IBM Security Verify Governance Adapter 10.0.2 for RSA Authentication Manager - Release notes
IBM Security Verify Governance Adapter 10.0.2 for RSA Authentication Manager is available. Compatibility, installation, and other getting-started issues are addressed.
Installation and Configuration Notes
Updates to the installation guide
Customizing or Extending Adapter Features
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance Server manuals were printed:
· nstallation and Configuration Guide for IBM Security Verify Governance Adapter for RSA Authentication Manager
The IBM Security Verify Governance Adapter for RSA Authentication Manager is designed to create and manage accounts user accounts in the RSA Authentication Manager server. The adapter runs in "agentless" mode and communicates with the RSA Authentication Manager through Enterprise Java Beans (EJBs).
IBM recommends this adapter (and the prerequisite Security Directory Integrator) be installed on each node of an IBM Security Verify Governance Server WebSphere cluster. A single copy of the adapter can handle multiple IBM Security Verify Governance Server services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Security Verify Governance Server Provisioning Policies and Approval Workflow process. Please refer to IBM Security Verify Governance Adapters Knowledge Center for a discussion of these topics.
IBM Security Verify Governance Server adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Verify Governance Server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the product package.
Component |
Version |
Release Date |
2024 August 02 07.50.49 |
Adapter Version |
10.0.2 |
Component Versions |
Adapter build: 10.0.2.5 Profile: 10.0.2.5 Connector: 10.0.2.5 Dispatcher: 7.1.40 |
Documentation |
The following guides are available in the IBM Security Verify Governance Adapters Knowledge Center: · Installation and Configuration Guide for IBM Security Verify Governance Adapter for RSA Authentication Manager · User Guide for IBM Security Verify Governance Adapter for RSA Authentication Manager
|
Component |
Version |
Release Date |
2024 August 02 07.50.49 |
Adapter Version |
10.0.2 |
Component Versions |
Adapter build: 10.0.2.6 Profile: 10.0.2.6 Connector: 10.0.2.6 Dispatcher: 7.1.40 |
Documentation |
The following guides are available in the IBM Security Verify Governance Adapters Knowledge Center: · Installation and Configuration Guide for IBM Security Verify Governance Adapter for RSA Authentication Manager · User Guide for IBM Security Verify Governance Adapter for RSA Authentication Manager |
Internal# |
Enhancement # (RFE)/#Idea |
Description |
|
|
Items included in the current release (10.0.2) |
|
|
None |
|
|
Items included in release (10.0.1) |
|
ADAPT-119 |
RSA SecurID Authentication Manager 8.7 is supported |
RTC 188277 |
|
RSA Authentication Manager 8.5 is supported |
|
|
Items included in the release (7.1.19) |
RTC 184345 |
|
RSA Authentication Manager 8.4 is supported |
|
|
Items included in the release (7.1.18) |
RTC 154247 |
|
RSA Authentication Manager 8.2 is supported. RSA Authentication Manager 8.1.1 is supported.
|
|
|
Items included in the release (7.1.17) |
RTC 152138 |
|
Add Support for Identity Governance and Intelligence (IGI) v5.2.2
This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence.
|
|
|
Items included in the release (7.0.16) |
|
36429 (71209) 40202 (80833) |
ISIM RSA on-demand token support RSA Authentication Manager Adapter v6.0.15 On-Demand provisioning
|
|
|
Items included in the release (7.0.15) |
|
|
Initial release
|
Internal# |
KnowIssue#/Case# |
Description |
|
|
Items closed in the current release (10.0.2) |
SVGAD-2321 |
TS015966156 |
The license check call should be disabled for RSA 8.7 and an RSA 8.7 specific connector should be released. ERROR, CMOMDCRSA1.cibc.cginet,,,,Failed to load product license limit for user count |
|
|
Items closed in release (10.0.1) |
|
|
None |
|
|
Items closed in the release (7.1.19) |
|
|
None |
|
|
Items closed in the release (7.1.18) |
|
|
None |
|
|
Items closed in the release (7.1.17) |
|
|
None |
|
|
Items closed in the 7.0.16 release |
Bugz1815 RTC128412
|
IV75814
|
PMR 25592,200,838 AuthMan adapter throws ArrayIndexOutOfBoundsException when reconciling an identity source with no principals in it. |
|
|
Items closed in the 7.0.15 release |
|
|
Initial release |
Internal# |
Case#/KnownIssue |
Description |
|
|
Adapter fails to modify On Demand Authentication Attributes.
If an account is enabled for On Demand Authentication(ODA), and a modify operation is performed, to update other ODA attributes (for e.g. Delivery Method, SMS Destination Address etc.), the adapter fails. Workaround to update ODA attributes: -Perform modify operation to disable the account for ODA. -Modify account again to enable ODA with new values.
The issue will be fixed in future release.
|
|
|
Wrong status returned during filtered recon
When a filtered recon is executed using a filter like (eruid=name) and "name" is not found in the target resource, the adapter returns a FAILURE status. The adapter should return a SUCCESS status so that IBM Security Verify Governance Adapter will remove the "name" service account from its datastore.
This issue will be fixed in a future release.
|
|
|
Object Class Violation Error on SendOnly Attributes
If the RSA Authentication Manager adapter fails to set one or more send-only attributes · erRsaAmT1ClearSecurIDPin · erRsaAmT2ClearSecurIDPin · erRsaAmT3ClearSecurIDPin · erServicePwd1 · erServicePwd2 · erServicePwd3 · erRsaAmT1RplNextToken · erRsaAmT2RplNextToken · erRsaAmT3RplNextToken on the RSA Authentication Manager server during an ADD or MODIFY operation, then the adapter will return the attribute in the failed attribute list and some versions of the IBM Security Verify Governance Adapter will generate an "Object Class Violation" error. This is an IBM Security Verify Governance Adapter server defect and will be addressed in a future server fix pack.
|
|
|
RSA Authentication Manager Adapter impacts on TDI and other adapters
For the adapter to run correctly, several specific jar files are needed in the runtime environment. Some of these jars interfere with the operation of other adapters or with certain features of the Tivoli Directory Integrator (TDI). In particular, · The TDI 7.1.1 or SDI 7.2 REST service will not run when the RSA Authentication Manager 8.0 or 8.1 Adapter is installed and configured. · Do not install the RSA Authentication Manager Adapter in the same TDI environment with any of the following adapters: Google Apps or Salesforce.
|
|
|
No support for 2-way SSL or SOAP communication The adapter does not support two-way SSL communication with the RSA Authentication Manager server. The adapter also does not support the SOAP protocol when communicating with the RSA Authentication Manager server
|
See the Installation and Configuration guide for IBM Security Verify Governance Adapter for RSA Authentication Manager for detailed instructions.
The following corrections to the Installation Guide apply to this release:
No updates in the current release
No updates in the current release
· In Installing -> Installing the adapter binaries or connector section change below lines
The following connectors are available:
add : - connectors/am87/RsaAuthMgrConnector.jar
add : for RSA 8.7 and later : Copy the resource/RsaAuthmanConfig.properties file to the SDI_HOME/timsol directory.
· In Installing -> Copying JAR files from the RSA Authentication Manager server to the Security Directory Integrator environment
remove:
If you are using RSA Authentication Manager 7.1, complete these steps first:
On the RSA Authentication Manager server, change to the RSA_AM_HOME/appserver/weblogic/server/lib/ directory.
Enter the following command on one line:
java -jar ../../../modules/com.bea.core.jarbuilder_1.0.0.0.jar-profile wlfullclient
If you are using RSA Authentication Manager 8.0, 8.1, or 8.2 the wlfullclient.jar file is already created
remove table :
Add table:
The required JAR files are in the RSA_SDK_HOME/lib/java directory where RSA_SDK_HOME is the directory where you installed the Authentication Manager SDK. You must copy only these files from the RSA_SDK_HOME/lib/java directory into the SDI_HOME/jars/patches/rsa directory.
Jars:
am-client.jar
aopalliance.jar
axis-jaxrpc.jar
axis-saaj.jar
axis.jar
clu-common.jar
commons-beanutils.jar
commons-codec.jar
commons-discovery.jar
commons-httpclient.jar
commons-lang.jar
commons-logging.jar
iScreen-ognl.jar
iScreen.jar
log4j.jar
ognl.jar
spring-aop.jar
spring-beans.jar
spring-context.jar
spring-core.jar
spring-expression.jar
spring-web.jar
wlfullclient.jar
wsdl4j.jar
xercesImpl.jar
xml-apis.jar
New paragraph:
-> Installing in the Verify Governance Virtual Appliance
( Please add this new section at knowledge centre (under Installing > Installing in the Verify Governance Virtual Appliance) for to describe installation procedure of adapter in Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please add this below note as well after adding the description.)
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit IBM Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
No updates in the current release
No updates in the current release
Enabling TLSv1.2 in Security Directory Integrator
Procedure:
1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).
2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:
#####################
# # Protocols to enforce SSL protocols in a SDI Server
# # Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2). # # This can be a multi-valued comma separated property
# # Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# # This is a single value property.
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the /etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the /etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
4. Start the SDI Server process
5. Re-create the problem and collect the /logs/ibmdi.log
Enabling TCB logging starting SDI 7.2 FP 11
SDI 7.2.1 FP 11 introduces following new variable in the global properties: com.ibm.di.logging.close
To enable TCB logging, append the line com.ibm.di.logging.close=false in the etc/global.properties file.
Restart the dispatcher.
Enabling logging starting SDI 7.2 FP 13 on Windows
Copy log4j2.xml from SDI_HOME/etc to SDI_Solution_Dir/etc e.g. from /opt/IBM/SDI/V7.2/etc to /opt/IBM/SDI/V7.2/timsol/etc
Then configure <SDI_Solution_Dir>/ibmdiservice.props with: jvmcmdoptions=-Dlog4j2.configurationFile=etc\log4j2.xml
No updates in the current release
No updates in the current release
Please
add new section “Installing ILMT-Tags File “under the section
Installing in adapter install guide. Under Installing
ILMT-Tags specify below steps.
Before
you begin:
The
Dispatcher must be installed
Procedure:
Copy the files from ILMT-Tags folder to the specified location:
1. Windows: <SDI-HOME>/swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the ‘IBM Security Verify Governance Adapter Development and Customization Guide’
The integration to the IBM Security Verify Governance Server – the adapter framework – is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
The IBM Security Verify Governance Adapter for RSA Authentication Manager was built and tested on the following product versions.
Adapter Installation Platform
Due to continuous Java security updates that may be applied to your IBM Security Verify Governance Server, the following SDI releases are the officially supported versions:
· IBM Security Directory Integrator 7.2 + FP13
Note: Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases
to the officially supported versions by the adapters.
Managed Resource:
· RSA Authentication Manager 8.2
· RSA Authentication Manager 8.4 (use connector in am82, am84 and am85 folder)
· RSA Authentication Manager 8.5 (use connector in am82, am84 and am85 folder)
· RSA SecurID Authentication Manager 8.7
Servers
IBM
Security Verify Governance Identity Manager v10.0 *
IBM Security
Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
This information was developed for products and services offered in
the U.S.A. IBM may not offer the products, services, or features
discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently
available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product,
program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual
property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM
product, program, or service.
IBM may have patents or
pending patent applications covering subject matter described in this
document. The furnishing of this document does not give you any
license to these patents. You can send license inquiries, in writing,
to:
IBM
Director of Licensing
IBM Corporation
North Castle
Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual
Property Licensing
Legal and Intellectual Property Law
IBM
Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa
242-8502 Japan
This information
could include technical inaccuracies or typographical errors. Changes
are periodically made to the information herein; these changes will
be incorporated in new editions of the publication. IBM may make
improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any
references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of
those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your
own risk.
IBM may use or distribute any of the information
you supply in any way it believes appropriate without incurring any
obligation to you.
Licensees of this program who wish to
have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and
other programs (including this one) and (ii) the mutual use of the
End of Release Notes