Topic
  • 16 replies
  • Latest Post - ‏2018-10-17T11:11:06Z by YannWang
YannWang (10 Posts)

Pinned topic How to utilize User Self-Care to reset ISAM users password

‏2018-06-27T08:00:37Z | isam scim

I am running ISAM on Docker and would like to utilize User Self-Care operations for ISAM users to reset their password by themselves.

It seems that I need to configure SCIM first before I can use User Self-Care operations. According to the instructions below, we can integrate ISAM & SCIM through Secure Access Control > Manage > SCIM Configuration:

https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.4/com.ibm.isam.doc/admin/task/tsk_scim_isam_user.html

However, I don't see this option in my LMI menu. Is it because it is not available in ISAM on Docker? Or any other config is required? Any input would be much appreciated!

  • AmesTrebing (3 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-05T18:41:35Z  

    I am running ISAM 9.0.5, and have the same problem.  I don't have "Secure Access Control" in the web LMI.   I'll post more when I find the answer. 

  • Rama_Rama (4 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-06T02:31:00Z  

    First step is to enable ISAM Setting under SCIM Configuration. You shall see the image (i1.JPG) attached upon clicking on the ISAM User tab under SCIM configuration.

    Second step is to enable an Authentication Policy under Secure Access Control > Policy > Authentication. Use the out-of-the-box USC Password Reset Authentication Policy or create a custom authentication policy to suit your requirements by adding Authentication Mechanisms as needed. Attached is the image (i2.JPG) showing the default USC Password Reset.

    Hope this helps.

    Regards,

    Rama

    Updated on 2018-09-06T02:46:54Z by Rama_Rama
  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-06T03:01:10Z  

    Much appreciate it!

  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-06T08:13:42Z  
    • Rama_Rama
    • ‏2018-09-06T02:31:00Z

    Hi Rama,

    Thanks very much for sharing. But I don't see "ISAM User" in my "SCIM Configuration". Did you take any additional step to enable this tab?

  • IAM.Jon (14 Posts)
    ACCEPTED ANSWER

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-07T07:22:35Z  

    Hello,

    There's a known issue with SAM on Docker - it doesn't show the LMI screens for SCIM integration with SAM.  It might be a good idea to open a support case.

    As a workaround, I found I could enable the SCIM integration with SAM using the Management REST API.

    Sent a PUT to https://{{lmi-hostname}}/mga/scim/configuration/urn:ietf:params:scim:schemas:extension:isam:1.0:User

    with this body:

    {
        "isam_domain": "Default",
        "update_native_users": true,
        "ldap_connection": "{{sam-ldap-server-connection}}"
    }

    [also requires LMI admin uid/pw in Basic Auth header with Content-Type and Accepts headers set to application/json.  I used Postman to build the request]

    Cheers... Jon.

  • IAM.Jon (14 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-07T07:25:51Z  

    If you don't see the "Secure Access Control" menu option in the LMI that probably means that you have not activated the "Advanced Access Control" add-on.  This is an extra-charge feature of Access Manager.

    Cheers... Jon.

  • AmesTrebing (3 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-09-07T14:28:03Z  
    • YannWang
    • ‏2018-09-06T03:01:10Z

    Correct - I found that you need to activate the Advanced Access Control module for the "Secure Access Control" menu option to appear.  To do this:

    1) In the software download portal, search for the activation key file.  I have ISAM version 9.0.5 installed so my key file looked like this: SAM_905_ADV_ACC_CTL_ACT_ML.txt.  I found it under the "Image" downloads.  If it is not there, you may need to purchase the module; contact IBM support.

    2) Once you have the key file in ISAM, go to Manage System Settings -> Activated Modules, use the import tab to upload the activation key and enable the module.  The system will run off-line for a minute while updating the LMI interface, but will not stop the reverse proxy or policy service while doing so.

  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-09T08:04:37Z  
    • IAM.Jon
    • ‏2018-09-07T07:22:35Z

    Hi Jon,

    Thanks very much!  Sorry for the late reply. I just got a chance to look at this after finishing the majority of my ISAM migration.

    I tried your workaround with the steps below.

    1. Create a JSON file enable_scim.json with the content you provided.

    {
        "isam_domain": "Default",
        "update_native_users": true,
        "ldap_connection": "{{sam-ldap-server-connection}}"
    }

    2. Run the commands below from a Linux machine:

    CREDS="admin:<password>"
    LMI_HOST="<IP>:<Port>"

    curl -s -k -u "$CREDS" -H 'Accept: application/json' -X POST https://${LMI_HOST}/mga/scim/configuration/urn:ietf:params:scim:schemas:extension:isam:1.0:User --data-ascii @./enable_scim.json

    curl -s -k -u "$CREDS" -H 'Accept: application/json' -H 'Content-Type: application/json' -X PUT https://${LMI_HOST}/isam/pending_changes

    How do I know whether it is success or not? I still don't see "ISAM User" from LMI after this change.

  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-09T08:09:35Z  

    Hi Ames,

    For ISAM on Docker, I couldn't see "ISAM User" under SCIM Configuration even after I activated the AAC module.  As per Jon this is a known issue.

  • IAM.Jon (14 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-09T13:50:05Z  
    • YannWang
    • ‏2018-10-09T08:04:37Z

    Hello,

    When you run the curl command you should look for a "good" response code coming back (2xx).

    This does NOT turn on the page in LMI - but it does enable the SAM integration.

    If it's working you should be able to read and write ISAM information via SCIM interface by adding the ISAM schema to requests.

    Jon.

  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-10T10:09:25Z  
    • IAM.Jon
    • ‏2018-10-09T13:50:05Z

    Hi Jon,

    I find that I have to define a Server Connection first. I can confirm the change was successful by querying the current ISAM User config.

    GET https://${LMI_HOST}/mga/scim/configuration/urn:ietf:params:scim:schemas:extension:isam:1.0:User

    But I am getting ldap_not_defined error when I do the testing through https://webseal_ip:port/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:uscPasswordReset

    [10/10/18 21:01:34:702 AEDT] 0000003e id=         com.ibm.isam.scim.common.LdapHandler                         > getServerConnection(ldapConn) ENTRY null null
    [10/10/18 21:01:34:702 AEDT] 0000003e id=         com.ibm.isam.scim.common.LdapHandler                         1 No LDAP connection defined in the database
    [10/10/18 21:01:34:702 AEDT] 0000003e id=         SystemErr                                                    R java.lang.IllegalArgumentException: ldap_not_defined

    Any idea about this?

  • IAM.Jon (14 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-11T03:05:59Z  
    • YannWang
    • ‏2018-10-10T10:09:25Z

    To set up the SAM integration you must create an LDAP connection and then add the name of this into the call to enable the SAM integration.  That LDAP Connection needs to point to the SAM primary directory (where secAuthority=Default lives).

    I'm pretty sure that's all I had to do.

    Where is the user with the password to change defined?  Is it primary directory or a federated directory?  If federated, what type of directory is this?

    Jon.

  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-11T05:18:04Z  
    • IAM.Jon
    • ‏2018-10-11T03:05:59Z

    My Server Connection config is:

    Name: isam_ldap
    Type: LDAP
    Host name: <LDAP server>
    Port: 389
    Bind DN: cn=root
    Bind password: <password of cn=root>
    SSL: false

    My ISAM User config is:

    {
        "isam_domain": "Default",
        "update_native_users": true,
        "ldap_connection": "isam_ldap",
        "connection_type": "ldap"
    }

    The LDAP server is the primary directory (and only one) of ISAM.

  • IAM.Jon (14 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-17T10:54:11Z  
    • YannWang
    • ‏2018-10-11T05:18:04Z

    I reconfigured my system to test.  It works.  I don't know what else to suggest.

    I created LDAP connection the same as yours (with name isam_ldap).  It uses SSL connection but is otherwise the same.

    Request to https://{{lmi-hostname}}/mga/server_connections/ldap/v1 returns:

    [
        {
            "connection": {
                "hostName": "openldap",
                "hostPort": "636",
                "bindDN": "cn=root,secAuthority=Default",
                "ssl": true,
                "sslTruststore": "Registry_Keystore.kdb",
                "sslAuthKey": ""
            },
            "connectionManager": {
                "maxPoolSize": 0
            },
            "type": "ldap",
            "name": "isam_ldap",
            "description": "",
            "uuid": "b1031b40-4a56-4f06-8ebe-0edc5cd4c55d"
        }
    ]

    Request to https://{{lmi-hostname}}/mga/scim/configuration/urn:ietf:params:scim:schemas:extension:isam:1.0:User returns:

    {
        "urn:ietf:params:scim:schemas:extension:isam:1.0:User": {
            "isam_domain": "Default",
            "update_native_users": true,
            "ldap_connection": "isam_ldap",
            "connection_type": "ldap"
        }
    }

    If you see the same responses then I don't know why it wouldn't work.  I assume you have published config and restarted all containers?

    Jon.
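
    Jon's PUT-based workaround earlier in the thread and the GET responses in this post, combined into one script as an added example (not code from the thread or from IBM): it sends the same Management REST API calls with the headers Jon lists, treats a 2xx as the success signal, publishes the pending change as Yann's curl did, then reads back the ISAM User config and the LDAP server connections and checks that the named ldap_connection really exists, which is the precondition whose absence shows up as ldap_not_defined. The host, credentials and connection name are placeholders, and only the Python standard library is used.

```python
import base64
import json
import ssl
import urllib.request

# Placeholders: substitute your own LMI host, LMI admin credentials and LDAP connection name.
LMI_HOST = "lmi.example.local"
ADMIN_USER, ADMIN_PASS = "admin", "<password>"
LDAP_CONN_NAME = "isam_ldap"
ISAM_USER_SCHEMA = "urn:ietf:params:scim:schemas:extension:isam:1.0:User"
SCIM_CFG_PATH = "/mga/scim/configuration/" + ISAM_USER_SCHEMA
SERVER_CONN_PATH = "/mga/server_connections/ldap/v1"
PENDING_PATH = "/isam/pending_changes"  # a PUT here publishes the pending change


def build_request(method, path, body=None):
    # Management REST API call: LMI admin Basic auth plus JSON Accept/Content-Type headers.
    token = base64.b64encode(f"{ADMIN_USER}:{ADMIN_PASS}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{LMI_HOST}{path}", data=data, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    return req


def check_integration(scim_cfg, ldap_conns):
    # Returns the problems found in the two GET responses; an empty list means it looks usable.
    cfg = scim_cfg.get(ISAM_USER_SCHEMA)
    if not isinstance(cfg, dict):
        return ["ISAM User schema not present: the PUT was rejected or not yet published"]
    problems = []
    name = cfg.get("ldap_connection") or ""
    if not name:
        # The state behind the 'ldap_not_defined' exception in the USC password reset log.
        problems.append("ldap_connection is empty: no LDAP connection named in the config")
    elif not any(c.get("type") == "ldap" and c.get("name") == name for c in ldap_conns):
        problems.append(f"ldap_connection '{name}' matches no defined LDAP server connection")
    if cfg.get("connection_type") != "ldap":
        problems.append("connection_type should be 'ldap'")
    return problems


def call(req):
    # The LMI normally presents a self-signed certificate, so skip verification (like curl -k).
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:  # raises HTTPError unless 2xx/3xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    body = {"isam_domain": "Default", "update_native_users": True, "ldap_connection": LDAP_CONN_NAME}
    status, _ = call(build_request("PUT", SCIM_CFG_PATH, body))
    print("PUT status:", status)  # a 2xx here is the success signal; no LMI page appears
    call(build_request("PUT", PENDING_PATH))  # publish, then restart the containers
    _, scim_cfg = call(build_request("GET", SCIM_CFG_PATH))
    _, ldap_conns = call(build_request("GET", SERVER_CONN_PATH))
    for problem in check_integration(scim_cfg, ldap_conns):
        print("PROBLEM:", problem)
```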

  • YannWang (10 Posts)

    Re: How to utilize User Self-Care to reset ISAM users password

    ‏2018-10-17T11:11:06Z  
    • IAM.Jon
    • ‏2018-10-17T10:54:11Z

    Hi Jon,

    Much appreciate your help. I will further investigate to see if it is an issue with my environment.