IBM Security Verify Governance Adapter v10.0.4 for IBM i is available. Compatibility, installation, and other getting-started issues are addressed.
· Preface
· Adapter Features and Purpose
· Installation and Configuration Notes
· Customizing or Extending Adapter Features
· Notices
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance Server manuals were printed:
· IBM Security Verify Governance Adapter for IBM i Installation and Configuration guide
The IBM Security Verify Governance Adapter for IBM i is designed to create and manage accounts on System i. The adapter runs in "agentless" mode and communicates with the System i resource via HTTP.
IBM recommends the installation of this adapter (and the prerequisite IBM Security Directory Integrator) on each node of IBM Security Verify Governance Server WAS cluster. A single copy of the adapter can handle multiple IBM Security Verify Governance Server Services. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Security VerifyGovernance Server Provisioning Policies and Approval Workflow process. Please refer to the IBM Documentation Centre for a discussion of these topics.
IBM Security Verify Governance Server adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Identity Server will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (root) permissions.
Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product.
The license can be viewed from the "license" folder included in the product package.
|
Component |
Version |
|
Build Date |
2025 December 11 02.39.34 |
|
Adapter Version |
10.0.4 |
|
Component Versions |
Adapter build: 10.0.4.002 Profile: 10.0.4.002 Connector: 10.0.4.002 Dispatcher 7.1.39 or higher (packaged separately) |
|
Documentation |
The following guides are available in the IBM Documentation Centre: · IBM Security Verify Governance Adapter for IBM i Installation and Configuration guide |
|
Internal |
Enhancement # IDEA |
Description |
|
|
|
Items included in current release 10.0.4 |
|
|
|
None |
|
|
|
Items included in release 10.0.3 |
|
SVGAD-4799 |
ADAPT-226 |
Support of Access Management to Audit objects and Audit Actions in ISIM / IVIG. |
|
Items included in release 10.0.2 |
||
|
SVGAD-3118 |
ADAPT-170 / ISV-I-1430 |
iSeries Group Management Update: Compatible with Verify/IGI, Does Not Impact ISIM |
|
SVGAD-3806 |
ADAPT-185 |
Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0 |
|
Items included in release 10.0.1 |
||
|
SVGAD-48 |
ISIM-I-4944 |
Upgrade IBM i adapter to support IBM i 7.5 |
|
|
Items included in release 7.1.16 |
|
|
RTC 182718 |
US - As an i5OS adapter developer, I must ensure that the adapter supports attribute value lookup for IGI 5.2.5 |
|
|
|
Items included in release 7.1.15 |
|
|
RTC 168022 |
Add Support for Identity Governance and Intelligence (IGI) v5.2.3. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence. |
|
|
|
Items included in release 7.1.14 |
|
|
RTC 159192 |
US - As an iSeries adapter developer, I need to certify my adapter with current iSeries releases (Adapter is now supported on IBM i7.3) |
|
|
|
Items included in release 7.1.13 |
|
|
|
RTC 151787 |
Add Support for Identity Governance and Intelligence (IGI) v5.2.2.
This adapter is now designed for use with IBM Security Identity Manager,
Privileged Identity Manager, and Identity Governance and Intelligence. |
|
Internal# |
Known Issue# /Case# |
Description |
|
|
|
Items included in the current release 10.0.4 |
|
SVGAD-5181 / Bug 4625 |
|
IBMi Adapter 10.0.2 throws NullPointerException in IGI after upgrade from 7.1.16.57. |
|
|
|
Items included in the release 10.0.3 |
|
SVGAD-5181 |
|
Cannot set the erOS400ObjAuditing value when creating a user. |
|
SVGAD-5140 |
|
When creating a user, ISIM/IVIG reports a failure even though the user was successfully created on IBM i. ISIM/IVIG should return a success or warning instead of a failure. |
|
Items included in the release 10.0.2 |
||
|
SVGAD-2193 / Bug 4311 |
|
Account form (erIDIOS400Account.xml) fails to load in ISIM and displays An error has occurred, if problem persist, contact your system administrator. |
|
Items included in the release 10.0.1 |
||
|
SVGAD-1114 |
Can’t lookup existing groups when trying to modify primary or supplemental groups |
|
|
SVGAD-333 |
DT221923 / TS013041730 |
Remove os400-aut as it doesn't exist in the target |
|
|
|
Items included in release 7.1.16 |
|
RTC 182683 |
|
Internal - As an i5OS developer, I must ensure that the attributemapping.def file has the correct mapping for IGI 525 |
|
|
Items included in release 7.1.15 |
|
|
|
|
None |
|
|
|
Items included in release 7.1.14 |
|
RTC 158168 |
|
US - As an iSeries adapter developer, I need to include a valid copy of iSeriesPwdSync.zip in the adapter package |
|
RTC 158754 |
|
US - As an iSeries adapter developer, I should remove the <replaceMultiValue> tag in service.def |
|
|
|
Items included in release 7.1.13 |
|
|
|
Initial Release |
|
Internal# |
Known Issue# /Case# |
Description |
|
SVGAD-5104 |
|
Due to limitation of IBM Directory Server for IBM iSeries, the eros400auditlevel (Audit Level) attribute supports limited values listed below.
*CMD |
|
SVGAD-5104 |
|
If the connection can’t be initialized, then the user creation remains in a pending state in ISIM. |
See the IBM Security Verify Governance Adapter for IBM i Installation and Configuration guide.
The following corrections to the Installation Guide apply to this release:
Chapter 1: Overview
N/A
Chapter 2: Planning
N/A
è Importing the adapter profile
Before you begin (Add new point)
- For ISIM / IVIG use IMIDOS400Profile.jar and if you are using IGI then ISVGIDOS400Profile.jar
è Installing ILMT-Tags File
(Please add new section "Installing ILMT-Tags" File under the section Installing > Installing ILMT-Tags in install guide.)
Before you begin:
- The Dispatcher must be installed
Procedure:
Copy the files in the ILMT-Tags folder to the specified location:
1. Windows: <SDI-HOME>/swidtag
2. Unix/Linux: <SDI-HOME>/swidtag
-> Installing in the Verify Governance Virtual Appliance
For Verify Governance target management, you can install an IBM Security Verify Governance Adapters or a custom adapter on the built-in Security Directory Integrator in the virtual appliance instead of installing the adapter externally. As such, there is no need to manage a separate virtual machine or system.
About this task
This procedure is applicable to install this adapter on the virtual appliance.
Procedure
1. Download the
adapter package from the IBM Passport Advantage.
For example, Adapter-<Adaptername>.zip.
The adapter package includes the following files:
|
Table 1. Adapter package contents |
|
|
Files |
Descriptions |
|
bundledefinition.json |
The adapter definition file. It specifies the content of the package, and the adapter installation and configuration properties that are required to install and update the adapter. |
|
Adapter JAR profile |
A Security Directory Integrator adapter always include a JAR profile which contains: targetProfile.json o Service provider configuration o Resource type configuration o List of assembly lines A set of assembly lines in XML files A set of forms in XML files Custom properties that include labels and messages for supported languages.
Use the Target Administration module to import the target profile. |
|
Additional adapter specific files |
Examples of adapter specific files: Connector jar files Configuration files Script files Properties files The file names are specified in the adapter definition file along with the destination directory in the virtual appliance. |
|
|
|
2. From the top-level menu of the Appliance Dashboard, click Configure > SDI Management.
3.
Select the instance of the Security Directory Integrator for which you want to
manage the adapters and click Manage > SDI Adapters
The SDI Adapters window is displayed with a table that list the name,
version, and any comments about the installed adapters.
4. On the SDI Adapters window, click Install.
5.
On the File Upload window, click Browse to locate the adapter package
and then click OK.
For example, Adapter-<Adaptername>.zip.
6. Provide the missing 3rd party libraries when prompted.
a.
On the File Upload for Pre-requisite files window, click Select Files.
A new File Upload window is
displayed.
b. Browse and select all the missing libraries and files. For example, httpclient-4.0.1.jar
c.
Click Open.
The selected files are listed in the
File Upload for Pre-requisite files window.
d.
Click OK.
The missing files are uploaded, and the adapter package is updated with the 3rd
party libraries.
7. Enable secure communication.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Edit.
c. Click the Enable SSL check box.
d. Click Save Configuration.
8. Import the SSL certificate to the IBM Security Directory Integrator server.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Manage > Certificates.
c. Click the Signer tab.
d.
Click Import.
The Import Certificate window is displayed.
e. Browse for the certificate file.
f. Specify a label for the certificate. It can be any name.
g. Click Save.
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService File ibm.com_IBM_Verify_Identity_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM_Verify_Identity_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_Verify_Identity_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_IBM_Verify_Identity_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Verify_Identity_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
Before you begin
The steps to install adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running Kubernetes cli. The adapterUtil.sh script is also readily available in the bin directory of ISIM IBM Security Verify Governance Identity Manager Container Starter Kit installation directory (If ISVDI was selected for installation during the ISIM container installation steps).
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and any changes to the configuration yaml. To activate changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-<Adaptername>-*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-<Adaptername>-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.
Manually copying files to Persistent Volume
Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:
ILMT-Tags
Copy below files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Verify_Identity_Governance_Enterprise-xx.x.x.swidtag
ibm.com_IBM_Verify_Identity_Governance_Host_Adapters-xx.x.x.swidtag
Enabling TLS 1.2
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page from SVDI to add an advanced configuration element (if it don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add 2 attr and value key pair (as mentioned in the SVDI guide) as below:
- attr: com.ibm.di.SSLProtocols
value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
value: 'TLSv1.2'
Enabling debug logs and disabling json-logging
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to the add root-level and json-logging configuration elements section to the config.yaml file.
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page from SVDI to add root-level and json-logging configuration elements (if they don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
To enable debug logs, set the value for root-level to debug. To disable json logging, set the value for json-logging element to false.
Uninstalling the adapter
Using Script
Use the below command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-<Adaptername>
Manually copying / removing files to / from the Persistent Volume
Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
ILMT-Tags
Remove below files from <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Verify_Identity_Governance_Enterprise-xx.x.x.swidtag
ibm.com_IBM_Verify_Identity_Governance_Host_Adapters-xx.x.x.swidtag
Chapter 4: Upgrading
Upgrading the adapter profile
Read the adapter Release Notes for any specific instructions before you import a new adapter profile.
The IDOS400Profile.jar and AGIDOS400Profile.jar are included in the IBMi Adapter distribution package.
To upgrade in ISIM/IVIG, use IDOS400Profile.jar. For IGI upgrades, IDOS400Profile.jar is the default choice or use AGIDOS400Profile.jar which retrieves a combined list of primary and secondary groups entitlements for a user account.
Chapter 5: Configuring
No updates for the current release
Chapter 6: Troubleshooting
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the
SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
to
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in
the the <SDI_HOME_Directory>/etc/global.properties file.
6. Start the SDI Server process
7. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log
Logs are not getting printed in FP13 in Windows OS:
To fix this issue copy log4j2.xml file from <SDI_Home_Dir>/etc and add to the <SDI_Solution_Dir>/etc (which was missing there). Then configure <SDI_Solution_Dir>/ibmdiservice.props with
jvmcmdoptions=-Dlog4j2.configurationFile=etc\log4j2.xml
Chapter 6: Reference
Adapter attributes
Table 1. Account Attributes, descriptions and permissions
remove : erOS400Aut Specifies the type of authority. Read and
Configuration Notes
The following configuration notes apply to this release:
None
Customizing or Extending Adapter Features
The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Refer to the IBM Security Verify Governance Adapter Development and Customization Guide
Support for Customized Adapters
The integration to the IBM Security Verify Server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.
Installation Platform
The IBM Security Verify Governance Adapter for was built and tested on the following product versions.
Adapter Installation Platform:
Due
to continuous Java security updates that may be applied to your IBM Security
Verify Governance server and IBM Security Verify Governance Identity Manager
server, the following SDI releases are the officially supported versions:
- Security
Directory Integrator 7.2 + FP14
- Security
Verify Directory Integrator 10.0.0 + LA0002** The
Dispatcher version 10.0.2 doesn't support installation using LA0002, please
install the Dispatcher10 prior to installing LA0002.
Note: Earlier versions of SDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions by the adapters. Please refer to the adapter's installation and configuration guides for the latest update on IBM Security Directory Integrator versions and fix packs
Managed Resource:
IBM i 7.4
IBM i 7.5
Supported IBM Security Verify Governance servers:
· IBM Verify Identity Governance v11.0
· IBM Security Verify Governance Identity Manager v10.0*
· IBM Security Verify Governance v10.0
* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.
If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
End of Release Notes