IBM Security Verify Governance Adapter v10.0.8 for IBM Security Verify Access is available. Compatibility, installation and other getting-started issues are addressed.
Copyright
International Business Machines Corporation 2003, 2026. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Welcome to the IBM Security Verify Governance Adapter for IBM Security Verify Access, previously known as IBM Tivoli Access Manager Combo Adapter.
· IBM Security Verify Access Adapter Installation and Configuration Guide
The IBM Security Verify
Access Adapter is designed to create and manage accounts on the IBM
Security Access Manager for Web server. The adapter runs in
"agentless" mode and communicates using the IBM Security Access
Manager RegistryDirect API to the systems being managed.
The IBM Security Verify Governance Adapters are powerful
tools that require Administrator Level authority. Adapters operate much like a
human system administrator, creating accounts, permissions and home
directories. Operations requested from IBM Security Verify server, IBM Security
Verify Privilege Vault, and IBM Security Verify- Governance server will fail if
the adapter is not given sufficient authority to perform the requested task.
IBM recommends that this adapter run with administrative (sec_master)
permissions.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.
Adapter Version
|
Component |
Version |
|
Build Date |
2026 June 23 03.35.52 |
|
Adapter Version |
10.0.8 |
|
Component Versions |
Adapter build: 10.0.8.005 Profile: 10.0.8.005 Connector: 10.0.8.005 Dispatcher 7.0.39 (or higher, packaged separately) |
|
Documentation |
The following guides are available in the IBM Verify Adapters Knowledge Center:
·IBM Security Verify Access Adapter Installation and Configuration Guide |
New Features
|
Internal#
|
Enhancement # (RFE) |
Description |
|
|
|
Items included in current 10.0.8 release |
|
SVGAD-5961 |
ADAPT-236 |
Certify Adapters with IVIG V11 |
|
SVGAD-5961 |
ADAPT-277 |
Certify IVIA adapter with SDI 11 |
|
SVGAD-5961 |
ADAPT-283 |
Add support for IVIA 11.0.2 |
|
SVGAD-5545 |
ADAPT-209 |
Add support for IVIA 11.0.1 |
|
SVGAD-4781 |
ADAPT-212 |
Add support for ISVA 10.0.9 |
|
SVGAD-2392 |
ADAPT-193 |
Add support for ISVA 10.0.8 |
|
SVGAD-2392 |
ADAPT-150 |
Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 (Added support for Conf file generated with PD.jar ) |
|
|
|
Items included in 10.0.7 release |
|
|
|
None |
|
|
|
Items included in 10.0.6 release |
|
SVGAD-1229 |
ADAPT-133 |
Add support for ISVA 10.0.6 |
|
SVGAD-451 |
ADAPT-133 |
Add support for ISVA 10.0.5 |
|
SVGAD-1821 |
ADAPT-150 |
Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 |
|
|
|
Items included in 10.0.5 release |
|
RTC 190879 |
ADAPT-121 |
Add support for ISVA 10.0.4 |
|
|
|
Items included in 10.0.4 release |
|
RTC 190344 |
|
ISVA Internal Changes for SDI Log4j update |
|
|
|
Items included in 10.0.3 release |
|
RTC 189881 |
|
Added support for ISVA 10.0.2 |
|
|
|
Items included in 10.0.2 release |
|
|
|
None |
|
|
|
Items included in 10.0.1 release |
|
|
|
None |
|
|
|
Items included in 7.1.29 version |
|
|
|
None |
|
|
|
Items included in 7.1.28 version |
|
RTC 183244 |
|
Internal - ISAM 9.0.7 support |
|
RTC 184339 |
|
Internal - Attribute value lookup for IGI 5.2.5 |
|
|
Items included in 7.1.27 version |
|
|
|
RTC 182692 |
Add support for IGI 5.2.5
See “Limitation on how to use eritamcred attribute” section for more information. |
|
|
|
Items included in 7.0.26 version |
|
|
Add support for IGI 5.2.2 |
|
|
|
|
Items included in 7.0.25 version |
|
|
Add support for ISAM 9.0 |
|
|
|
RFE76110 |
Add ability to manage Disable Time Interval on each account |
|
|
INT126053 |
*** CHANGE IN DEFAULT BEHAVIOR *** |
|
|
|
Items included in 7.0.24 version |
|
|
None |
|
|
|
|
Items included in 7.0.23 version |
|
|
RFE17072 |
Add ability to manage Max Password Age on each account |
|
|
RFE56722 |
Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited. |
|
|
RFE33651 |
Add ability to synchronize user password to GSO
credentials during account create. |
|
|
RFE61605 |
Boolean flag attributes are always converted to lowercase before checking their value. |
|
|
|
Initial release. |
|
Internal# |
Case# / Known Issue# |
Description |
|
|
|
Items included in current 10.0.8 release |
|
BUG 4345 / SVGAD-2402 |
TS016016975 / DT386351 |
ISVA adapter document update for linux, SSL implementation and customisation. |
|
BUG 4478 / SVGAD-3574 |
TS017993026 / DT422423 |
Reconciliation operation fails if we have any bad entry for groups |
|
|
|
Items included in 10.0.7 release |
|
BUG 4251 / SVGAD-1574 |
TS014902349 / DT365863 |
Unparseable date in TAM Combo reconciliation |
|
|
|
Items included in 10.0.6 release |
|
RTC 190836 |
|
Remove Apache log4j from 3rd party libraries TAM/SVA adapter |
|
|
|
Items included in 10.0.5 release |
|
Bug 3785 RTC 190685 TS008649391 |
|
"Default_Ok" hook restored |
|
|
Items closed in 10.0.4 release |
|
|
Bug 3623 RTC 190036 TS006724428 |
IJ36550 |
Issue While Importing User from ISIM When AD is Used as Federated User Registry. |
|
|
|
Items closed in 10.0.3 release |
|
None |
||
|
|
|
Items closed in 10.0.2 release |
|
Bug 3390 TS004351858 |
IJ31246 |
ObjectClassViolation during tamAdd when using AD federated user registry. |
|
|
|
Items closed in 10.0.1 release |
|
RTC 187878 Bug 3359 TS004188986 |
IJ28694 |
ISAM Adapter returns STATUSCODE 3 when group does not exists in isam, breaks IGI flow. |
|
RTC 187879 Bug 3340 TS004159719 |
IJ28942 |
Recon fails with "Unparseable date" error for unknown attribute |
|
|
|
Items closed in 7.1.29 version |
|
RTC 186402, Bug 3106, TS002983015 |
IJ22617 |
ISAM adapter should restore PwdValid flag to existing value after change password operation |
|
|
|
Items closed in 7.1.28 version |
|
RTC 183804, Bug 2890 |
|
See “Add admin API option on service form” section for more information. |
|
|
|
Items closed in 7.1.27 version |
|
RTC 182698, Bug 2802 |
IJ13310 |
As an ISAM adapter developer, I must ensure that the adapter re-uses the LDAP connections |
|
RTC 182696 |
|
Internal - As an ISAM adapter developer, I must ensure that the operation name in service.def uses proper case |
|
|
|
Items closed in 7.0.26 version |
|
|
|
None |
|
|
|
Items closed in 7.0.25 version |
|
|
IV74759 |
Attempting to modify account with a non-existent group results in whole request failing. |
|
|
|
Items closed in 7.0.24 version |
|
INT123097 |
|
Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request. |
|
|
|
Items closed in 7.0.23 version |
|
INT102186 |
|
The previously deprecated LDAP profile has been removed. Any installations that were using the LDAP profile will need to review the ISAM Service configuration in ISIM after loading the new profile. The service form is different, and some fields will need to be set. |
|
|
|
Initial release. |
|
Internal# |
APAR# |
Case# / Description |
|
|
|
Limitation on how to use eritamcred attribute
Enter the value for eritamcred attribute in this format - “Name of the resource (Web Resource)|username|{clear}password” e.g. zira (Web Resource)|isupport|{clear}password
Please note that the password will be visible in clear text in the logs as option to encrypt the password is not available on IGI currently.
To avoid password in clear text, use the “Synchronize IBM Security Access Manager password in SSO Lockbox” checkbox to set the SSO credential password same as the ISAM account password. |
|
|
|
Adapter does not support modifying the last name (sn) attribute of IBM Security Access Manager account when IBM Security Access Manager Administration API is used since the API does not support modifying the last name. |
|
|
|
Management of non-standard IBM Security Access Manager account attributes is only available for user registries supported by Registry Direct API. |
|
|
|
IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, Registry Direct API and managing non-standard ISAM account attributes are not supported by the adapter for the appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify "mail" attribute of the user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4. |
|
|
|
Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization that was made in order to improve the performance of the reconciliation. In order to reconcile the inetorgperson attributes, edit "tamSearch" assemblyline in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Please refer to this technote for more details. |
|
|
|
The adapter does not support the modification of UID, CN, principal name, and attribute(s) that form the Distinguished Name(DN). |
|
|
|
Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default |
|
|
|
Filtered reconciliation on groups is not supported. |
|
|
|
When "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in IBM Security Access Manager but this is not reflected in the ISIM server. This is due to the RMI protocol not allowing the response to contain the updated account information. In order to work around this limitation, edit the "modify" operation workflow for "IBM Security Access Manager Account" entity to delete "eritamcred" attribute when "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before "MODIFYACCOUNT" extension:
var accountObj =
account.get(); |
|
|
IV71775 |
The "com.tivoli.pd.rgy.jar" API library that can be downloaded from ISAM v8.0.1 appliance includes an incorrect search that will not return GSO enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance. |
|
|
|
Certain user management functions (e.g. enabling GSO) in IBM Security Access Manager do not work if the user ID contains "," and as such "," in the user ID is not supported by the adapter. |
|
|
|
When the Single Signon Capability of an IBM Security Access Manager user account is disabled (i.e. the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence when disabling the Single Signon Capability for a IBM Security Access Manager user account from the IBM Security Identity server, attempting to delete or modify resource credentials in the same request for that account results in "successful with warning" as the GSO credentials cannot be found. |
|
|
|
IBM Security Access Manager Java Admin API does not provide for a CN to be specified when creating a group. This is reflected in the adapter which does not manage this attribute when adding or modifying groups. |
|
|
|
If IBM Security Access Manager is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description will remain unchanged. |
|
|
|
If IBM Security Access Manager is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and first RDN value of the user DN must be the same. This issue is reflected in the adapter: User ID and first RDN value in the user Distinguished Name must be the same. |
|
|
|
If IBM Security Access Manager is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328). |
|
85051 |
|
When using the IBM Security Access Manager API method of reconciliation to reconcile IBM Security Access Manager accounts, if an IBM Security Access Manager account already in the IBM Security Identity registry becomes a malformed IBM Security Access Manager account then IBM Security Identity will identify this malformed IBM Security Access Manager account as no longer existing, and delete it from the IBM Security Identity registry. If the malformed IBM Security Access Manager account does not already exist within the IBM Security Identity server's known IBM Security Access Manager accounts, the account will not be added. This behavior does not provide any warning or failure message by the IBM Security Identity server. See the Installation guide for how to change the adapter configuration regarding this issue. |
|
|
|
During the creation of IBM Security Access Manager accounts when IBM Security Access Manager is configured against Windows Active Directory, the account is created as a GSO user even when the Single Signon Capability for the account is not checked (i.e. There is no request to create the account as a GSO user). This is a reflection of the operation of IBM Security Access Manager when administrating accounts. If GSO credentials are supplied with same request they will be created without warning that IBM Security Access Manager account doesn't have Single Signon Capability. |
|
93688 |
|
When IBM Security Access Manager is configured against Windows Active Directory, IBM Security Access Manager account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new IBM Security Access Manager service account through the IBM Security Identity web console, the "Full name" specified in the Account form must be the same as the "cn" portion of the Distinguished Name. E.g. If a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com, then the "Full name" should also be set to JohnSmith. Not doing so could result in account modification issues. |
|
|
|
Adapter does not check syntax for any non-IBM Security Access Manager account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax. A possible consequence is that operations such as account creation may fail. |
|
|
|
In case an account already has SSO credentials and the checkbox Single Signon Capability is disabled during MODIFY operation, this will delete credentials in IBM Security Access Manager registry, but not in the IBM Security Identity server. A reconciliation is needed to synchronize the account attributes. |
|
|
|
If password synchronization is configured to synchronize passwords from WebSEAL via the IBM Security Identity server to other person accounts, the synchronization with SSO credential passwords is not supported. The synchronization with SSO credential passwords is supported only if the password change is initiated from the IBM Security Identity server, and the corresponding SDI Assembly Line is executed. |
|
|
|
If password synchronization is configured to synchronize passwords from WebSEAL the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the IBM Security Identity Manager Server. |
See the Installation and Configuration guide for IBM Security Verify Governance Adapter for IBM Security Verify Access for detailed instructions.
Corrections to Installation Guide
o Steps or Updates which is mentioned for SDI v10 should be updated to SDI 10 or later version in over all KC.
· Chapter 1: Overview
o No Updates for the current release
· Chapter 2: Planning
o No Updates for the current release
· Chapter 3: Installing
Configuring the IBM Security Verify Access Run Time for Java™ System
Prerequisite:
Configured Runtime in IVIA along with Proper User and User Registries settings
Configuring the IBM Security Directory Integrator Java Runtime Environment into the IBM Security Verify Access secure domain
6. Below step is only for SDI v10. (update this step)
For Linux :
Update Java execution command in <SDI_HOME>/ibmdisrv file like below and restart dispatcher service:
--add-exports java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports java.base/jdk.internal.misc=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED
For Windows:
Update jvmcmdoptions in <timsol_dir>/ibmdiservice.props as below and restart dispatcher service:
jvmcmdoptions=--add-exports=java.base/sun.security.util=ALL-UNNAMED --add-exports=java.base/jdk.internal.misc=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Dlog4j2.configurationFile=etc\log4j2.xml
Chapter 4: Upgrading
o No updates for the current release
Chapter 5: Configuring
o No updates for the current release
Chapter 6: Troubleshooting
While running the command " pdjrtecfg -action config -interactive "
In case of Exception, java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
Set environment variable, set _JAVA_OPTIONS="--add-opens=java.base/sun.security.util=ALL-UNNAMED"
If issue persist then unzip pdjrte.zip and update pdjrtecfg of < pdjrte_dir>/sbin folder. Add --add-opens=java.base/sun.security.util=ALL-UNNAMED in the java command.
If you face same problem in Windows OS then update update pdjrtecfg.bat of < pdjrte_dir>/sbin folder. Add --add-opens=java.base/sun.security.util=ALL-UNNAMED after java command at every place you find java in a file.
While running the command " pdjrtecfg -action config -interactive "
In case of Exception, JVMJ9VM149E java.ext.dirs=C:\Users\ADMINI~1\AppData\Local\Temp\2\pdjrtecfg-5903 is no longer supported. Please add the required libraries/jar files to the classpath.
In windows OS, update pdjrtecfg.bat of < pdjrte_dir>/sbin folder. Update below command by removing %java_ext_flag%.
Execute the configuration command.
java --add-opens=java.base/sun.security.util=ALL-UNNAMED -Dpd.program.files="%PROGRAMFILES%" -Dpd.home="%PD_HOME%" -cp "%PDJ_CLASSPATH%" com.tivoli.pd.jcfg.PDJrteCfg %*
Chapter 7: Reference
· No updates for the current release
Password Synchronization Adapter is no longer included in the adapter package and can be downloaded separately from Passport Advantage. For Access Manager 8.0 or above, Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the ‘IBM Security Verify Governance Adapter Development and Customization Guide’
Support for Customized Adapters
The integration to the IBM Security Verify server "the
adapter framework" is supported. However, IBM does not support the
customizations, scripts, or other modifications. If you experience a problem
with a customized adapter, IBM Support may require the problem to be
demonstrated on the GA version of the adapter before a PMR is opened.
Installation
Platform
The IBM Security Verify Governance Adapter was built and tested on
the following product versions.
Adapter Installation Platform
Due to continuous Java security updates that may be applied to your IBM Security Verify server, IBM Security Verify Privilege Vault, and IBM Security Verify- Governance server, the following SDI releases are the officially supported versions:
Security Directory Integrator 7.2 + FP14
IBM Verify Directory Integrator 11.0.0
Security Verify Directory Integrator 10.0.0 + LA0002** The Dispatcher version 10.0.2 doesn't support installation using LA0002, please install the Dispatcher10 prior to installing LA0002. (validated with pdjrte-10.0.6.0.zip for rgy.conf created by com.tivoli.pd.rgy.jar only and for PD.jar and for com.tivoli.pd.rgy.jar both use pdjrte-11.0.0.0.zip )
Note: Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapters. Please refer to the adapter's installation and configuration guides for the latest update on IBM Security Directory Integrator versions and fix packs
Managed Resource
· IBM Security Verify Access v10.0.2
· IBM Security Verify Access v10.0.4 (pdjrte-10.0.2.0.zip)
· IBM Security Verify Access v10.0.5
· IBM Security Verify Access v10.0.6 (pdjrte-10.0.6.0.zip)
· IBM Security Verify Access v10.0.8 (pdjrte-10.0.8.0.zip / pdjrte-11.0.0.0.zip)
· IBM Security Verify Access v10.0.9 (pdjrte-10.0.9.0.zip / pdjrte-11.0.0.0.zip)
· IBM Verify Identity Access v11.0.1 (pdjrte-10.0.9.0.zip / pdjrte-11.0.0.0.zip)
· IBM Verify Identity Access v11.0.2 (Validated with SDI 11v)
Please note that some IBM Security Access Manager versions are not supported on
some JREs associated with some Operating Systems. Please see the IBM Security
Verify Access Adapter Installation and Configuration Guide for further
information.
Supported IBM Security Verify Governance servers:
· IBM Verify Identity Governance v11.0
· IBM Security Verify Governance Identity Manager v10.0*
· IBM Security Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
Notices
This
information was developed for products and services offered in the U.S.A. IBM
may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that
IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's responsibility to
evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include
technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions
of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such
information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some measurements
may have been estimated through extrapolation. Actual results may vary. Users
of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions
worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft
Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.