Example for adding a list of identifiers to an EIM domain

  1. Create a file named 'employees.txt' containing identity information in a format similar to the following:
    # Sample eimadmin input file
    #
    #    User id Birth      Type   Created         First    Nickname  Full       Dept              Hire       Empl
    #              date             by             name               name                         date       num
    #
         UN     ;UI       ; UD    ;UI     ;        IN     ; IN       ;IU        ;    II  ;         II       ; ID   ;
    021P SMITH   1959-08-01 TSO    ADMIN1  NO  NO  Joseph   Joe       J.C.Smith  DEPTD01  14:20:16 1990-04-11 004321 
    022P JONES   1968-05-03 TSO    ADMIN1  NO  NO  Robert   Bob       R.Z.Jones  DEPTD01  16:01:57 1988-02-16 001234 
    023F JONES2  1965-10-15 BATCH  ADMIN4  NO  NO  Robert             R.Z.Jones  DEPTD01  14:12:20 1988-02-16 001234 
    024P SMITH   1973-11-26        ADMIN3  NO  NO  Joseph   Joe       J.Smith                      1990-04-11 004321 
    025F BROWN   1970-04-11 TSO    ADMIN3  NO  NO  Charles  Chuck                DEPTD01  09:47:57 1995-01-10 003210 
    
    # The following entry was added manually 11/08/01 by ADMINX
    026P                           ADMINX          James    Jim       J.Z.Clark      D03           2001-12-22 000012
    Note:
    1. The exported database can contain information that the eimadmin utility does not use. The two columns containing "NO" and the column of times between the two II columns are examples: no tag in the header line covers those columns, so eimadmin ignores them.
    2. There can be only one UN (registry user name), UD (user description), IU (unique identifier), and ID (identifier description).
    3. There can be multiple values for UI, IN, and II (user information, non-unique identifier, and identifier information, respectively).
  2. Add the identifiers by using the following eimadmin command:
    eimadmin \
      -aI \
      -h ldap://my.server \
      -b "cn=EIM admin,o=My Company, c=US" \
      -d "ibm-eimDomainName=My Employees,o=My Company, c=US" < employees.txt \
      > addemployees.out 2> addemployees.err
    Note: Because the -w flag is omitted, eimadmin prompts the issuer of the command for the password.
    If the unique identifiers were not previously defined, the output file is the following:
    ITY4020 eimadmin (v1) started Mon May 20 10:50:58 2002 
    eimadmin 
    -aI 
    -h ldap://my.server 
    -b "cn=EIM admin,o=My Company, c=US"
    -d "ibm-eimDomainName=My Employees,o=My Company, c=US"
    
    ITY4022 6 records processed -- 4  successful; 2 failed.
    ITY4021 Processing ended normally.
    The error file addemployees.err contains the following:
    ITY4030 Service eimAddIdentifier() returned error 117 -- ITY0019 EIM identifier already exists by this name.
    ITY4028 Error occurred while processing input line 9.
    
    023F JONES2   1985-10-15 BATCH    ADMIN4    NO   NO   Robert        R.Z.Jones DEPTD01  14:12:20 1988-02-16 001234 
    ITY4012 Unique identifier not specified.
    ITY4028 Error occurred while processing input line 11.
    
    025F BROWN    1990-04-11 TSO      ADMIN3    NO   NO   Charles Chuck           DEPTD01  09:47:57 1995-01-10 003210
  3. List the identifiers using the same input file by entering the following command:
    eimadmin \
      -lI \
      -h ldap://my.server \
      -b "cn=EIM admin,o=My Company, c=US" \
      -d "ibm-eimDomainName=My Employees,o=My Company, c=US" < employees.txt \
      > listids.out 2> listids.err
    The file listids.out contains output such as the following:
    ITY4020 eimadmin (v1) started 2001/10/30 at 15:09:00 with options eimadmin -lI 
         -hldap://my.server -b "cn=EIM admin,o=My Company, c=US" 
        -d "ibm-eimDomainName=My Employees,o=My Company, c=US"
    unique identifier: J.C.Smith
     other identifier: J.C.Smith
     other identifier: Joseph
     other identifier: Joe
          description: 004321
          information: D01
          information: 1990-04-11
    
    unique identifier: R.Z.Jones
     other identifier: R.Z.Jones
     other identifier: Robert
     other identifier: Bob
          description: 001234
          information: D01
          information: 1988-02-16
    
    unique identifier: R.Z.Jones
     other identifier: R.Z.Jones
     other identifier: Robert
     other identifier: Bob
          description: 001234
          information: D01
          information: 1988-02-16
           
    unique identifier: J.Smith
     other identifier: J.Smith
     other identifier: Joseph
     other identifier: Joe
          description: 004321
          information: 1990-04-11
    
    unique identifier: J.Z.W.Clark
     other identifier: J.Z.W.Clark
     other identifier: James
     other identifier: Jim
          description: 000012
          information: D03
          information: 2001-12-22
    
    .
    .
    .
    
    ITY4022 6 records processed -- 6 successful; 0 failed.
    ITY4021 Processing ended normally.

    While a unique identifier is required for the add action, the eimadmin list action accepts a non-unique identifier when no unique identifier is provided. For the last data line the utility therefore searches for entries with the non-unique identifier 'Charles', the first non-unique identifier on that line. No list output is returned for this line because the domain contains no match.

    Note:
    1. Notice that the entry for 'R.Z.Jones' is duplicated in the list output. This occurs because two data lines carry the same unique identifier. The utility processes each line separately, in order of appearance, without recognizing that the lines refer to the same identifier.
    2. Also notice that within each identifier entry a non-unique value ("other identifier") duplicates the unique identifier value. This is how the information is stored in LDAP. Do not attempt to remove the duplicate value.
  4. You might want to create a number of default registry policies or certificate filter policies using the eimadmin input file capability. The following example creates default registry policies for three registries: REG1, REG2, and REG3X509. The following input file, registryPolicies, defines the default policies:
    # default registry policies for REG1, REG2, and REG3X509
    # RS - Source registries
    # RG - Target registries
    # UN - User names in the target registries
    # PT - Policy type
    RS        ;RG        ;UN           ;PT        ;
    REG1       REG2       PUBLIC        REGISTRY
    REG1       REG3X509   PUBLIC        REGISTRY
    #
    REG2       REG1       PUBLIC
    REG2       REG3X509   PUBLIC        REGISTRY
    #
    REG3X509   REG1       PUBLIC        REGISTRY
    REG3X509   REG2       PUBLIC        REGISTRY
    and the following command applies the policies to the EIM domain:
    eimadmin -aY -d "ibm-eimDomainName=My Employees,o=My Company,c=US" \
      -h ldap://my.server -b "cn=EIM admin,o=My Company,c=US" -w secret \
      < registryPolicies
    The REG3X509 registry is an X509 registry, so a number of certificate filter policies are defined as well. The following input file, registryFilterPolicies, defines the default certificate filter policies:
    # default certificate filter policies for an X509 registry
    # RS - Source registry
    # FI - Issuer's filter value
    # RG - Target registry
    # UN - User name in the target registry
    # PT - Policy type
    RS     ;     FI                                    ; RG      ;        UN        ;     PT       ;
    REG3X509     C=US                                    REG1             PUBLIC          FILTER    
    REG3X509     C=US                                    REG2             PUBLIC          FILTER    
    REG3X509     O=A Certificate Authority, L=Internet   REG1             PUBLIC          FILTER    
    REG3X509     O=A Certificate Authority, L=Internet   REG2             PUBLIC          FILTER    
    and the following command applies the filter policies to the EIM domain:
    eimadmin -aY -d "ibm-eimDomainName=My Employees,o=My Company,c=US" \
      -h ldap://my.server -b "cn=EIM admin,o=My Company,c=US" -w secret \
      < registryFilterPolicies
    Before the policies take effect, policies must be enabled for both the domain and the registries. The following command enables policies at the domain level:
    eimadmin -mD -B POLICY -d "ibm-eimDomainName=My Employees,o=My Company,c=US" \
      -h ldap://my.server -b "cn=EIM admin,o=My Company,c=US" -w secret
    Another input file, registryEnable, can be used to enable policies for each registry in the domain:
    # enable the policies in the registries
    # RN - Registry name
    # RB - Registry attribute
    RN   ;     RB    ; 
    REG1       POLICY
    REG2       POLICY
    REG3X509   POLICY
    and the following command makes the updates to the registries:
    eimadmin -mR -d "ibm-eimDomainName=My Employees,o=My Company,c=US" \
      -h ldap://my.server -b "cn=EIM admin,o=My Company,c=US" -w secret < registryEnable
  5. Associations between identifiers and certificates can be created by using the input file capability of eimadmin. In this example, the current directory contains three files holding the certificates of three users. The input file, certMappings, contains the information required to define the relationships with EIM identifiers:
    # Mappings between identifiers and certificates in files
    # IU - Unique identifier
    # UC - Certificate file name containing the user's certificate
    IU          ;UC            ;
    John Day     ./JohnDayCert
    Jill Jack    ./JillJackCert
    Jane Day     ./JaneDayCert
    Issuing the following command adds to the domain the source associations between the user names in the certificates and their EIM identifiers:
    eimadmin -aA -r REG3X509 -s SOURCE -d "ibm-eimDomainName=My Employees,o=My Company,c=US" \
      -h ldap://my.server -b "cn=EIM admin,o=My Company,c=US" -w secret \
      < certMappings
    Note: For this to work, the registry must have a registry type of X509.