Directory Integrator, Version 7.1.1
This section describes how to configure the JMS Password Store.
Properties pertaining to the JMS Password Store are set in the plug-in's general configuration file, pwsync.props. By default there is one such file per plug-in, for example TDI_Install_dir/pwd_plugins/tds/pwsync.props.
The encryptPasswd utility expects the password to be passed as a parameter. The encrypted password is printed on the standard output.
For a complete list of the configuration parameters, their explanation and the encryptPasswd utility, see Password plug-ins common configuration and utilities.
In the pwsync.props file:
For more information about password message security, see Password message security.
An extract of the JMS Password Store configuration section of the pwsync.props file follows:
#
# This is the configuration file of the Password Synchronizer.
# It is used by all parts of the Password Synchronizer: the Plug-in,
# the Proxy and the Password Store component.
#
# Enter (name)=(value) to set configuration properties.
#
# Follow the Java properties file format. Backslashes must be escaped:
# e.g. instead of 'c:\myfile.txt' type 'c:\\myfile.txt'.
#
# Executable (binary or shell script) used to start the Java Proxy.
# If this property is set, both 'jvmPath' and 'jvmClassPath' will be ignored.
proxyStartExe=C:\\Program Files\\IBM\\TDI\\V7.1.1/pwd_plugins/bin/startProxy.bat
# Port number, on which the Java Proxy listens for commands.
serverPort=18001
# The log file of the Plug-in part of the Password Synchronizer.
# If empty, no logging will be done.
logFile=C:\\Program Files\\IBM\\TDI\\V7.1.1/pwd_plugins/windows/plugin.log
# Whether to reject password changes if the Password Store is down.
checkRepository=true
# The log file of the Java Proxy part of the Password Synchronizer.
# If empty, no logging will be done.
javaLogFile=C:\\Program Files\\IBM\\TDI\\V7.1.1/pwd_plugins/windows/proxy.log
# Turn on debug logging for all parts of the Password Synchronizer.
debug=true
# Custom data that will be sent with each password change.
# This string can be used to uniquely identify the machine or product that generates
# the changes (e.g. machine IP, application name and version).
#customData=machine1
#
# User filtering configuration
#
# A list of Windows groups. If a user is a member of some group on the list, the user will be accepted
# by the user filter (assuming the user is not excluded by some of the exclude lists).
# Group names must be separated by semicolons. Redundant white-spaces are not allowed.
# includeGroups=
# A list of Windows groups. If a user is a member of some group on the list, the user will not be accepted
# by the user filter.
# Group names must be separated by semicolons. Redundant white-spaces are not allowed.
# excludeGroups=
# A list of DN suffixes. If a user's Distinguished Name matches some suffix on the list, the user will be
# accepted by the user filter (assuming the user is not excluded by some of the exclude lists).
# DN suffixes must be separated by semicolons. Redundant white-spaces are not allowed.
# includeDNs=
# A list of DN suffixes. If a user's Distinguished Name matches some suffix on the list, the user will not
# be accepted by the user filter.
# DN suffixes must be separated by semicolons. Redundant white-spaces are not allowed.
# excludeDNs=
# Types of the accounts for which password changes will be reported.
# It is a space-delimited list of account types. Recognized account types are:
# NORMAL_ACCOUNT
# TEMP_DUPLICATE_ACCOUNT
# INTERDOMAIN_TRUST_ACCOUNT
# WORKSTATION_TRUST_ACCOUNT
# SERVER_TRUST_ACCOUNT
#
# accountTypes=NORMAL_ACCOUNT
#
# The Password Store component
#
# Specify the full name of the Java class.
# Choose one of the following:
# com.ibm.di.plugin.pwstore.log.LogPasswordStore
# com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
# com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore
#
# LogPasswordStore is for testing purposes only - you should NEVER use it in a
# production environment.
#
syncClass=com.ibm.di.plugin.pwstore.log.LogPasswordStore
#
# Public key encryption of passwords
#
# encrypt=true
# encryptKeyStoreFilePath=
# encryptKeyStoreFilePassword=
# encryptKeyStoreCertificate=
# 'encryptKeyPassword' is required by the LDAP Password Store (the rest do not need it)
# encryptKeyPassword=
#
# PKCS7 encapsulation of passwords
#
# pkcs7=true
# pkcs7KeyStoreFilePath=
# pkcs7KeyStoreFilePassword=
# pkcs7MqeStoreCertificateAlias=
# pkcs7MqeConnectorCertificateAlias=
#
# SSL configuration properties
#
# javax.net.ssl.trustStore=
# javax.net.ssl.trustStorePassword=
# javax.net.ssl.trustStoreType=
# javax.net.ssl.keyStore=
# javax.net.ssl.keyStorePassword=
# javax.net.ssl.keyStoreType=
#
# LDAP Password Store Configuration
#
# LDAP server host
# ldap.hostname=localhost
# LDAP server port
# ldap.port=389
# LDAP bind dn
# ldap.admindn=cn=root
# LDAP bind password
# This field must be encoded. Use the 'encryptPasswd' utility.
# ldap.password=0c0bf0e3146b
# If set to true, password changes will be committed synchronously to the Password Store when
# a password change notification is received. The source of the password change will be blocked
# until the password change is written to the Password Store.
#
# If set to false, the commit will be asynchronous. Use the 'ldap.delayMillis' property to configure
# the time to wait before committing the password change.
# ldap.waitForStore=true
# Time to wait (in milliseconds) before committing the password change to the Password Store.
# Will be ignored if 'ldap.waitForStore' is set to true.
# ldap.delayMillis=2000
# Use SSL for LDAP communication.
# If set to true, JSSE must be configured (set the javax.net.ssl.trustStore and
# javax.net.ssl.keyStore properties).
# ldap.ssl=false
# Location in the LDAP directory tree where the Password Synchronizer will store data.
# ldap.suffix=dc=carnd11,o=ibm,c=us
# Name of an LDAP object class used to hold information for a given user.
# ldap.schemaPersonObjectName=ibm-diPerson
# Name of an LDAP attribute which represents user identifier.
# This attribute must be a member of the object class specified by the
# 'ldap.schemaPersonObjectName' property.
# ldap.schemaUseridAttributeName=ibm-diUserId
# Name of an LDAP attribute which represents user password.
# This attribute must be a member of the object class specified by the
# 'ldap.schemaPersonObjectName' property.
# ldap.schemaPasswordAttributeName=ibm-diPassword
#
# MQe Password Store Configuration
#
# JMS driver, used to establish the connection to the message broker.
# jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQe
# The path to the .ini file of the MQe QueueManager.
# mqe.file.ini=
# The TCP/IP port that is used when the MQe Connector sends notifications to the
# Storage Component.
# mqe.notify.port=41002
#
# ActiveMQ Password Store Configuration
#
# JMS driver, used to establish the connection to the message broker.
# jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ
# JMS Server address (jms.broker=tcp://<activeMQhost>:61616 or
# jms.broker=ssl://<activeMQhost>:61617)
# jms.broker=
#
# Websphere MQ Password Store Configuration
#
# JMS driver, used to establish the connection to the message broker.
# jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQ
# The ID of this client. This value is used when connecting to a broker.
# Most brokers do not allow clients to have the same ID.
# jms.clientId=
# JMS Server address (ip host and tcp port number).
# jms.broker=<host>:<port>
# Login username for the password queue.
# jms.username=
# Login password for password queue.
# This field must be encoded. Use the 'encryptPasswd' utility.
# jms.password=
# MQ Server Channel
# jms.serverChannel=
# Queue Manager Name
# jms.qManager=
# Turn on SSL
# jms.sslUseFlag=false
# SSL cipher suite
# (See the WebSphere MQ documentation for a full list of supported cipher suites).
# jms.sslCipher=SSL_RSA_WITH_RC4_128_MD5
#
# Tivoli Identity Manager Integration
#
# Passwords will be verified by a Tivoli Identity Manager Server's Password Strength
# Servlet prior to synchronization.
# To enable TIM integration, set the 'syncClass' property to one of the following:
# com.ibm.di.plugin.pwstore.log.LogPasswordStoreITIMDecorator
# com.ibm.di.plugin.pwstore.jms.JMSPasswordStoreITIMDecorator
# com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStoreITIMDecorator
# URL of the Tivoli Identity Manager hosted Password Strength Servlet.
# Note: If https is used, the javax.net.ssl.trustStore* properties must be set, and the
# specified truststore must contain the Tivoli Identity Manager Server's certificate.
# itimPasswordUrl=https://<host>:<port>/passwordsynch/synch
# Tivoli Identity Manager user account permitted to perform a password check.
# itimPrincipalName=
# The password for the Tivoli Identity Manager user account specified by the 'itimPrincipalName' property.
# itimPrincipalPassword=
# The Tivoli Identity Manager service name against which the password check would be performed.
# itimSourceDN=erservicename=TDIPasswordService, o=IBM, ou=IBM, dc=com
In this section, the following parameters merit attention:
mqe.file.ini
    The path to the .ini file generated by the MQe Configuration Utility (usually C:\\Program Files\\IBM\\TDI\\V7.1.1\\pwd_plugins\\tds\\MQePWStore\\pwstore_client.ini).
mqe.notify.port
    The TCP/IP port that is used when the JMS Password Connector sends notifications to the MQe Driver on behalf of the JMS Password Store. Default value is 41002.
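As an added example (not part of the IBM documentation or the product), a small Python checker that reads a pwsync.props file in the Java properties format used above and flags the settings this section warns about: a LogPasswordStore left as syncClass, encryption disabled or without a keystore, a plaintext tcp:// broker, WebSphere MQ without jms.sslUseFlag, a missing truststore when ldap.ssl or an https itimPasswordUrl is used, and passwords that were not run through encryptPasswd. The sample properties are constructed, and the assumption that encryptPasswd output is hex is drawn from the ldap.password example above.

```python
import re
# Constructed sample pwsync.props content (not taken from any real deployment).
SAMPLE_PROPS = """\
syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
debug=true
jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ
jms.broker=tcp://broker.example.test:61616
jms.password=Secret123
logFile=C:\\\\Program Files\\\\IBM\\\\TDI\\\\V7.1.1/pwd_plugins/windows/plugin.log
"""

def parse_props(text):
    """Minimal Java properties reader: '#'/'!' comments, key=value, backslash escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())  # 'c:\\x' -> 'c:\x'
    return props

def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"

def audit(props):
    """Return (severity, message) findings for the settings the page calls out."""
    findings = []
    if "LogPasswordStore" in props.get("syncClass", ""):
        findings.append(("HIGH", "syncClass is a LogPasswordStore: testing only, never production"))
    if is_true(props, "debug"):
        findings.append(("MEDIUM", "debug=true: verbose logging for all synchronizer parts"))
    if not is_true(props, "encrypt"):
        findings.append(("HIGH", "encrypt is not true: passwords are not public-key encrypted"))
    elif not props.get("encryptKeyStoreFilePath"):
        findings.append(("HIGH", "encrypt=true but encryptKeyStoreFilePath is empty"))
    if props.get("jms.broker", "").startswith("tcp://"):
        findings.append(("HIGH", "jms.broker uses tcp://; ActiveMQ also accepts the ssl:// form"))
    if props.get("jmsDriverClass", "").endswith(".IBMMQ") and not is_true(props, "jms.sslUseFlag"):
        findings.append(("HIGH", "WebSphere MQ driver configured without jms.sslUseFlag=true"))
    if re.search(r"RC4|MD5", props.get("jms.sslCipher", "")):
        findings.append(("MEDIUM", "jms.sslCipher uses RC4/MD5, both deprecated algorithms"))
    # Assumption: encryptPasswd output is hex, as in the page's ldap.password example.
    for key in ("jms.password", "ldap.password"):
        if props.get(key) and not re.fullmatch(r"[0-9a-fA-F]+", props[key]):
            findings.append(("HIGH", f"{key} does not look like encryptPasswd output; encode it"))
    tls_used = is_true(props, "ldap.ssl") or props.get("itimPasswordUrl", "").startswith("https://")
    if tls_used and not props.get("javax.net.ssl.trustStore"):
        findings.append(("HIGH", "ldap.ssl/https configured but javax.net.ssl.trustStore is empty"))
    return findings
```

Run `audit(parse_props(open("pwsync.props").read()))` against a real file; an empty list means none of the checks above fired.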