Release Notes
IBM® Security
Active Directory 64-Bit Adapter
Version 6.1.37
Edition notice
Note: This edition applies to version 6.0 of IBM Security Identity Manager.
© Copyright IBM Corporation 2009, 2019
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents
Installation and Configuration Notes
Customizing or Extending Adapter Features
Support for Customized Adapters
Welcome to the IBM Security Active Directory 64-bit (WinAD64) Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Identity Manager manuals were printed:
The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory and mailboxes on Exchange and Lync (Skype for Business). The adapter runs in "agentless" mode and communicates using the Microsoft ADSI API and PowerShell (for Exchange communication) with the systems being managed.
IBM recommends the installation of this adapter in "agentless" mode on a 64-bit OS and computer in the domain being managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the Identity Manager Information Center for a discussion of these topics.
The IBM Security adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
The ability to manage service groups is a feature introduced prior to IBM Security Identity Manager 6.0. By service groups, ISIM is referring to any logical entity that can group accounts together on the managed resource.
Managing service groups implies the following:
Create service groups on the managed resource.
Modify attributes of a service group.
Delete a service group.
Note that service group name change is not supported in ISIM 6.0 release.
The Windows Active Directory x64 adapter supports service groups management.
Component | Version
Build Date | 2020 June 05 18.16.19
Adapter Version | 6.1.37
Component Versions | Adapter Build: 6.1.37, Profile 6.1.37, ADK 7.0.6
Documentation | Check the IBM Knowledge Center for the following guide(s): IBM Security Active Directory Adapter with 64-Bit Support Installation and Configuration Guide
Enhancement # (FITS) | Description

Items included in this release (6.1.34)
RFE TS001318020 (55491) | IGI Active Directory Adapter - EmployeeNumber not supported
RFE TS001619165 (58739) | AD Adapter does not change Country to AD Country Code
RFE TS002747046 (59959) | Management of the attribute 'msExchAddressBookPolicyLink' by ISIM Windows AD Adapter
Internal | Updated to ADK 7.0.8 with OpenSSL 1.1.1d. Added support for minimum TLS level.
Items included in this release (6.1.33)
RFE 127449 (56512) | Supporting eradeallowedaddresslist in hybrid environment (Adapter)
RFE 128222 (56765) | ISIM and O365 email usage in hybrid environment

Items included in this release (6.1.32)
RFE 130064 (57543) | 'businessCategory' attribute in Security Identity Adapter for Windows AD not handled as multi-valued.
181168 | Attribute values lookup support.
183288 | Support for Windows 2019 server, both as a managed service and as an adapter platform. Support for Exchange 2019 and Skype for Business 2019.
PSIRT | Upgraded to ADK 7.0.6 with OpenSSL 1.0.2r

Items included in this release (6.1.31)
None
Items included in 6.1.30 release
177537 | As a developer of the Windows AD adapter, I need to use a newer OpenSSL version that addresses PSIRT advisories. OpenSSL is upgraded from version 1.0.2n to 1.0.2p
178202 | Implementation for supporting reconciliation of msDS-LastSuccessfulInteractiveLogonTime and three other related attributes.

Items included in 6.1.29 release
154239 | US - As a Windows AD adapter developer, I need to update my adapter to use the newer OpenSSL

Items included in 6.1.28 release
None

Items included in 6.1.27 release
50831 50763 | Windows AD adapter to support mailbox attributes msExchRecipientTypeDetails and msExchRemoteRecipientType in integer8 format
50988 | Add businessCategory as a regular adapter attribute
43334 | Enhance AD Adapter to detect user's email status for remote mailbox (O365) and manage proxy address and other Exchange attributes
internal | Added support for remote mailbox to support Office 365 mailboxes in a hybrid Exchange environment
internal | Modified installer to default to SSL enabled

Items included in 6.1.26 release
44871 | Added support for Lync Mobility and Persistent Chat policies
internal | Now supports FIPS compliant mode

Items included in 6.1.25 release
internal | This release includes ADK 7.0.3, which updates OpenSSL to 1.0.2f to address a vulnerability to excessive CPU utilization

Items included in 6.1.24 release
internal | This release officially supports Windows 2016 server, both as a managed resource and as an installation platform

Items included in 6.1.23 release
internal | Now using ADK 7.0.1 with updated OpenSSL, ICU and SQLite, all built on Visual Studio 2012. The adapter is now built on Visual Studio 2012 using .NET 4.5. It no longer requires .NET 3.5 to be installed.
Items included in 6.0.20 release
42641 | Adapter Support for Exchange 2016 and Lync 2015
42071 | Second and following Mailbox Move Requests Fail on Exchange 2013
43225 | Reduce IO in WinAD Adapter for PW change

Items included in 6.0.18 release
38935 | Support "Manager can update membership list" attribute for AD Group
38934 | Support display name attribute for AD Groups
39511 | WinAD Adapter does not reconcile Lync Registry Pools from AD
40129 | ISIM AD Adapter Customization for Group Object class

Items included in 6.0.16 release
30303 | ISIM AD adapter unable to set Mailbox Retention policy check
internal | Now using ADK 6.0.1027, which provides an option for disabling SSLv3. There is also support for setting the list of ciphers used.
internal | The Domain Admin and Domain Password fields have been removed from the service form in the profile. They can still be used, but the preferred method is to set the logon account on the adapter Windows service.

Items included in 6.0.15 release
34001 | Added support for Exchange Automatic Mailbox Distribution. Supplying only eradealias without a mail store or external email address allows Exchange to determine the mail store to use based on load balancing.
31924 | Prevent deletion of user accounts that have a mailbox that is under litigation hold
32482 | Add support for msExchCoManagedByLink to group schema
29995 | Add support for msExchRequireAuthToSendTo to group schema
N/A | Updated logging to include output from Lync and Exchange modules
Items included in 6.0.14 release
N/A | The Password Synchronization plug-in is now released as a separate package. It is no longer bundled with the AD Adapter.
N/A | Includes updated ADK 6.0.1020, which includes an update to prevent password values from being written to the log on password change failures.

Items included in 6.0.13 release
N/A | Includes updated ADK 6.0.1019, which includes version 1.0.1h-fips of OpenSSL.

Items included in 6.0.12 release
N/A | Added support to allow specifying a list of preferred Exchange and Lync servers. The adapter will attempt to connect to one of the preferred servers first before searching AD for all servers. An additional attribute is also provided to force the adapter to only use the preferred servers.

Items included in 6.0.11 release
N/A | This release requires an updated C++ runtime. You MUST do a FULL install for this release. An update install does not install the C++ runtime.
N/A | Includes updated ADK 6.0.1018, which includes an update to version 1.0.1e-fips of OpenSSL. This OpenSSL was built with the OPENSSL_NO_HEARTBEATS option and does not contain the Heartbleed vulnerability.

Items included in 6.0.8 release
N/A | Added support for disabling slow Lync attributes on recon using registry value "LyncDisableSearch"

Items included in 6.0.7 release
N/A | Added support for Lync 2013

Items included in 6.0.6 release
17036, 17099, 25906, 27911, 31577 | Added support for Lync 2010. See "Error! Reference source not found." section for additional adapter configuration

Items included in 6.0.4 release
30820, 27083, 33740 | Added support for Windows 2012 Server
34372 | Added support for Exchange 2013

Items included in 6.0.3 release
27906 | Added support for MAPIBlockOutlookRpcHttp
15453 | Added support for msExchOWAPolicy
29346, 28979, 26825, 22462 | Added support for deleting account objects that have child nodes in AD
30515 | Added support for managedBy attribute for managed group objects
19447 | Added support for POP3 and IMAP4 protocol settings
N/A | Exchange interface updated to use remote PowerShell session with Exchange 2010 Server. No longer requires local installation of Exchange 2010 Management tools.
CMVC# | APAR# | PMR# / Description

Items closed in this release (6.1.37)
TS003631283 | IJ24481 | Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server

Items closed in this release (6.1.36)
Internal | Fixed targetProfile.json, which had been reverted to the old format by mistake
TS003631283 | IJ24481 | Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server
TS003197913 | Adding an Active Directory account results in SERVICE_CONTROL_INTERROGATE command (long DNs in container names)
TS003611746 | IJ24480 | Windows AD - recon not picking up erADLyncDialpPolicy (DialPlan) attribute for Lync/Skype
IJ24489 | Group basepoint - Unable to bind to group basepoint

Items closed in this release (6.1.35)
Internal | Null pointer when mailbox store is an empty value on add request
TS003353720 | Active Directory Adapter performance (1.5 second delay per request)
APAR IJ23159 | A random server is chosen for group modify if no server is specified in the group base point
Items closed in this release (6.1.34)
bTS00213742 | Duplicate erADEmailboxGUID entries returned, resulting in warnings
TS002782868 | Issue with updating proxyaddresses in Exchange/Active Directory
APAR IJ17835 | WINAD ADAPTER ERROR WHEN SETTING "ACCEPT MAIL FROM" AND THE ACCOUNT HAS A REMOTE MAILBOX

Items closed in this release (6.1.33)
TS002562024 | eradexdialin and erADEShowInAddrBook not working correctly due to errors in targetprofile.json
Internal | erUID incorrectly marked as immutable, preventing renaming of users.
Internal | erADERstrctAdrsLs, erADEAllowedAddressList and erADEDelegates incorrectly marked as not supported for remote mailboxes; erADETargetAddress incorrectly marked as supported for remote mailboxes.

Items closed in this release (6.1.32)
183289 | IJ12159 | erADEHideFromAddrsBk not returned. Behaving as designed: the value is not present when set to false through the ADSI API.
183292 | 'businessCategory' on containers now supported as multi-valued.

Items closed in this release (6.1.31)
TS002132224 | ISIM AD Adapter looks for .v2 profile; for Windows 10 users it needs to be .v6. Bugz 2900

Items closed in this release (6.1.31)
Internal | RTC 181198: Internal - As a WinAD adapter, I must ensure that the profile jars in the 7.x package are correct
Items closed in 6.1.30 release
TS001030655 | US - As a WinAD adapter developer I must ensure that the correct version numbers are set for the 6.x and 7.x adapter builds.

Items closed in 6.1.29 release
None

Items closed in 6.1.28 release
TS000028936 | Added support for providing the primary SMTP address when the mailbox is created. This avoids the default SMTP address becoming a secondary SMTP address when the primary SMTP address is set after the mailbox is created.

Items closed in 6.1.27 release
01351,SGC,740 | Error 0x00000037 and 0x80004005 trying to set eradnochangepassword
IV98275 | WRONG SYNTAX FOR ERADPREFERREDEXCHANGESERVERS AND ERADPREFERREDLYNCSERVERS IN TARGETPROFILE.JSON
IV97886 IV98275 | ADprofile.jar file from 7.1.26 package won't import on IGI 5.2.3

Items closed in 6.1.25 release
IV85621 | WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC MODULE

Items closed in 6.1.23 release
IV85621 | CERTTOOL CRASHES WHEN TRYING TO IMPORT CERT
IV86639 | RECONCILIATIONS DO NOT RETURN WINAD CUSTOM ATTRIBUTES, SPECIFICALLY GIDNUMBERT

Items closed in 6.0.22 release
IV84875 reopened | ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES

Items closed in 6.0.20 release
IV84875 | ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES
75802,227,000 | Issue with erADGrpWriteMembers attribute value on reconcile returning both true and false.
04723,001,862 | WinAD Adapter Release Notes Wrong+Missing Information
Items closed in 6.0.19 release
IV82951 | SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER UPGRADE TO WINAD64 6.0.18

Items closed in 6.0.18 release
52479,004,000 | ITIM adapter deleting the $IPC share accidentally
IV79632 | ACTIVE DIRECTORY USERS WITH COUNTRY CODE 428 ARE CREATED WITH COUNTRY LATIVA INSTEAD OF LATVIA.
IV79641 | AD ADAPTER INTERMITTENTLY CRASHES DURING RECONCILIATION
IV81775 | INVALID PARAMETER GENERATED FOR EXCHANGE 2013 PROVISIONING (-ManagedFolderMailboxPolicyAllowed)

Items closed in 6.0.17 release
IV78917 | ISSUES WHILE ENABLING LYNC FOR IDS WHICH HAVE SPECIAL
IV78758 | WINAD ADAPTER CRASHING WHILE CALLING GETLYNCUSER DURING RECONCILE
IV78492 | AD ADAPTER CRASH IF PROXY ADDRESS IS NOT VALID.
IV78286 | IADSTSUSEREX INTERFACE NOT WORKING TO RETRIEVE WTS ATTRIBUTES

Items closed in 6.0.16 release
IV73908 | Event Notification no longer working if USN-Changed attribute exceeds 7 digits

Items closed in 6.0.15 release
92067,69G,760 | Test connection fails. Test connection now only reports a warning if the Domain/Forest functional level cannot be determined
06429,707,707 | Change the default behavior for eradgroup to be add/delete rather than replace.
IV71005 | LyncDisableSearch registry setting in wrong location after install

Items closed in 6.0.14 release
13541,035,724 | WTS ATTRIBUTES AND RECON ERROR 1317.
IV65653 | WINAD ADAPTER REPORTS SUCCESS IN CASE OF AD GROUP INTERFACE PROBLEMS DURING RECONCILIATION.
IV67715 | ERADLYNCTELEPHONY AND ERADLYNCLINEURI FAIL ON MODIFY TO LYNC
38947,031,724 CVE-2014-8923 | WinAD Adapter logs password in clear text on password change failures. This addresses IBM Security Bulletin CVE-2014-8923
Items closed in 6.0.13 release
IV61397 | THREAD LOGGING OPTION NOT SHOWING IN AD ADAPTER AGENTCFG PROGRAM
IV62916 | AD ADAPTER RECON FAILS WHEN AD CANNOT PROVIDE INFORMATION ABOUT AN ATTRIBUTE'S SCHEMA CHARACTERISTICS
IV63714 | WINAD ADAPTER CRASH IF ERADLYNCTELEPHONY IS NULL

Items closed in 6.0.12 release
IV61264 | ADD REQUESTS FAIL TO CREATE MAILBOXES ON EXCHANGE 2013 when EXCHANGE 2010 servers are present
IV54076 | ADAPTER 6.0.7 EVENT NOTIFICATION DOESN'T SEND UPDATES ON DELETE
44201,124,672 | Lync updates fail to set attributes, but adapter returns "success"
40800,124,672 | Disable the AD account; is it expected that the Exchange 2010 account is suspended as well?

Items closed in 6.0.9 release
IV55003 | Only first value of extended multi-valued attribute provisioned
IV54742 | Failure when removing value from erAdAllowedaddresslist attribute
IV53979 | Win AD adapter log rotation is not working properly
IV53709 | Account modify problem with the execution policy machine policy set to remote signed
IV53423 | Windows Active Directory adapter can crash during test connection
IV45107 | AD recon fails with large photo attribute
IV55742 | ReconDiscconectedMailbox setting breaking reconcile
IV54738 | THE FUNCTIONALITY OF THE FORCE PASSWORD CHANGE ATTRIBUTE IS DOCUMENTED INCORRECTLY

Items closed in 6.0.8 release
IV53185, IV52869 IV52916 | Unable to set extended string attribute
IV53212 | .V2 profile folder not deleted on deprovision
IV53225 | AD add with Lync account fails with user not found
70571,227,000 | Test request is crashing
Items closed in 6.0.7 release
IV49178 | Unable to update Accept Mail From attribute.
42506,227,000 | Random failure with eradnochangepassword attribute during add/create account request

Items closed in 6.0.6 release
IV46279 IV45884 | User delete request reporting error "Unable to parse user DN" even though delete was successful
IV38015 | Removed FIPS reference from installation guide
IV43794 | On AD adapter Add operation secondary SMTP is ignored
IV44614 | WinAD adapter has missing RPS documentation

Items closed in 6.0.4 release
IV43500 | Proxy address handling updated to correctly support replacing the primary SMTP address
IV39511 | Restructured code to reorder DACLs when updating security descriptor to set erADNoChangePwd
IV36704 | erADEActiveSyncEnabled value was not correct when returned during recon. It is now correctly set.
IV31681 | Additional enhancements to the handling of proxy addresses to properly handle setting primary SMTP addresses

Items closed in 6.0.3 release
IV31681 | Restructured handling of proxy addresses so the processing order is fixed: delete, add, replace. The exception is that a new primary SMTP address must be added if the existing one is being deleted in the delete request.

Items closed in 6.0.2 release
IV31759 | Fixed the installer to use registry import to register the Exchange interface DLL. No longer calling RegAsm.exe at install time.
IV31747 | Fixed error handling when the Exchange Interface is not present while managing Exchange attributes. Previously returned success when the interface is not present.
IV25655 | Fixed bug in lookup callback that returned success when binding to AD fails.
CMVC# | APAR# | PMR# / Description
N/A | N/A | Support for Exchange and Lync is provided using remote PowerShell connections to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections to a remote PowerShell. Setting the thread count higher than the default of 3 could result in some Exchange or Lync attributes failing to be set under heavy loads.
N/A | N/A | Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer available for Exchange 2007.
N/A | N/A | Service form fields: See the "Corrections to Installation Guide" and "Chapter 4. Adapter installation" sections below.
N/A | N/A | Class 3 Certificates: Class 3 secure server CA-G2 certs are not written properly to the "DamlCACerts.pem" file through the CertTool.exe utility. The certificate data is written twice between BEGIN CERTIFICATE and END CERTIFICATE.
Work around: To correct this issue, follow the steps below and edit the "DamlCACerts.pem" file present in the "<Adapter installation path>\data" folder.
Step 1. Start the CertTool utility.
Step 2. Import the class 3 CA certificate by using option "F" from the main menu of the CertTool utility.
Step 3. Once the class 3 CA certificate is successfully installed, open the "DamlCACerts.pem" file stored in the "<Adapter installed path>\data" folder using a text editor.
Step 4. Delete the class 3 CA certificate data (i.e. the content between BEGIN CERTIFICATE and END CERTIFICATE) from "DamlCACerts.pem".
Step 5. Open the class 3 CA certificate file using a text editor and copy the certificate data (between the BEGIN CERTIFICATE and END CERTIFICATE lines).
Step 6. Paste the certificate data into the "DamlCACerts.pem" file between the BEGIN CERTIFICATE and END CERTIFICATE lines of the same class 3 CA certificate. If more than one class 3 certificate is installed, you can identify the certificate using the issuer and subject data.
Step 7. Save the "DamlCACerts.pem" file.
Step 8. To verify that the "DamlCACerts.pem" file is edited properly, display the certificate information by using option "E" from the main menu of the CertTool utility.
Note that this issue is seen after installing a class 3 CA certificate. If you correct DamlCACerts.pem and then install another class 3 CA certificate, the newly installed class 3 CA certificate will show the same issue.
This issue is also seen when you delete any certificate using option "G" from the main menu of the CertTool utility. The delete option affects all remaining class 3 CA certificates and you have to follow steps 1 to 8 to correct the DamlCACerts.pem file.
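An added check for the symptom just described (this is example code, not part of the adapter or of CertTool): it scans a DamlCACerts.pem file for a certificate block whose data appears twice and rewrites that block with a single copy, which is what steps 4 to 7 do by hand. The sample PEM is constructed; a tiny DER SEQUENCE stands in for a real certificate.

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der_total_length(der):
    """Total length (header plus content) declared by a DER SEQUENCE header,
    or None if the bytes do not start with a SEQUENCE. An X.509 certificate
    is a SEQUENCE, so a healthy block decodes to exactly this many bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def classify_body(b64):
    """Classify the base64 text between BEGIN and END as 'ok', 'duplicated'
    (the same certificate data written twice, the CertTool symptom) or
    'malformed' (anything that does not decode to a single DER SEQUENCE)."""
    half = len(b64) // 2
    if half > 0 and len(b64) % 2 == 0 and b64[:half] == b64[half:]:
        return "duplicated" if classify_body(b64[:half]) == "ok" else "malformed"
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return "ok" if _der_total_length(der) == len(der) else "malformed"


def repair_pem(text):
    """Return (fixed_text, report). A duplicated block is rewritten with one
    copy of its data, re-wrapped at 64 columns; other blocks keep their lines
    and text outside blocks passes through. report lists each block's class."""
    out, report, body = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN:
            body = []
            out.append(line)
        elif stripped == END and body is not None:
            b64 = "".join(body)
            kind = classify_body(b64)
            if kind == "duplicated":
                b64 = b64[:len(b64) // 2]
                out.extend(b64[i:i + 64] for i in range(0, len(b64), 64))
            else:
                out.extend(body)
            out.append(line)
            report.append(kind)
            body = None
        elif body is not None:
            body.append(stripped)
        else:
            out.append(line)
    if body is not None:
        raise ValueError("unterminated CERTIFICATE block")
    return "\n".join(out) + "\n", report


# Constructed sample: a 7-byte DER SEQUENCE stands in for a real certificate.
_DER = bytes.fromhex("30050203010001")          # SEQUENCE { INTEGER 65537 }
_B64 = base64.b64encode(_DER).decode()          # "MAUCAwEAAQ=="
GOOD_PEM = f"{BEGIN}\n{_B64}\n{END}\n"
BAD_PEM = f"{BEGIN}\n{_B64}\n{_B64}\n{END}\n"   # data written twice, the CertTool symptom

if __name__ == "__main__":
    fixed, report = repair_pem(BAD_PEM)
    print(report, fixed == GOOD_PEM)
```

Run it against the real DamlCACerts.pem before and after step 8; a report containing "duplicated" means the block still needs the manual edit.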
Running in Federal Information Processing Standards compliance mode
Security Identity Adapters can be operated with FIPS 140-2 certified cryptographic modules. FIPS 140-2 is a standard from the US National Institute of Standards and Technology (NIST) that applies to cryptographic modules.
Two FIPS 140-2 modules are used:
As a user of these modules, there is no certification implied for Security Identity Adapters. However, for the correct use of these FIPS 140-2 modules, IBM customers need to follow the instructions listed below.
The fipsEnable tool allows the adapter to be Federal Information Processing Standards (FIPS) compliant. The fipsEnable tool causes the adapter to use a FIPS-certified encryption library so that all cryptographic keys that are used are generated by a FIPS-compliant algorithm. Any communications with the adapter are also secured. The tool generates the FIPS master key, enables the FIPS mode setting, changes the USE_SSL parameter to TRUE and re-encrypts the existing encrypted values for:
Note: After FIPS mode is enabled, it cannot be disabled. You must reinstall the adapter, if you want to disable FIPS mode.
Configuring the adapter to run in FIPS mode
1. Install the adapter.
2. Run the fipsEnable tool. Issue the command:
fipsEnable -reg agentName
3. Restart the adapter.
Operational differences running in FIPS mode
The ADK protocol that’s used to communicate between the adapter and the ADK service provider must run in SSL mode. The fipsEnable tool sets the ADK SSL mode to TRUE. In SSL mode, however, you must install a server certificate because the fipsEnable tool does not convert an existing ADK certificate and key.
Note: You cannot import a PKCS12 file containing a certificate and key. You must use CertTool (option A) to create a Certificate Signing Request (CSR) and have it signed by a Certificate Authority. You can then install the signed certificate with CertTool (option B).
The agentCfg tool automatically detects when the adapter is running in FIPS mode and initializes the encryption library in FIPS mode. In addition, the ADK only accepts agentCfg connections from localhost (127.0.0.1).
Security policy
For FIPS compliance, a security policy must be defined that outlines the requirements for the end user to operate the application in a FIPS-compliant mode. The software ensures that the correct algorithms and keys are used; however, additional requirements for the environment are the responsibility of the security officer. The security policy defines two roles, security officer and user. It defines the extent to which each of these persons can physically access the workstation, file system and configuration tools. The security of the workstation, of the file system, and of the configuration is the responsibility of the security officer.
Authentication roles
The FIPS security policy normally defines separate roles for a security officer and a user. In the case of an adapter, the user role is actually the IBM Security Identity Manager (ISIM) or Identity Governance and Intelligence (IGI) server. The installation and configuration of the adapter needs to be performed by the security officer.
It is the responsibility of the security officer to ensure that the proper physical and logical security is in place to prevent access to the adapter by unauthorized personnel. This means that the physical workstation must be in a secure location that is accessible only by persons with the authority and access privileges of the security officer. In addition, the security on the folder in which the adapter is installed must be configured to prevent access by personnel other than security officers.
For Windows installations, the system registry must be secured at the top-level key for the adapter to prevent access by personnel other than security officers.
Rules of operation
The adapter now supports remote mailboxes. This allows supporting Office 365 mailboxes in a hybrid Exchange environment. A new attribute (erADEremoteAddress) has been added to the user object to support this feature. There are now 4 ways to create a mailbox with the adapter:
To delete a mailbox, simply delete the value for the mail store or mail address.
The remote address and target address values use the same user attribute to store their value. The msExchRecipientType value indicates whether the mailbox is remote or not. Currently remote addresses appear in the target address field. You will need to run a full reconciliation after installing this update to populate the remote addresses.
See the IBM Security Windows Local Account Adapter Installation and Configuration Guide for detailed instructions.
"The previous installation was installed with newer version of InstallAnywhere"
You may see this error while running the installer. It is only a warning and can be safely ignored.
The following corrections to the Installation Guide apply to this release:
The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an attempt to have the default values on the form match those of Exchange. This was confusing and causing issues when the default settings on the Exchange server were changed from what the adapter expected. The adapter now uses the same values for all Exchange security settings. 1=Allow, 2=Deny and 0 or no value=None.
Section "Adapter user account creation"
The following paragraph is incorrect:
The account information must be supplied on the Active Directory Adapter service form. See “Creating an adapter service” on page 14 for information about creating a service.
Furthermore, you must not supply the account information on the service form. The following two fields on the adapter service form are not used and must be blank:
The adapter account, used by the adapter to manage AD/Exchange/Lync, must be supplied on the logon tab of the Windows adapter service that is named ISIM Active Directory Adapter.
The following configuration notes apply to this release:
The following corrections to the User Guide apply to this release:
The "Force Password Change" check box is documented incorrectly in section "Specifying controls for a user account" of the User Guide.
It should be as follows: "If you select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to 0. If you do not select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to -1".
New DAML protocol setting for TLS level
The DAML protocol settings now include a value called MIN_TLS_LEVEL. This setting supersedes the values DISABLE_SSLV3 and DISABLE_TLS10. The valid settings for this value are:
0 - No restrictions. This setting allows SSLv3 connections, which are known to have vulnerabilities.
1.0 - TLS 1.0 and higher are supported
1.1 - TLS 1.1 and higher are supported
1.2 - TLS 1.2 and higher are supported
1.3 - TLS 1.3 and higher are supported
For backward compatibility, if MIN_TLS_LEVEL is not set, it will be set at startup based on the settings of DISABLE_SSLV3 and DISABLE_TLS10.
A new option L should be included in the table of DAML protocol options. It displays the following prompt:
Modify Property 'DISABLE_SSLV3':
SSLv3 is now considered an insecure protocol and is disabled by default. In order to enable SSLv3 you need to set this value to FALSE. If this value does not exist or is anything other than FALSE, the SSLv3 protocol will be disabled when using SSL.
A new option M should be included in the table of DAML protocol options. It displays the following prompt:
Modify Property 'DISABLE_TLS10':
The TLS 1.0 setting is configurable. By default, DISABLE_TLS10 is set to FALSE. Setting DISABLE_TLS10 to TRUE will disable TLS 1.0 and SSLv3 regardless of the setting for DISABLE_SSLV3.
Add the following configuration settings topic:
Enabling TLS 1.2 in Identity Manager (ISIM/IGI/ISPIM):
After setting up certificates in Identity Manager and the adapter, enable TLS 1.2 by adding or modifying the following line in the enRole.properties file in ISIM (equivalent for ISPIM and IGI):
com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.2
The section “Modifying protocol configuration settings" should add this section for setting the SSL cipher list.
Setting the Cipher list
The DAML protocol now checks for an environment variable called "ISIM_ADAPTER_CIPHER_LIST". This variable can contain a list of ciphers for the SSL protocol. DAML uses the OpenSSL library to support SSL, and this cipher string is passed to OpenSSL during initialization. The cipher names and the syntax can be found on the OpenSSL web site (https://www.openssl.org/docs/apps/ciphers.html). When this string is used, it only fails if none of the ciphers can be loaded; it is considered successful if at least one of the ciphers is loaded.
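The MIN_TLS_LEVEL fallback rule from the "New DAML protocol setting for TLS level" section and the ISIM_ADAPTER_CIPHER_LIST semantics above, worked through in Python against the same OpenSSL cipher-string parser. This is an added example, not code from the adapter or the ADK; the settings dictionary shape and the function names are assumptions, and level 0 is mapped to the lowest version the local OpenSSL build supports because SSLv3 cannot be enabled there.

```python
import os
import ssl

# Floor that each documented MIN_TLS_LEVEL value maps to. Level 0 ("no
# restrictions") is mapped to the lowest version this OpenSSL build supports:
# SSLv3 cannot be switched on in the OpenSSL that ships with current Python,
# whereas the adapter itself, per the release notes, allows SSLv3 at level 0.
_FLOORS = {
    "0": ssl.TLSVersion.MINIMUM_SUPPORTED,
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def effective_min_tls_level(settings):
    """Return the MIN_TLS_LEVEL that applies to a DAML settings dict (assumed
    shape: property name -> string value, as entered through agentCfg).

    Backward-compatibility rule from the release notes: an explicit
    MIN_TLS_LEVEL wins; otherwise the level is derived at startup from
    DISABLE_TLS10 and DISABLE_SSLV3."""
    level = settings.get("MIN_TLS_LEVEL")
    if level is not None:
        if level not in _FLOORS:
            raise ValueError(f"invalid MIN_TLS_LEVEL {level!r}; expected one of {sorted(_FLOORS)}")
        return level
    # DISABLE_TLS10=TRUE disables TLS 1.0 and SSLv3 regardless of DISABLE_SSLV3.
    if settings.get("DISABLE_TLS10", "FALSE").strip().upper() == "TRUE":
        return "1.1"
    # SSLv3 stays disabled unless DISABLE_SSLV3 is explicitly FALSE.
    if settings.get("DISABLE_SSLV3", "").strip().upper() != "FALSE":
        return "1.0"
    return "0"


def build_server_context(settings, cipher_list=None):
    """Build a server-side SSLContext that enforces the derived floor and the
    cipher string. As with the DAML protocol, the cipher string is only an
    error when none of the named ciphers can be loaded."""
    if cipher_list is None:
        cipher_list = os.environ.get("ISIM_ADAPTER_CIPHER_LIST", "")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _FLOORS[effective_min_tls_level(settings)]
    if cipher_list:
        try:
            ctx.set_ciphers(cipher_list)  # OpenSSL silently ignores unknown names
        except ssl.SSLError as exc:       # raised only when nothing at all matched
            raise ValueError(f"no cipher in {cipher_list!r} could be loaded") from exc
    return ctx


def loaded_cipher_names(settings, cipher_list=None):
    """Names of the ciphers the context will actually offer (TLS 1.3 suites are
    listed too when the floor allows TLS 1.3, since they are not governed by
    the cipher string)."""
    return [c["name"] for c in build_server_context(settings, cipher_list).get_ciphers()]


if __name__ == "__main__":
    legacy = {"DISABLE_SSLV3": "TRUE", "DISABLE_TLS10": "TRUE"}  # pre-MIN_TLS_LEVEL config
    print("derived MIN_TLS_LEVEL:", effective_min_tls_level(legacy))
    print(loaded_cipher_names({"MIN_TLS_LEVEL": "1.2"},
                              "ECDHE-RSA-AES256-GCM-SHA384:NOT-A-CIPHER"))
```

The second call shows the "at least one cipher loaded" rule: the bogus name is dropped and the context still comes up with the one valid suite, so a typo in the list is not reported as an error.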
The IBM Security Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
Note: This adapter supports customization only through the use of pre-Exec and post-Exec scripting.
IBM Security Identity Manager Resources:
Check the “Training" section of the IBM Security Identity Manager Support website for links to training, publications, and demos.
The integration to the IBM Security Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
The adapter uses a remote PowerShell session to communicate with Exchange and Lync servers. This code runs as a pair of COM servers in the .NET environment, so it does not have access to the adapter logging functions. However, there are messages that are output to the console. To see these log messages, you must run the adapter in console mode by running the adapter directly from the command line and specifying -console as a command line option. This causes all of the adapter logging, as well as any output from the Exchange and Lync modules, to be output to the console. To capture the logging to a file, redirect the output of the adapter to a file. For example:
ADAgent.exe -console > adagent.log
The adapter uses remote PowerShell sessions to manage Exchange servers. If the adapter has issues connecting to the servers, you can manually run the PowerShell cmdlets that the adapter uses to troubleshoot the connection errors.
Use this command to create a new session on the remote server. Replace <hostAddr> with the actual hostname or IP of the Exchange server.
PS>$mySession = New-PSSession -configurationname Microsoft.Exchange -connectionuri http://<hostAddr>/Powershell -authentication Kerberos
Use this command to import the remote session into your local session. If this is successful, you should be able to run any Exchange cmdlets as if you were on the Exchange server.
PS>import-pssession $mySession
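The script below is an added example, not part of the IBM release notes, that wraps the two commands above so a failure is reported with the stage it occurred at and the session is always cleaned up. It assumes $exchangeHost is a placeholder for the Exchange server name, that the console runs as a domain account holding the role assignments the adapter uses, and that Get-Mailbox is an acceptable read-only probe.

```powershell
# Added example (not from the IBM release notes): reproduce the adapter's
# Exchange remoting steps by hand and report which stage fails.
# Assumptions: $exchangeHost is a placeholder; the console runs as a domain
# account with the adapter's Exchange role assignments; Get-Mailbox is used
# only as a harmless read probe.
$exchangeHost = 'EXCHANGE-HOST-PLACEHOLDER'
$uri = "http://$exchangeHost/PowerShell"
$session = $null
try {
    # Same parameters the release notes give for the adapter's session.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri $uri -Authentication Kerberos -ErrorAction Stop

    # Bring the remote Exchange cmdlets into this console.
    Import-PSSession $session -DisableNameChecking -ErrorAction Stop | Out-Null

    # Read-only probe: if this returns, transport, Kerberos and RBAC all work.
    Get-Mailbox -ResultSize 1 -ErrorAction Stop | Select-Object Name, ServerName
} catch {
    if (-not $session) {
        # New-PSSession threw: WinRM listener, Kerberos SPN, firewall or vdir.
        Write-Warning "Could not open a session to $uri : $($_.Exception.Message)"
    } else {
        # Session opened but cmdlets failed: usually missing Exchange RBAC rights.
        Write-Warning "Session opened but Exchange cmdlets failed: $($_.Exception.Message)"
    }
} finally {
    # Exchange caps concurrent remote shells per user; always release the session.
    if ($session) { Remove-PSSession $session }
}
```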
The IBM Security Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Windows 10
Windows 2016 Server
Windows 2019 Server
Managed Resource:
Active Directory on Windows Server 2016
Active Directory on Windows Server 2019
With optional:
Exchange Server 2016
Exchange Server 2019
Skype For Business Server 2015
Skype For Business Server 2019
IBM Security Identity Manager:
IBM Security Identity Manager v6.0.x
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
End of Release Notes