IBM® Security
Active Directory 64-Bit Adapter
Version 7.1.38
Edition notice
Note: This edition applies to versions 7.0.x of the IBM Security Identity Manager and version 5.2.x of the IBM Identity Governance and Intelligence..
© Copyright IBM Corporation 2009, 2020
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Table of Contents
Running in Federal Information Processing
Configuring the adapter to run in FIPS mode
Operational differences running in FIPS mode
Installation and Configuration Notes
Corrections to Installation Guide
Customizing or Extending Adapter Features
Update the targetprofile.json file (IGI only)
Support for Customized Adapters
Log Output From Exchange and Lync powershell calls
Issues when used with multiple Exchange versions
Welcome to the IBM Security Active Directory 64-bit (WinAD64) Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Identity Manager manuals were printed:
The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory and mailboxes on Exchange and Lync (Skype for Business). The adapter runs in “agentless" mode and communicates using Microsoft ADSI API and PowerShell to the systems being managed.
IBM recommends the installation of this adapter in “agentless" mode on a 64-bit OS and computer in the domain being managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the Identity Manager Information Center for a discussion of these topics.
The IBM Security adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Review and agree to the terms of the IBM Security Identity Manager License prior to using this product. The license can be viewed from the "license" folder included in the product package.
The adapter package includes two profiles:
· ADprofile.jar
o This profile is supported on ISIM and IGI. When used, if an AD group name or DN is changed in AD, the reconciliation operation will result it deleting the original group and adding the updating group as a new group.
§ IGI results: all users who had permission on the original group will lose that permission and new permission will be added using the new name
o No additional configuration changes are required on the adapter when the ADprofile.jar is used.
· ADprofileGUID.jar
o This profile is supported on ISIM and IGI. When used, if an AD group name or DN is changed in AD, the reconciliation operation will only change the name and/or DN of the group.
§ IGI results: all users who had permission on the original group will retain that permission but with new name and/or DN
o When using ADprofileGUID.jar, you must configure the adapter to use GUID as the group naming attribute using agentCfg.exe on the adapter server
§ Invoke agentCfg.exe -a adagent
- Use option (F) Registry Settings
- Use option (A) Modify Non-encrypted registry settings
- Use option (B) Modify attribute value
- Registry item to modify is: useGroup
- New registry item value is: GUID
- Use option (X) Done three times to exit out
- Restart the adapter service for the change to take effect.
The ability to manage service groups is a feature introduced prior to IBM Security Identity Manager 6.0. By service groups, ISIM is referring to any logical entity that can group accounts together on the managed resource.
Managing service groups implies the following:
Create service groups on the managed resource.
Modify attributes of a service group (group name change is not supported)
Delete a service group.
The Windows Active Directory x64 adapter supports service groups management on IBM Security Identity Manager only.
|
Component |
Version |
|
Build Date |
2020 September 08 16.25.21 |
|
Adapter Version |
7.1.38 |
|
Component Versions |
Adapter Build: 7.1.38 Profile 7.1.38 ADK 7.0.6
|
|
Documentation |
Check the IBM Knowledge Centre for the following guide(s): IBM Security Active Directory Adapter with 64-Bit Support Installation and Configuration Guide |
|
Enhancement |
Description |
|
|
Items included in this release (7.1.34) |
|
RFE TS001318020 (55491) |
IGI Active Directory Adapter - EmployeeNumber not supported |
|
RFE TS001619165 (58739) |
AD Adapter does not change Country to AD Country Code |
|
RFE TS002747046 (59959) |
Management of the attribute 'msExchAddressBookPolicyLink' by ISIM Windows AD Adapter
|
|
Internal |
Updated to ADK 7.0.8 with openSSL 1.1.1d. Added support for min tls level
|
|
|
Items included in this release (7.1.33) |
|
RFE 127449 (56512) |
Supporting eradeallowedaddresslist in hybrid environment (Adapter)
|
|
RFE 128222 (56765) |
ISIM and O365 email usage in hybrid environment
|
|
|
Items included in this release (7.1.32) |
|
RFE 130064 (57543) |
'businessCategory' attribute in Security Identity Adapter for Windows AD not handled as multi-valued.
|
|
181168 |
Attribute values lookup support.
|
|
183288 |
Support for Windows 2019 server. Both as a managed service and adapter platform. Support for Exchange 2019 and Skype for Business 2019.
|
|
PSIRT |
Upgraded to ADK 7.0.6 with OpenSSL 1.0.2r
|
|
|
Items included in this release (7.1.31) |
|
|
None |
|
|
Items included in 7.1.30 release |
|
177537 |
As a developer of the Windows AD adapter, I need to use a newer OpenSSL version that addresses PSIRT advisories. OpenSSL is upgraded from version 1.0.2n to 1.0.2p |
|
178202 |
Implementation for supporting recon for:
msDS-LastSuccessfulInteractiveLogonTime
and other 3 related attributes. - msDS-LastSuccessfulInteractiveLogonTime,
Note: On IGI Date attributes are not displayed correctly.
|
|
|
Items included in 7.1.29 release |
|
154239 |
US - As a Windows AD adapter developer, I need to update my adapter to use the newer OpenSSL |
|
|
Items included in 7.1.28 release |
|
|
None |
|
|
Items included in 7.1.27 release |
|
50831 50763 |
Windows AD adapter to support mailbox attribute msExchRecipientTypeDetails and msExchRemoteRecipientType in integer8 format
|
|
50988 |
Add businessCategory as a regular adapter attribute
|
|
43334 |
Enhance AD Adapter to detect user's email status for remote mailbox (O365) and manage proxy address and other exchange attrib
|
|
internal |
Added support for remote mailbox to support Office 365 mailboxes in a hybrid Exchange environment
|
|
internal |
Modified installer to default to SSL enabled
|
|
|
Items included in 7.1.26 release |
|
44871 |
Added support for lync Mobility and Persistent Chat policies
|
|
internal |
Now supports FIPS compliant mode
|
|
|
Items included in 7.1.25 release |
|
internal |
This release includes ADK 7.0.3 which update openssl to 1.0.2f to address a vulnerability to excessive CPU utilization
|
|
|
Items included in 7.1.24 release |
|
internal |
This release officially supports Windows 2016 server. Both as a managed resource and an installation platform
|
|
|
Items included in 7.1.23 release |
|
internal |
Now using ADK 7.0.1 with updated openSSL, ICU and SQLite all built on Visual Studio 2012. Adapter is now built on Visual Studio 2012 using .NET 4.5. It no longer requires .NET 3.5 to be installed.
|
|
|
Items included in 7.0.20 release |
|
42641 |
Adapter Support for Exchange 2016 and Lync 2015
|
|
42071 |
Second and following Mailbox Move Requests Fail on Exchange 2013
|
|
43225 |
Reduce IO in WinAD Adapter for PW change
|
|
|
Items included in 7.0.18 release |
|
38935 |
Support "Manager can update membership list" attribute for AD Group
|
|
38934 |
Support display name attribute for AD Groups
|
|
39511 |
WinAD Adapter does not reconcile Lync Registry Pools from AD
|
|
40129 |
ISIM AD Adapter Customization for Group Object class |
|
internal |
Updated resource.def in profile to support external roles
|
|
|
Items included in initial release (7.0.16) |
|
30303 |
ISIM AD adapter unable to set Mail box Retention policy check |
|
internal |
Now using ADK 6.0.1027 which provides an option disabling sslv3. There is also support for setting the list of ciphers used. |
|
internal |
The Domain Admin and Domain Password fields have been removed from the service form in the profile. They can still be used, but the preferred method is to set the logon account on the adapter windows service. |
|
|
Items included in 6.0.15 release |
|
34001 |
Added support for Exchange Automatic Mailbox Distribution. Supplying only eradealias without a mail store or external email address allows Exchange to determine the mail store to use based on load balancing. |
|
31924 |
Prevent deletion of user accounts that have a mailbox that is under litigation hold |
|
32482 |
Add support for msExchCoManagedByLink to group schema |
|
29995 |
Add support for msExchRequireAuthToSendTo to group schema |
|
|
Updated logging to include output from Lync and Exchange modules |
|
|
Items included in 6.0.14 release |
|
|
The Password Synchronization plug-in is now released as a separate package. It is no longer bundled in with the AD Adapter |
|
|
Includes updated ADK 6.0.1020 which includes update to prevent password values from being written to the log on password change failures |
|
|
Items included in 6.0.13 release |
|
|
Includes updated ADK 6.0.1019 which includes version 1.0.1h-fips of openSSL. |
|
Case |
APAR# |
PMR# / Description |
|
|
|
Items closed in this release 7.1.38) |
|
TS004078164 |
|
Recon/search failure with AD adapter and some AD group lookup
|
|
TS003784368 |
|
WinAd adapter profile ADprofileGUID.jar does not send GUID on group add |
|
|
|
Items closed in this release 7.1.37) |
|
TS003631283 |
IJ24481 |
Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server
|
|
|
|
Items closed in this release 7.1.36) |
|
Internal |
Fixed targetProfile.json which had been reverted to the old format by mistake
|
|
|
TS003631283 |
IJ24481 |
Windows AD - unable to remove erADLyncLineURI attribute from Lync/Skype server
|
|
TS003197913 |
Adding an Activedirectory account results in SERVICE_CONTROL_INTERROGATE command (long DNs in container names)
|
|
|
TS003611746 |
IJ24480 |
Windows AD - recon not picking up erADLyncDialpPolicy (DialPlan) attribute for Lync/Skype
|
|
|
IJ24489 |
Group basepoint - Unable to bind to group basepoint
|
|
|
|
Items closed in this release (7.1.35) |
|
Inernal |
Null pointer when mailbox store is empty value on add request
|
|
|
TS003353720 |
Active Directory Adapter performance (1.5 second delay per request)
|
|
|
APAR IJ23159
|
A random server is chosen for group modify if no server is specified in the group base point
|
|
|
|
|
Items closed in this release (7.1.34) |
|
TS002713742 |
duplicate erADEmailboxGUID entries returned resulting in warnings
|
|
|
TS002782868 |
Issue with updating proxyaddresses inExchange/Active directory
|
|
|
APAR IJ17835 |
WINAD ADAPTER ERROR WHEN SETTING "ACCEPT MAIL FROM" AND THE ACCOUNT HAS A REMOTE MAILBOX
|
|
|
|
|
Items closed in this release (7.1.33) |
|
TS002562024 |
eradexdialin and erADEShowInAddrBook not working correctly due to errors in targetprofile.json
|
|
|
Internal |
erUID incorrectly marked as immutable preventing renaming user.
|
|
|
Internal |
erADERstrctAdrsLs, erADEAllowedAddressList, erADEDelegates incorrectly marked as not supported for remote mailboxes erADETargetAddress incorrectly marked as supported for remote mailboxes. |
|
|
|
|
Items closed in this release (7.1.32) |
|
183289 |
IJ12159 |
erADEHideFromAddrsBk not returned. Behaving as designed, the value is not present when set to false through the ADSI api.
|
|
183292 |
|
‘businessCategory’ on containers now supported as multi-valued.
|
|
|
|
Items closed in this release (7.1.31) |
|
Internal |
|
RTC 181198: Internal - As a WinAD adapter, i must ensure that the profile jars in 7.x package are correct |
|
|
|
Items closed in 7.1.30 release |
|
TS001030655 |
|
US - As a WinAD adapter developer I must ensure that the correct version numbers are set for the 6.x and 7.x adapter builds.
|
|
|
|
Items closed in 7.1.29 release |
|
|
|
None |
|
|
|
Items closed in 7.1.28 release |
|
TS000028936 |
|
Added support for providing primary SMTP address when mailbox is created. This avoids, the default SMTP address from becoming a secondary SMTP address when the primary SMTP address is set after the mailbox is created.
|
|
|
|
Items closed in 7.1.27 release |
|
01351,SGC,740 |
|
Error 0x00000037 and 0x80004005 trying to set eradnochangepassword |
|
|
IV98275 |
WRONG SYNTAX FOR ERADPREFERREDEXCHANGESERVERS AND ERADPREFERREDLYNCSERVERS IN TARGETPROFILE.JSON
|
|
|
IV97886 IV98275 |
ADprofile.jar file from 7.1.26 package won't import on IGI 5.2.3 |
|
|
|
Items closed in 7.1.26 release |
|
|
IV96432
|
IN HYBRID EXCHG & O365, CREATING MAIL USER GETS REMOTE ONE BUT UPON MODIFY EXCHG ATTR - GETS LOCAL MAILBOX |
|
|
|
Items closed in 7.1.25 release |
|
|
IV85621 |
WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC MODULE |
|
|
|
Items closed in 7.0.21 release |
|
|
IV84875 reoponed |
ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES |
|
|
|
Items closed in 7.0.20 release |
|
|
IV84875 |
ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES |
|
75802,227,000 |
|
Issue with erADGrpWriteMembers attribute value on reconcile returning both true and false.
|
|
04723,001,862 |
|
WinAD Adapter Release Notes Wrong+Missing Information
|
|
|
|
Items closed in 7.0.19 release |
|
|
IV82951 |
SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER UPGRADE TO WINAD64 6.0.18 |
|
|
|
Items closed in 7.0.18 release |
|
52479,004,000 |
|
ITIM adapter deleting the $IPC share accidentally
|
|
|
IV79632 |
ACTIVE DIRECTORY USERS WITH COUNTRY CODE 428 ARE CREATED WITH COUNTRY LATIVA INSTEAD OF LATVIA. |
|
|
IV79641 |
AD ADAPTER INTERMITTENTLY CRASHES DURING RECONCILIATION |
|
|
IV81775 |
INVALID PARAMETER GENERATED FOR EXCHANGE 2013 PROVISIONING (-ManagedFolderMailboxPolicyAllowed) |
|
|
|
Items closed in 7.0.17 release |
|
|
IV78917 |
ISSUES WHILE ENABLING LYNC FOR IDS WHICH HAVE
SPECIAL |
|
|
IV78758 |
WINAD ADAPTER CRASHING WHILE CALLING GETLYNCUSER DURING RECONCILE |
|
|
IV78492 |
AD ADAPTER CRASH IF PROXY ADDRESS IS NOT VALID. |
|
|
IV78286 |
IADSTSUSEREX INTERFACE NOT WORKING TO RETRIEVE WTS ATTRIBUTES |
|
|
|
Items closed in initial release (7.0.16) |
|
|
IV73908 |
Event Notification no more working if USN-Changed attribute exceeds 7 digits |
|
|
|
Items closed in 6.0.15 release |
|
92067,69G,760 |
|
Test connection fails. Test connection now only reports warning if the Domain/Forest functional level cannot be determined |
|
06429,707,707 |
|
Change the default behavior for eradgroup to be add/delete rather than replace |
|
|
|
LyncDisableSearch registry setting in wrong location after install |
|
|
|
Items closed in 6.0.14 release |
|
13541,035,724 |
|
WTS attributes and recon error 1317 |
|
|
IV65653 |
WinAD adapter reports success in case of AD group interface problems during reconciliation |
|
|
IV67715 |
eradlynctelephony and eradlynclineurl fail on modify to Lync |
|
38947,031,724 CVE-2014-8923 |
|
WinAD adapter logs password in clear text on password change failures. This addresses IBM Security Bulletin CVE-2014-8923.
|
|
|
|
Items closed in 6.0.13 release |
|
|
IV61397 |
Thread logging option not showing in WinAD adapter agentcfg program |
|
|
IV62916 |
WinAD adapter recon fails when AD cannot provide information about an attribute's schema |
|
|
IV63714 |
WinAD adapter crash if eradlynctelephony is NULL |
|
CMVC# |
APAR# |
PMR# / Description |
|
N/A |
N/A |
Support for Exchange and Lync is provided using remote powershell connections to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections to a remote powershell. Setting the thread count to higher than the default of 3 could result in some Exchange or Lync attributes failing to be set under heavy loads.
|
|
N/A |
N/A |
Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer available for Exchange 2007.
|
|
N/A |
N/A |
Service form fields:
See “Corrections to Installation Guide", “ The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an attempt to have the default values on the form match those of Exchange. This was confusing and causing issues when the default settings on the Exchange server were changed from what the adapter expected. The adapter now uses the same values for all Exchange security settings. 1=Allow, 2=Deny and 0 or no value=None.
Chapter 4. Adapter installation" section below.
|
|
N/A |
N/A |
Class 3 Certificates Class 3 secure server CA-G2 certs are not written properly to “DamlCACerts.pem" file through CertTool.exe Utility. The certificate data is written twice between BEGIN CERTIFICATE and END CERTIFICATE.
Work around: To correct this issue, please follow the below steps and edit “DamlCACerts.pem" file present in “<Adapter installation path>\data" folder.
Step 1. Start the CertTool utility
Step 2. Import the class 3 CA certificate by using “F" option from the main menu of CertTool Utility.
Step 3. Once the class 3 CA certificate is successfully installed, open “DamlCACerts.pem” file stored in the “<Adapter installed path>\data" folder using text editor.
Step 4. Delete the class 3 CA certificate data (i.e. content between BEGIN CERTIFICATE and END CERTIFICATE) from “DamlCACerts.pem".
Step 5. Open class 3 CA certificate file using text editor and copy the certificate data (between the BEGIN CERTIFICATE and END CERTIFICATE)
Step 6. Paste the certificate data to “DamlCACerts.pem" file between the BEGIN CERTIFICATE and END CERTIFICATE lines of same class 3 CA Certificate. If more than one class 3 certificates are installed then you can identify the certificate using issuer and subject data.
Step 7. Save “DamlCACerts.pem" file.
Step 8. To verify the “DamlCACerts.pem" file is edited properly, display certificate information by using option “E" from the main menu of CertTool Utility.
Please note that this issue is seen after installing class 3 CA certificate. If you correct the DamlCACerts.pem and then install another class 3 CA certificate, the newly installed class 3 CA certificate will show same issue.
This issue is also seen when you delete any certificate using option "G" from the main menu of CertTool utility. The delete option will affect all remaining class 3 CA certificate and you have to follow step 1 to 8 to correct the DamlCACerts.pem file.
|
Security Identity Adapters can be operated with FIPS 140-2 certified cryptographic modules. FIPS 140-2 is a standard from the US National Institute of Standards and Technology (NIST) that applies to cryptographic modules.
Two FIPS 140-2 modules are used:
As a user of these modules, there is no certification implied for Security Identity Adapters. However, for the correct use of these FIPS 140-2 modules, IBM customers need to follow the instructions listed below.
The fipsEnable tool allows the adapter to be Federal Information Processing Standards (FIPS) compliant. The fipsEnable tool causes the adapter to use a FIPS-certified encryption library so that all cryptographic keys that are used are generated by a FIPS-compliant algorithm. Any communications with the adapter
are also secured. The tool generates the FIPS master key, enables the FIPS mode setting, changes the USE_SSL parameter to TRUE and re-encrypts the existing encrypted values for:
Note: After FIPS mode is enabled, it cannot be disabled. You must reinstall the adapter, if you want to disable FIPS mode.
1. Install the adapter.
2. Run the fipsEnable tool. Issue the command:
fipsEnable -reg agentName
3. Restart the adapter.
The ADK protocol that’s used to communicate between the adapter and the ADK service provider must run in SSL mode. The fipsEnable tool sets the ADK SSL mode to TRUE. In SSL mode, however, you must install a server certificate because the fipsEnable tool does not convert an existing ADK certificate and key.
Note: You cannot import a PKCS12 file containing a certificate and key. You must use CertTool (option A) to create a Certificate Signing Request (CSR) and have it signed by a Certificate Authority. You can then install the signed certificate with CertTool (option B).
The agentCfg tool automatically detects when the adapter is running in FIPS mode and initializes the encryption library in FIPS mode. In addition, the ADK only accepts agentCfg connections from localhost (127.0.0.1).
For FIPS compliance, a security policy must be defined that outlines the requirements for the end user to operate the application in a FIPS-compliant mode. The software ensures that the correct algorithms and keys are used, however, additional requirements for the environment are the responsibility of the security
officer. The security policy defines two roles, security officer and user. It defines the extent to which each of these persons can physically access the workstation, file system and configuration tools. The security of the workstation, of the file system, and of the configuration is the responsibility of the security officer.
The FIPS security policy normally defines separate roles for a security officer and a user. In the case of an adapter, the user role is actually the IBM Security Identity Manager (ISIM) or Identity Governance and Intelligence (IGI) server. The installation and configuration of the adapter needs to be performed by the security officer.
It is the responsibility of the security officer to ensure that the proper physical and logical security is in place to prevent access to the adapter by unauthorized personnel. This means that the physical workstation must be in a secure location that is accessible only by persons with the authority and access privileges of the security officer. In addition, the security on the folder in which the adapter is installed must be configured to prevent access by personnel other than security officers.
For Windows installations, the system registry must be secured at the top-level key for the adapter to prevent access by personnel other than security officers.
· The replacement or modification of the adapter by unauthorized intruders is prohibited.
· The operating system enforces authentication methods to prevent unauthorized access to adapter services.
· All critical security parameters are verified as correct and are securely generated stored, and destroyed.
· All host system components that can contain sensitive cryptographic data (main memory, system bus, disk storage) must be located in a secure environment.
· The operating system is responsible for multitasking operations so that other processes cannot access the address space of the process containing the adapter. Secret or private keys that are input to or output from an application must be encrypted using a FIPS-approved algorithm
The adapter now supports remote mailboxes. This allows supporting Office 365 mailboxes in a hybrid Exchange environment. A new attribute (erADEremoteAddress) has been added to the user object to support this feature. There are now 4 ways to create a mailbox with the adapter:
To delete a mailbox, simply delete the value for the mail store or mail address.
The remote address and target address values use the same user attribute to store their value. The msExchRecipientType value indicates whether the mailbox is remote or not. Currently remote addresses appear in the target address field. You will need to run a full reconciliation after installing this update to populate the remote addresses.
See the IBM Security Windows Local Account Adapter Installation and Configuration Guide for detailed instructions.
“The previous installation was installed with newer version of InstallAnywhere”
You may see this error while running the installer. It is only a warning and can be safely ignored.
The following corrections to the Installation Guide apply to this release:
Exchange Mailbox Security
The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an attempt to have the default values on the form match those of Exchange. This was confusing and causing issues when the default settings on the Exchange server were changed from what the adapter expected. The adapter now uses the same values for all Exchange security settings. 1=Allow, 2=Deny and 0 or no value=None.
Chapter 4. Adapter installation
Section "Adapter user account creation"
The following paragraph is incorrect:
The account information must be supplied on the Active Directory Adapter service form. See “Creating an adapter service” on page 14 for information about creating a service.
Furthermore, you must not supply the account information on the service form. The following two fields on the adapter service form are not used and must be blank:
è The adapter account, used by the adapter to manage AD/Exchange/Lync, must be supplied on the logon tab of the Windows Adapter service that is named ISIM Active Directory Adapter.
The following configuration notes apply to this release:
Managed Folder Mailbox Policy
Managed folder policies and retention policies are now treated as separate items. The type of policy is determined by the location in the Active Directory LDAP.
The following corrections to the User Guide apply to this release:
The "Force Password Change" check box is documented incorrectly in section "Specifying controls for a user account" of the User Guide.
It should be as follow: "If you select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to 0. If you do not select the Force Password Change check box, then the adapter sets the value of the pwdLastSet attribute to -1".
Table 7. Options for the DAML protocol menu
New DAML protocol setting for TLS level
The DAML protocol settings now include a value called MIN_TLS_LEVEL. The setting supersedes the values DISALBE_SSLV3 and DISABLE_TLS10. The valid settings for this value are:
0 No restrictions. This setitngs allows SSLV3 connections which are known to have vulnerabilities.
1.0 TLS 1.0 and higher are supported
1.1 TLS 1.1 and higher are supported
1.2 TLS 1.2 and higher are supported
1.3 TLS 1.3 and higher are supported
For backward compatibility, if MIN_TLS_LEVEL is not set, it will be set at startup based on the settings of DISABLE_SSLV3 and DISABLE_TLS10.
A
new option L should be included in the table of DAML protocol options.
Displays
the following prompt:
Modify
Property ‘DISABLE_SSLV3’:
SSLv3 is now considered an unsecure
protocol. SSLv3 is now disabled by default. In order to enable
SSLv3 you need to set this value to FALSE. If this value does not exist
or is anything other than FALSE, the SSLv3 protocol will be disabled when using
SSL.
A
new option M should be included in the table of DAML protocol options.
Displays
the following prompt:
Modify
Property ‘DISABLE_TLS10’:
TLS1.0
setting is configurable. By default, DISABLE_TLS10 is set to FALSE
Setting
DISABLE_TLS10 to TRUE will disable TLS1.0 and SSLV3 regardless of the setting
for DISABLE_SSLV3.
Add the following configuration settings topic:
Enabling TLS 1.2 in Identity Manager (ISIM/IGI/ISPIM):
After Setting up certificates in Identity Manager and Adapter, Enable TLS 1.2
by adding/modifying the following line in enRole.properties file in ISIM
(equivalent for ISPIM and IGI)
com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.2
The section “Modifying protocol configuration settings" should add this section for setting the SSL cipher list.
Setting the Cipher list
The DAML protocol now checks for an environment variable called "ISIM_ADAPTER_CIPHER_LIST". This variable can contain a list of ciphers for the SSL protocol. DAML uses the openSSL library to support SSL. This cipher string is passed to openSSL during initialization. The cipher names and the syntax can be found on the openSSL web site ( https://www.openssl.org/docs/apps/ciphers.html ). When this string is used, it only fails if none of the ciphers can be loaded. It is considered successful if at least one of the ciphers is loaded.
Chapter 5
For IGI uses, under the section Customizing the Active Directory Adapter there should be another section between steps 5 and 6 should be inserted for updating the targetProfile.json file ( see Update the targetprofile.json file (IGI only) )
The IBM Security Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
IBM Security Identity Manager Resources:
Check the “Training" section of the IBM Security Identity Manager Support website for links to training, publications, and demos.
This adapter now supports extending the schema for group objects as well as user objects on. The procedure is the same as for user objects except that the file name used for the
extended attributes is exschemagrp.txt. Extending the schema for group objects is supported on ISIM only.
The Active Directory Adapter targetprofile.json file identifies all of the supported Windows
account attributes for the IGI server.
About this task
Modify this file to identify the new extended attributes. To update the targetProfile.json file, complete the following steps:
Procedure
Change to the \ADprofile directory, where the targetProfile.json file has been created.
Open the targetProfile.json file in a text editor. Find the section for “userExtension”. It should look like this:
"userExtension": {
"schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"definition": {
"id": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [
The “attributes” section contains an array of attribute definitions. Each definition is separated by a comma. You add your extended attributes to this section. An attribute object contains these fields:
|
Field |
Description |
|
name |
Attribute name |
|
type |
data type (string, integer, boolean, binary) |
|
multiValued |
True if attribute can have multiple values |
|
description |
Attribute description text |
|
required |
true if required attribute |
|
caseExact |
true if value is case sensitive |
|
mutability |
immutable, read, write, readwrite |
|
returned |
Use “default” |
|
uniqueness |
Use “server” |
|
specialFlags |
Use “none” |
|
canonicalValues |
Optional list of valid values for this attribute as a json array. |
The attribute object is enclosed in braces ({}). Each field has the name in quotes followed by a colon and the value. Each field is separated by a comma. Below is an example from the AD adapter:
{
"name": "eruid",
"type": "string",
"multiValued": false,
"description": "An identifier used to uniquely identify a user",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "server",
"specialFlags": "none"
},
Add the new attributes to the account class. For example (new attribute text in red):
"userExtension": {
"schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"definition": {
"id": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [
{
"name": "eruid",
"type": "string",
"multiValued": false,
"description": "An identifier used to uniquely identify a user",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "server",
"specialFlags": "none"
},
…
{
"name": "title",
"type": "string",
"multiValued": false,
"description": "title",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none"
},
{
"name": "shirtSize",
"type": "string",
"multiValued": true,
"description": "Shirt Size",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none",
"canonicalValues": [
"small”,
"medium",
"large
]
}
]
},
Make sure to separate each attribute definition with a comma. Once you have updated the file, it is recommended that you verify the syntax is correct by using one of the freely available json lint sites.
The integration to the IBM Security Identity Manager server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
The adapter uses a remote powershell session to communicate with Exchange and Lync servers. This code runs as a pair COM servers in the .NET environment. As such they do not have access to the adapter logging functions. However, there are messages that are output to the console. In order to see these log messages, you must run the adapter in console mode. This is done by running the adapter directly from the command line and specifying –console as a command line option. This causes all of the adapter logging as well as any output from the Exchange and Lync modules to be output to the console. To capture the logging to a file, simply redirect the output of the adapter to a file. For example:
>ADAgent.exe –console > adagent.log
The adapter uses remote powershell sessions to manage Exchange servers. If the adapter has issues connecting to the servers, you can manually run the powershell cmdlets that the adapter uses to troubleshoot the connection errors.
Use this command to create a new session on the remote server. Replace <hostAddr> with the actual hostname or IP of the Exchange server.
PS>$mySession = New-PSSession -configurationname Microsoft.Exchange -connectionuri http://<hostAddr>/Powershell -authentication Kerberos
Use this command to import the remote session into your local session. If this is successful, you should be able to run any Exchange cmdlets as if you were on the Exchange server.
PS>import-pssession $mySession
The IBM Security Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Windows 10
Windows Server 2016
Windows Server 2019
Managed Resource:
Active Directory on Windows Server 2016
Active Directory on Windows Server 2019
With optional:
Exchange Server 2016
Exchange Server 2019
Skype For Business Server 2015
Skype For Business Server 2019
IBM Security Identity Manager:
IBM Security Identity Manager v7.0.x
IBM Security Privileged Identity Manager (PIM):
ISPIM v2.0
ISPIM v2.1
Identity Governance and Intelligence (IGI):
IGI v5.2.x
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or
typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms
and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at "Copyright
and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
End of Release Notes