Troubleshooting
Problem
How to set up and configure the new Federated User Registries feature on the IBM Security Access Manager for Web 8.0 appliance.
Resolving The Problem
STATEMENT OF INTENT
This document serves as a 'How to' example for configuration of a Federated User Registry for use with IBM Security Access Manager for Web 8.0.
For this example, the ISAM 8.0.1 server is installed and running on the appliance with hostname 'management', using a local policy server and registry. The federated user registry used is Active Directory from Microsoft running on Windows 2008 R2 server, which is using the hostname of 'adsystem'. It is assumed that the Active Directory server is up and running and networked properly.
**Note** If a remote Policy Server is used, this federation would also need to be configured on all appliances within the Access Manager Realm.
FEDERATED USER REGISTRY CONFIGURATION ON ISAM 8.0.1
1. To federate Active Directory as a user registry within Access Manager for Web 8, let's first verify which users a default installation of Access Manager creates.
The Administrator can access PDADMIN and do a user list of the existing users.

In this example, the Policy Server has been configured (ivmgrd/master) along with the administrator 'sec_master' and two WebSEAL users.
The goal is to also show the Active Directory users within this same 'user list' view.
2. On the Active Directory server, two test users have been created, 'John Doe' and 'Lance Clinton'. These will assist in verifying that the federation has been successful.

3. To start configuration of the Federated User Registry, first log into the LMI via a browser.

4. Access the Runtime Component configuration panel within the LMI.

5. Under the 'Manage' pull-down, select the 'Federated Directories' option.

6. Create a 'New' Federated Directory.
7. Input the Active Directory server's specific information needed to bind properly, then click 'Save' to continue.

**NOTE** This information is unique to each environment and consultation with your Active Directory Administrator might be necessary. In this example, the BIND-DN used is the server administrator. This user can be any account with Read and Write access. Also note that SSL is not being used in this example, but it is required if password changes from Access Manager are needed.
**NOTE** If the correct suffix is not known, this technical document can assist in determining the correct context: Correct suffix for use with ISAM 8 Federated User Registry, using AD
8. Verify that the specific settings are correct, then select 'Close'.
9. These changes need to be deployed. 'Deploy' the changes to the configuration file and follow the instructions to activate changes.
10. The LMI successfully updated the ldap.conf with most of the specific information needed to complete the federation; however, a few more steps are needed. Please access the ldap.conf directly.

11. This is what the ldap.conf file looks like right after configuration.
****************************************************************************************
[server:adsystem]
host = adsystem.lance.net
port = 389
bind-dn = cn=Administrator,cn=Users,dc=lance,dc=net
ssl-enabled = no
suffix = dc=lance,dc=net
# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file. If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.
bind-pwd = **obfuscated**
****************************************************************************************
However, more work needs to be done to the ldap.conf file. The basic user needs to be configured.
To do this, first turn on basic user support by setting basic-user-support to 'yes' and then setting basic-user-principal-attribute to 'uid', both in the [ldap] stanza at the beginning of the ldap.conf file.
****************************************************************************************
Example:
# Basic user support enablement. Basic user support allows the use of LDAP
# users without the need to import them into IBM Security Access Manager.
basic-user-support = yes
# If Basic user support is enabled, this option specifies the attribute that
# the server uses to identify Basic users in the registry. This option is used
# in combination with user-search-filter.
basic-user-principal-attribute = uid
****************************************************************************************
It will also be necessary to add one more entry to the config file.
Under the newly created Federated User Registry stanza, add another basic-user-principal-attribute entry:
basic-user-principal-attribute = sAMAccountName
Therefore, the ldap.conf file will look like this:
****************************************************************************************
[server:adsystem]
host = adsystem.lance.net
port = 389
bind-dn = cn=Administrator,cn=Users,dc=lance,dc=net
basic-user-principal-attribute = sAMAccountName
ssl-enabled = no
suffix = dc=lance,dc=net
# The following configuration item is contained within the obfuscated
# database and as such is obfuscated within this file. If the value is
# modified within this configuration file the corresponding change will
# be applied to the obfuscated database.
bind-pwd = **obfuscated**
****************************************************************************************
**NOTE** The basic-user-principal-attribute can be any attribute the administrator sees fit to use as the login identity within Access Manager. For this example, the sAMAccountName is being used.
12. Save changes to the configuration. Deploy and restart the Runtime and WebSEAL instances.

13. Verify the configuration and do another user list within PDADMIN.

As listed above, the user list command now shows more users, along with the two test users created in Active Directory earlier, 'Lance Clinton' and 'John Doe'.
**NOTE** If any federated directory is unavailable, ISAM will report:
HPDIA0119W Authentication mechanism is not available.
Added in 8.0.1.2, a new option 'ignore-if-down=yes' can be set within the stanza for the federated directory in the ldap.conf file. This allows authentications to continue if one or more of the federated directories are down. It must be set for each federated directory, as there is no global option.
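As an added check that is not part of this technote or the ISAM product, the following Python script parses an ldap.conf like the one shown above and reports whether the settings this procedure requires are present; the embedded sample configuration is constructed from the [ldap] and [server:adsystem] stanzas shown here, and the stanza/key names it checks are only those the technote mentions.

```python
import configparser

# Constructed sample: the [ldap] and [server:adsystem] stanzas from this technote.
SAMPLE_LDAP_CONF = """
[ldap]
basic-user-support = yes
basic-user-principal-attribute = uid

[server:adsystem]
host = adsystem.lance.net
port = 389
bind-dn = cn=Administrator,cn=Users,dc=lance,dc=net
basic-user-principal-attribute = sAMAccountName
ssl-enabled = no
suffix = dc=lance,dc=net
bind-pwd = **obfuscated**
"""

# Keys the technote shows in every federated directory stanza.
REQUIRED_SERVER_KEYS = ("host", "port", "bind-dn", "suffix", "basic-user-principal-attribute")


def parse_ldap_conf(text: str) -> configparser.ConfigParser:
    # ldap.conf is INI-style; keep key case as written and disable '%' interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_ldap_conf(text: str) -> dict:
    """Return {'errors': [...], 'warnings': [...]}: errors stop federated logins, warnings flag risk."""
    cp = parse_ldap_conf(text)
    errors, warnings = [], []
    ldap = cp["ldap"] if cp.has_section("ldap") else {}
    if ldap.get("basic-user-support", "no").lower() != "yes":
        errors.append("[ldap] basic-user-support must be 'yes' to use LDAP users without importing them")
    if not ldap.get("basic-user-principal-attribute"):
        errors.append("[ldap] basic-user-principal-attribute is missing (this technote uses 'uid')")
    servers = [s for s in cp.sections() if s.startswith("server:")]
    if not servers:
        errors.append("no [server:<name>] federated directory stanza found")
    for s in servers:
        st = cp[s]
        for key in REQUIRED_SERVER_KEYS:
            if not st.get(key):
                errors.append(f"[{s}] missing {key}")
        if st.get("ssl-enabled", "no").lower() != "yes":
            warnings.append(f"[{s}] ssl-enabled=no: bind is unencrypted; SSL is required for password changes")
        if st.get("ignore-if-down", "no").lower() != "yes":
            warnings.append(f"[{s}] ignore-if-down=yes not set (8.0.1.2+): logins stop if this directory is down")
    return {"errors": errors, "warnings": warnings}
```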
14. These users should now be active and allowed access via WebSEAL. Open up a browser and verify a successful authentication.


SUCCESS!!!!!
Product Synonym
ITAM ISAM SAM TAM
Document Information
Modified date:
16 June 2018
UID
swg21694502