Topic
  • 6 replies
  • Latest Post - 2018-08-20T06:24:21Z by franzw
Ab11
Ab11
6 Posts

Pinned topic Basics of ISIM 7 Virtual Appliance

2018-06-13T21:12:35Z | apps file google upload

Hello,

Newbie question. I am new to the Security Identity Manager virtual appliance and stuck on some basic issues with the virtual appliance. I am trying to get the Google Apps connector working with the ISIM server and I cannot seem to figure out how I can upload files to the ISIM server. All the documentation I have found seems to assume I have access to the server and the directory structure so I can upload various files/libraries.

I started with the Google Apps connector for the SDI and could not figure out how to install it on the virtual appliance. So I gave up the idea of using the SDI already installed on the virtual appliance and instead set up a separate server with SDI and installed the dispatcher and connectors on it.

But then I got to configuring the Google Apps service in the Identity Manager web console and it requires the "Client Key Path", which as I understand it is a path to the .p12 file I downloaded from Google Apps, but I cannot seem to figure out how/where to upload that onto the ISIM VA server. I tried the "custom file management" and "external library" etc., and it would not accept the file.


I tried looking around a lot and could not find any information anywhere. It is probably something very simple and self-evident but I cannot seem to figure that one out. Please help.


  • franzw
    franzw
    484 Posts
    ACCEPTED ANSWER

    Re: Basics of ISIM 7 Virtual Appliance

    2018-06-15T06:17:48Z

    Adapters that require files to be added to the adapter need to run on an external adapter instance. So you will need to install TDI on a separate server or utilize your data layer server for this purpose.

    HTH

    Regards

    Franz Wolfhagen

  • franzw
    franzw
    484 Posts
    ACCEPTED ANSWER

    Re: Basics of ISIM 7 Virtual Appliance

    2018-06-21T06:38:17Z
    • Ab11
    • 2018-06-19T14:47:36Z

    Anyone have insight on how to configure the Google Apps Profile in Identity Manager and provide the path to the "Client Key Path" field? Do we need to upload the key to the Identity Manager Virtual appliance somehow?

    I have not worked with that exact adapter - but it should be documented in the formal documentation of the adapter - if not, you are entitled to raise a PMR - remember that this forum is not an official support forum - it is professionals helping each other :-)

    But let me try to walk you through the reasoning you need to apply....

    There are 2 sets of communication involved here - from ISIM (VA) to the Adapter and from the Adapter to the managed endpoint (Google Apps). Now - if Google Apps requires a certificate in the communication it does not make sense that this is something "internal" to the ISIM system - it is something that happens between the adapter and Google. So the logical conclusion is that the certificate must be part of the Adapter (TDI) - so you need to have a keystore defined there (or use the default provided, which is a bad idea unless you secure it (change password, remove CA certificates, etc.; these are the usual SSL tasks to secure/limit the communication)).

    You should of course also secure the communication between the adapter TDI and ISIM. This is also documented in the adapter documentation - but here the Google certificate is not part of the equation...

    HTH

    Regards

    Franz Wolfhagen


  • Ab11
    Ab11
    6 Posts

    Re: Basics of ISIM 7 Virtual Appliance

    2018-06-15T13:11:06Z
    • franzw
    • 2018-06-15T06:17:48Z

    Adapters that require files to be added to the adapter need to run on an external adapter instance. So you will need to install TDI on a separate server or utilize your data layer server for this purpose.

    HTH

    Regards

    Franz Wolfhagen

    Hi Franz,

    Thanks for your reply. I did end up installing the adapter on a separate SDI server, but I am stuck in the process where I am configuring the Google Apps service in the SIM console where it asks for "Client Key Path". My assumption is this is a path to the Google .p12 file which needs to be on the SIM virtual appliance? Is that not the case?

    Thanks,

    Ab.

  • Ab11
    Ab11
    6 Posts

    Re: Basics of ISIM 7 Virtual Appliance

    2018-06-19T14:47:36Z

    Anyone have insight on how to configure the Google Apps Profile in Identity Manager and provide the path to the "Client Key Path" field? Do we need to upload the key to the Identity Manager Virtual appliance somehow?


  • Ab11
    Ab11
    6 Posts

    Re: Basics of ISIM 7 Virtual Appliance

    2018-08-17T19:28:17Z

    Just wanted to update the question in the event anyone else is struggling with the basic questions as I was. I took Franz's advice and created a ticket with support and got confirmed answers right away - very quick, very convenient - if someone hasn't used support before, I highly recommend using them more often.

    Support basically confirmed everything Franz said above.

    1. To use the Google Apps adapter you will need to install IBM SDI + Dispatcher + enable SSL communications + GoogleApps connectors on a separate server: The ISIM VA has IBM SDI installed on it and is fully functional but can only be used with the default connectors that are installed on it. If you need to install additional adapters you need to set up an SDI on a separate server. If you were not using the virtual appliance you could have installed additional adapters on the ISIM server, but that is not possible with the VA.

    2. The Google Apps certificate is stored on the SDI server and you provide a path to it in the ISIM service profile: As mentioned above - ISIM uses the connection to the SDI dispatcher (ITDIDispatcher) and invokes the appropriate assemblyline related to the adapter/profile you are running. That is all ISIM does. The SDI instance will initiate all connections to your target systems (GoogleApps, etc.). Hence all configuration/property files etc. live on SDI. ISIM will simply tell SDI which configuration files it will use per service that you set up. Hence these details need to be configured on the ISIM service profile with the understanding that it is referring to all paths with respect to the SDI server. The SDI on the VA will not let you upload these types of files, so if your adapter needs any custom files uploaded you will always have to use a separate SDI server.

    3. It turned out my issue wasn't with the file path - I had tried both paths but it would not work. My issues were:

    a. A networking issue between ISIM and SDI - It turns out it needs to communicate on more ports than TCP 1099. It would connect to SDI and I could see the activity in the firewall logs but then would do nothing. It never initiated the Google Apps connector and gave a very generic error. Long story short, our networking team monitored the traffic and added additional rules to enable this.

    b. The way the Google Apps cred was authorized on the domain - We plugged in the text username for the developer cred, which got automatically converted to the numeric id in the Google Apps admin console. When we double-checked all settings it always looked correct. After involving Google support they said to delete that authorization and to add a new one explicitly using the numeric user id, which worked.

    4. IBM support is great. If you're stuck, don't hesitate to call them.
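The thread's conclusion is that the "Client Key Path" in the ISIM service profile is resolved on the SDI server, not on the virtual appliance, and that the ISIM-to-dispatcher leg (TCP 1099 in the post) is separate from the adapter-to-Google leg. The pre-flight checker below is an added example written for this page; it is not code from any poster or from IBM. It is meant to be run on the SDI host before configuring the service: it verifies that the file the profile will point at exists there, is private to the service account, and looks like a DER-encoded PKCS#12 file, and that the dispatcher port is reachable. The file path, the dispatcher host and the 0o600 permission ceiling are assumptions; 1099 is the port named in the thread.

```python
"""Pre-flight checks for an ISIM -> SDI dispatcher -> Google Apps adapter setup.

Run this on the SDI server: the "Client Key Path" configured in the ISIM
service profile is resolved on the SDI host, not on the ISIM virtual appliance.
Added example for this thread, not project code. Paths and hosts are assumptions.
"""
import os
import socket
import stat
import sys
from dataclasses import dataclass, field
from typing import List

# TCP port the thread names for the ISIM -> SDI dispatcher connection.
DEFAULT_DISPATCHER_PORT = 1099


@dataclass
class PreflightReport:
    ok: bool
    findings: List[str] = field(default_factory=list)


def check_client_key_path(path: str, max_mode: int = 0o600) -> List[str]:
    """Check the PKCS#12 file that ISIM will reference by path on this host.

    Returns a list of findings; an empty list means the file exists, is readable
    by the current user, is no more permissive than max_mode (assumed 0o600),
    and starts with a DER SEQUENCE tag (0x30), as a .p12 container does.
    """
    findings: List[str] = []
    if not os.path.isfile(path):
        return [f"client key path does not exist on this host: {path}"]
    if not os.access(path, os.R_OK):
        return [f"client key file is not readable by this user: {path}"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        findings.append(
            f"client key file mode {oct(mode)} is wider than {oct(max_mode)}; "
            "restrict it to the SDI service account"
        )
    with open(path, "rb") as fh:
        head = fh.read(1)
    if head != b"\x30":
        findings.append("client key file does not start with a DER SEQUENCE; is it really a .p12?")
    return findings


def check_dispatcher_port(host: str, port: int = DEFAULT_DISPATCHER_PORT, timeout: float = 2.0) -> List[str]:
    """TCP connect check for the dispatcher listener (the ISIM -> SDI leg).

    A successful connect only proves the listener and firewall rule for this
    one port; the thread notes that further ports are needed beyond 1099.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return []
    except OSError as exc:
        return [f"cannot reach dispatcher at {host}:{port}: {exc}"]


def run_preflight(client_key_path: str,
                  dispatcher_host: str = "127.0.0.1",
                  dispatcher_port: int = DEFAULT_DISPATCHER_PORT) -> PreflightReport:
    """Combine both checks into one report; ok is True only with no findings."""
    findings = check_client_key_path(client_key_path)
    findings += check_dispatcher_port(dispatcher_host, dispatcher_port)
    return PreflightReport(ok=not findings, findings=findings)


if __name__ == "__main__":
    # Assumed default path; pass the real "Client Key Path" value as argv[1].
    key_path = sys.argv[1] if len(sys.argv) > 1 else "/opt/IBM/TDI/keys/google-client-key.p12"
    report = run_preflight(key_path)
    for line in report.findings:
        print("FINDING:", line)
    print("pre-flight OK" if report.ok else "pre-flight FAILED")
    sys.exit(0 if report.ok else 1)
```

Because the checks are split per leg, a failed report tells you which side to look at: a key-file finding is a problem on the SDI host (wrong path, permissions, wrong file type), while a dispatcher finding points at the listener or the firewall between ISIM and SDI.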

  • franzw
    franzw
    484 Posts

    Re: Basics of ISIM 7 Virtual Appliance

    2018-08-20T06:24:21Z
    • Ab11
    • 2018-08-17T19:28:17Z

    Just wanted to update the question in the event anyone else is struggling with the basic questions as I was. I took Franz's advice and created a ticket with support and got confirmed answers right away - very quick, very convenient - if someone hasn't used support before, I highly recommend using them more often.

    Support basically confirmed everything Franz said above.

    1. To use the Google Apps adapter you will need to install IBM SDI + Dispatcher + enable SSL communications + GoogleApps connectors on a separate server: The ISIM VA has IBM SDI installed on it and is fully functional but can only be used with the default connectors that are installed on it. If you need to install additional adapters you need to set up an SDI on a separate server. If you were not using the virtual appliance you could have installed additional adapters on the ISIM server, but that is not possible with the VA.

    2. The Google Apps certificate is stored on the SDI server and you provide a path to it in the ISIM service profile: As mentioned above - ISIM uses the connection to the SDI dispatcher (ITDIDispatcher) and invokes the appropriate assemblyline related to the adapter/profile you are running. That is all ISIM does. The SDI instance will initiate all connections to your target systems (GoogleApps, etc.). Hence all configuration/property files etc. live on SDI. ISIM will simply tell SDI which configuration files it will use per service that you set up. Hence these details need to be configured on the ISIM service profile with the understanding that it is referring to all paths with respect to the SDI server. The SDI on the VA will not let you upload these types of files, so if your adapter needs any custom files uploaded you will always have to use a separate SDI server.

    3. It turned out my issue wasn't with the file path - I had tried both paths but it would not work. My issues were:

    a. A networking issue between ISIM and SDI - It turns out it needs to communicate on more ports than TCP 1099. It would connect to SDI and I could see the activity in the firewall logs but then would do nothing. It never initiated the Google Apps connector and gave a very generic error. Long story short, our networking team monitored the traffic and added additional rules to enable this.

    b. The way the Google Apps cred was authorized on the domain - We plugged in the text username for the developer cred, which got automatically converted to the numeric id in the Google Apps admin console. When we double-checked all settings it always looked correct. After involving Google support they said to delete that authorization and to add a new one explicitly using the numeric user id, which worked.

    4. IBM support is great. If you're stuck, don't hesitate to call them.

    Good to see that I am not out of line with my IBM Support colleagues - and thanks for confirming this.

    Just for the record - I am answering here as a practitioner in the field and I cannot speak for IBM in this sense. Of course I try to be in line with IBM official statements - so if you are in doubt do as here - use IBM Support if you need the official statement on a problem.

    And I know that a statement like yours is making the life of our support people a lot better - it is not always the most pleasant job to have - so when they get the message that they really are delivering value the sun shines a little warmer :-)

    Regards

    Franz Wolfhagen