Changing protocol configuration settings

The adapter uses the DAML protocol to communicate with the IBM® Security Identity server.

About this task

By default, when the adapter is installed, the DAML protocol is configured for a nonsecure environment: USE_SSL is FALSE, so traffic between the IBM Security Identity server and the adapter, including the USERNAME and PASSWORD values the server presents, crosses the network unencrypted. To configure a secure environment, set USE_SSL to TRUE, which uses Secure Sockets Layer (SSL)/TLS, and install a certificate. For more information, see Installing the certificate.

DAML is the only protocol that the adapter supports. Do not add or remove a protocol; use only the Configure Protocol option to change its properties.

To configure the DAML protocol for the adapter, perform the following steps:

Procedure

  1. Access the Agent Main Configuration Menu, if you have not already done so. See Starting the adapter configuration tool.
  2. Type B to display the Agent Protocol Configuration Menu. The DAML protocol is configured and available by default for the adapter.
    Agent Protocol Configuration Menu
    -----------------------------------
    Available Protocols: DAML
    Configured Protocols: DAML
    A. Add Protocol.
    B. Remove Protocol.
    C. Configure Protocol.
    
    X. Done
    
    Select menu option
  3. At the Agent Protocol Configuration Menu, type C to display the Configure Protocol Menu.
  4. Type A to display the Protocol Properties Menu for the configured protocol with its protocol properties. The following screen is an example of the DAML protocol properties; the values shown are sample values, and Table 1 gives the default for each property.
    DAML Protocol Properties
    --------------------------------------------------------------------
    A. USERNAME             ******      ;Authorized user name.
    B. PASSWORD             ******      ;Authorized user password.
    C. MAX_CONNECTIONS      100         ;Max Connections.
    D. PORTNUMBER           45580       ;Protocol Server port number.
    E. USE_SSL              FALSE       ;Use SSL secure connection.
    F. SRV_NODENAME         9.38.215.20 ;Event Notif. Server name.
    G. SRV_PORTNUMBER       9443        ;Event Notif. Server port number.
    H. HOSTADDR             ANY         ;Listen on address (or "ANY")
    I. VALIDATE_CLIENT_CE   FALSE       ;Require client certificate.
    J. REQUIRE_CERT_REG     FALSE       ;Require registered certificate.
    K. READ_TIMEOUT         0           ;Socket read timeout (seconds)
    L. DISABLE_TLS10        TRUE        ;Disable TLS 1.0 and earlier
    M. DISABLE_TLS11        TRUE        ;Disable TLS 1.1 and earlier
    N. DISABLE_TLS12        TRUE        ;Disable TLS 1.2 and earlier

    X. Done

    Select menu option:
  5. Follow these steps to change a protocol value:
    • Type the letter of the menu option for the protocol property that you want to configure. Table 1 describes each property.
    • Take one of the following actions:
      • Type the new property value and press Enter. The Protocol Properties Menu is displayed again with the new value.
      • If you do not want to change the value, press Enter without typing a value.
    Table 1. Options for the DAML protocol menu
    Option Configuration task
    A Displays the following prompt:
    Modify Property 'USERNAME':

    Type a user ID, for example, admin.

    The IBM Security Identity server uses this value to connect to the adapter.

    B Displays the following prompt
    Modify Property 'PASSWORD':

    Type a password, for example, admin. Do not keep an example or default password in production; choose a strong, unique value.

    The IBM Security Identity server uses this value to connect to the adapter. While USE_SSL is FALSE, this password is sent over an unencrypted connection, so set USE_SSL to TRUE (option E) before relying on it.

    C Displays the following prompt:
    Modify Property 'MAX_CONNECTIONS':
    Enter the maximum number of concurrent open connections that the adapter supports.
    The default value is 100.
    Note: The default is sufficient for most environments and does not usually require adjustment.
    D Displays the following prompt:
    Modify Property 'PORTNUMBER':

    Type a different port number.

    The IBM Security Identity server uses the port number to connect to the adapter. The default port number is 45580. For more information, see Adapter interactions with the IBM Security Identity server.

    E Displays the following prompt:
    Modify Property 'USE_SSL':
    TRUE specifies to use a secure SSL connection to connect the adapter. If you set USE_SSL to TRUE, you must install a certificate. For more information, see Installing the certificate.

    FALSE, the default value, specifies not to use a secure SSL connection. With this setting the DAML exchange, including the USERNAME and PASSWORD values, is not encrypted.

    F Displays the following prompt:
    Modify Property 'SRV_NODENAME':

    Type the host name or IP address of the system where the IBM Security Identity server is installed.

    This value is the DNS name or the IP address of the IBM Security Identity server that is used for event notification and asynchronous request processing.

    Note: If your platform supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server.
    G Displays the following prompt:
    Modify Property 'SRV_PORTNUMBER':

    Type a different port number to access the IBM Security Identity server.

    The adapter uses this port number to connect to the IBM Security Identity server. The default port number is 9443.

    H The HOSTADDR option is useful when the system where the adapter runs has more than one network interface. You can select which IP address the adapter listens on; the default value, ANY, listens on all addresses. Binding to a single address limits the adapter listener to the interface that the IBM Security Identity server actually uses.
    I
    Displays the following prompt:
    Modify Property 'VALIDATE_CLIENT_CE':

    Specify TRUE for the IBM Security Identity server to send a certificate when it communicates with the adapter. When you set this option to TRUE, you must configure options D through I.

    Specify FALSE, the default value, to let the IBM Security Identity server communicate with the adapter without a certificate.
    Note:
    • The property name is VALIDATE_CLIENT_CERT; agentCfg truncates it to VALIDATE_CLIENT_CE to fit the screen.
    • You must use certTool to install the appropriate CA certificates and optionally register the IBM Security Identity server certificate. For more information about using the certTool, see Starting certTool.
    J
    Displays the following prompt:
    Modify Property 'REQUIRE_CERT_REG':

    This value applies when option I is set to TRUE.

    Type TRUE to require that the client certificate presented by the IBM Security Identity server be registered with the adapter (by using certTool) before the adapter accepts the SSL connection. A certificate that merely chains to an installed CA certificate is not enough.

    Type FALSE to verify the client certificate only against the list of installed CA certificates. The default value is FALSE.

    For more information about certificates, see Configuring SSL authentication.

    K
    Displays the following prompt:
    Modify Property 'READ_TIMEOUT':
    

    Specify the timeout value in seconds. The default value is 0 which specifies that no read timeout is set.

    Note: READ_TIMEOUT prevents threads in the adapter from remaining open indefinitely, which can cause "hang" problems. Such threads are typically caused by firewall or network connection problems and can be seen as TCP/IP connections in the CLOSE_WAIT state that remain on the adapter.

    If you encounter such problems, set the value of READ_TIMEOUT to a time longer than the IBM Security Identity server timeout but shorter than any firewall idle timeout. The IBM Security Identity server timeout is specified by the maximum connection age DAML property.

    You must restart the adapter after changing READ_TIMEOUT, because the value is read only at adapter initialization.

    L
    Displays the following prompt:
    Modify Property 'DISABLE_TLS10':

    Type FALSE to allow the TLSv1.0 protocol for connections to the adapter.

    The default value is TRUE. TLS 1.0 is deprecated (RFC 8996); leave this value at TRUE unless a legacy IBM Security Identity server cannot negotiate a later version.

    M
    Displays the following prompt:
    Modify Property 'DISABLE_TLS11':

    Type FALSE to allow the TLSv1.1 protocol for connections to the adapter.

    The default value is TRUE. TLS 1.1 is deprecated (RFC 8996); leave this value at TRUE unless a legacy IBM Security Identity server cannot negotiate a later version.

    N
    Displays the following prompt:
    Modify Property 'DISABLE_TLS12':

    Type FALSE to allow the TLSv1.2 protocol for connections to the adapter.

    The default value is FALSE. Setting this property to TRUE disables TLS 1.2 and all earlier versions, regardless of options L and M, so the adapter then accepts only versions later than TLS 1.2. Confirm that the IBM Security Identity server supports a later version before you change it, or the server can no longer connect.

  6. Repeat step 5 to configure the other protocol properties.
  7. At the Protocol Properties Menu, type X to exit.
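After you exit agentCfg, it is worth confirming from outside that the listener behaves the way the DISABLE_TLS10/DISABLE_TLS11/DISABLE_TLS12 values say it should, and, if you are considering READ_TIMEOUT, how many connections on the adapter port are actually stuck in CLOSE_WAIT. The following script is an added example and is not part of the adapter, agentCfg, or IBM's documentation. It assumes bash, the openssl command line tool and, for the live connection check, the ss utility; the host, port and ss output below are placeholders or constructed sample data, and it assumes that TLS 1.3 is the only version later than TLS 1.2.

```shell
#!/usr/bin/env bash
# Added example: post-configuration checks for a DAML adapter listener.
# Not adapter code. Assumes bash, openssl and ss are available.
set -u

# Map the three DISABLE_TLS* menu values (TRUE/FALSE) to the TLS versions the
# listener should accept. DISABLE_TLS12=TRUE means "1.2 and earlier", so it
# overrides L and M; TLS 1.3 is assumed to be the only version above 1.2.
expected_tls_versions() {
  local d10 d11 d12
  d10=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  d11=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  d12=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
  if [ "$d12" = "TRUE" ]; then
    printf '%s\n' "1.3"
  elif [ "$d11" = "TRUE" ]; then
    printf '%s\n' "1.2 1.3"
  elif [ "$d10" = "TRUE" ]; then
    printf '%s\n' "1.1 1.2 1.3"
  else
    printf '%s\n' "1.0 1.1 1.2 1.3"
  fi
}

# Try one handshake per TLS version against HOST:PORT (the adapter's
# PORTNUMBER) and print the versions that completed. openssl s_client exits
# non-zero when the handshake is refused. Caveat: OpenSSL 3 refuses TLS 1.0
# and 1.1 on the client side at its default security level, so a refusal for
# those may be the client; rerun with -cipher 'DEFAULT:@SECLEVEL=0' to confirm.
probe_tls_versions() {
  local host="$1" port="$2" v flag accepted=""
  for v in 1.0 1.1 1.2 1.3; do
    case "$v" in
      1.0) flag=-tls1 ;;
      1.1) flag=-tls1_1 ;;
      1.2) flag=-tls1_2 ;;
      1.3) flag=-tls1_3 ;;
    esac
    if openssl s_client -connect "$host:$port" "$flag" </dev/null >/dev/null 2>&1; then
      accepted="$accepted $v"
    fi
  done
  printf '%s\n' "${accepted# }"
}

# Compare what the menu values promise with what the listener actually does.
# Usage: check_tls_versions HOST PORT DISABLE_TLS10 DISABLE_TLS11 DISABLE_TLS12
check_tls_versions() {
  local want got
  want=$(expected_tls_versions "$3" "$4" "$5")
  got=$(probe_tls_versions "$1" "$2")
  if [ "$want" = "$got" ]; then
    echo "OK: listener accepts TLS $got"
    return 0
  fi
  echo "MISMATCH: configuration implies [$want], listener accepts [$got]"
  return 1
}

# Count connections on the adapter port in CLOSE-WAIT, the symptom the
# READ_TIMEOUT note describes. Reads "ss -tan" output on stdin: column 1 is
# the state, column 4 is "local-address:port".
count_close_wait() {
  local port="$1"
  awk -v p=":$port" '
    $1 == "CLOSE-WAIT" && substr($4, length($4) - length(p) + 1) == p { n++ }
    END { print n + 0 }'
}

# Constructed sample of "ss -tan" output for offline use: two stuck
# connections on 45580, one unrelated CLOSE-WAIT on port 22.
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:45580         0.0.0.0:*
ESTAB      0      0      10.0.0.5:45580        10.0.0.9:51322
CLOSE-WAIT 1      0      10.0.0.5:45580        10.0.0.9:51300
CLOSE-WAIT 1      0      10.0.0.5:45580        10.0.0.9:51288
CLOSE-WAIT 0      0      10.0.0.5:22           10.0.0.7:40011'

# Live run: ./check_daml.sh ADAPTER_HOST 45580 TRUE TRUE FALSE
if [ $# -eq 5 ]; then
  check_tls_versions "$@"
  printf 'CLOSE-WAIT connections on port %s: ' "$2"
  ss -tan | count_close_wait "$2"
fi
```

Run it from a host that can reach the adapter's PORTNUMBER, for example with the values you left in options L, M and N. A MISMATCH where the listener still accepts a version you disabled usually means the adapter was not restarted after the change; a MISMATCH the other way, where 1.0 or 1.1 show as refused although you allowed them, is more often the OpenSSL client refusing to negotiate them than the adapter. A non-zero CLOSE-WAIT count on the adapter port that grows over time is the case for setting READ_TIMEOUT as described under option K.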