Modifying protocol configuration settings

The adapter uses the DAML protocol to communicate with the IBM® Security Identity server.

About this task

By default, when the adapter is installed, the DAML protocol is configured for a nonsecure environment: USE_SSL is FALSE, so the connection between the IBM Security Identity server and the adapter, including the USERNAME and PASSWORD exchange, is not encrypted. To configure a secure environment, enable Secure Sockets Layer (SSL) and install a certificate.

The DAML protocol is the only supported protocol that you can use. Do not add or remove a protocol.

Procedure

  1. Access the Agent Main Configuration menu.
  2. Type B to display the Agent Protocol Configuration menu. The DAML protocol is configured and available by default for the adapter.
    Agent Protocol Configuration Menu
    -----------------------------------
    Available Protocols: DAML
    Configured Protocols: DAML
    A. Add Protocol.
    B. Remove Protocol.
    C. Configure Protocol.
    
    X. Done
    
    Select menu option
  3. At the Agent Protocol Configuration menu, type C to display the Configure Protocol Menu.
    Configure Protocol Menu
    -----------------------------------
    A. DAML
    
    X. Done
    
    Select menu option:
  4. Type the letter of the configured protocol (A for DAML) to display its Protocol Properties menu.

    The following screen is an example of the DAML protocol properties.

    DAML Protocol Properties
    --------------------------------------------------------
    
    A. USERNAME           ****** ;Authorized user name.
    B. PASSWORD           ****** ;Authorized user password.
    C. MAX_CONNECTIONS    100    ;Max Connections.
    D. PORTNUMBER         45580  ;Protocol Server port number.
    E. USE_SSL            FALSE  ;Use SSL secure connection.
    F. SRV_NODENAME       –––––  ;Event Notif. Server name.
    G. SRV_PORTNUMBER     9443   ;Event Notif. Server port number.
    H. HOSTADDR           ANY    ;Listen on address < or "ANY" >
    I. VALIDATE_CLIENT_CE FALSE  ;Require client certificate.
    J. REQUIRE_CERT_REG   FALSE  ;Require registered certificate.
    K. READ_TIMEOUT       0      ;Socket read timeout (seconds)
    L. MIN_TLS_LEVEL      1.0    ;Minimum TLS level (0 for none)
    X. Done
    Select menu option:
  5. Type the letter of the menu option for the protocol property that you want to configure. The following table describes each property.
      Table 1. Options for the DAML protocol menu
      Option Configuration task
      A Displays the following prompt:

      Modify Property 'USERNAME':

      Type a user ID, for example, agent. The IBM Security Identity server uses this value to connect to the adapter. The default user ID is agent.

      B Displays the following prompt:

      Modify Property 'PASSWORD':

      Type a password, for example, agent. The IBM Security Identity server uses this value to connect to the adapter. The default password is agent.

      C Displays the following prompt:

      Modify Property 'MAX_CONNECTIONS':

      Enter the maximum number of concurrent open connections that the adapter supports. The default number is 100.

      D Displays the following prompt:

      Modify Property 'PORTNUMBER':

      Type a different port number.

      This value is the port number that the IBM Security Identity server uses to connect to the adapter. The default port number is 45580.

      E Displays the following prompt:

      Modify Property 'USE_SSL':

      TRUE specifies that the IBM Security Identity server connects to the adapter over a secure SSL connection. If you set USE_SSL to TRUE, you must install a certificate. FALSE, the default value, specifies a nonsecure connection with no encryption.

      Note: Event notification requires USE_SSL to be set to TRUE. To use event notification, set USE_SSL to TRUE and install the certificate and key from the PKCS12 file in the adapter.
      F Displays the following prompt:

      Modify Property 'SRV_NODENAME':

      Type a server name or an IP address of the workstation where you installed the IBM Security Identity server.

      This value is the DNS name or the IP address of the IBM Security Identity server that is used for event notification and asynchronous request processing.

      Note: If your operating system supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server.
      G Displays the following prompt:

      Modify Property 'SRV_PORTNUMBER':

      Type a different port number to access the IBM Security Identity server.

      The adapter uses this port number to connect to the IBM Security Identity server. The default port number is 9443.

      H The HOSTADDR option is useful when the system where the adapter is running has more than one network interface. It selects the IP address on which the adapter listens for connections; ANY listens on all interfaces.

      The default value is ANY.

      I

      Displays the following prompt:

      Modify Property 'VALIDATE_CLIENT_CE':

      Specify TRUE to require the IBM Security Identity server to present a certificate when it communicates with the adapter. When you set this option to TRUE, you must configure options D through I.

      Specify FALSE, the default value, to allow the IBM Security Identity server to communicate with the adapter without a certificate.
      Note:
      • The property name is VALIDATE_CLIENT_CERT; agentCfg truncates it to fit on the screen.
      • You must use certTool to install the appropriate CA certificates and, optionally, register the IBM Security Identity server certificate.
      J

      Displays the following prompt:

      Modify Property 'REQUIRE_CERT_REG':

      This value applies only when option I (VALIDATE_CLIENT_CERT) is set to TRUE.

      Type TRUE to require that the client certificate of the IBM Security Identity server is registered with the adapter (using certTool) before the adapter accepts an SSL connection from it.

      Type FALSE to verify the client certificate only against the list of installed CA certificates. The default value is FALSE.

      K Displays the following prompt:

      Modify Property 'READ_TIMEOUT':

      Type the timeout value, in seconds, for the connection between IBM Security Identity Manager and the adapter. The default value of 0 means no timeout.

      This option applies to setups that have a firewall between IBM Security Identity Manager and the adapter, where the firewall idle timeout is less than the maximum connection age DAML property on IBM Security Identity Manager. When a transaction runs longer than the firewall timeout, the firewall terminates the connection. The sudden termination can leave the adapter with stale connection threads and cause the adapter to crash.

      If the adapter halts randomly in such a setup, set READ_TIMEOUT to a value in seconds that is greater than 0 and less than the idle timeout of the firewall.

      L

      This option controls the minimum TLS level that is used when SSL is enabled. The setting supersedes the values DISABLE_SSLV3 and DISABLE_TLS10. The valid settings for this value are:

      • 0: No restrictions. This setting allows SSLv3 connections, which are known to have vulnerabilities.
      • 1.0: TLS 1.0 and higher are supported.
      • 1.1: TLS 1.1 and higher are supported.
      • 1.2: TLS 1.2 and higher are supported.
      • 1.3: TLS 1.3 and higher are supported.

      For backward compatibility, if MIN_TLS_LEVEL is not set, it will be set at startup based on the settings of DISABLE_SSLV3 and DISABLE_TLS10.

  6. Follow these steps at the prompt:
    • Change the property value and press Enter to display the Protocol Properties menu with the new value.
    • If you do not want to change the value, press Enter.
  7. Repeat steps 5 and 6 to configure the other protocol properties.
  8. At the Protocol Properties menu, type X to exit.
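The following script is an added example, not part of the IBM documentation or the agentCfg tool. It parses the DAML Protocol Properties screen as agentCfg prints it and flags the settings that leave the adapter in its nonsecure default state: USE_SSL off, MIN_TLS_LEVEL below 1.2, SRV_NODENAME set without SSL (event notification), REQUIRE_CERT_REG set while VALIDATE_CLIENT_CERT is off, HOSTADDR left at ANY, and a READ_TIMEOUT that does not fit under a firewall idle timeout. Both screens in the script are constructed samples; the host names, addresses and the 300-second firewall timeout are assumptions for illustration.

```python
"""Audit an agentCfg DAML Protocol Properties screen for weak settings.

Added example; not IBM code. Parses the property lines agentCfg prints
(e.g. "E. USE_SSL            FALSE  ;Use SSL secure connection.") and
returns (property, finding) pairs for values a practitioner should change.
"""
import re
from typing import Dict, List, Optional, Tuple

# Property line: menu letter, property name, value, then ';' and a description.
_PROPERTY_RE = re.compile(r"^\s*[A-Z]\.\s+(?P<name>[A-Z_]+)\s+(?P<value>\S+)\s*;")

# agentCfg truncates VALIDATE_CLIENT_CERT to fit the screen; map it back.
_TRUNCATED = {"VALIDATE_CLIENT_CE": "VALIDATE_CLIENT_CERT"}

# Constructed sample: the default screen shown in the documentation.
DEFAULT_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------
A. USERNAME           ****** ;Authorized user name.
B. PASSWORD           ****** ;Authorized user password.
C. MAX_CONNECTIONS    100    ;Max Connections.
D. PORTNUMBER         45580  ;Protocol Server port number.
E. USE_SSL            FALSE  ;Use SSL secure connection.
F. SRV_NODENAME       -----  ;Event Notif. Server name.
G. SRV_PORTNUMBER     9443   ;Event Notif. Server port number.
H. HOSTADDR           ANY    ;Listen on address < or "ANY" >
I. VALIDATE_CLIENT_CE FALSE  ;Require client certificate.
J. REQUIRE_CERT_REG   FALSE  ;Require registered certificate.
K. READ_TIMEOUT       0      ;Socket read timeout (seconds)
L. MIN_TLS_LEVEL      1.0    ;Minimum TLS level (0 for none)
X. Done
"""

# Constructed sample: a hardened configuration (hostname/address are assumed).
HARDENED_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------
A. USERNAME           ****** ;Authorized user name.
B. PASSWORD           ****** ;Authorized user password.
C. MAX_CONNECTIONS    100    ;Max Connections.
D. PORTNUMBER         45580  ;Protocol Server port number.
E. USE_SSL            TRUE   ;Use SSL secure connection.
F. SRV_NODENAME       isim.example.com ;Event Notif. Server name.
G. SRV_PORTNUMBER     9443   ;Event Notif. Server port number.
H. HOSTADDR           192.0.2.10 ;Listen on address < or "ANY" >
I. VALIDATE_CLIENT_CE TRUE   ;Require client certificate.
J. REQUIRE_CERT_REG   TRUE   ;Require registered certificate.
K. READ_TIMEOUT       240    ;Socket read timeout (seconds)
L. MIN_TLS_LEVEL      1.2    ;Minimum TLS level (0 for none)
X. Done
"""


def parse_properties(screen: str) -> Dict[str, str]:
    """Return {property_name: value} for every property line on the screen."""
    props: Dict[str, str] = {}
    for line in screen.splitlines():
        m = _PROPERTY_RE.match(line)
        if m:
            name = _TRUNCATED.get(m.group("name"), m.group("name"))
            props[name] = m.group("value")
    return props


def _is_set(value: Optional[str]) -> bool:
    """agentCfg shows an unset value as a run of dashes (ASCII or en/em dash)."""
    return bool(value) and not all(ch in "-\u2013\u2014" for ch in value)


def _is_true(props: Dict[str, str], name: str) -> bool:
    return props.get(name, "FALSE").upper() == "TRUE"


def audit(props: Dict[str, str], firewall_timeout: Optional[int] = None) -> List[Tuple[str, str]]:
    """Return (property, finding) pairs; an empty list means no weak setting found."""
    findings: List[Tuple[str, str]] = []
    use_ssl = _is_true(props, "USE_SSL")
    if not use_ssl:
        findings.append(("USE_SSL", "FALSE: server-to-adapter traffic, including USERNAME/PASSWORD, is unencrypted"))
    level = props.get("MIN_TLS_LEVEL")
    if level is not None:
        try:
            lvl = float(level)
        except ValueError:
            findings.append(("MIN_TLS_LEVEL", f"unexpected value {level!r}"))
        else:
            if lvl == 0:
                findings.append(("MIN_TLS_LEVEL", "0: no restriction, SSLv3 is accepted"))
            elif lvl < 1.2:
                findings.append(("MIN_TLS_LEVEL", f"{level}: raise to 1.2 or higher"))
    if _is_set(props.get("SRV_NODENAME")) and not use_ssl:
        findings.append(("SRV_NODENAME", "set, but event notification requires USE_SSL=TRUE"))
    validate = _is_true(props, "VALIDATE_CLIENT_CERT")
    if use_ssl and not validate:
        findings.append(("VALIDATE_CLIENT_CERT", "FALSE: the adapter does not require a client certificate from the server"))
    if _is_true(props, "REQUIRE_CERT_REG") and not validate:
        findings.append(("REQUIRE_CERT_REG", "TRUE has no effect while VALIDATE_CLIENT_CERT is FALSE"))
    if props.get("HOSTADDR", "ANY").upper() == "ANY":
        findings.append(("HOSTADDR", "ANY: listening on every interface; bind one address on multi-homed hosts"))
    if firewall_timeout is not None:
        # READ_TIMEOUT must be > 0 and below the firewall idle timeout, else stale threads can crash the adapter.
        try:
            rt = int(props.get("READ_TIMEOUT", "0"))
        except ValueError:
            rt = -1
        if rt <= 0 or rt >= firewall_timeout:
            findings.append(("READ_TIMEOUT", f"{props.get('READ_TIMEOUT')}: must be >0 and below the firewall timeout of {firewall_timeout}s"))
    return findings


if __name__ == "__main__":
    for label, screen in (("default", DEFAULT_SCREEN), ("hardened", HARDENED_SCREEN)):
        print(f"== {label} ==")
        for prop, msg in audit(parse_properties(screen), firewall_timeout=300):
            print(f"  {prop}: {msg}")
```

Paste the screen from your own agentCfg session into the script in place of the constructed samples; USERNAME and PASSWORD are masked on screen, so the default agent/agent credentials must be checked by hand.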