Onboarding the iSeries Application

Provision users from Verify to the On-Premises iSeries® adapter.

Before you begin

  1. Configure the identity agent for authentication in Verify. See Configuring through the Verify user interface.
  2. Deploy and configure the IBM® Verify Identity Brokerage On-Premises component.

Procedure

  1. Log in as administrator on IBM Verify.
  2. Select Applications > Applications and click Add application.
  3. From the menu, search for the application type by the name that was set for the uploaded application profile, and click Add application.
    For example, if the iSeries profile was uploaded with the name iSeries, then the application is listed as iSeries (custom).
  4. In the Add applications page, select the General tab, and specify the required details.
  5. Select the Account lifecycle tab.
  6. Specify the provisioning and deprovisioning policies.
    Parameters and descriptions:

    Provision accounts
      Disabled by default, which means that account creation is performed outside of IBM Verify.
      Select Enabled to automatically provision an account when the entitlement is assigned to a user. Password generation and email notification features are available for accounts that are created through IBM Verify.

    Deprovision accounts
      Disabled by default, which means that account removal is performed outside of IBM Verify.
      Select Enabled to automatically deprovision an account when the entitlement is removed from a user.

    Account password
      Sync user's Cloud Directory password: Available only if Password sync is enabled on the Cloud Directory. Uses the Cloud Directory password when a regular user is provisioned to the application. Federated users receive a generated password when they are provisioned to the application.
      Generate password: Generates a random password for the provisioned account, based on the Cloud Directory password policy.
      None: Provisions the account without a password.

    Send email notification
      Available only when Generate password is selected. When selected, an email notification that contains the auto-generated password is sent to your email address after the account is provisioned successfully.

    Grace period (days)
      The number of days for which a deprovisioned account is kept suspended before it is deleted permanently.

    Deprovision action
      Delete the account. This field is available only if Deprovision accounts is enabled.
  7. In the General section, select the Application profile from the drop-down. If the profile does not exist, you must create one. For more information, see Managing identity adapter application profiles.
  8. Specify the API authentication details.
    Parameters and descriptions:

    Tivoli® Directory Integrator location
      URL of the IBM Verify Directory Integrator instance, for example rmi://<ip-address>:<port>/ITDIDispatcher, where ip-address is the IBM Verify Directory Integrator host and port is the port number of the RMI Dispatcher.

    URL
      The location and port number of the directory server on the IBM i system. Valid syntax is ldap://<ip-address>:<port>, where ip-address is the IBM i server host and port is the IBM i LDAP port number. For example, you might specify ldap://irvas02.eng.irvine.ibm.com:389.
      If SSL is enabled, the syntax is ldaps://<ip-address>:<SSL-port>. For example, you might specify ldaps://irvas02.eng.irvine.ibm.com:636.

    Administrator name
      The iSeries user ID.
      Note: The user profile must have the *SECADM and *ALLOBJ special authorities.

    User Container base DN
      The distinguished name (DN) of the container or base point where the user profiles are stored. The adapter creates new users under this DN, and search operations return the user account entries under this DN. For example, you might specify cn=accounts,os400-sys=irvas02.eng.irvine.ibm.com.

    Value of OWNOBJOPT parm for delete
      The operation that is performed on the objects owned by a user profile when that profile is deleted. This is a text field and takes one of the following values:
      *NODLT
        If the user owns any objects other than the message queue associated with the user profile, the owned objects do not change and the user profile is not deleted. If the user owns only the message queue associated with the profile, the message queue and the profile are deleted.
      *DLT
        The objects owned by the user profile are deleted. If the deletion of the objects is successful, the user enrollment information is removed from OfficeVision.
      *CHGOWN username
        Ownership of the objects owned by the user profile is transferred to the user profile specified in username. If the transfer of all owned objects is successful, the user profile is deleted.

    Password
      The password for the administrator.

    Identity agent
      Select the Identity Agent of type provisioning through which the application profile is discovered.

    Description
      Optional. Add a description if needed.

    Use SSL Communication with LDAP?
      Select this check box to use SSL between Security Directory Integrator and the IBM i Directory Server.
  9. Click Test Connection to test the connection to the on-premises iSeries. The connection must succeed before accounts can be provisioned or reconciled on the iSeries application.
  10. Map the target iSeries attributes to the Verify attributes as required. Select the Keep updated check box for the attributes that need to be updated on the target.

  11. Select the Account sync tab.
  12. In the Adoption policy section, add one or more attribute pairs that need to match for the account sync process to assign iSeries accounts to their respective account owners on Verify.

  13. In the Remediation Policies section, choose a remediation policy to remediate non-compliant accounts automatically.
  14. Click Save.
  15. After the application is saved, specify the authorization policy on the Entitlements tab.
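As an added pre-flight check (example code, not IBM's own), the validator below checks that the API authentication fields from step 8 follow the syntax described there and that the Use SSL check box agrees with the URL scheme, flagging a plain ldap:// bind because a simple bind over it sends the *SECADM/*ALLOBJ administrator password unencrypted. The ISeriesConnection class, the parse_endpoint and validate functions, and all host, port and profile names are assumptions.

```python
# Added example (not IBM's code); host names, ports and profile names are constructed.
from dataclasses import dataclass
from urllib.parse import urlparse

OWNOBJOPT_VALUES = ("*NODLT", "*DLT", "*CHGOWN")


@dataclass
class ISeriesConnection:
    tdi_location: str   # rmi://<ip-address>:<port>/ITDIDispatcher
    url: str            # ldap://<ip-address>:<port> or ldaps://<ip-address>:<SSL-port>
    administrator: str  # iSeries user profile; needs *SECADM and *ALLOBJ
    ownobjopt: str      # *NODLT | *DLT | *CHGOWN <username>
    use_ssl: bool       # "Use SSL Communication with LDAP?" check box


def parse_endpoint(value, schemes):
    """Return (scheme, host, port, path), or None when the URL is malformed."""
    p = urlparse(value)
    try:
        port = p.port   # ValueError when the port is not numeric
    except ValueError:
        return None
    if p.scheme not in schemes or not p.hostname or port is None:
        return None
    return p.scheme, p.hostname, port, p.path


def validate(conn):
    """Return the list of findings; an empty list means the fields are consistent."""
    findings = []
    rmi = parse_endpoint(conn.tdi_location, {"rmi"})
    if rmi is None or rmi[3] != "/ITDIDispatcher":
        findings.append("TDI location must be rmi://<ip-address>:<port>/ITDIDispatcher")
    ldap = parse_endpoint(conn.url, {"ldap", "ldaps"})
    if ldap is None:
        findings.append("URL must be ldap://<ip-address>:<port> or ldaps://<ip-address>:<SSL-port>")
    elif conn.use_ssl != (ldap[0] == "ldaps"):
        findings.append("Use SSL check box and URL scheme disagree (ldaps:// needs the box checked)")
    elif ldap[0] == "ldap":
        # A simple bind over plain ldap:// carries the *ALLOBJ administrator password in cleartext.
        findings.append("plain ldap:// bind exposes the administrator password on the wire")
    parts = conn.ownobjopt.split()
    keyword = parts[0].upper() if parts else ""
    if keyword not in OWNOBJOPT_VALUES:
        findings.append("OWNOBJOPT must be *NODLT, *DLT or *CHGOWN <username>")
    elif keyword == "*CHGOWN" and len(parts) != 2:
        findings.append("*CHGOWN needs exactly one target user profile")
    elif keyword != "*CHGOWN" and len(parts) != 1:
        findings.append(keyword + " takes no argument")
    return findings
```

Run validate() on the filled-in settings before step 9; fix every finding, then click Test Connection.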