Release Notes   




IBM Security Identity Adapter

Dispatcher Component for Directory Integrator-based Adapters



IBM security Identity Adapter Dispatcher Component for Directory Integrator-based Adapters is available. Compatibility, installation, and other getting-started issues are addressed.






           Component Features and Purpose

License Agreement

           Contents of this release

           Installation and Configuration Notes

           Supported Configurations




These Release Notes contain information for the following products that was not available when the IBM Security Identity Server manuals were printed:




Component Features and Purpose

The Dispatcher Component is designed to support integration between Security Directory Integrator and Security Identity Adapter. The Dispatcher is shipped with each Directory Integrator based adapter and is updated to the current release version with each adapter release. This package provides the Dispatcher as a separately shipped component to fast-track upgrade and maintenance delivery.



License Agreement


Review and agree to the terms of the IBM Security Identity Adapter License prior to using this product.

The license can be viewed from the "license" folder included in the product package.


Contents of this Release

Component Version



Release Date

2020 September 03 10.33.01

Package Version


Component Versions

Dispatcher build:


The following guide is available in the IBM Knowledge Centre

·         Dispatcher Installation and Configuration Guide


New Features

Enhancement # (RFE)



Items included in Current version (7.1.40)




Items included in 7.1.39 version


RTC 163389


Ensure that Dispatcher should be forward compatible with Java 8


Items included in current version (7.1.38)


RFE 101574

RTC 155972

Dispatcher enhancements for better problem message transport.


RTC 153754 / 158915 / 158749 / 160519

FIPS 140-2 compliance for SDI/TDI Adapters.

Configuring Tivoli Directory Integrator to run FIPs mode


Items included in 7.1.37 version




Items included in 7.1.36 version

RTC 151778

Add Support for Identity Governance and Intelligence (IGI) v5.2.2


This adapter is now designed for use with IBM Security Identity Manager,

Privileged Identity Manager, and Identity Governance and Intelligence.



Items included in 7.0.35 version







Items included in 7.0.34 version








Items included in7.0.33 version







Items included in 7.0.32 version




Initial Release



Closed Issues




Case# / Description



Items closed in current version (7.1.40)

RTC 187417
Bugz 3216


Case TS003630892/ LDAP recon is causing Dispatcher OOM after upgrading from 6.0.30 to 6.0.39

RTC 187199
Bugz 3198


Case TS003550734/ Issue with case-sensitive filtering in RMI Dispatcher



Items closed in 7.1.39 version


RTC 161480/ 161481




PEN TEST - Enable JVM security by adding RMI authentication

The Java RMI on the provided adapter system provides a remote unauthenticated command injection as the root user on the system.

To resolve this, changes have been made to installer to set following three properties during dispatcher installation:

1.     {protect}-systemqueue.auth.username

2.     {protect}-systemqueue.auth.password

3.     systemqueue.on=false

These properties enables authentication on systemqueue which TDI Server uses for communication.


For details refer Installation and Configuration Notes section.



RTC 162896



PEN TEST - Adapters are not installed with SSL encryption enabled by default

By Default communication with adapters is unencrypted, default communication of sensitive information needs to be encrypted out of the box, with only options to disable encryption.

To enable encryption in TDI system, we set following property to true during dispatcher installation:

By setting this property it enables one-way SSL on TDI-ISIM environment. End user has to configure the SSL setup manually.


For details refer Installation and Configuration Notes section.




Items closed in current version (7.1.38)






Items closed in 7.1.37 version

PMR: 83722,695,760

Bug 2209

RTC 153767



Assembly line cache maintenance is stopped once a request was failed.


PMR: 82636,033,724

Bug 2213

RTC 153767



Dispatcher not closing cached Assembly Lines, so keeping connections open

PMR: 82462,033,724

Bug 2176

RTC 153767



RMI Dispatcher throwing IndexOutOfBoundsException

Internal Bug 1987

RTC 138914


 ISIM: Documentation wrong for RMI Dispatcher for cluster environments




Items closed in 7.1.36 version






Items closed in 7.0.35 version


Internal Bug 2047



Internal report of logging issue in latest dispatcher



PMR: 51402,227,000

RTC 145426


JMX remote connect dispatcher question/issue- System property was set with host name containing only IP address to resolve the JMX remote connect issue.





Items closed in 7.0.34 version



PMR: 00492,499,000



RTC 137454


SSL connections fail to initialize in Dispatcher


For details, refer the "Installation and Configuration Notes, Corrections to Install Guide" section.





Items closed in 7.0.33 version


Internal Bug 1813



When "ITIMAd stop" is executed, respective logs should be appended in ITIMAd_stdout.log file.



Internal Bug 1771


RTC 12560


Submit for doc update for 6.0/7.0 dispatcher docs for ITIMAd reference in /etc/init.2


Internal Bug 1794


RTC 124532



SSL configuration steps incorrect in Dispatcher Install guide




RMI Dispatcher still seems to double the value of AssemblylineCacheTimeout (6.0.32)





Items included in 7.0.32 version




Initial Release



Known Issues




Case# / Description




Dispatcher installation issue on Windows Server 2012 Platform

Installation of dispatcher on Windows Server 2012 fails. In order to install it, the following steps must be followed:


1.     Navigate to the folder ITDI_HOME/jvm/jre/bin

2.     Right click on the java.exe

3.     Select properties and navigate to the Compatibility Tab.

4.     Select the checkbox for "Run this program in compatibility mode for:"

5.     Select the "Windows 7" option from the dropdown menu.

6.     Apply the changes

7.     Run the installer using java –jar DispatcherInstall.jar command from the command prompt.






Service creation fails after test operation is fired, when dispatcher is installed over SDI 7.2.


This problem occurs because SDI 7.2 returns a longer value of the adapter platform than the permissible value, after the test operation is fired. In order to fix this issue, you must add the following to your adapter schema file. (schema.dsml):


<!-- ******************************************************** -->

<!-- erAdapterPlatform                                            -->

<!-- ******************************************************** -->

<attribute-type single-value="true">


<description>Adapter installation platform</description>





Note: Do not add the above if you are using PeopleSoft Adapter (8.5.3)






Reconciliation Operation Issue

The reconciliation operation happens in the form of batches. The batch size is dependent on the "SearchResultSetSize" attribute, specified in the "" file. Thus, the first batch would be reconciliation of "#" accounts, where "#" is nothing but the value specified in the "SearchResultSetSize", and subsequent batches too would be present for reconciliation of the remaining accounts, each batch of the size "#". Now, if an error or timeout occurs while the first batch of accounts is being executed, one would be able to witness that the request has failed along with the relevant error message. However, if error or timeout occurs  while the subsequent batches are being processed, the request would fail, but no error message would be seen along, as in the previous case. This is a server side issue, ISIM recon limitation.



Installation and Configuration Notes 

See the IBM Security Identity Server for Dispatcher Installation Guide for detailed instructions.


Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

            Enabling the FIPS mode


Add the below ‘Enabling the FIPS mode’ section in Chapter 4, after ‘Configuring logging for the adapter’ section.


The keystore file created should be copied to TIMSOL folder and/or the encryption/decryption should be with the newly generated FIPS compliant keystore file.


Note: If FIPS mode is enabled, changes done to any authentication attributes in file  may not get affected  directly and we may get error related decryption in ibmdi.log file. To resolve this error we have to re-encrypt the file with key created for FIPS mode.


Sample command for encryption is:


cryptoutils -input ../timsol/ -output ../timsol/

            -mode encrypt_props -keystore ../server.jck -storepass mypass -alias server

-transformation AES/CBC/PKCS5Padding -storetype jceks -keypass mykeypass

Language package installation

The adapters use a separate language package from the IBM Security Identity Server. See the IBM Security Identity Server library and search for information about installing the adapter language pack.




Enable JVM Security/ Enable SSL

Add below content after #5 in “Installing the Dispatcher in GUI mode section”:


6. Enter the Dispatcher Instance Name. Click Next.

7. Enter the Port number. Click Next.

8. Provide credentials to secure access to the Java Virtual Machine. For more information refer Enabling JVM Security(Hyperlink to this section in dispatcher guide). Click Next.

9. Select SSL level. When the check-box is checked the SSL is enabled. If you wish to disable SSL then deselect the check-box Enable SSL. If you disable SSL the communication therefore will be unencrypted i.e. in plain text. For more information refer “Configuring SSL communication”(Hyperlink to this section in dispatcher guide).






Add the following content in Table 5. in “Installing the Dispatcher in silent mode:












This parameter provides the username for JVM security.








This parameter provides the Password for JVM security.








This parameter provides the retype password filed for JVM security.





Provides SSL level; default value is Enable


































Also change the example for this section:

To install the adapter in silent mode and with one or more custom settings,

use the -D parameter. For example:


-jar DispatcherInstall.jar -i silent











Add following data at 2nd paragraph of “Configuring SSL Communication” section:



As an adapter manages sensitive data of the users it is essential that communication should be encrypted. The SSL facilitates the encrypted communications between an adapter and end resource. SSL requires certificates to be installed.


During installation you may see the panel Enable SSL. The check-box is present on a panel. It is by default checked. When the check-box is checked the SSL is enabled. If you wish to disable SSL then deselect the check-box Enable SSL. If you disable SSL the communication therefore will be unencrypted i.e. in plain text. Whether SSL is enabled or disabled can be verified after installation.

The property "" in is set to true if SSL is enabled otherwise it is set to false.





Add the following content before “Configuring SSL Communication” section.        


Configuring JVM Security

Since WAS and Dispatcher server communicates using RMI. It’s mandatory to secure the JVM.

In order to do so, default dispatcher installation is prompted with providing strong credentials for JVM security. These credentials will be required by an outside RMI process to access the RMI stub. You can always modify the existing credentials by changing following properties in file:







Supported Configurations 

Installation Platform 

The IBM Security Identity Server for Dispatcher was built and tested on the following product versions.

Dispatcher Installation Platform:

This component installs into Tivoli Directory Integrator and may be installed on any platform supported by the product. IBM recommends installing Security Directory Integrator on each node of the Identity Server WebShere cluster and then installing this adapter on each instance of Security Directory Integrator. Supported Security Directory Integrator versions include:


Dispatcher Installation Platform: 


Due to continuous Java security updates that may be applied to your ISIM or PIM servers, the following SDI releases are the officially supported versions:

·         Security Directory Integrator 7.2 + FP6 + 7.2.0-ISS-SDI-LA0019

Earlier versions of TDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapter.


Note:  The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct

Entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.


Managed Resource:



IBM Security Identity Manager:

ISIM v7.0.x


IBM Security Privileged Identity Manager (PIM):



Identity Governance and Intelligence (IGI):

IGI 5.2.x


This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:


IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY  10504-1785 U.S.A.


For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:


Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan


This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
11400 Burnet Road
Austin, TX 78758 U.S.A.


Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.


IBM, the IBM logo, and are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.


End of Release Notes