reflected in
        the adapter: the User ID and the first RDN value in the user
        Distinguished Name must be the same.
-       If TAM is configured against IBM Tivoli Directory Server 6.0, Fix Pack
        5 must be installed on the Directory Server. This fix pack addresses a
        problem that may affect adapter operation (APAR IO06328).
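Both the CMVC 93688 entry in section 4 and the Active Directory import rule above
reduce to one check that can be run before an account request is submitted: the
value of the first RDN of the user DN must equal the "Full name" (cn) and the
User ID. The following script is an added example and is not part of the
adapter or of IBM's documentation; it parses the DN itself (RFC 4514 escaping,
multi-valued RDNs) rather than comparing raw strings, and the function and
parameter names are its own.

```python
"""Pre-submission check for TAM accounts held in Active Directory.

Added example (not part of the adapter or of these release notes). It encodes
the two constraints from sections 4 and 7: the account's cn ("Full name" on
the ITIM account form) and the user ID must both equal the value of the first
RDN of the user DN. Function and parameter names are this example's own.
"""


def _split_unescaped(text: str, sep: str) -> list:
    """Split `text` on `sep`, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair intact for now
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Decode RFC 4514 escapes: backslash + char, and backslash + XX hex (UTF-8)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            out.extend(value[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def first_rdn(dn: str) -> dict:
    """Return the attribute -> value pairs of the leftmost RDN of `dn`.

    Attribute types are lower-cased; a multi-valued RDN (a=..+b=..) yields
    several entries.
    """
    rdn = _split_unescaped(dn, ",")[0]
    avas = {}
    for ava in _split_unescaped(rdn, "+"):
        attr, _, raw = ava.partition("=")
        avas[attr.strip().lower()] = _unescape(raw.lstrip())
    return avas


def check_account(dn: str, full_name: str, user_id: str) -> list:
    """Return the constraint violations for one proposed account (empty = OK).

    Comparison is exact (case-sensitive), the stricter reading of the notes.
    """
    rdn = first_rdn(dn)
    if len(rdn) != 1:
        return ["first RDN must consist of exactly one attribute=value pair"]
    (attr, value), = rdn.items()
    problems = []
    if full_name != value:
        problems.append(f"Full name {full_name!r} differs from first RDN "
                        f"{attr}={value!r} (CMVC 93688)")
    if user_id != value:
        problems.append(f"User ID {user_id!r} differs from first RDN "
                        f"{attr}={value!r} (pdadmin import rule)")
    return problems


if __name__ == "__main__":
    # The DN from the release notes, once correct and once with a mismatch.
    for fn in ("JohnSmith", "John Smith"):
        issues = check_account("cn=JohnSmith,o=myCompany,c=com", fn, "JohnSmith")
        print(fn, "->", issues or "OK")
```

Run it over the account data before the request is raised; any non-empty
result is a request that would later hit the modification issues described
above.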
===============================================================================
8. INSTALLATION
===============================================================================
For detailed installation instructions please see the Installation Guide.
8.1 Upgrading
--------------
This section provides information for upgrading from previous adapter versions.
These instructions supplement the Installation Guide.
8.1.1 Upgrading from TAM Combo Adapter version 4.6.5 or earlier
---------------------------------------------------------------
1. Before importing the profile of TAM Combo Adapter version 4.6.6 or above
   into Tivoli Identity Manager, change the existing OID for the attribute
   eritammgmtdomain in the Directory Server instance's v3.modifiedschema
   (or equivalent in SunOne) from
      1.3.6.1.4.1.6054.3.141.2.27 to
      1.3.6.1.4.1.6054.3.141.2.30.
2. Restart the directory server and ITIM before importing the new TAM Combo
   profile.
This is required due to the changed OID of an existing attribute,
eritammgmtdomain, in the adapter profile's schema.dsml file:
   With version 4.6.5 and below:
      Name:         eritammgmtdomain
      Description:  TAM Management Domain Name
      OID:          1.3.6.1.4.1.6054.3.141.2.27
      Syntax:       1.3.6.1.4.1.1466.115.121.1.15
   With version 4.6.6 and above:
      Name:         eritammgmtdomain
      Description:  TAM Management Domain Name
      OID:          1.3.6.1.4.1.6054.3.141.2.30
      Syntax:       1.3.6.1.4.1.1466.115.121.1.15
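The OID change in step 1 is a small edit, but a blind search-and-replace on the
schema file is risky: the same OID appears on more than one schema line, and the
new OID must not already be assigned to a different attribute. The script below
is an added example, not an IBM tool. It assumes the attributetypes=( OID NAME
'x' ... ) line format that IBM Tivoli Directory Server uses in v3.modifiedschema;
the embedded sample schema is constructed, and exampleUnrelatedAttr with its
OID is a placeholder.

```python
"""Pre-upgrade check and rewrite of the eritammgmtdomain OID in v3.modifiedschema.

Added example, not an IBM tool. Assumes the attributetypes=( OID NAME 'x' ... )
line format used by IBM Tivoli Directory Server schema files; the sample
schema below is constructed and is not a copy of any real server's schema.
Run as: python migrate_oid.py [path/to/v3.modifiedschema]
"""
import re
import sys

ATTR = "eritammgmtdomain"
OLD_OID = "1.3.6.1.4.1.6054.3.141.2.27"   # adapter profile 4.6.5 and below
NEW_OID = "1.3.6.1.4.1.6054.3.141.2.30"   # adapter profile 4.6.6 and above

# Constructed sample (exampleUnrelatedAttr and its OID are placeholders).
SAMPLE_SCHEMA = """\
dn: cn=schema
attributetypes=( 1.3.6.1.4.1.6054.3.141.2.99 NAME 'exampleUnrelatedAttr' DESC 'placeholder' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
attributetypes=( 1.3.6.1.4.1.6054.3.141.2.27 NAME 'eritammgmtdomain' DESC 'TAM Management Domain Name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
IBMAttributetypes=( 1.3.6.1.4.1.6054.3.141.2.27 DBNAME( 'eritammgmtdomain' 'eritammgmtdomain' ) ACCESS-CLASS normal LENGTH 256 )
"""

# One attributetypes=( ... ) definition per line; only the single-NAME form
# (NAME 'x', not NAME ( 'x' 'y' )) is handled here.
_ATTR_DEF = re.compile(
    r"^\s*attributetypes\s*=\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'",
    re.IGNORECASE | re.MULTILINE,
)


def attribute_oids(schema_text: str) -> dict:
    """Map attribute name (lower-cased) -> OID for every attributetypes line."""
    return {m.group("name").lower(): m.group("oid") for m in _ATTR_DEF.finditer(schema_text)}


def migrate_mgmtdomain_oid(schema_text: str) -> tuple:
    """Return (updated_text, message); raise ValueError if the rewrite is unsafe."""
    oids = attribute_oids(schema_text)
    current = oids.get(ATTR)
    if current is None:
        return schema_text, f"{ATTR} is not defined here; nothing to change"
    if current == NEW_OID:
        return schema_text, f"{ATTR} already uses {NEW_OID}; nothing to change"
    if current != OLD_OID:
        raise ValueError(f"{ATTR} has unexpected OID {current}; refusing to rewrite")
    clash = sorted(n for n, o in oids.items() if o == NEW_OID and n != ATTR)
    if clash:
        raise ValueError(f"{NEW_OID} is already assigned to {clash}; refusing to rewrite")
    # Replace the old OID only where it stands as a whole OID token, so the
    # IBMAttributetypes line is updated too but e.g. ...2.270 is left alone.
    token = re.compile(r"(?<![\d.])" + re.escape(OLD_OID) + r"(?![\d.])")
    updated, count = token.subn(NEW_OID, schema_text)
    return updated, f"replaced {count} occurrence(s) of {OLD_OID} with {NEW_OID}"


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    updated, message = migrate_mgmtdomain_oid(text)
    print(message)
    if len(sys.argv) > 1 and updated != text:
        # Write the result beside the original; review the diff, then restart
        # the directory server and ITIM as step 2 requires.
        with open(sys.argv[1] + ".new", "w", encoding="utf-8") as fh:
            fh.write(updated)
```

The script never writes over the original file: it produces a .new copy for
review, and it refuses to run at all when eritammgmtdomain carries an OID other
than the two named above or when the target OID is already in use.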
===============================================================================
9. UN-INSTALLATION
===============================================================================
For detailed instructions please see the Installation Guide.
Note: Removing the User Mapping Data Activation
1. When removing the User Mapping Data Activation (UMD), you must first run
   the uninstall application located in the _uninst_umd directory of the
   WebSphere home directory.
2. If present, remove the reference to umd.jar from both of the MANIFEST.MF
   files located in:
   a. /installedApps/Node_name/enRole.ear/app_web.war/META-INF
   b. /config/cells/Node_name/applications/enRole.ear/deployments/enRole/
      app_web.war/META-INF
3. Locate the following web.xml files:
   a. /installedApps/Node_name/enRole.ear/app_web.war/WEB-INF/web.xml
   b. /config/cells/Node_name/applications/enRole.ear/deployments/enRole/
      app_web.war/WEB-INF/web.xml
   If present in the web.xml files above, remove the following blocks:
   a. <servlet>
        <servlet-name>UMDServlet</servlet-name>
        <description>Renders the UI to manage User Mapping Data in a sub form</description>
        <servlet-class>com.ibm.itim.webclient.formviewer.usermapping.UMDServlet</servlet-class>
      </servlet>
   b. <servlet-mapping>
        <servlet-name>UMDServlet</servlet-name>
        <url-pattern>/umdservlet</url-pattern>
      </servlet-mapping>
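Steps 2 and 3 are hand edits of a deployment descriptor and a JAR manifest, and
each has a trap: web.xml may declare a default namespace, and a long Class-Path
value in MANIFEST.MF is folded across continuation lines, so a plain text search
for umd.jar can miss it. The following script is an added example, not part of
the UMD uninstaller or of ITIM; it applies both edits to file contents you pass
in. The web.xml and manifest fragments it embeds are constructed samples, and
ExampleServlet and the lib/example_*.jar names are placeholders.

```python
"""Remove the UMD servlet entries from web.xml and umd.jar from MANIFEST.MF.

Added example, not part of the UMD uninstaller or of ITIM. It performs steps
2 and 3 above on file contents you pass in (paths are yours to supply). The
web.xml and manifest fragments below are constructed samples, and
ExampleServlet / the lib/example_*.jar names are placeholders.
"""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>ExampleServlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>UMDServlet</servlet-name>
    <description>Renders the UI to manage User Mapping Data in a sub form</description>
    <servlet-class>com.ibm.itim.webclient.formviewer.usermapping.UMDServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ExampleServlet</servlet-name>
    <url-pattern>/example</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>UMDServlet</servlet-name>
    <url-pattern>/umdservlet</url-pattern>
  </servlet-mapping>
</web-app>
"""

# A manifest value may be folded: a line starting with one space continues it.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\n"
                   "Class-Path: lib/example_a.jar lib/umd.jar \n"
                   " lib/example_b.jar\n")


def _local(tag: str) -> str:
    """Strip a {namespace} prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def remove_servlet(web_xml: str, servlet_name: str = "UMDServlet") -> tuple:
    """Drop the <servlet> and <servlet-mapping> blocks named `servlet_name`.

    Returns (new_xml, number_of_blocks_removed). Other entries are untouched.
    """
    root = ET.fromstring(web_xml.encode("utf-8"))
    if root.tag.startswith("{"):
        # Keep the document's default namespace instead of emitting ns0: prefixes.
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    removed = 0
    for el in list(root):
        if _local(el.tag) not in ("servlet", "servlet-mapping"):
            continue
        names = [c.text.strip() for c in el if _local(c.tag) == "servlet-name" and c.text]
        if servlet_name in names:
            root.remove(el)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def _fold(header: str, width: int = 70) -> str:
    """Fold a header to the JAR spec's 72-byte line limit (ASCII assumed)."""
    lines, rest = [header[:width]], header[width:]
    while rest:
        lines.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines)


def remove_from_classpath(manifest: str, jar: str = "umd.jar") -> tuple:
    """Remove `jar` from the Class-Path header. Returns (new_manifest, removed?)."""
    headers = []
    for line in manifest.splitlines():
        if line.startswith(" ") and headers:
            headers[-1] += line[1:]          # unfold continuation line
        elif line.strip():
            headers.append(line)
    removed, out = False, []
    for h in headers:
        name, sep, value = h.partition(":")
        if sep and name.strip().lower() == "class-path":
            entries = value.split()
            kept = [e for e in entries if e.rsplit("/", 1)[-1] != jar]
            removed = removed or len(kept) != len(entries)
            h = "Class-Path: " + " ".join(kept)
        out.append(_fold(h))
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    xml_out, n = remove_servlet(SAMPLE_WEB_XML)
    print(f"removed {n} web.xml block(s)")
    mf_out, changed = remove_from_classpath(SAMPLE_MANIFEST)
    print("umd.jar removed from Class-Path:", changed)
```

Both functions return the edited text plus a count or flag, so a wrapper can
compare the result against the original and stop if anything other than the
two UMDServlet blocks (or the single umd.jar entry) changed before writing the
files back to both locations listed above.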
===============================================================================
10. SUPPORTED PLATFORMS
===============================================================================
The Identity Manager Combo Adapter is supported on all TDI-based OS platforms.
Please note that some TAM versions are not supported on some JREs associated
with some Operating Systems. Please see the TAM Combo Installation Guide for
further information.
TDI 6.0 is not supported.
===============================================================================
11. PASSWORD SYNCHRONIZATION ISSUES
===============================================================================
If password synchronization is configured to synchronize passwords from WebSEAL
via ITIM to other person accounts, the synchronization with SSO credential
passwords is not supported. The synchronization with SSO credential passwords
is supported only if the password change is initiated from ITIM, and the
corresponding TDI Assembly Line is executed.
If password synchronization is configured to synchronize passwords from WebSEAL,
the "Change password on next login" checkbox on the account form cannot be
reset. This is due to a current limitation of the ITIM Server.
===============================================================================
~~~End of Release File~~~