Release notes - IBM® Security Identity Manager IBM Security Access Manager Adapter 6.0.28

IBM Security Identity Manager IBM Security Access Manager Adapter 6.0.28 is available. Compatibility, installation, and other getting-started issues are addressed.

Preface

Welcome to the IBM Security Identity Manager IBM Security Access Manager Adapter, previously known as IBM Tivoli Access Manager Combo Adapter.

These Release Notes contain information for the following products that was not available when the IBM Security Identity Manager manuals were printed:

· IBM Security Identity Manager IBM Security Access Manager Adapter Installation and Configuration Guide

Adapter Features and Purpose

The IBM Security Access Manager Adapter is designed to create and manage accounts on the IBM Security Access Manager for Web server. The adapter runs in "agentless" mode and communicates with the managed systems using the IBM Security Access Manager RegistryDirect API and the LDAP protocol.

IBM recommends installing this adapter (and the prerequisite IBM Security Directory Integrator) on each node of the IBM Security Identity Manager WAS cluster. However, the ISAM Java Runtime Environment can only be configured for one ISAM server. If multiple IBM Security Identity Manager Services are required, multiple instances of ISDI can be installed, each pointing to a different ISAM server. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Security Identity Manager Provisioning Policies and Approval Workflow process. Refer to the IBM Security Identity Manager Knowledge Center for a discussion of these topics.

IBM Security Identity Manager adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (sec_master) permissions.

License Agreement

Review and agree to the terms of the IBM Security Identity Manager Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package. 

Contents of this Release

Adapter Version

Component            Version
Build Date           2019 September 17 18.09.43
Adapter Version      6.0.28
Component Versions   Adapter build: 6.0.28.125
                     Profile: 6.0.28.125
                     Connector: 6.0.28.125
                     Dispatcher 6.0.39 (or higher, packaged separately)

Documentation

The following guides are available in the IBM Security Identity Manager 6.0 Knowledge Center:

· IBM Security Access Manager Adapter Installation and Configuration Guide

New Features

Internal# / Enhancement# (RFE)    Description

Items included in current release

· RTC 183244: Internal - ISAM 9.0.7 support

Items included in 6.0.27 version

· None

Items included in 6.0.26 version

· Usage of Admin API deprecated. See the "Add admin API option on service forms" section for more information.

Items included in 6.0.25 version

· Add support for ISAM 9.0. The ISAM 9 PDJRTE is included in the appliance. In the Local Management Interface, navigate to Manage System Settings -> Secure Settings -> File Downloads. Under the isam directory, download pdjrte-9.0.0-0.zip.

· RFE76110: Add ability to manage Disable Time Interval on each account.

· INT126053: *** CHANGE IN DEFAULT BEHAVIOR *** Reconciliation now uses a case insensitive filter. If you need the old behavior, edit the service.def file in the profile. In the tamSearch section, look for "CaseInSensitiveFilter", then change true to false between the default tags.

Items included in 6.0.24 version

· None

Items included in 6.0.23 version

· RFE17072: Add ability to manage Max Password Age on each account.

· RFE56722: Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited.

· RFE33651: Add ability to synchronize the user password to GSO credentials during account create. To use this feature, the ISAM service must be configured to Synchronize SSO passwords. When specifying the SSO credentials, leave the password field empty, and supply a password for the user. If using the import option without providing a user password, or without enabling Sync Password to SSO Lockbox on the Service form, a blank GSO credential password will generate an error.

· RFE61605: Boolean flag attributes are always converted to lowercase before checking their value.

Items included in 6.0.22 version

· INT117543: During an add using import, reset the password valid flag if specified in the request.

· RFE38245: When creating an account by importing from the user registry, a password no longer needs to be provided.

Items included in 6.0.21 version

· INT104055: Support IBM Security Access Manager 8.0. The ISAM 8 PDJRTE is part of the Application Development Kit, and is available in the 8.0.0-ISS-WGAADK package on Fix Central.

Items included in 6.0.20 version

· RFE17107: TAM Combo should return "communication error" so that ISIM will retry transactions.

· RFE24649: TIM adapter for TAMeb needs better support for High Availability environments.

· MR0927103938: Functional enhancement on retry behavior of TAM Combo Adapter.

· RFE23085: LDAP Fault Tolerance.

· INT90344: Support the use of Registry Direct API for all operations.

Items included in 6.0.19 version

· RFE27977: Adapter should be able to reconcile the secPwdLastChanged attribute value from TAM LDAP.

· INT61130: Further improve the recon performance.

Items included in 6.0.18 version

· INT69654: Support ISAM 7.0.

Items included in 6.0.17 version

· INT61483: Document that the Registry API does not reconcile all inetorgperson attributes by default. See the "Known Limitations" section for more detail.

· INT62338: Improve exception handling for reconciling malformed accounts.

· INT60234: Support password change and SSO cred sync during restore operation.

· INT000016: Make last login information available for detecting dormant accounts. See "Configuration Notes" for more detail.

· INT60157: Add more debug logging around the use of various ITAM APIs.

· INT48523: Better handle password sync to SSO cred failures.

· RFE7311: Support SecPwdLastUsed attribute with ITAM combo. See "Configuration Notes" for more detail.

Items included in 6.0.16 version

· Initial release.

Closed Issues

Internal#    APAR#    Case# / Description

Items closed in current version

· None

Items closed in 6.0.27 version

· RTC 182698, Bug 2802 / IJ13310: As an ISAM adapter developer, I must ensure that the adapter re-uses the LDAP connections (Bugz 2802, APAR IJ13310).

Items closed in 6.0.26 version

· None

Items closed in 6.0.25 version

· IV74759: Attempting to modify an account with a non-existent group results in the whole request failing.

Items closed in 6.0.24 version

· INT123097: Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request.

Items closed in 6.0.23 version

· INT102186: The previously deprecated LDAP profile has been removed. Any installations that were using the LDAP profile will need to review the ISAM Service configuration in ISIM after loading the new profile. The service form is different, and some fields will need to be set.

Items closed in 6.0.22 version

· INT113655: Admin API recon failed at the first account with an invalid secDN value. It now works the same as the RegistryDirect API, which by default skips malformed accounts. See the Installation guide for how to change the adapter configuration regarding this issue.

· IV66665: Usage of DateFormat is now thread safe.

· IV61599: Additional fix for IV57391 when multiple entries have the same cn.

Items closed in 6.0.21 version

· IV55948: The eritammaxfailedlogon value was not returned during TAM API method reconcile if the value is 0 on the account in TAM.

· IV59302: "Not supported" exception when provisioning GSO credentials.

· IV57391: User create operation fails when there are multiple registry users with the same cn.

· IV58743: The 6.0.20 adapter no longer ignores empty cred password changes as it did with 6.0.18 or earlier.

Items closed in 6.0.20 version

· IV49202: TAM Combo adapter doesn't sufficiently clarify details for SSL configuration and/or Windows 2008 R2 configuration setup.

· INT97699 / IV51419: Adapter reports "NoSuchMethodError" for "getLastPwdChange" when modifying or reconciling accounts for TAM 6.1.

Items closed in 6.0.19 version

· IV37130: Multiple TAM Combo password change requests submitted at the same time can cause the ITDI RMI Dispatcher to hang.

· DEF65419: Fix documentation error for "Change Password on Next Login" attribute.

Items closed in 6.0.18 version

· IV12423: Managing passwords when restoring accounts.

· IV24410: ITAM Combo profile import issue with countryCode and userPrincipalName attribute. See Corrections to Installation Guide for more detail.

Items closed in 6.0.16 version

· Initial release.

Known Issues

Internal#    APAR#    Case# / Description

· 85051: When using the IBM Security Access Manager API method of reconciliation to reconcile IBM Security Access Manager accounts, if an IBM Security Access Manager account already in the ISIM registry becomes a malformed IBM Security Access Manager account, then ISIM will identify this malformed IBM Security Access Manager account as no longer existing and delete it from the ISIM registry. If the malformed IBM Security Access Manager account does not already exist within ISIM's known IBM Security Access Manager accounts, the account will not be added. ISIM gives no warning or failure message for this behavior. See the Installation guide for how to change the adapter configuration regarding this issue.

· During the creation of IBM Security Access Manager accounts when IBM Security Access Manager is configured against Windows Active Directory, the account is created as a GSO user even when the Single Signon Capability for the account is not checked (i.e. there is no request to create the account as a GSO user). This is a reflection of how IBM Security Access Manager operates when administering accounts. If GSO credentials are supplied with the same request, they will be created without any warning that the IBM Security Access Manager account doesn't have Single Signon Capability.

· 93688: When IBM Security Access Manager is configured against Windows Active Directory, the IBM Security Access Manager account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new IBM Security Access Manager service account through the ISIM web console, the "Full name" specified in the Account form must be the same as the "cn" portion of the Distinguished Name. E.g. if a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then the "Full name" should also be set to JohnSmith. Not doing so could result in account modification issues.

· The adapter doesn't check the syntax of any non-IBM Security Access Manager account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax. A possible consequence is that operations such as account creation may fail.

· If an account already has SSO credentials and the Single Signon Capability checkbox is cleared during a MODIFY operation, the credentials are deleted in the IBM Security Access Manager registry but not in ISIM. A reconciliation is needed to synchronize the account attributes.

· If password synchronization is configured to synchronize passwords from WebSEAL via ISIM to other person accounts, synchronization with SSO credential passwords is not supported. Synchronization with SSO credential passwords is supported only if the password change is initiated from ISIM and the corresponding TDI Assembly Line is executed.

· If password synchronization is configured to synchronize passwords from WebSEAL, the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the ISIM Server.

· Due to the effort to merge two profiles into one, the LDAP schema OID of an existing attribute had to change. When upgrading the adapter profile from 5.x.13 or earlier, the following change needs to be made in <tds_instance_home>/etc/V3.modifiedschema of IBM Security Identity Manager's directory server prior to installing the new profile.

Change

( 1.3.6.1.4.1.6054.3.141.2.35 NAME 'eritamgroupcn' DESC 'TAM Group CN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

to

( 1.3.6.1.4.1.6054.3.141.2.37 NAME 'eritamgroupcn' DESC 'TAM Group CN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

The directory server needs to be restarted after making this change. If the above steps are not made prior to installing the new profile, the installation may fail with the following error message in IBM Security Identity Manager's msg.log or trace.log:

Failed to Modify Attribute eritamgroupcn: [LDAP: error code 16 - GLPSCH027E attribute type '1.3.6.1.4.1.6054.3.141.2.37' does not exist; replace operation failed.
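An added pre-upgrade check for the schema change above (example code, not part of the adapter package or the install guide): it classifies the eritamgroupcn definition in a V3.modifiedschema file and rewrites only that one OID, so the edit can be verified before the directory server is restarted. It assumes one attribute definition per line in the "( OID NAME '...' DESC '...' SYNTAX ... )" form quoted above, with an optional attributetypes= prefix; the two-line sample schema is constructed.

```python
"""Pre-upgrade check for the eritamgroupcn OID change (added example, not
adapter code).  Assumes one attribute definition per line, in the
"( OID NAME 'name' DESC '...' SYNTAX ... )" form shown in the release notes,
optionally prefixed with "attributetypes="."""
import re

OLD_OID = "1.3.6.1.4.1.6054.3.141.2.35"   # OID used by the 5.x.13-and-earlier profile
NEW_OID = "1.3.6.1.4.1.6054.3.141.2.37"   # OID the merged profile expects
ATTR_NAME = "eritamgroupcn"

# Captures the leading OID and the NAME of one schema definition line.
_DEF_RE = re.compile(
    r"^(?:attributetypes=)?\s*\(\s*(?P<oid>[0-9.]+)\s+NAME\s+'(?P<name>[^']+)'",
    re.IGNORECASE,
)


def _definition(line):
    """Return (oid, lowercase name) for a definition line, or None otherwise."""
    m = _DEF_RE.match(line.strip())
    return (m.group("oid"), m.group("name").lower()) if m else None


def classify_schema(text):
    """Say what the file needs: 'needs_update', 'already_updated',
    'unexpected_oid' (some third OID: stop and investigate) or 'not_found'."""
    for line in text.splitlines():
        d = _definition(line)
        if d is None or d[1] != ATTR_NAME:
            continue
        if d[0] == OLD_OID:
            return "needs_update"
        if d[0] == NEW_OID:
            return "already_updated"
        return "unexpected_oid"
    return "not_found"


def migrate_schema(text):
    """Return (new_text, changed).  Only the eritamgroupcn line carrying the old
    OID is rewritten; every other line passes through unchanged, and a second
    run over the result is a no-op."""
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        if _definition(line) == (OLD_OID, ATTR_NAME):
            # The matched OID is the leading token, so replacing the first
            # occurrence touches nothing else on the line.
            line = line.replace(OLD_OID, NEW_OID, 1)
            changed = True
        out.append(line)
    return "".join(out), changed


# Constructed two-line schema fragment: a neighbour attribute with a made-up
# OID/name, plus the eritamgroupcn line exactly as the release notes quote it.
SAMPLE_SCHEMA = (
    "attributetypes=( 1.3.6.1.4.1.6054.3.141.2.99 NAME 'exampleattr' "
    "DESC 'constructed neighbour' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
    "attributetypes=( 1.3.6.1.4.1.6054.3.141.2.35 NAME 'eritamgroupcn' "
    "DESC 'TAM Group CN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python check_schema.py <tds_instance_home>/etc/V3.modifiedschema
    # Without an argument the constructed sample is checked instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SCHEMA
    print(classify_schema(text))
    new_text, changed = migrate_schema(text)
    if changed and path:
        # Write beside the original; diff, replace, then restart the directory server.
        with open(path + ".new", "w", encoding="utf-8") as f:
            f.write(new_text)
        print("wrote " + path + ".new")
```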

 

Known Limitations

Internal#    APAR#    Case# / Description

· The adapter does not support modifying the last name (sn) attribute of an IBM Security Access Manager account when the IBM Security Access Manager Administration API is used, since the API does not support modifying the last name.

· Management of non-standard IBM Security Access Manager account attributes is only available for user registries supported by the Registry Direct API.

· The IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, the Registry Direct API and managing non-standard ISAM account attributes are not supported by the adapter for appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify the "mail" attribute of the user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4.

· Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization that was made to improve the performance of the reconciliation. To reconcile the inetorgperson attributes, edit the "tamSearch" assemblyline in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Please refer to this technote for more details.

· The adapter does not support using multiple values for CN during the account add operation due to limitations in the IBM Security Access Manager API. The default account form uses an editable text list, but this is for displaying reconciled CN values only, in support of the feature INT000023.

· The adapter does not support the modification of UID, CN, principal name, and the attribute(s) that form the Distinguished Name (DN).

· Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default

· Filtered reconciliation on groups is not supported.

· When the "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in IBM Security Access Manager, but this is not reflected in ISIM. This is due to the RMI protocol not allowing the response to contain the updated account information. To work around this limitation, edit the "modify" operation workflow for the "IBM Security Access Manager Account" entity to delete the "eritamcred" attribute when the "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before the "MODIFYACCOUNT" extension:

// Workflow script element placed before the MODIFYACCOUNT extension.
// Drops the SSO credential attribute from the ISIM account when this request
// turns Single Signon Capability off, matching what ISAM does on the modify.
var accountObj = account.get();
var changes = account.get().getChanges();
if (changes != null && changes.length > 0)
{
    for (var i = 0; i < changes.length; i++)
    {
        // Only act when the request sets eritamsinglesign to "false"
        if (changes[i].attr == "eritamsinglesign" && changes[i].values[0] == "false")
        {
            accountObj.removeProperty("eritamcred");
            account.set(accountObj);
        }
    }
}

Alternatively, a subsequent reconciliation will correct the account information in ISIM.

 

Known IBM Security Access Manager Issues

Internal#    APAR#    Case# / Description

· IV71775: The "com.tivoli.pd.rgy.jar" API library that can be downloaded from the ISAM v8.0.1 appliance includes an incorrect search that will not return GSO enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance.

· Certain user management functions (e.g. enabling GSO) in IBM Security Access Manager do not work if the user ID contains ",", and as such "," in the user ID is not supported by the adapter.

· When the Single Signon Capability of an IBM Security Access Manager user account is disabled (i.e. the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence, when disabling the Single Signon Capability for an IBM Security Access Manager user account from ISIM, attempting to delete or modify resource credentials in the same request for that account results in "successful with warning", as the GSO credentials cannot be found.

· The IBM Security Access Manager Java Admin API does not provide for a CN to be specified when creating a group. This is reflected in the adapter, which does not manage this attribute when adding or modifying groups.

· If IBM Security Access Manager is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description will remain unchanged.

· If IBM Security Access Manager is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and the first RDN value of the user DN must be the same. This issue is reflected in the adapter: the User ID and the first RDN value in the user Distinguished Name must be the same.

· If IBM Security Access Manager is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328).

Installation and Configuration Notes

See the IBM Security Identity Manager Adapter Installation Guide for detailed instructions.

Corrections to Installation Guide

The following correction to the Installation Guide applies to this release:

· Language Pack Installation
The adapters use a separate language package from the IBM Security Identity Manager server. See the IBM Security Identity Manager Knowledge Center for information about installing the adapter language pack.

Configuration Notes

Add admin API option on service forms

Add the note below to the install guide at this location: Installing ==> Service/Target form details ==> IBM SECURITY ACCESS MANAGER SETUP tab ==> IBM Security Access Manager API ==> IBM Security Access Manager Administration API

The TAM Admin API option has been removed from the Service Form, since Registry Direct should be used in all cases instead. This will not impact anyone using the GSO feature. If there is a particular need to use the TAM Admin APIs, it can be added back by modifying itamprofile with the following steps:

1. Open Configure System -> Design Forms -> Service -> IBM Security Access Manager Profile

2. Select the tab named $eritamsvctab2

3. Double click on the first entry - $eritamapi

4. Add a new row defined with Data Value: TAM, Display Value: $eritamapiadmin

5. Click OK, then save the form

Password Synchronization

The Password Synchronization Adapter is no longer included in the adapter package and can be downloaded separately from Passport Advantage. For Access Manager 8.0 or above, the Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.

Customizing or Extending Adapter Features

IBM Security Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

Refer to the IBM Security Identity Adapter Development and Customization Guide.

Support for Customized Adapters

The integration to the IBM Security Identity Manager server ("the adapter framework") is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

Supported Configurations

Installation Platform

The IBM Security Identity Manager Adapter was built and tested on the following product versions:

Adapter Installation Platform

This adapter installs into Security Directory Integrator (SDI) and may be installed on any platform supported by the SDI product and by the target system libraries and client, where applicable. IBM recommends installing SDI on each node of the IBM Security Identity Manager WAS cluster and then installing this adapter on each instance of SDI. Supported SDI versions include:

Note: Earlier SDI supported versions may function properly; however, to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.

Managed Resource

Please note that some IBM Security Access Manager versions are not supported on some JREs associated with some Operating Systems. Please see the IBM Security Access Manager Adapter Installation and Configuration Guide for further information.

IBM Security Identity Manager

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.