IBM® Security Verify Governance for Command Line Interface (CLIx) 10.0.2 - Release notes
IBM Security Verify Governance Command Line Interface (CLIx) 10.0.2 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Security Verify Governance for Command Line Interface (CLIx) Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance manuals were printed:
· CLIx Adapter Installation and Configuration Guide
The Command Line Interface (CLIx) adapter is an IBM
Identity Manager adapter designed primarily for applications and resources that
do offer a programmable API. Without an API to the managed resource, an adapter
developer is forced to issues command lines from the
Java code to accomplish the required user management tasks.
Built on the IBM Security Directory Integrator framework, the CLI adapter provides all the programming modules needed by an adapter: IBM Security Directory Integrator connector and assembly lines. Instead of calling a set of APIs to perform a specific operation (i.e. create account), the CLI adapter will execute a command script locally on the operating system where the adapter is running. The adapter will pass the attributes as parameters to the command script. The command will perform the requested operation (i.e. create account) and returns the status.
· The CLI adapter package provides a sample CLI profile and a complete set of command line batch files. The sample profile and command line batch files illustrate a fully functional adapter. It’s highly recommended that you review the content of the CLI Sample adapter. The CLI Sample adapter will be referenced throughout this document
Review and agree to the terms of the IBM Security Verify Governance license prior to using this product. The license can be viewed from the
"license" folder included in the product package.
Adapter Version
|
Component |
Version |
|
Build Date |
2025 December 12 11:21:39 |
|
Adapter Version |
10.0.2 |
|
Component Versions |
Assembly Line Version: @10.0.2 Profile: 10.0.2 (CLI Sample adapter) Connector: 10.0.2.31 |
|
Documentation |
The following guides are available in the IBM Knowledge Centre : · Directory Integrator-based CLIX Adapter Installation and Configuration Guide |
New Features
|
Internal# |
Enhancement # (Idea) |
Description |
|
|
|
Items included in this release (10.0.2) |
|
SVGAD-5472 |
ADAPT-231 |
Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 |
|
SVGAD-5472 |
ADAPT-236 |
Certify the adapter for use with IBM Verify Identity Governance version 11.x |
|
|
|
Items included in release (10.0.1) |
|
RTC 191242 |
|
Rebranding to IBM Security Verify Governance |
|
|
|
Items included in release (7.1.4) |
|
|
RTC 154244 |
Initial Release
Note – This adapter works on IGI 5.2.2 FP1 version. |
Closed Issues
|
Internal# |
APAR# / Case# |
PMR# / Description |
|
|
|
Items included in this release (10.0.2) |
|
SVGAD-5566 |
|
The bundledefinition.json is missing in Commandline adapter |
|
|
|
Items included in release (10.0.1) |
|
|
|
None |
|
|
|
Items included in release (7.1.4) |
|
|
|
None |
Known limitations
|
CMVC# |
APAR# |
PMR# / Description |
|
|
|
To prevent
passwords from appearing in clear text in the ibmdi.log file, the connector
checks if any attribute name contains the word ‘pass’ or ‘pwd’.
If yes, then the value of that attribute is masked. If your profile contains
such an attribute, ensure that it contains ‘pass’ or ‘pwd’
so that it does not appear in clear text in the logs. |
|
|
|
With the current
release of the adapter, ‘Replace Only’ operation is supported for multi value
attributes. Add/Del operations may be supported in a future release. |
|
|
|
AL caching may not work for this adapter since the scripts create the connection to the managed resource. The TDI framework cannot cache these types of external connections. |
|
|
|
Passing the
search filter from ISIM to the command line scripts is only supported on UNIX
and Linux platforms. |
|
|
Attribute values
with open and closed brackets are only supported on UNIX and Linux platforms. |
See the IBM Security Verify Governance Adapter Installation Guide for detailed instructions.
No updates for current release
Prerequisites:
Directory Integrator
Remove "IBM
Security Directory Integrator Version 7.1.1 + 7.1.1-TIV-TDI-FP0004 +
7.2.0-ISS-SDI-LA0008" from the description
Replace "IBM® Security
Directory Integrator Version 7.2" in the description with "Please
consult the release notes for the currently supported versions of the product".
Remove "The adapter
supports IBM Security Directory Integrator 7.2, which is available only to
customers who have the correct entitlement. Contact your IBM representative to
find out whether you have the entitlement to download IBM Security Directory
Integrator 7.2." from the note.
IBM Security Verify server
Remove existing description and
update description as below:
The following servers are
supported:
- IBM Verify Identity Governance
- IBM Security Verify Governance
Identity Manager
- IBM Security Verify Governance
Remove "Note: Set the
environmental variable CLASSPATH to Java version 1.5 or later that is required
for the adapter installation or upgrade."
Installing ILMT-Tags File
Before you begin:
The dispatcher must be installed
Procedure:
Copy the files from ILMT-Tags
folder to the specified location:
1. Windows:
<SDI-HOME>\swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
Installing in the Verify Governance
Virtual Appliance (This is applicable only for ISVG)
(Please add this new section at
knowledge centre (under Installing > Installing in
the Verify Governance Virtual Appliance) for CommandLine
Adapter to describe installation procedure of adapter in Verify Governance
Virtual Appliance:
https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance.
Please add this below note as well after adding the description.)
Note: While
uploading the Adapter package, you may receive System Error: A file included
in the SDI Adapter zip already exists on the system and the Server
Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Verify_Identity_Governance_xxxx.swidtag found
in the adapter zip at location ILMT-Tags/ already exists in system. This is
because you can install the same swidtags only once.
So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Verify_Identity_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In
addition to the common swidtag file, an application
adapter needs ibm.com_IBM_Verify_Identity_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter
needs ibm.com_IBM_Verify_Identity_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Verify_Identity_Governance_Compliance-xxxx.swidtag files. So, if an application adapter
is already installed and this is an infra adapter,
then only install the infra-specific swidtags and the
other way around. Please visit IBM
Security Verify Governance Adapters v10.x link to identify the adapter type
of the installed adapters.
Installing
in an IBM Security Verify Directory Dispatcher Container
Before you begin
The steps to install adapter and
related files into the container can be performed using the adapterUtil.sh
script, which is shipped with the dispatcher package. This script should be
staged on the machine running Kubernetes cli. The adapterUtil.sh script is also
readily available in the bin directory of ISIM IBM Security Verify Governance
Identity Manager Container Starter Kit installation directory (If ISVDI was
selected for installation during the ISIM container installation steps).
If, for any reason, the adapter
util script cannot be executed or used, the below manual instructions must be
followed to copy the files to the persistent volume.
Note: The
container must be restarted after installing or uninstalling the adapter and
any changes to the configuration.yaml.
To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh
isvdi
· for OpenShift container: oc
-n isvgim rollout restart deployment isvdi
· for kubernetes container: kubectl -n isvgim rollout restart
deployment isvdi
Note: This
document only describes the adapterUtil.sh command options that are required to
install this adapter. For other command options, such as listing installed
connectors and 3rd party jars, please refer to the Dispatcher10 Installation
and Configuration Guide.
Installing / Upgrading /
Re-installing / Downgrading the adapter
Using Script
Use the below command to install /
upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-CLIx-*.zip"
accept
Where /path/to/adapterUtil.sh is
the location where the adapterUtil.sh script could be found is installed and
/path/to/Adapter-CLIx-*.zip is the location where the Adapter zip file is
staged on the machine running Kubernetes cli.
Manually copying files to
Persistent Volume
Copy the files to the persistent
volume mapped to the /opt/IBM/svgadapters directory
of the container image as per the given directory structure:
CLConnector.jar
Copy this file to the <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Copy below files to the <Persistent_Volume>/swidtag directory:
- ibm.com_IBM_Verify_Identity_Governance_Compliance-11.0.0.swidtag
- ibm.com_IBM_Verify_Identity_Governance_Enterprise-11.0.0.swidtag
- ibm.com_IBM_Verify_Identity_Governance_Lifecycle-11.0.0.swidtag
Enabling debug logs and disabling json-logging
If the config.yaml
file which is used as the YAML_CONFIG_FILE environment variable for the
container doesn't have root-level and json-logging configuration
elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to
the add root-level and json-logging configuration
elements section to the config.yaml file.
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page
from SDI to add root-level and json-logging configuration
elements (if they don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment
variable of the container.
To enable debug logs, set the value
for root-level to debug. To and to disable json logging, set the value for json-logging element
to false.
Uninstalling the adapter
Using Script
Use the below command to remove the
Aadapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-CommandLine
Manually removing files from
the Persistent Volume
Remove files from the given
directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some ILMT-Tags
files might be common with other installed adapters, and hence should not be
removed while uninstalling this adapter:
CLConnector.jar
Remove this file from <Persistent_Volume>/jars/connectors directory.
ILMT-Tags
Remove below
files from <Persistent_Volume>/swidtag directory:
- ibm.com_IBM_Verify_Identity_Governance_Compliance-11.0.0.swidtag
- ibm.com_IBM_Verify_Identity_Governance_Enterprise-11.0.0.swidtag
- ibm.com_IBM_Verify_Identity_Governance_Lifecycle-11.0.0.swidtag
No updates for current release
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
To
<Root
level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in
the <SDI_HOME_Directory>/etc/global.properties file
6. Start the SDI Server process
7. Re-create the problem and
collect the <SDI_Solution_Dir>/logs/ibmdi.log
Logs are not getting printed in
FP13 in Windows OS
Procedure:
1. Copy log4j2.xml file from <SDI_Home_Dir>/etc and add to
the <SDI_Solution_Dir>/etc
(which was missing there).
2. Configure <SDI_Solution_Dir>/ibmdiservice.props
with below parameter:
jvmcmdoptions=-Dlog4j2.configurationFile=etc\log4j2.xml
3. Restart SDI Server process
No updates for current release
No updates for current release
The following design update is not included in accompanied white paper or the sample adapter and will be updated in the next release of the adapter.
Delete attribute values from ISIM: ‘Parsing the command line arguments’ section:
When an attribute value has the string NULL it implies that the value was deleted on the ISIM server. This is true for single and multiple valued attributes. For multiple valued attributes, if the command line contains the attribute name with a value of NULL, it means that all values have been deleted on the ISIM server.
For example:
CLIx\clix-add.bat -s:erSampleCmdServer ACME -s:erServiceUid admin -s:erPassword test -erUid johnd -erPassword changeme -erSampleFirstName John -erSampleLastName Doe -erSampleUserLocation NULL -erSampleMemberOf 101 -erSampleMemberOf 102 -erSampleMemberOf 103 -erSampleUserRole Develope
The value for attribute erSampleUserLocation is the string NULL. The clix-add.bat script must have logic to handle this scenario.
IBM Security Identity Server adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Getting Started
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
Note: If the customization requires a new IBM Security Directory Integrator connector, the developer must also be familiar with IBM Security Directory Integrator connector development and working knowledge of Java programming language.
Support for Customized Adapters
The integration to IBM Security Identity Manager server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Installation Platform
The IBM Security Verify Governance was built and tested on the following product versions.
Adapter Installation Platform:
This adapter installs into Security Directory
Integrator (SDI) and may be installed on any platform supported by the SDI
product and supported by the target system libraries or client, where
applicable. IBM recommends installing SDI on each node of the IBM Security
Identity Server WAS Cluster and then installing this adapter on each instance
of SDI. Supported SDI versions include:
Due to continuous Java security updates that may be
applied to your ISIM or IGI or IVIG servers, the following SDI releases are the
officially supported versions:
Security Directory Integrator 7.2 + FP14
Security Verify Directory Integrator 10.0 FP5
Note: Earlier SDI supported versions may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.
Managed Resource:
Customizable
Verify Governance
IBM Verify Identity Governance 11.x
IBM Security Verify Governance Identity Manager
10.x
IBM Security Verify Governance 10.x*
*Unless this document specifies a specific fix
pack version of ISVG Identity Manager v10, we expect the adapter to work with
ISIM 6 as well. However, it will only be debugged and fixed from the
perspective of ISVG-IM v10
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, IBM logo, AIX, DB2, Domino, Lotus, Tivoli, Tivoli logo, Universal Database, WebSphere, i5/OS, RACF.
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Other company, product, and service names may be trademarks or service marks of others.