IBM Security Verify Governance Adapter 10.0.5 for SharePoint Server is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Security Verify Governance Adapter for SharePoint.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance manuals were printed:
The SharePoint Adapter is designed to create and manage user accounts on the SharePoint platform. The adapter runs in "agentless" mode and communicates using the HTTP/S and LDAP protocols. The SharePoint adapter supports stand-alone and Active Directory backed user registries. Other user registries supported by SharePoint have not been tested.
The IBM Security Verify Governance Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Verify Governance and IBM Security Verify Governance Identity Manager will fail if the Adapter is not given sufficient authority to perform the requested task.
Review and agree to the terms of the IBM Security Verify Governance License prior to using this product.
The license can be viewed from the "license" folder included in the product package.
Adapter Version
| Component | Version |
| Build Date | 2026 March 26 23.23.23 |
| Adapter Version | 10.0.5 |
| Component Versions | Adapter build: 10.0.5.3; Profile: 10.0.5.3; Connector: 10.0.5.3; Dispatcher 7.1.39 or higher (packaged separately) |
| Documentation | The following guides are available in the IBM Security Verify Governance Adapters Knowledge Center: Microsoft SharePoint Adapter Installation and Configuration Guide |
New Features
| Internal # | Enhancement # (RFE / Idea) | Description |
| Items included in current release (10.0.5) | | |
| SVGAD-5844 | ADAPT-245 | Update the SharePoint adapter's authentication method (use of JWT certificate credentials and removal of the legacy authentication method) |
| SVGAD-6091 | ADAPT-249 | Certify the adapter for use with IBM Verify Directory Integrator version 11.x |
| Items included in release (10.0.4) | | |
| SVGAD-3990 | ADAPT-155 | Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 |
| SVGAD-3021 | ADAPT-168 | SharePoint Server Subscription Edition Support |
| Items included in release (10.0.3) | | |
| SVGAD-757 | | SharePoint Server 2019 Support |
| Items included in release (10.0.2) | | |
| None | | |
| Items included in release (10.0.1) | | |
| RTC 187957 | RFE 139882 (60930), RFE 131322 (58088) | SharePoint Online Adapter; SharePoint for O365 |
| Items included in release (7.1.9) | | |
| Bug 2963 TS002370664 | RFE 134608 (59299) | SharePoint Integration with IGI and ISAM. Note: For configuration details check SharePoint Site Configuration |
| Items included in release (7.1.8) | | |
| None | | |
| Items included in release (7.1.7) | | |
| None | | |
| Release v7.1.6 | | |
| RTC 154248 | | SharePoint Server 2016 Support |
| Bug 2848 | | NTLM Authentication Support. Note: NTLM Authentication support needs 7.1.1 LAIF 41 (http://www.ibm.com/support/docview.wss?uid=ibm10878657) or 7.2.0 LAIF 20 (http://www.ibm.com/support/docview.wss?uid=ibm10878456). Direct Fix Central links: 7.1.1 Limited Availability Interim Fix 41: https://ibm.biz/Bd2NeZ; 7.2.0 Limited Availability Interim Fix 20: https://ibm.biz/Bd2Ne2 |
| Release v7.1.5 | | |
| | | Add support for IGI 5.2.2. This adapter is now designed for use with IBM Security Identity Manager, IBM Security Privileged Identity Manager, IBM Security Identity Governance and Intelligence, IBM Security Verify Identity and IBM Security Verify Governance. |
Closed Issues
| Internal # | Known Issue | Description |
| Items closed in current release (10.0.5) | | |
| None | | |
| Items closed in release (10.0.4) | | |
| None | | |
| Items closed in release (10.0.3) | | |
| SVGAD-812 | | Account is not created from ISIM when no group is assigned to the user, but a success message is shown on ISIM |
| SVGAD-935 | | SharePoint Server 2019 does not support create, delete and modify operations on IGI |
| SVGAD-59 | | Provide one proper message for the suspend user operation |
| SVGAD-1188 / Bug 4197 | DT243339/TS014086004 | SharePoint create account failing when email address is empty |
| Items closed in release (10.0.2) | | |
| RTC 191058 / Bug 3975 | TS010849873 | ISVG SharePoint Adapter to communicate with SharePoint Online (refer to the "Configuring SharePoint Online for Adapter" section of the SharePoint Adapter Installation and Configuration Guide) |
| RTC 191022 / Bug 3953 | TS010506380 | Recon failing for SharePoint host-named site collection (refer to the "Configuring Adapter with Host Named Site Collection" section of the SharePoint Adapter Installation and Configuration Guide) |
| RTC 190897 / Bug 3853 | TS009402430 | Integrate with SharePoint host-named site collections (refer to the "Configuring Adapter with Host Named Site Collection" section of the SharePoint Adapter Installation and Configuration Guide) |
| Items closed in release (10.0.1) | | |
| Bug 3346 | | IGI does not add user to the SharePoint group |
| Items closed in 7.1.9 release | | |
| None | | |
| Items closed in 7.1.8 release | | |
| Bug 3015 TS002574599 | | SharePoint server error |
| Bug 3072 TS002851426 | | Filtering does not work on SharePoint adapter 6.0.7 |
| Items closed in 7.1.7 release | | |
| Bug 2892 | IJ16315 | TS002574599 / SharePoint recon failed with "'decoded' is null" |
| Release v7.1.6 | | |
| RTC 155612 | | Added TDI 7.1.1 FP5 and SDI 7.2 support |
| Bugz 2272 | | SharePoint Adapter recon user and add user problem |
Known Limitations
| Internal # | APAR # | Case # / Description |
| Internal | NA | The information about SharePoint authentication modes/providers is stored in a configuration file. The adapter reads this file and reconciles the list of authentication providers as supporting data. For details of this file, check the topic Configuring authentication providers in the SharePoint Adapter Installation and Configuration Guide. With the version 7.1.9 release of the adapter, the adapter profile has been updated to expose these SharePoint authentication modes as a support data list on IGI; the authentication mode value can be selected from the list. This change works on IGI 5.2.5 and above. On IGI 5.2.4 and earlier versions there is a text box for the authentication mode attribute (erspdomain) and the values are not listed. To overcome this, when assigning a value to this attribute, use the Authentication Modes Prefix value from the configuration file, for example "i:0#.w|EXAMPLEDOMAIN\" or "i:0#.f|SomeMembershipProvider|". |
| Internal | NA | With the version 7.1.7 release of the adapter, the adapter profile has been updated to expose SharePoint Groups as permissions in IGI. This update exposes a situation in the IGI product when a user requests a permission and the user does not have an account on SharePoint: IGI generates two out events, Create SharePoint account and Assign the permission to the account. Since the group membership is a required attribute on the account, the account creation fails. |
| Internal | N/A | The SharePoint UserGroup web service does not provide the same function as the SharePoint GUI. As a result, some features that are available through the SharePoint GUI are not available through the SharePoint web service. |
| Internal | N/A | If there are two users with the same user name in different domains, the reconciliation will only return one of the users. For example, the Administrator account exists both for the SharePoint Server and the Active Directory domain; only one of these accounts will be returned to Identity Manager. |
See the Installation Guide for IBM Security Verify Governance SharePoint adapter for detailed instructions.
Corrections to Installation guide:
Chapter 1: Overview
No updates for the current release
Chapter 2: Planning
No updates for the current release
Chapter 3: Installing
Procedure
1. Create a temporary directory on the workstation where you want to install the adapter.
2. Extract the contents of the compressed file in the temporary directory.
3. Install the adapter JAR files. Copy the SharePointConnector.jar file from the adapter package to the ITDI_HOME/jars/connectors directory.
4. See Release notes section for 3rd Party Client Libraries that need to be added in ITDI_HOME/jars/patches folder.
5. Enable Unicode. See the JVM information in the Dispatcher Installation and Configuration Guide.
6. Restart the adapter service.
On the SharePoint Domain Details tab
SharePoint hostname/ Site URL
For On-premises Microsoft™ SharePoint, specify the host name or IP address of the SharePoint site.
For Microsoft SharePoint Online, specify the Microsoft SharePoint Online Site URL. For example, https://{domain}.sharepoint.com/sites/{site name}.
Admin Login/ Client ID
For On-premises Microsoft SharePoint, specify the administrator user login.
Note: For NTLM authentication, Administrator login must be in this format: {Domain Name}\{Login Name}.
For Microsoft SharePoint Online, specify the Application (Client) ID from Microsoft Entra ID.
Admin Password/ Client Secret
For On-premises Microsoft SharePoint, specify the password for administrator user.
For Microsoft SharePoint Online, leave this field empty; nothing needs to be entered.
Microsoft SharePoint On-premises and Microsoft SharePoint Online
For On-premises Microsoft SharePoint, select the authentication mode with which the adapter connects to the SharePoint site.
Note: For NTLM Authentication, select OnPrem Claims-Based Authentication.
For Microsoft SharePoint Online, select the option: SharePoint Online
SharePoint site (On-premises only)
Optional: Specify the trailing URL to the SharePoint site. For the SharePoint site subsite with the location http://sharepointhost/subsite, the field entry is subsite. If you leave this field blank, the default value is the top-level SharePoint site.
SharePoint port (On-premises only)
Specify the Microsoft SharePoint server port number. The default is port 80.
Enable SSL
Specifies whether you want to enable secure communications. The default response is not to enable SSL.
Authentication Provider Configuration File (On-premises only)
The file name, including the full path, of the authentication provider file. It lists the authentication providers configured on the Microsoft SharePoint site. While provisioning an account, you can select one of the authentication providers listed in this file.
For more information, see Configuring authentication providers. If the file is stored in the same location as Dispatcher home, for example, TDI_HOME/timsol, you can omit the path and provide only the file name.
Domain Name (Required for SharePoint Online)
Microsoft Entra ID domain name (e.g., contoso.onmicrosoft.com)
Certificate PFX File Path (Required for SharePoint Online)
Full path to PFX file (e.g., /opt/IBM/svgadapters/timsol/SharePoint/certs/certificate.pfx)
Certificate Password (Required for SharePoint Online)
Password used when creating the PFX file
OAuth2 Scope (Required for SharePoint Online)
Scope for SharePoint Online Authentication. Typically, https://{tenant}.sharepoint.com/.default
(e.g., https://contoso.sharepoint.com/.default)
Content of Configuring Adapter with Host Named Site Collection from existing Configuring SharePoint Online for Adapter should be moved here.
Configuring SharePoint Online OAuth2 Authentication (Certificate-Based):
For SharePoint Online, the adapter now supports OAuth 2.0 authentication using certificate-based client credentials flow. This replaces the legacy authentication methods.
A. Microsoft Entra ID Application Registration:
1. Navigate to Microsoft Entra Portal → Microsoft Entra ID → App registrations
2. Click "New registration"
3. Provide application name (e.g., "SharePoint Adapter OAuth2")
4. Select "Accounts in this organizational directory only"
5. No redirect URI needed for this flow
6. Click "Register"
7. Note the Application (client) ID and Directory (tenant) ID
B. Certificate Generation and Upload:
Generate a self-signed certificate or obtain one from a CA. The certificate must be in PFX (PKCS#12) format.
For Linux/Unix Systems (using OpenSSL):
# Step 1: Generate private key (2048-bit RSA)
openssl genrsa -out "{CERT_OUTPUT_PATH}/{CERT_NAME}.key" 2048
# Step 2: Generate certificate (valid for 365 days)
openssl req -new -x509 -key "{CERT_OUTPUT_PATH}/{CERT_NAME}.key" \
-out "{CERT_OUTPUT_PATH}/{CERT_NAME}.cer" \
-days 365 -sha256 \
-subj "/CN={CERT_COMMON_NAME}"
# Step 3: Create PFX file with password
openssl pkcs12 -export \
-out "{CERT_OUTPUT_PATH}/{CERT_NAME}.pfx" \
-inkey "{CERT_OUTPUT_PATH}/{CERT_NAME}.key" \
-in "{CERT_OUTPUT_PATH}/{CERT_NAME}.cer" \
-password "pass:{CERT_PASSWORD}"
Note: Replace the following placeholders:
• {CERT_OUTPUT_PATH} - Your TDI installation path (e.g., /opt/IBM/TDI/V7.2/timsol)
• {CERT_NAME} - Certificate file name (e.g., sharepoint_oauth2)
• {CERT_COMMON_NAME} - Certificate common name (e.g., SharePointOAuth2)
• {CERT_PASSWORD} - Strong password for the PFX file (use a secure password for production)
For Java 8 environments:
If you get certificate loading errors with Java 8, try generating the certificate using legacy OpenSSL options:
# Use -legacy flag for Java 8 compatibility
openssl pkcs12 -export -legacy \
-out "{CERT_OUTPUT_PATH}/{CERT_NAME}.pfx" \
-inkey "{CERT_OUTPUT_PATH}/{CERT_NAME}.key" \
-in "{CERT_OUTPUT_PATH}/{CERT_NAME}.cer" \
-password "pass:{CERT_PASSWORD}"
Note: The -legacy flag creates a PFX file compatible with older Java versions (Java 8 and earlier). This is required because Java 8 may not support the default encryption algorithms used by newer OpenSSL versions.
For Windows Systems (using PowerShell):
# Step 1: Set certificate name
$certname = "{CERT_NAME}" ## Replace {CERT_NAME}
# Step 2: Create self-signed certificate
$cert = New-SelfSignedCertificate `
-Subject "CN=$certname" `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-HashAlgorithm SHA256
# Step 3: Export certificate (public key)
Export-Certificate -Cert $cert `
-FilePath "{CERT_OUTPUT_PATH}\$certname.cer"
# Step 4: Set password for PFX
$mypwd = ConvertTo-SecureString `
-String "{CERT_PASSWORD}" `
-Force -AsPlainText ## Replace {CERT_PASSWORD}
# Step 5: Export PFX file (private key + certificate)
Export-PfxCertificate -Cert $cert `
-FilePath "{CERT_OUTPUT_PATH}\$certname.pfx" `
-Password $mypwd
Note: Replace the following placeholders:
• {CERT_NAME} - Certificate name (e.g., SharePointOAuth2)
• {CERT_OUTPUT_PATH} - Output directory path (e.g., C:\Certificates or C:\IBM\TDI\certs)
• {CERT_PASSWORD} - Strong password for the PFX file (use a secure password for production)
C. Upload Certificate to Microsoft Entra ID:
1. In Microsoft Entra ID app registration → Certificates & secrets
2. Under "Certificates" section, click "Upload certificate"
3. Browse and select the .cer file (public key only) generated in step B. Important: Upload the .cer file, NOT the .pfx file
4. Provide a description (optional, e.g., "SharePoint OAuth2 Certificate")
5. Click "Add" to upload the certificate
6. Note the certificate thumbprint displayed in Microsoft Entra ID (you'll need this for verification)
7. Verify the certificate appears in the certificates list with correct expiration date
D. API Permissions Configuration:
1. In Microsoft Entra ID app registration → API permissions
2. Click "Add a permission"
3. Select "SharePoint" from the list of Microsoft APIs
4. Select "Application permissions" (not Delegated permissions)
5. Add the following required permissions:
· Sites.FullControl.All (for full site access and management)
· User.Read.All (for reading user information)
· Group.Read.All (for reading group information)
6. Click "Add permissions" to save
7. Click "Grant admin consent for {tenant}" (requires Global Administrator role)
8. Confirm the consent by clicking "Yes"
9. Verify all permissions show "Granted for {tenant}" status with green checkmarks
E. Adapter Service Configuration Parameters:
The following parameters must be configured in the SharePoint service:
· Client ID: Application (client) ID from Microsoft Entra ID
· Domain Name: Directory domain name (e.g., contoso.onmicrosoft.com)
· Certificate PFX File Path: Full path to PFX file (e.g., /opt/IBM/svgadapters/timsol/SharePoint/certs/certificate.pfx)
· Certificate Password: Password used when creating the PFX file
· OAuth2 Scope: Typically "https://{tenant}.sharepoint.com/.default" (e.g., https://contoso.sharepoint.com/.default)
Note: The OAuth2 token manager automatically handles token caching and refresh. Tokens are cached for their lifetime (typically 1 hour) with a 5-minute refresh buffer.
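The exchange that section E configures, shown as an added example that is not adapter, IBM or Microsoft code: it builds the JWT client assertion of the certificate-based client credentials flow (header and claim names follow the Microsoft identity platform certificate credentials format; how the adapter lays this out internally is not documented here and is assumed), checks the scope shape from the service form, and implements a token cache with the 5-minute refresh buffer the note describes. The RS256 signing step is injected as a callable so the block runs on the standard library alone; `sign_rs256`, `TokenCache`, `decode_segment` and the constructed values are this example's own names.

```python
"""Added example: JWT client assertion for the Entra ID certificate credentials
flow plus a token cache with a 5-minute refresh buffer. Not adapter code; the
adapter's internal structure is assumed. Header/claim names follow the Microsoft
identity platform certificate credentials format."""
import base64
import hashlib
import json
import re
import time
import uuid

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Scope shape given on the service form: https://{tenant}.sharepoint.com/.default
SCOPE_PATTERN = re.compile(r"^https://[a-z0-9][a-z0-9-]*\.sharepoint\.com/\.default$",
                           re.IGNORECASE)


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment: str) -> dict:
    """Inverse of b64url for a JSON header or claims segment (debugging aid)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def x5t_thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of the DER certificate, base64url-encoded. Entra ID uses
    the 'x5t' header to select the uploaded .cer that must verify the signature;
    a thumbprint mismatch surfaces as 'Failed to obtain access token'."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_client_assertion(tenant, client_id, cert_der, sign_rs256, now=None):
    """Return the signed JWT sent as client_assertion. sign_rs256 receives the
    signing input bytes and returns the raw RSA-SHA256 signature bytes; in
    production it wraps the private key loaded from the PFX file."""
    now = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_thumbprint(cert_der)}
    claims = {
        # Audience is the tenant's token endpoint, not the SharePoint scope.
        "aud": f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion, prevents replay
        "nbf": now,
        "exp": now + 600,          # short-lived assertion (10 minutes)
    }

    def compact(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = f"{compact(header)}.{compact(claims)}"
    return f"{signing_input}.{b64url(sign_rs256(signing_input.encode('ascii')))}"


def validate_scope(scope: str) -> bool:
    """True when the scope has the https://{tenant}.sharepoint.com/.default shape."""
    return SCOPE_PATTERN.match(scope) is not None


def token_request_form(client_id, scope, assertion):
    """Form body POSTed to the token endpoint; rejects a malformed scope up front
    rather than waiting for the 'Invalid scope' error from the service."""
    if not validate_scope(scope):
        raise ValueError(f"scope must look like https://{{tenant}}.sharepoint.com/.default, got {scope!r}")
    return {
        "client_id": client_id,
        "scope": scope,
        "grant_type": "client_credentials",
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }


class TokenCache:
    """Reuses an access token for its lifetime and fetches a new one once fewer
    than REFRESH_BUFFER seconds remain, so no request leaves with a token that
    expires in flight."""
    REFRESH_BUFFER = 300  # 5 minutes

    def __init__(self, fetch_token, clock=time.time):
        self._fetch = fetch_token  # returns {"access_token": ..., "expires_in": seconds}
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self.REFRESH_BUFFER:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
            self.fetch_count += 1
        return self._token
```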
To enable communication between the adapter and SharePoint Online, you must configure keystores for the Dispatcher.
About this task
For more information about SSL configuration, see the Dispatcher Installation and Configuration Guide.
Procedure
1. Open a web browser, and go to https://www.digicert.com/kb/digicert-root-certificates.htm
2. Download the DigiCert Global Root CA and DigiCert Global Root G2 certificates in DER/CRT format.
For Windows:
3. If the Dispatcher already has a configured keystore, use the iKeyman Utility to import the DigiCert Global Root CA and DigiCert Global Root G2 certificates.
4. Navigate to the ITDI_HOME/jvm/jre/bin directory.
5. Start the ikeyman.exe file.
6. From the Key Database File menu, select Open.
7. For the key database type, select JKS.
8. Type the keystore file name: testadmin.jks
9. Type the location: ITDI_HOME/timsol/serverapi
10. Enter the password when prompted. The default password is administrator.
11. Click Signer Certificates in the drop-down menu and click Add.
12. Use Browse to select the downloaded or exported DigiCert Global Root CA and DigiCert Global Root G2 certificates.
13. Click OK to continue. The certificate is added in the certificate store.
For Linux:
3. Navigate to the ITDI_HOME/jvm/jre/bin directory.
cd $ITDI_HOME/jvm/jre/bin
4. Import the DigiCert Global Root CA certificate using the keytool command:
./keytool -import -alias digicertglobalrootca \
-keystore $ITDI_HOME/timsol/serverapi/testadmin.jks \
-file /path/to/DigiCertGlobalRootCA.crt \
-storepass administrator
5. Import the DigiCert Global Root G2 certificate using the keytool command:
./keytool -import -alias digicertglobalrootg2 \
-keystore $ITDI_HOME/timsol/serverapi/testadmin.jks \
-file /path/to/DigiCertGlobalRootG2.crt \
-storepass administrator
6. When prompted, type yes to trust the certificate.
7. Verify the certificates are imported successfully:
./keytool -list -keystore $ITDI_HOME/timsol/serverapi/testadmin.jks \
-storepass administrator | grep digicert
Note: Replace /path/to/ with the actual path where you downloaded the certificate files. The default keystore password is administrator. If you have changed the keystore password, use your custom password instead.
For Verify Governance target management, you can install an IBM Security Verify Governance adapter or a custom adapter on the built-in Security Verify Directory Integrator in the virtual appliance instead of installing the adapter externally. As such, there is no need to manage a separate virtual machine or system.
About this task
This procedure is applicable to install this adapter on the virtual appliance for a selected list of Identity Adapters. See the Identity Adapters product documentation to determine which adapters are supported in Identity Governance and Intelligence, and which can be installed on the virtual appliance.
All Identity Governance and Intelligence supported adapters can be installed externally on the virtual appliance. Depending on the adapter, an external Security Directory Integrator may be required.
See the corresponding Adapter Installation and Configuration Guide for the specific prerequisites, installation and configuration tasks, and issues and limitations. See the Adapters Release Notes for any updates to these references.
Procedure
1. Download the adapter package from the IBM Passport Advantage.
For example, Adapter-
The adapter package includes the following files:
| Files | Descriptions |
| bundledefinition.json | The adapter definition file. It specifies the content of the package, and the adapter installation and configuration properties that are required to install and update the adapter. |
| Adapter JAR profile | A Security Directory Integrator adapter always includes a JAR profile which contains: • targetProfile.json • Service provider configuration • Resource type configuration • SCIM schema extensions • List of assembly lines • A set of assembly lines in XML files • A set of forms in XML files • Custom properties that include labels and messages for supported languages. Use the Target Administration module to import the target profile. |
| Additional adapter specific files | Examples of adapter specific files: • Connector jar files • Configuration files • Script files • Properties files The file names are specified in the adapter definition file along with the destination directory in the virtual appliance. |
2. From the top-level menu of the Appliance Dashboard, click Configure > SDI Management.
3. Select the instance of the Security Directory Integrator for which you want to manage the adapters and click Manage > SDI Adapters.
The SDI Adapters window is displayed with a table that lists the name, version, and any comments about the installed adapters.
4. On the SDI Adapters window, click Install.
5. On the File Upload window, click Browse to locate the adapter package and then click OK.
· For example, Adapter-
· Provide the missing 3rd party libraries when prompted.
6. On the File Upload for Pre-requisite files window, click Select Files.
· A new File Upload window is displayed.
· Browse and select all the missing libraries. For example, httpclient-4.0.1.jar, sapjco3.jar
· Click Open.
· The selected files are listed in the File Upload for Pre-requisite files window.
· Click OK.
· The missing files are uploaded and the adapter package is updated with the 3rd party libraries.
7. Enable secure communication.
· Select the instance of the Security Directory Integrator for which you want to manage the adapter.
· Click Edit.
· Click the Enable SSL check box.
· Click Save Configuration.
· Import the SSL certificate to the IBM Security Verify Directory Integrator server.
· Select the instance of the Security Directory Integrator for which you want to manage the adapter.
· Click Manage > Certificates.
· Click the Signer tab.
· Click Import.
The Import Certificate window is displayed.
· Browse for the certificate file.
· Specify a label for the certificate. It can be any name.
· Click Save.
Note: While uploading the adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system. The Server Message log under the Appliance tab of the VA has a reference to the error com.ibm.identity.sdi.SDIManagementService File ibm.com_IBM_Verify_Identity_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags or already exists in system. This is because the same swidtags can be installed only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Verify_Identity_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Verify_Identity_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Verify_Identity_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Verify_Identity_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. See Security Verify Governance Adapters v10.x to identify the type of the installed adapters.
Before you begin
The steps to install the adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running the Kubernetes cli. The adapterUtil.sh script is also available in the bin directory of the ISIM (IBM Security Verify Governance Identity Manager) Container Starter Kit installation directory (if ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing, uninstalling the adapter or any changes to the configuration yaml. To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the command below to install / upgrade / re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-Sharepoint-*.zip" accept
where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-Sharepoint-*.zip is the location where the adapter zip file is staged on the machine running the Kubernetes cli.
Manually copying files to Persistent Volume
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
· SharePointConnector.jar: copy this file to the <Persistent_Volume>/jars/connectors directory.
· ILMT-Tags: copy the files below to the <Persistent_Volume>/swidtag directory:
· ibm.com_IBM_Verify_Identity_Governance_Compliance-11.0.0.swidtag
· ibm.com_IBM_Verify_Identity_Governance_Enterprise-11.0.0.swidtag
· ibm.com_IBM_Verify_Identity_Governance_Lifecycle-11.0.0.swidtag
Copying 3rd party libraries
Using Script
Use the command below to copy the 3rd party jars (the required jars are listed in the Managed Resource section of the Release Notes; all of them must be copied):
/path/to/adapterUtil.sh -copyToPatches "/path/to/httpclient-*.jar"
This command copies the 3rd party jars to the <Persistent_Volume>/jars/patches directory.
Manually copying files to Persistent Volume
Copy the 3rd party jar files to the <Persistent_Volume>/jars/patches directory (the required jars are listed in the Managed Resource section of the Release Notes; all of them must be copied).
Configuring authentication providers
Using Script
Use the command below to configure the authentication provider:
/path/to/adapterUtil.sh -copyFiles "/path/to/authProvider.json" "/opt/IBM/svgadapters/timsol/SharePoint/"
Copying PFX certificate for SharePoint Online
Using Script
Use the command below to add the pfx file:
/path/to/adapterUtil.sh -copyToExternalKeystore /home/darshanap/sharepoint.pfx
Configuring the SSL connection between the IBM Security Verify Directory Integrator Container and the SharePoint Target
Uploading the certificates
For a non-ISVG-IM container environment, download the certificates as described in the Configuring the SSL connection between the Dispatcher and the SharePoint Online section and place them in the certs directory of the config volume that contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config.
For an ISVG-IM container environment, copy the downloaded root certificate files to the <path_to_starterkit>/config/certs directory on the machine that runs the adapter:
cp <path_to_certificate_that_was_downloaded_from_sharepoint_target> <path_to_starterkit>/config/certs
e.g. cp /home/ibmuser/DigiCertGlobalRootG2.cer /root/isvg/config/certs
Refer to the SVDI page https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates. If the config.yaml file that is used as the YAML_CONFIG_FILE environment variable for the container does not have a trusted-certificates element, follow the instructions on that page to add a trusted-certificates section to the config.yaml file. Provide the path of the certificate in the config.yaml file as shown in the example below:
keyfile:
  trusted-certificates:
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootG2.cer'
Updating the container
Using Script
To update the dispatcher container with the new certificate using the ISVG-IM starter kit, run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Manually
To update the dispatcher container with the new certificate on Kubernetes/OpenShift, run the following commands to create a config map and update the dispatcher-specific yaml:
<kubectl or oc> create configmap <configmap name> --from-file=<path to main isvdi config yaml> --from-file=<directory where certificates are stored> --dry-run=client -o yaml --namespace=<namespace where dispatcher container resides> > <path_to_dispatcher_container_that_runs_this_adapter_yaml>
e.g. kubectl create configmap isvgimsdi --from-file=/root/isvg/config/adapters/isvdi_config.yaml --from-file=/root/isvg/config/certs --dry-run=client -o yaml --namespace=isvgim > /root/isvg/yaml/045-config-adapters.yaml
Then apply the updated yaml of the dispatcher container that runs this adapter:
<kubectl or oc> apply -f <path_to_dispatcher_container_that_runs_this_adapter_yaml>
e.g. oc apply -f /root/isvg/yaml/045-config-adapters.yaml
Finally, restart the container:
<kubectl or oc> rollout restart deployment <isvdi container deployment>
e.g. oc -n isvgim rollout restart deployment isvdi
Enabling TLS 1.2
Refer to the SVDI page https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced. If the config.yaml file that is used as the YAML_CONFIG_FILE environment variable for the container does not have an advanced configuration element, follow the instructions on that page to add an advanced configuration section to the config.yaml file.
No updates for the current release
Enabling TLSv1.2 in Security Directory Integrator
Procedure:
1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Security Directory Integrator (SDI).
2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:
#####################
# Protocols to enforce SSL protocols in a SDI Server
# Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2).
# This can be a multi-valued comma separated property
# Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1, TLSv11, TLSv12).
# This is a single value property.
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
Chapter 6: Troubleshooting
Procedure:
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the < SDI_Solution_Directory >/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
4. Start the SDI Server process
5. Re-create the problem and collect the /logs/ibmdi.log
Logs are not printed in FP13 on Windows OS
To fix this issue, copy the log4j2.xml file from <SDI_Home_Dir>/etc to <SDI_Solution_Dir>/etc (where it was missing). Then configure <SDI_Solution_Dir>/ibmdiservice.props with jvmcmdoptions=-Dlog4j2.configurationFile=etc\log4j2.xml
OAuth2 Authentication Issues:
· Error: "Failed to obtain access token"
- Verify client ID and tenant ID are correct
- Ensure certificate is valid and not expired
- Check certificate password is correct
- Verify certificate thumbprint matches in Azure AD
· Error: "Invalid scope"
- Ensure scope format is correct: https://{tenant}.sharepoint.com/.default
- Verify tenant name matches your SharePoint Online tenant
· Error: "Insufficient permissions"
- Verify API permissions are granted in Azure AD
- Ensure admin consent has been granted
- Check that application permissions (not delegated) are used
· Certificate Issues:
- Verify PFX file is accessible from the adapter
- Check file permissions allow read access
- Ensure certificate is in PKCS#12 format
- Verify certificate contains both public and private keys
· If you encounter "Failed to load certificate" error:
- Verify the certificate path is correct and accessible
- Verify the certificate password is correct
- Check file permissions (certificate files must be readable by the adapter process)
- Ensure the PFX file contains both private key and certificate
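The certificate and scope checks listed above can be run ahead of time. The following is an added example, not code from the adapter or from IBM: it loads the PFX exactly as a PKCS#12 keystore must be loaded, reports whether an entry holds both the private key and its certificate, whether the certificate is within its validity period, prints the SHA-1 thumbprint to compare against the Azure AD app registration, and validates the scope string shape. The class name, the contoso tenant and the command-line arguments are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
// Hypothetical pre-flight checks for the adapter's JWT certificate credential; not adapter code.
public class PfxPreflight {
    // Scope shape the adapter requires: https://{tenant}.sharepoint.com/.default
    static final Pattern SCOPE = Pattern.compile("^https://([a-z0-9-]+)\\.sharepoint\\.com/\\.default$");
    // Returns null when the scope is well formed and names the expected tenant, otherwise the problem.
    static String checkScope(String scope, String expectedTenant) {
        Matcher m = SCOPE.matcher(scope);
        if (!m.matches()) return "Invalid scope format, expected https://{tenant}.sharepoint.com/.default";
        return m.group(1).equalsIgnoreCase(expectedTenant) ? null : "Scope tenant '" + m.group(1) + "' is not '" + expectedTenant + "'";
    }
    // Loads the PFX as PKCS#12, as the adapter does, and reports each finding from the troubleshooting list.
    static List<String> checkPfx(Path pfx, char[] password) throws GeneralSecurityException {
        List<String> findings = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pfx)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);                    // IOException for a wrong password or a non-PKCS#12 file
            for (String alias : Collections.list(ks.aliases())) {
                if (!ks.isKeyEntry(alias)) continue;  // trusted-certificate-only entries carry no private key
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                try { cert.checkValidity(); } catch (GeneralSecurityException ex) { findings.add("Certificate not currently valid: " + ex); }
                // SHA-1 thumbprint as upper-case hex, the form the Azure AD app registration displays
                StringBuilder hex = new StringBuilder();
                for (byte b : MessageDigest.getInstance("SHA-1").digest(cert.getEncoded())) hex.append(String.format("%02X", b));
                findings.add("Thumbprint to compare with the Azure AD app registration: " + hex);
            }
            if (findings.isEmpty()) findings.add("No alias holds both a private key and its X.509 certificate");
        } catch (IOException ex) {
            findings.add("Unreadable or not loadable as PKCS#12 (permissions, wrong password or not a PFX file): " + ex.getMessage());
        }
        return findings;
    }
    public static void main(String[] args) throws Exception {
        System.out.println(checkScope("https://contoso.sharepoint.com/.default", "contoso")); // constructed sample, prints null
        if (args.length == 2) checkPfx(Path.of(args[0]), args[1].toCharArray()).forEach(System.out::println);
    }
}
```

Run it as the same OS user that runs the SDI/adapter process so that the file-permission result reflects what the adapter will see.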
Chapter 7: Reference
No updates for the current release
Installation Platform
The IBM Security Verify Governance SharePoint Adapter was built and tested on the following product versions.
Adapter Installation Platform:
Due to continuous Java security updates that may be applied to your ISVG or ISVGIM servers, the following SDI releases are the officially supported versions:
· Security Directory Integrator 7.2 + FP14
· IBM Verify Directory Integrator 11.0.0
· IBM Security Verify Directory Integrator 10.0.0 + LA0002**
** The Dispatcher version 10.0.2 doesn't support installation using LA0002.
Note: Earlier supported SDI versions may function properly; however, to resolve any communication errors you must upgrade your SDI releases to the versions officially supported by the adapters. Please refer to the adapter's installation and configuration guides for the latest update on the IBM Security Directory Integrator versions and fix packs.
For NTLM authentication use:
· 7.2.0 LAIF 20: http://www.ibm.com/support/docview.wss?uid=ibm10878456
· Direct Fix Central links:
· 7.2.0 Limited Availability Interim Fix 20: https://ibm.biz/Bd2Ne2
Managed Resource:
· SharePoint Server Subscription Edition
· SharePoint Server 2019
· SharePoint Server 2016
· SharePoint Online
3rd Party Client Libraries:
· httpclient-4.5.14.jar
Download the httpclient-4.5.14.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.14
· httpcore-4.4.16.jar
Download the httpcore-4.4.16.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16
· commons-logging-1.2.jar
Download the commons-logging-1.2.jar from https://mvnrepository.com/artifact/commons-logging/commons-logging/1.2
· jjwt-api-0.11.5.jar
Download the jjwt-api-0.11.5.jar from https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-api/0.11.5
· jjwt-impl-0.11.5.jar
Download the jjwt-impl-0.11.5.jar from https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-impl/0.11.5
· jjwt-jackson-0.11.5.jar
Download the jjwt-jackson-0.11.5.jar from https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt-jackson/0.11.5
· jackson-annotations-2.15.2.jar
Download the jackson-annotations-2.15.2.jar from https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-annotations/2.15.2
· jackson-core-2.15.2.jar
Download the jackson-core-2.15.2.jar from https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.15.2
· jackson-databind-2.15.2.jar
Download the jackson-databind-2.15.2.jar from https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.15.2
Supported IBM Security Verify Governance Servers:
· IBM Verify Identity Governance v11.0
· IBM Security Verify Governance Identity Manager v10.0*
· IBM Security Verify Governance v10.0
*Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.