IBM Security Identity IBM Security Access Manager Adapter 7.1.28 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Security Identity IBM Security Access Manager Adapter, previously known as IBM Tivoli Access Manager Combo Adapter.
These Release Notes contain information for the following products that was not available when the manuals were printed:
· IBM Security Identity IBM Security Access Manager Adapter Installation and Configuration Guide
The IBM Security Access Manager Adapter is
designed to create and manage accounts on the IBM Security Access Manager for
Web server. The adapter runs in "agentless" mode and communicates
using the IBM Security Access Manager RegistryDirect API to the systems being
managed.
IBM recommends one installation of this adapter (and the prerequisite IBM
Security Directory Integrator) for each node of an ISIM/ISPIM/IGI cluster.
However, the ISAM Java Runtime Environment can only be configured for one ISAM
server. If multiple ISAM Services are required, multiple instances of ISDI can
be installed, each pointing to a different ISAM server. The deployment
configuration is based, in part, on the topology of your network domain, but
the primary factor is the planned structure of your IBM Security Identity
Manager Provisioning Policies and Approval Workflow process. Please refer to
IBM Security Identity Manager Knowledge Center for a discussion of
these topics.
IBM Security Identity adapters are powerful tools that require Administrator Level
authority. Adapters operate much like a human system administrator, creating
accounts, permissions and home directories. Operations requested from
IBM Security Identity servers will fail if the adapter is not given sufficient
authority to perform the requested task. IBM recommends that this adapter run
with administrative (sec_master) permissions.
Review and agree to the terms of the IBM Security Identity Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Adapter Version
|
Component |
Version |
|
Build Date |
2019 September 17 18.08.52 |
|
Adapter Version |
7.1.28 |
|
Component Versions |
Adapter build: 7.1.28.125 Profile: 7.1.28.125 Connector: 7.1.28.125 Dispatcher 7.0.39 (or higher, packaged separately) |
|
Documentation |
The following guides are available in the IBM Security Identity Adapters Knowledge Center:
·IBM Security Access Manager Adapter Installation and Configuration Guide |
New Features
|
Internal#
|
Enhancement # (RFE) |
Description |
|
|
|
Items included in current release |
|
RTC 183244 |
|
Internal - ISAM 9.0.7 support |
|
RTC 184339 |
|
Internal - Attribute value lookup for IGI 5.2.5 |
|
|
Items included in 7.1.27 version |
|
|
|
RTC 182692 |
Add support for IGI 5.2.5
See “Limitation on how to use eritamcred attribute” section for more information. |
|
|
|
Items included in 7.0.26 version |
|
|
Add support for IGI 5.2.2 |
|
|
|
|
Items included in 7.0.25 version |
|
|
Add support for ISAM 9.0 |
|
|
|
RFE76110 |
Add ability to manage Disable Time Interval on each account |
|
|
INT126053 |
*** CHANGE IN DEFAULT BEHAVIOR *** |
|
|
|
Items included in 7.0.24 version |
|
|
None |
|
|
|
|
Items included in 7.0.23 version |
|
|
RFE17072 |
Add ability to manage Max Password Age on each account |
|
|
RFE56722 |
Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited. |
|
|
RFE33651 |
Add ability to synchronize user password to GSO
credentials during account create. |
|
|
RFE61605 |
Boolean flag attributes are always converted to lowercase before checking their value. |
|
|
|
Initial release. |
|
Internal# |
APAR# |
Case# / Description |
|
|
|
Items closed in current release |
|
RTC 183804, Bug 2890 |
|
See “Add admin API option on service form” section for more information. |
|
|
|
Items closed in 7.1.27 version |
|
RTC 182698, Bug 2802 |
IJ13310 |
As an ISAM adapter developer, I must ensure that the adapter re-uses the LDAP connections |
|
RTC 182696 |
|
Internal - As an ISAM adapter developer, I must ensure that the operation name in service.def uses proper case |
|
|
|
Items closed in 7.0.26 version |
|
|
|
None |
|
|
|
Items closed in 7.0.25 version |
|
|
IV74759 |
Attempting to modify account with a non-existent group results in whole request failing. |
|
|
|
Items closed in 7.0.24 version |
|
INT123097 |
|
Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request. |
|
|
|
Items closed in 7.0.23 version |
|
INT102186 |
|
The previously deprecated LDAP profile has been removed. Any installations that were using the LDAP profile will need to review the ISAM Service configuration in ISIM after loading the new profile. The service form is different, and some fields will need to be set. |
|
|
|
Initial release. |
Known Issues
|
Internal# |
APAR# |
Case# / Description |
|
85051 |
|
When using the IBM Security Access Manager API method of reconciliation to reconcile IBM Security Access Manager accounts, if an IBM Security Access Manager account already in the IBM Security Identity registry becomes a malformed IBM Security Access Manager account then IBM Security Identity will identify this malformed IBM Security Access Manager account as no longer existing, and delete it from the IBM Security Identity registry. If the malformed IBM Security Access Manager account does not already exist within the IBM Security Identity server's known IBM Security Access Manager accounts, the account will not be added. This behavior does not provide any warning or failure message by the IBM Security Identity server. See the Installation guide for how to change the adapter configuration regarding this issue. |
|
|
|
During the creation of IBM Security Access Manager accounts when IBM Security Access Manager is configured against Windows Active Directory, the account is created as a GSO user even when the Single Signon Capability for the account is not checked (i.e. There is no request to create the account as a GSO user). This is a reflection of the operation of IBM Security Access Manager when administrating accounts. If GSO credentials are supplied with same request they will be created without warning that IBM Security Access Manager account doesn't have Single Signon Capability. |
|
93688 |
|
When IBM Security Access Manager is configured against Windows Active Directory, IBM Security Access Manager account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new IBM Security Access Manager service account through the IBM Security Identity web console, the "Full name" specified in the Account form must be the same as the "cn" portion of the Distinguished Name. E.g. If a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then the "Full name" should also be set to JohnSmith. Not doing so could result in account modification issues. |
|
|
|
Adapter does not check syntax for any non-IBM Security Access Manager account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax. A possible consequence is that operations such as account creation may fail. |
|
|
|
In case an account already has SSO credentials and the checkbox Single Signon Capability is disabled during MODIFY operation, this will delete credentials in IBM Security Access Manager registry, but not in the IBM Security Identity server. A reconciliation is needed to synchronize the account attributes. |
|
|
|
If password synchronization is configured to synchronize passwords from WebSEAL via the IBM Security Identity server to other person accounts, the synchronization with SSO credential passwords is not supported. The synchronization with SSO credential passwords is supported only if the password change is initiated from the IBM Security Identity server, and the corresponding SDI Assembly Line is executed. |
|
|
|
If password synchronization is configured to synchronize passwords from WebSEAL the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the IBM Security Identity Manager Server. |
|
Internal# |
APAR# |
Case# / Description |
|
|
|
Limitation on how to use eritamcred attribute
Enter the value for eritamcred attribute in this format - “Name of the resource (Web Resource)|username|{clear}password” e.g. zira (Web Resource)|isupport|{clear}password
Please note that the password will be visible in clear text in the logs as option to encrypt the password is not available on IGI currently.
To avoid password in clear text, use the “Synchronize IBM Security Access Manager password in SSO Lockbox” checkbox to set the SSO credential password same as the ISAM account password. |
|
|
|
Adapter does not support modifying the last name (sn) attribute of IBM Security Access Manager account when IBM Security Access Manager Administration API is used since the API does not support modifying the last name. |
|
|
|
Management of non-standard IBM Security Access Manager account attributes is only available for user registries supported by Registry Direct API. |
|
|
|
IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, Registry Direct API and managing non-standard ISAM account attributes are not supported by the adapter for the appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify "mail" attribute of the user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4. |
|
|
|
Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization that was made in order to improve the performance of the reconciliation. In order to reconcile the inetorgperson attributes, edit "tamSearch" assemblyline in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Please refer to this technote for more details. |
|
|
|
The adapter does not support the modification of UID, CN, principal name, and attribute(s) that form the Distinguished Name(DN). |
|
|
|
Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default |
|
|
|
Filtered reconciliation on groups is not supported. |
|
|
|
When "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in IBM Security Access Manager but this is not reflected in the ISIM server. This is due to the RMI protocol not allowing the response to contain the updated account information. In order to work around this limitation, edit the "modify" operation workflow for "IBM Security Access Manager Account" entity to delete "eritamcred" attribute when "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before "MODIFYACCOUNT" extension:
var accountObj =
account.get(); |
Known IBM Security Access Manager Issues
|
Internal# |
APAR# |
Case# / Description |
|
|
IV71775 |
The "com.tivoli.pd.rgy.jar" API library that can be downloaded from ISAM v8.0.1 appliance includes an incorrect search that will not return GSO enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance. |
|
|
|
Certain user management functions (e.g. enabling GSO) in IBM Security Access Manager do not work if the user ID contains "," and as such "," in the user ID is not supported by the adapter. |
|
|
|
When the Single Signon Capability of an IBM Security Access Manager user account is disabled (i.e. the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence when disabling the Single Signon Capability for a IBM Security Access Manager user account from the IBM Security Identity server, attempting to delete or modify resource credentials in the same request for that account results in "successful with warning" as the GSO credentials cannot be found. |
|
|
|
IBM Security Access Manager Java Admin API does not provide for a CN to be specified when creating a group. This is reflected in the adapter which does not manage this attribute when adding or modifying groups. |
|
|
|
If IBM Security Access Manager is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description will remain unchanged. |
|
|
|
If IBM Security Access Manager is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and first RDN value of the user DN must be the same. This issue is reflected in the adapter: User ID and first RDN value in the user Distinguished Name must be the same. |
|
|
|
If IBM Security Access Manager is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328). |
See the
IBM Security Identity Adapter Installation Guide for detailed instructions.
Corrections to Installation Guide
The following correction to the Installation Guide applies to this release:
·
Language
Pack Installation
The adapters use a separate language package from the
IBM Security Identity Manager server. See the IBM Security Identity Manager KnowledgeCenter for information
about installing the adapter language pack.
Add below note to install guide at this location- Installing ==> Service/Target form details ==> IBM SECURITY ACCESS MANAGER SETUP tab==> IBM Security Access Manager API ==> IBM Security Access Manager Administration API
The TAM Admin API option has been removed from the Service Form since Registry Direct should be used in all cases instead. This will not impact anyone using the GSO feature. If there is a particular need to use the TAM Admin APIs, it can be added back by modifying itamprofile with the following steps:
1. Open eritamservice.xml in itamprofile. Change one of the entry under $eritamapi as value: TAM, Display Value: $eritamapiadmin.
2. Open targetProfile.json in itamprofile. Add “TAM” value to canonicalValues array of eritamapi entry.
3. Create itamprofile.jar with the modified changes. Import the itamprofile.jar to IGI.
4. Restart the dispatcher service.
Password Synchronization Adapter is no longer included in the adapter package and can be downloaded separately from Passport Advantage. For Access Manager 8.0 or above, Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.
IBM Security Identity adapters can be
customized and/or extended. The type and method of this customization may vary
from adapter to adapter.
Refer to the IBM Security Identity Adapter Development and
Customization Guide
Support for Customized Adapters
The integration to IBM Security Identity servers "the adapter framework" is
supported. However, IBM does not support the customizations, scripts, or other
modifications. If you experience a problem with a customized adapter, IBM
Support may require the problem to be demonstrated on the GA version of the
adapter before a PMR is opened.
Installation
Platform
This IBM Security Identity Adapter was built and tested on the following product
versions:
Adapter Installation Platform
This adapter installs into Security Directory Integrator(SDI) and maybe installed on any platform supported by SDI product and supported by target system libraries and client, where applicable. IBM recommends installing SDI on each node of IBM security identity manager WAS Cluster and then installing this adapter on each instance of SDI. Supported SDI versions include:
Note: Earlier SDI supported versions may function properly, however to
resolve any communication errors, you must upgrade your SDI releases to the
officially supported versions.
Managed Resource
Please note that some IBM Security Access Manager versions are not supported on
some JREs associated with some Operating Systems. Please see the IBM Security
Access Manager Adapter Installation and Configuration Guide for further
information.
Supported IBM Security Identity servers
This information was developed for products
and services offered in the U.S.A. IBM may not offer the products, services, or
features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available
in your area. Any reference to an IBM product, program, or service is not
intended to state or imply that only that IBM product, program, or service may
be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it
is the user's responsibility to evaluate and verify the operation of any
non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This
information could include technical inaccuracies or typographical errors. Changes
are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject
to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.