Installing the Password Synchronization plug-in
You must install the plug-in on all the Windows Active Directory domain controllers in the domain. To install the plug-in on a Windows Core Server, use the -i console or the -i silent install option, because a GUI-based installer is not supported there.
Before you begin
- Verify that your site meets all the prerequisite requirements. See Prerequisites.
- Obtain a copy of the installation software. See Software download.
- Obtain system administrator authority.
Procedure
- If you downloaded the installation software from Passport Advantage, perform the following steps:
  - Create a temporary directory on the computer on which you want to install the software.
  - Extract the contents of the compressed file into the temporary directory.
- Start the installation program with the SetupPwdSynch.exe file in the temporary directory.
  Note:
  - For Windows Core Server installation, use the following command:
    SetupPwdSynch.exe -i console
  - When you install the Windows Password Synchronization plug-in through Windows Remote Desktop, open the remote desktop connection by using the command mstsc /console. If you do not, the following issue might occur: the Windows Password Synchronization plug-in is installed successfully, but when the domain controller restarts, the TivoliPwdSync DLL is not loaded and the PwdSync.log file is not created under the log directory of the plug-in.
- Select a language and click OK.
- On the Introduction window, click Next.
- Specify where you want to install the adapter in the Directory Name field. Perform one of the following actions:
  - Click Next to accept the default location.
  - Click Choose, navigate to a different directory, and click Next.
- Choose the CA certificate file and click Next.
  For information about installing CA certificates after the Password Synchronization plug-in is installed, see Installing CA certificates.
- Review the installation settings in the Pre-Installation Summary window and do one of the following actions:
  - Click Previous to return to a previous window and change any of these settings.
  - Click Install when you are ready to begin the installation.
- Complete all of the text fields in the PFConfig window.
  Note:
  - The pfconfig utility cannot be run on the Windows Core Server. It is included as a separate executable program in the adapter package and can be used to configure the plug-in remotely.
  - For Windows Core Server installation:
    - Run the pfconfig utility after installation, on a machine that is a member of the domain hosted by the core machine. You must be logged on with an account that has read/write access to the registry and read access to the system certificate store on the target server.
    - Click Change Host to select the remote host to configure, and then complete the required information.
  The PFConfig window has the following fields:
- Installation Path
- Specifies the installation path for the Password Synchronization plug-in. The value specified must match the installation directory value that you entered earlier in the installation process.
- Host Name or IP
- Specifies the host name or IP address of the IBM Security Verify Governance Identity Manager server.
- SSL Port Number
- Specifies the SSL port for the IBM Security Verify Governance Identity Manager server. The default SSL port for WebSphere® Application Server is 9443 on a single-server setup. If you have a WebSphere Application Server cluster, the IBM HTTP Server must be configured for SSL. The default port for HTTP SSL is 443. For example: shreth.tivlab.austin.ibm.com:9443
  Note: For more information about configuring certificates, see Installing CA certificates.
- Connection Timeout
- The timeout value, in seconds, for the send and receive operations when communicating with the IBM Security Verify Governance Identity Manager server.
- User Certificate
- Contains the serial number of the selected user certificate, which is used when the IBM Security Verify Governance Identity Manager server is configured for two-way SSL and requires a client certificate for the SSL handshake. Click Select to choose a certificate from the system certificate store.
- Validate CN of server certificate to host name
- Select this option to verify that the CN of the subject name in the server certificate, received during the SSL handshake, is the same as the host name of the IBM Security Verify Governance Identity Manager server.
- Registered Certificate
- Click this button to view details of the currently registered certificate, if any. The Registered Certificate dialog box includes options for registering and unregistering a certificate and for enabling verification of the registered certificate.
- Unregister
- Click this button to remove the currently registered certificate and to disable registered certificate validation.
- Register New Cert
- Click this button to register a new certificate. A dialog box is displayed where you can select the certificate file. The file must contain a single certificate and must be in binary (DER) format.
  Note: When you register a new certificate, the previously registered certificate is automatically removed.
- Enable Registered Cert Validation
- Select this option to enable validation of the registered certificate after the SSL handshake. When a certificate is registered, it is compared with the server certificate received in the SSL handshake. The certificates must match exactly; only connections that present the registered certificate during the SSL handshake are allowed.
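The two optional certificate checks above (CN-against-host-name and exact match against a registered DER certificate) are easy to misconfigure, so it helps to reproduce them outside the plug-in as a pre-flight test. The following Python script is an added example, not the plug-in's code: it connects with the configured Connection Timeout, lets the default TLS context validate the chain against the installed CA certificates, and then applies the same two comparisons. The function names are my own, the host:port is the page's example value, and the certificate subject used in the test is constructed.

```python
"""Pre-flight test for the PFConfig certificate options. Added example; the
function names are assumptions, not the plug-in's API."""

import hmac
import socket
import ssl
from typing import Optional


def cn_from_subject(subject) -> Optional[str]:
    """Extract commonName from a subject in ssl.getpeercert() form:
    a tuple of RDNs, each a tuple of (attribute type, value) pairs."""
    for rdn in subject:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def cn_matches_host(cert: dict, hostname: str) -> bool:
    """'Validate CN of server certificate to host name': the subject CN must
    equal the configured Host Name. DNS names are case-insensitive, so the
    comparison is too. No wildcard or SAN handling, because the option as
    documented compares only the CN. An empty cert dict (what getpeercert()
    returns for an unverified peer) never matches."""
    cn = cn_from_subject(cert.get("subject", ()))
    return cn is not None and cn.lower() == hostname.lower()


def ensure_der(data: bytes) -> bytes:
    """The registered certificate file must hold a single certificate in
    binary DER form; a PEM file (text with a BEGIN line) is rejected."""
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("registered certificate must be DER, not PEM")
    if not data.startswith(b"\x30"):  # a DER Certificate is an ASN.1 SEQUENCE
        raise ValueError("registered certificate does not start with a DER SEQUENCE")
    return data


def registered_cert_matches(peer_der: bytes, registered_der: bytes) -> bool:
    """'Enable Registered Cert Validation': the certificate received in the
    handshake must be byte-for-byte identical to the registered one.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(peer_der, registered_der)


def check_server(host: str, port: int, timeout_s: float,
                 validate_cn: bool = True,
                 registered_der: Optional[bytes] = None) -> list:
    """Connect with the configured Connection Timeout, let the default context
    validate the chain against the installed CA certificates, then apply the
    two optional checks. Returns a list of problems (empty means OK)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout_s) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            peer_der = tls.getpeercert(binary_form=True)
    problems = []
    if validate_cn and not cn_matches_host(cert, host):
        problems.append(f"subject CN {cn_from_subject(cert.get('subject', ()))!r} != host {host!r}")
    if registered_der is not None and not registered_cert_matches(peer_der, registered_der):
        problems.append("server certificate differs from the registered certificate")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python check_server.py shreth.tivlab.austin.ibm.com:9443 [registered.der]
    host, _, port = sys.argv[1].partition(":")
    registered = None
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as fh:
            registered = ensure_der(fh.read())
    for problem in check_server(host, int(port or 9443), timeout_s=30, registered_der=registered):
        print("FAIL:", problem)
```

Note that the default context already performs its own host-name verification (SAN first, then CN); the `cn_matches_host` call models the plug-in's narrower CN-only option on top of that. If the server's certificate chain does not validate against the installed CA certificates, the handshake raises before either check runs, which is the same precondition the page states for the plug-in.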
- Service DN
- At the Service DN field, click Configure Target Services. A list of configured target services is displayed. Note: One copy of the Password Synchronization client can monitor multiple base points. Enter each of the points by using the Target Services window.
To edit a target service, click the service and click Edit. The Base Point and Service Target DN specifications are displayed. The base point in the Active Directory must match the Service Target DN on the IBM Security Verify Governance Identity Manager server.
- Base Point
- The base points specified must be identical to the base points configured in your Active Directory Adapter. The default base point is the root domain of the Active Directory.
- Example 1
- If the root of Active Directory is Cascades.Irvine.IBM.com, the Base Point must be specified as:
  dc=Cascades,dc=Irvine,dc=IBM,dc=com
- Example 2
- If you installed the Windows Active Directory Adapter in an OU (organizational unit) of your Active Directory, for example Users, the Base Point is entered as:
  cn=Users,dc=Cascades,dc=Irvine,dc=IBM,dc=com
- Service Target DN
- The format is:
  erservicename=nameofservice,o=organizationname,ou=organizationshortname,dc=com
  Note: Although DN formatting is used for the Service DN value, this DN is not the DN of the service that is being monitored. These values are parameter values to the Password Synchronization plug-in.
- erservicename
- Specifies the name of the target service used by the IBM Security Verify Governance Identity Manager server.
- o
- Specifies the name of the organization on the IBM Security Verify Governance Identity Manager server.
- ou
- Specifies the short name defined for the organization during installation and configuration of the IBM Security Verify Governance Identity Manager server. If this value is not known, you can determine it by opening the LDAP configuration tool for your product and locating the new root suffix that was created during the IBM Security Verify Governance Identity Manager installation.
- dc=com
- Specifies the root of the directory tree.
For example, if you installed the IBM Security Verify Governance Identity Manager server in the root LDAP suffix called ISIM and your Windows Active Directory service is named WinAD Corp Server and is installed in an organization named Finance Org, the IBM Security Verify Governance Identity Manager organization chart looks similar to the following diagram:
- + ISIM Home
- + Corporate Org
- + IT Org Unit
- + HR Org Unit
- + Finance Org
- + Accounts Payable Org Unit
- + Corporate Org
This Windows Active Directory Adapter example has the following Service DN value:
erservicename=WinAD Corp Server,o=Finance Org, ou=ITIM,dc=com
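To make the Base Point and Service Target DN conventions above concrete, here is an added Python example (not code from the plug-in or from IBM). It builds a Base Point from an Active Directory domain name as in Examples 1 and 2, normalizes two base points so the plug-in's value can be checked against the Active Directory Adapter's before it is saved, and builds and parses a Service Target DN in the documented erservicename/o/ou/dc=com format. The function names are my own; the sample values are the page's Cascades.Irvine.IBM.com and WinAD Corp Server examples.

```python
"""Build and check the Base Point and Service Target DN values that the
PFConfig window asks for. Added example; function names are assumptions."""

from typing import Dict


def base_point_from_domain(domain: str, container: str = "") -> str:
    """Map an Active Directory DNS domain name to the Base Point DN.

    Cascades.Irvine.IBM.com -> dc=Cascades,dc=Irvine,dc=IBM,dc=com
    With container="Users" the result is prefixed with cn=Users, as in
    Example 2 on the page (the Users container is a cn= object).
    """
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain name must contain at least one label")
    dn = ",".join(f"dc={label}" for label in labels)
    return f"cn={container},{dn}" if container else dn


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: attribute types lower-cased and
    whitespace around commas and '=' removed."""
    parts = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().lower()}={value.strip()}")
    return ",".join(parts)


def base_points_match(plugin_base_point: str, adapter_base_point: str) -> bool:
    """True when the plug-in and Active Directory Adapter base points agree.
    Values are compared case-insensitively, which is how LDAP matches DNs;
    a base point that adds or drops a container (cn=Users,...) does not match."""
    return normalize_dn(plugin_base_point).lower() == normalize_dn(adapter_base_point).lower()


def build_service_dn(service_name: str, org_name: str, org_short_name: str) -> str:
    """Assemble a Service Target DN in the documented format:
    erservicename=nameofservice,o=organizationname,ou=organizationshortname,dc=com"""
    for name, value in (("service name", service_name),
                        ("organization name", org_name),
                        ("organization short name", org_short_name)):
        if not value or "," in value:
            raise ValueError(f"{name} must be non-empty and must not contain a comma")
    return f"erservicename={service_name},o={org_name},ou={org_short_name},dc=com"


def parse_service_dn(value: str) -> Dict[str, str]:
    """Split a Service Target DN into its four parameter values and reject
    strings that do not carry all of them. Spaces after commas, as in the
    page's own example, are tolerated."""
    parts: Dict[str, str] = {}
    for rdn in value.split(","):
        attr_type, sep, attr_value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed component: {rdn!r}")
        parts[attr_type.strip().lower()] = attr_value.strip()
    missing = [key for key in ("erservicename", "o", "ou", "dc") if key not in parts]
    if missing:
        raise ValueError(f"Service DN is missing {', '.join(missing)}")
    if parts["dc"] != "com":
        raise ValueError("Service DN must end with dc=com")
    return parts


if __name__ == "__main__":
    print(base_point_from_domain("Cascades.Irvine.IBM.com"))
    print(base_point_from_domain("Cascades.Irvine.IBM.com", container="Users"))
    print(parse_service_dn("erservicename=WinAD Corp Server,o=Finance Org, ou=ITIM,dc=com"))
```

The comparison helper is the part worth keeping: the page requires the plug-in's base point to be identical to the adapter's, and a mismatch that only differs in case or spacing is a common reason a password change is silently never forwarded.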
- Principal
- Specifies the IBM Security Verify Governance Identity Manager account under which the password change requests are submitted. The account must have the proper authority to submit password change requests for the specified people. This authority is granted when you create the access control information (ACI) for the Principal account by granting read and write permissions to all the attributes that were listed. At a minimum, the principal must be granted read and write permissions to perform the following tasks for password synchronization:
  - Search for the account that triggered the password synchronization.
  - Search for the owner of that account.
  - Search for any accounts that are to have their passwords synchronized.
  - Modify those same accounts, with write access to their password attributes.
  Create an account specifically for these types of requests. Refer to the IBM Security Verify Governance Identity Manager Information Center for more information about creating accounts and privileges.
- Password
- Specifies the password for the IBM Security Verify Governance Identity Manager account under which the password change requests are submitted
- Verify Password
- Specifies the verification field for the IBM Security Verify Governance Identity Manager account password
- Max Notify Thread Count
- Specifies the maximum number of password change requests that the plug-in can process at any one time. The plug-in processes password synchronization requests in a multi-threaded manner; this value limits the number of threads that are created so that requests can be processed in parallel. For example, if this value is 15, the Password Synchronization plug-in processes only 15 parallel password change requests at any one time, and the next password change request beyond 15 fails. The default value for this parameter is 10.
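The point of the example above is that the limit is a hard cap, not a queue: a request that arrives while every thread is busy fails rather than waits. The following Python model is an added illustration of that behaviour, not the plug-in's implementation; the class and function names are my own, and the "work" each request does is a constructed stand-in for the call to the Identity Manager server.

```python
"""Model of the Max Notify Thread Count limit: a fixed number of slots, and a
request that arrives when every slot is busy fails immediately. Added example;
not the plug-in's code."""

import threading
from typing import Callable, Tuple


class NotifyLimiter:
    def __init__(self, max_threads: int = 10):  # 10 is the documented default
        if max_threads < 1:
            raise ValueError("max_threads must be at least 1")
        self.max_threads = max_threads
        self._slots = threading.BoundedSemaphore(max_threads)
        self._lock = threading.Lock()
        self.accepted = 0
        self.rejected = 0
        self.decided = threading.Semaphore(0)  # released once per submit() outcome

    def submit(self, work: Callable[[], object]) -> bool:
        """Run work() on the calling thread if a slot is free; otherwise fail
        at once, as the plug-in does for the request beyond the limit.
        Returns True if the request was processed."""
        if not self._slots.acquire(blocking=False):
            with self._lock:
                self.rejected += 1
            self.decided.release()
            return False
        with self._lock:
            self.accepted += 1
        self.decided.release()
        try:
            work()
            return True
        finally:
            self._slots.release()


def simulate(max_threads: int, concurrent_requests: int) -> Tuple[int, int]:
    """Fire concurrent_requests password-change notifications at the same time
    and hold every accepted one until all requests have been decided, so the
    outcome is deterministic. Returns (accepted, rejected): with a limit of 15
    and 16 simultaneous requests, exactly one request fails."""
    limiter = NotifyLimiter(max_threads)
    release = threading.Event()

    def request():
        limiter.submit(release.wait)  # constructed work: block until released

    threads = [threading.Thread(target=request) for _ in range(concurrent_requests)]
    for t in threads:
        t.start()
    for _ in range(concurrent_requests):  # wait for every request's decision
        limiter.decided.acquire()
    release.set()
    for t in threads:
        t.join()
    return limiter.accepted, limiter.rejected


if __name__ == "__main__":
    print(simulate(15, 16))  # (15, 1)
```

Because a rejected request surfaces to the user as a failed password change, size this value from the peak number of simultaneous password changes on the domain (for example, a scheduled expiry wave) rather than from the average.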
- Enable Password Synchronization
- Specifies whether to enable or disable password synchronization.
When password synchronization is enabled, all password change requests are sent to IBM Security Verify Governance Identity Manager to synchronize all passwords affected by the change request. When password synchronization is not enabled, the Password Synchronization plug-in ignores all password change requests on the managed resource.
- Enable Password Rules Verification
- Validates that the password complies with the password rules defined for the user. When this option is selected, the new password is checked against the password policy rules that are defined for the account. The password must be valid for all accounts; otherwise, the password change fails with an error that indicates that the new password does not meet the specified password rules. Refer to the IBM Security Verify Governance Identity Manager Information Center for more information about setting IBM Security Verify Governance Identity Manager password policies.
- Require Response
- This option is enabled only if Enable Password Rules Verification is selected. When this option is selected, passwords cannot be changed while the IBM Security Verify Governance Identity Manager server is unavailable: if the Identity server is down, every attempt to change the password fails with an error that indicates that the password did not meet the password rule requirements.
- Enable Logging
- Allows administrators to enable logging for password change requests, which are sent to the Active Directory server.
- Number of log files
- Controls the number of log files that are maintained.
- Max log file size
- Controls the maximum size of each log file, in KB.
- In the Install Complete window, answer the question about restarting the system, and click Done.
- Restart the Active Directory server.
  Note:
  - You can modify the connection information later by running the pfconfig.exe program. This program opens the IBM Security Verify Governance Identity Manager Password Change Notification Configuration page.
  - The Restart panel might not be displayed. For password synchronization to function correctly, you must install the CA certificate and restart the system.
  - When you change the SSL configuration, such as by adding or removing a certificate, you must restart the system.