
Tivoli Identity Manager
Version 5

Active Directory Adapter with 64–bit Support Installation and Configuration Guide

SC23-9479-00
Note:
Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 79.

This edition applies to version 5 of this adapter and to all subsequent releases and modifications until otherwise
indicated in new editions.
© Copyright International Business Machines Corporation 2008. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

Preface . . . . . v
  About this book . . . . . v
  Intended audience for this book . . . . . v
  Publications and related information . . . . . v
    Tivoli Identity Manager library . . . . . v
    Prerequisite product publications . . . . . vii
    Related publications . . . . . viii
    Accessing terminology online . . . . . viii
    Accessing publications online . . . . . ix
    Ordering publications . . . . . ix
  Accessibility . . . . . ix
  Tivoli technical training . . . . . ix
  Support information . . . . . x
  Conventions used in this book . . . . . x
    Typeface conventions . . . . . x
    Operating system-dependent variables and paths . . . . . xi
    Definitions for HOME and other directory variables . . . . . xi

Chapter 1. Overview of the Active Directory adapter . . . . . 1
  Features of the adapter . . . . . 1
  Limitations of the adapter . . . . . 2

Chapter 2. Communication between Active Directory Adapter and the Tivoli Identity Manager server . . . . . 5
  Data Transfer from Tivoli Identity Manager to the adapter . . . . . 5
  Basic configuration for server-to-adapter SSL communication . . . . . 5
  Basic configuration for adapter-to-Active Directory SSL communication . . . . . 5
  Setting up SSL communication between the adapter and Active Directory . . . . . 6
    Installing Enterprise CA in one of the domain controllers in domain . . . . . 6
    Installing the certificate on the workstation where Active Directory Adapter is running . . . . . 6

Chapter 3. Installing and configuring the Active Directory adapter . . . . . 7
  Prerequisites . . . . . 7
  Installing the adapter . . . . . 8
  Importing the adapter profile into the Tivoli Identity Manager server . . . . . 8
  Creating an Active Directory service . . . . . 9
  Configuring the adapter . . . . . 10

Chapter 4. Configuring the Active Directory Adapter for IBM Tivoli Identity Manager . . . . . 11
  Starting the adapter configuration tool . . . . . 11
  Viewing configuration settings . . . . . 12
  Changing protocol configuration settings . . . . . 12
    Configuring event notification . . . . . 16
    Setting event notification triggers . . . . . 19
    Modifying an event notification context . . . . . 20
  Changing the configuration key . . . . . 22
  Changing activity logging settings . . . . . 22
  Changing registry settings . . . . . 24
    Modifying non-encrypted registry settings . . . . . 25
  Changing advanced settings . . . . . 28
  Viewing statistics . . . . . 30
  Changing code page settings . . . . . 30
  Accessing help and additional options . . . . . 30

Chapter 5. Configuring SSL authentication for the Active Directory Adapter . . . . . 33
  Overview of SSL and digital certificates . . . . . 33
    Private keys, public keys, and digital certificates . . . . . 34
    Self-signed certificates . . . . . 34
    Certificate and key formats . . . . . 35
  The use of SSL authentication . . . . . 35
  Configuring certificates for SSL authentication . . . . . 36
    Configuring certificates for one-way SSL authentication . . . . . 36
    Configuring certificates for two-way SSL authentication . . . . . 37
    Configuring certificates when the adapter operates as an SSL client . . . . . 38
  Managing SSL certificates using CertTool . . . . . 39
    Starting CertTool . . . . . 39
    Generating a private key and certificate request . . . . . 41
    Installing the certificate . . . . . 42
    Installing the certificate and key from a PKCS12 file . . . . . 42
    Viewing the installed certificate . . . . . 43
    Installing a CA certificate . . . . . 43
    Viewing CA certificates . . . . . 43
    Deleting a CA certificate . . . . . 43
    Viewing registered certificates . . . . . 44
    Registering a certificate . . . . . 44
    Unregistering a certificate . . . . . 44
    Exporting a certificate and key to PKCS12 file . . . . . 45

Chapter 6. Customizing the Active Directory adapter . . . . . 47
  Step 1: Extend the schema and add the extended attributes . . . . . 47
  Step 2: Copy the ADProfile.jar file and extract the files . . . . . 48
  Step 3: Modify the exschema.txt file . . . . . 48
  Step 4: Update the schema.dsml file . . . . . 49
  Step 5: Modify the CustomLabels.properties file . . . . . 49
  Step 6: Create a new JAR file and install the new attributes on the Tivoli Identity Manager server . . . . . 50

© Copyright IBM Corp. 2008 iii


  Step 7: Optionally modify the adapter form . . . . . 50
  Managing passwords when restoring accounts . . . . . 50
  Configuring the base point for the adapter . . . . . 51

Chapter 7. Upgrading the Active Directory Adapter or the ADK . . . . . 53
  Upgrading the Active Directory Adapter . . . . . 53
  Upgrading the ADK . . . . . 54
    Log files . . . . . 54

Chapter 8. Uninstalling the Active Directory Adapter . . . . . 55
  Uninstalling the adapter from the target server . . . . . 55
  Removing the adapter profile from the Tivoli Identity Manager server . . . . . 55

Appendix A. Files . . . . . 57
  schema.dsml file . . . . . 57
    Object identifier . . . . . 58
    Attribute definition . . . . . 58
    Classes . . . . . 59
  CustomLabels.properties file . . . . . 60

Appendix B. Adapter attributes . . . . . 61
  Attribute descriptions . . . . . 61
  Active Directory Adapter attributes by action . . . . . 68
    System Login Add . . . . . 68
    System Login Change . . . . . 68
    System Login Delete . . . . . 68
    System Login Suspend . . . . . 68
    System Login Restore . . . . . 68
    Reconciliation . . . . . 69

Appendix C. Running in Federal Information Processing Standards compliance mode . . . . . 71
  Configuring the adapter to run in FIPS mode . . . . . 71
  Operational differences running in FIPS mode . . . . . 71
  Security policy . . . . . 72
    Authentication roles . . . . . 72
    Rules of operation . . . . . 72

Appendix D. Accessibility features for the Active Directory Adapter . . . . . 73
  Accessibility features . . . . . 73
  Keyboard navigation . . . . . 73
  IBM and accessibility . . . . . 73

Appendix E. Support information . . . . . 75
  Searching knowledge bases . . . . . 75
    Search the information center on your local system or network . . . . . 75
    Search the Internet . . . . . 75
  Contacting IBM Software Support . . . . . 75
    Determine the business impact of your problem . . . . . 76
    Describe your problem and gather background information . . . . . 77
    Submit your problem to IBM Software Support . . . . . 77

Appendix F. Notices . . . . . 79
  Trademarks . . . . . 80

Index . . . . . 83

iv IBM Tivoli Identity Manager: Active Directory Adapter with 64–bit Support Installation and Configuration Guide
Preface
About this book
The IBM Tivoli Identity Manager Active Directory Adapter (Active Directory
Adapter) enables connectivity between the IBM Tivoli Identity Manager server and
a network of systems running the Active Directory Server. Once the adapter is
installed and configured, IBM Tivoli Identity Manager manages access to Active
Directory resources with your site’s security system. This book describes how to
install and configure the Active Directory Adapter.

Note: The program that is used to connect the managed resource to the Tivoli
Identity Manager server is now called an adapter. The term adapter replaces
the previously used term agent. The user interface used to configure the
adapter still refers to an adapter as an agent.

Intended audience for this book


This book is intended for Microsoft Windows system and security administrators
responsible for installing software on their site’s computer systems. Readers are
expected to understand Windows concepts. The person completing the installation
procedure must also be familiar with their site’s system standards and needs to
have appropriate Active Directory experience and knowledge. Readers must be
able to perform routine Windows system and security administration tasks.

Publications and related information


This section lists publications in the IBM Tivoli Identity Manager library and
related documents. The section also describes how to access Tivoli® publications
online and how to order Tivoli publications.

Read the descriptions of the IBM Tivoli Identity Manager library. To determine
which additional publications you might find helpful, read the “Prerequisite
product publications” on page vii and the “Related publications” on page viii.
After you determine the publications you need, refer to the instructions in
“Accessing publications online” on page ix.

Tivoli Identity Manager library


The publications in the technical documentation library for your product are
organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release information:
• Release Notes
  Provides software and hardware requirements for the product, and additional
  fix, patch, and other support information.
• Read This First card
  Lists the publications for the product.

Online user assistance:
Provides online help topics and an information center for administrative tasks.

Server installation and configuration:
Provides installation and configuration information for the product server.

Problem determination:
Provides problem determination, logging, and message information for the
product.

Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
• Performance and tuning information
  Provides information needed to tune your production environment, available on
  the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity
  Manager products. Click the link for your product, and then browse the
  information center for the Technical Supplements section.
• IBM® Redbooks® and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks
  link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the
  following IBM developerWorks® Web address:
  http://www.ibm.com/developerworks/

Adapter documentation:

The technical documentation library also includes a set of platform-specific
documents for the adapter components of the product. Adapter information is
available on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager
products. Click the link for your product, and then browse the information center
for the adapter information that you want.

Skills and training:

The following additional skills and technical training information were available at
the time that this manual was published:
• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications


To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for your product. Publications are available from
the following locations:
• Active Directory Server
  – Microsoft Windows 2000 Server running Active Directory
    http://www.microsoft.com/windows2000/en/server/help/
  – Microsoft Windows 2003 Server running Active Directory
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/default.asp
  – Microsoft Windows XP Server running Active Directory
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcf_omn_gjjv.asp
• Operating systems
  – IBM AIX
    http://publib16.boulder.ibm.com/pseries/
  – Solaris Operating Environment
    http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux
    http://www.redhat.com/docs/
  – Microsoft® Windows® Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2 Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
    Click the D character in the A-Z list, and then click the link for your product
    to access the product library.
    http://www.ibm.com/software/network/directory
  – Sun Java System Directory Server
    http://www.sun.com/software/products/directory_srvr/home_directory.xml
• WebSphere®
  Additional information is available in the product directory or Web sites.
  http://www.ibm.com/software/webservers/appserv/was/library/
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications
The following documents also provide useful information:
• The Tivoli Software Library provides a variety of Tivoli publications such as
  white papers, datasheets, demonstrations, IBM Redbooks, and announcement
  letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms
  related to Tivoli software. The Tivoli Software Glossary is available from the
  Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing terminology online


The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available at the following
Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product
libraries in one convenient location. You can access the Terminology Web site at the
following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online


IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli Information Center Web
site at http://publib.boulder.ibm.com/tividd/td/link/tdprodlist.html.

In the Tivoli Information Center window, click the letter that matches the first
letter of your product name to access your product library. For example, click M to
access the IBM Tivoli Monitoring library or click O to access the IBM Tivoli
OMEGAMON® library.

Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe® Reader to print letter-sized
pages on your paper.

Ordering publications
You can order many Tivoli publications online at
http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.

You can also order by telephone by calling one of these numbers:
• In the United States: 800-879-2755
• In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli
publications. To locate the telephone number of your local representative, perform
the following steps:
1. Go to http://www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that
   includes the telephone number of your local representative.

Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.

For additional information, see Appendix D, “Accessibility features for the Active
Directory Adapter,” on page 73.

Tivoli technical training


For Tivoli technical training information, refer to the following IBM Tivoli
Education Web site at http://www.ibm.com/software/tivoli/education.

Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
• IBM Support Assistant: You can search across a large collection of known
  problems and workarounds, Technotes, and other information at
  http://www.ibm.com/software/support/isa.
• Obtaining fixes: You can locate the latest fixes that are already available for your
  product.
• Contacting IBM Software Support: If you still cannot solve your problem, and
  you need to work with someone from IBM, you can use a variety of ways to
  contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix E,
“Support information,” on page 75.

Conventions used in this book


This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.

Typeface conventions
This book uses the following typeface conventions:
Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to
    distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons,
    fields, folders, icons, list boxes, items inside list boxes, multicolumn lists,
    containers, menu choices, menu names, tabs, property sheets), labels (such as
    Tip: and Operating system considerations:)
  • Keywords and parameters in text
Italic
  • Citations (examples: titles of books, diskettes, and CDs)
  • Words defined in text (example: a nonswitched line is called a point-to-point
    line)
  • Emphasis of words and letters (words as words example: "Use the word that to
    introduce a restrictive clause"; letters as letters example: "The LUN address
    must start with the letter L.")
  • New terms in text (except in a definition list): a view is a frame in a
    workspace that contains data.
  • Variables and values you must provide: ... where myname represents...
Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to
    distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Operating system-dependent variables and paths
This guide uses the Windows convention for specifying environment variables and
for directory notation.

When using the Unix command line, replace %variable% with $variable for
environment variables and replace each backslash (\) with a forward slash (/) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX®. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.

Definitions for HOME and other directory variables


The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.

The value of path varies for these operating systems:
• Windows: drive:\Program Files
• AIX®: /usr
• Other UNIX: /opt

Path variable: DB_INSTANCE_HOME
  Description: The directory that contains the database for your Tivoli Identity
  Manager product.
  Default definition:
    Windows: path\IBM\SQLLIB
    UNIX:
      – AIX, Linux®: /home/dbinstancename
      – Solaris: /export/home/dbinstancename

Path variable: LDAP_HOME
  Description: The directory that contains the directory server code.
  Default definition:
    For IBM Directory Server Version 5.2
      Windows: path\IBM\LDAP
      UNIX: path/IBM/LDAP
        – AIX, Linux: path/ldap
        – Solaris: path/IBMldaps
    For IBM Directory Server Version 6.0
      Windows: path\IBM\LDAP
      UNIX: /opt/IBM/ldap/
        – AIX, Solaris: /opt/IBM/ldap/
        – Linux: /opt/ibm/ldap/
    For Sun Java System Directory Server
      Windows: path\Sun\MPS
      UNIX: /var/Sun/mps

Path variable: IDS_instance_HOME
  Description: The directory that contains the IBM Directory Server Version 6.0
  instance.
  Default definition (IBM Directory Server Version 6.0):
    Windows: drive\idsslapd-instance_owner_name
      The value of drive might be C:\. An example of instance_owner_name might be
      ldapdb2. For example, the log file might be
      C:\idsslapd-itimldap\logs\ibmslapd.log
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is the
      /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for
      example, the directory is the /export/home/itimldap/idsslapd-itimldap
      directory.

Path variable: HTTP_HOME
  Description: The directory that contains the IBM HTTP Server code.
  Default definition:
    Windows: path\IBMHttpServer
    UNIX: path/IBMHttpServer

Path variable: ITIM_HOME
  Description: The base directory that contains the Tivoli Identity Manager code,
  configuration, and documentation.
  Default definition:
    Windows: path\IBM\itim
    UNIX: path/IBM/itim

Path variable: WAS_HOME
  Description: The WebSphere home directory.
  Default definition:
    Windows: path\IBM\WebSphere\AppServer
    UNIX: path/IBM/WebSphere/AppServer

Path variable: WAS_NDM_HOME
  Description: The home directory on the Deployment Manager.
  Default definition:
    Windows: path\IBM\WebSphere\DeploymentManager
    UNIX: path/IBM/WebSphere/DeploymentManager

Path variable: Tivoli_Common_Directory
  Description: The central location for all serviceability-related files, such as
  logs and first-failure data capture.
  Default definition:
    Windows: path\ibm\tivoli\common\
    UNIX: path/ibm/tivoli/common/

Chapter 1. Overview of the Active Directory adapter
An adapter is a program that provides an interface between a managed resource
and the Tivoli Identity Manager server. Adapters might or might not reside on the
managed resource and the Tivoli Identity Manager server manages access to the
resource by using your security system. Adapters function as trusted virtual
administrators on the target platform, performing such tasks as creating login IDs,
suspending IDs, and performing other functions administrators normally run
manually. The adapter runs as a service, independent of whether a user is logged
on to the Tivoli Identity Manager server.

Features of the adapter


You can use the Active Directory Adapter to automate the following administrative
tasks:
• Creating an Active Directory account
  Use the adapter to create an Active Directory account on Windows 2000 and
  Windows 2003 domain servers.
• Managing an Active Directory account
  Use the adapter to manage an Active Directory account on Windows 2000 and
  Windows 2003 domain servers.
• Managing an Exchange mailbox
  The 64–bit version of the adapter supports Exchange 2007 only. The 64–bit
  adapter has no backward support for Exchange 2000 or 2003.
• Creating home directories
  Use the adapter to create home directories.
• Moving a user in the hierarchy
  A user can be moved between containers managed by the Active Directory
  Adapter by changing the container of the user from Tivoli Identity Manager.

The Active Directory Adapter does not create or manage local system accounts.
Use the Windows Local Account Adapter for this purpose.

The Active Directory Adapter requires administrator authority. IBM Tivoli Identity
Manager requests will fail if the adapter is not given sufficient authority to
perform the requested task.

The adapter must be installed on a Windows 2003 workstation. The Active
Directory Adapter can be installed within the domain being managed or in a
different domain. If the adapter is installed in a different domain, both the domain
being managed and the domain where the adapter is installed must have trusts
configured. For more information on configuring trusts for domains, see the
Microsoft documentation that corresponds to your operating system.

Configure the Active Directory Adapter to support both sub-domains and multiple
domains through the Base Point feature on the adapter service form. While the
best deployment for your environment is based on the topology of your Windows
domain and Active Directory structure, the primary factor is the planned design of
your IBM Tivoli Identity Manager provisioning policies and approval workflow
process. For more information on provisioning policies and approval workflow, see
the Tivoli Identity Manager Information Center.

Limitations of the adapter


Running under an account with sufficient authority, the adapter is able to manage
user accounts and Exchange 2007 mailboxes for all domains within a single forest.
However, some limitations and configuration issues exist:
• In order to manage Exchange 2007 servers, the Exchange 2007 Management
  Tools must be installed on the workstation where the adapter is installed. The
  adapter can manage Active Directory accounts without the Exchange Tools, but it
  needs the tools to manage Exchange mailboxes.
• The adapter cannot manage domains or Exchange servers that are in a different
  forest.
• The adapter cannot create mailboxes on Exchange 2000 or 2003 servers.
• The supporting data returned from a reconciliation only includes groups from
  the domain being reconciled. Local groups from other domains are not returned.
  Although you can join local groups in other domains, you cannot specify groups
  in other domains when sending requests to the adapter.
  In this illustration the user account in Domain 2 is joined directly to a group in
  Domain 1. While this is possible in Active Directory, the adapter does not
  support it.

  [Figure: NOT SUPPORTED. Domain 2 User Account --Join--> Local or Global Group in Domain 1]

  You can use Active Directory to create a universal group and make it a
  member of the group you wish to join. Do not add users directly to the
  universal group. Instead create a group in the local domain and add it to the
  universal group. You can then add users to the group in the local domain. See
  your Microsoft Active Directory documentation for more information. This
  configuration is supported by the adapter.
  With this configuration, you join Domain 2 users to the local group in Domain 2
  and by association they are members of the cross-domain group in Domain 1.

  [Figure: SUPPORTED. Domain 2 User Account --Join--> Local Group in Domain 2 --Member of--> Universal Group --Member of--> Local or Global Group in Domain 1]

• Because you can create multiple service instances on the Tivoli Identity
  Manager server that point to the same adapter, ensure that you do not specify
  base points that overlap. If you use a base point for one service instance that
  contains the base point of another service instance, only the users in the
  contained base point are returned as duplicates of the parent base point.
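A check for the overlapping-base-point condition described in the last item, as an added example (not code from the IBM guide or the adapter): it normalizes each base point DN into RDN components and reports any service whose base point sits inside another service's base point. Service names and DNs in the sample are constructed placeholders.

```powershell
# Added example, not from the IBM guide. Flags overlapping base points before
# they are assigned to service instances that point at the same adapter.

function Get-DnComponents {
    param([string]$Dn)
    # Split on commas that are not escaped, then normalise case and the
    # whitespace around '=' so "OU=Sales, DC=x" and "ou=sales,dc=x" compare equal.
    $parts = $Dn -split '(?<!\\),'
    $parts | ForEach-Object { ($_ -replace '\s*=\s*', '=').Trim().ToLowerInvariant() }
}

function Test-DnContains {
    # True when $Parent equals $Child or is an ancestor of it: the parent's RDNs
    # must match the trailing RDNs of the child (DNs are written leaf-first).
    param([string]$Parent, [string]$Child)
    $p = @(Get-DnComponents $Parent)
    $c = @(Get-DnComponents $Child)
    if ($p.Count -gt $c.Count) { return $false }
    $offset = $c.Count - $p.Count
    for ($i = 0; $i -lt $p.Count; $i++) {
        if ($c[$offset + $i] -ne $p[$i]) { return $false }
    }
    return $true
}

function Find-BasePointOverlap {
    # $BasePoints maps a Tivoli Identity Manager service name to its base point DN.
    param([hashtable]$BasePoints)
    $names = @($BasePoints.Keys)
    foreach ($a in $names) {
        foreach ($b in $names) {
            if ($a -ne $b -and (Test-DnContains -Parent $BasePoints[$a] -Child $BasePoints[$b])) {
                [pscustomobject]@{
                    Parent    = $a
                    Contained = $b
                    Effect    = "users under $($BasePoints[$b]) are reconciled by both services"
                }
            }
        }
    }
}

# Constructed sample (placeholder names and DNs): the third service's base point
# lies inside the first one, so its users would be returned twice.
$sample = @{
    'AD-Corp'      = 'DC=example,DC=local'
    'AD-Sales'     = 'OU=Sales,DC=other,DC=local'
    'AD-Engineers' = 'OU=Engineering, DC=example, DC=local'
}
Find-BasePointOverlap -BasePoints $sample | Format-Table -AutoSize
```

Run it against the base points you plan to enter on each service form; any row it prints is a pair that the guide says must not coexist.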

Chapter 2. Communication between Active Directory Adapter
and the Tivoli Identity Manager server
Data Transfer from Tivoli Identity Manager to the adapter
The Active Directory Adapter is an individual Tivoli Identity Manager software
program that resides on a domain controller or a non-domain controller
workstation. Data is transferred between the Active Directory Adapter and the
Tivoli Identity Manager server using the Directory Access Markup Language
(DAML) protocol. DAML uses Secure Sockets Layer (SSL) to send XML-formatted
messages between the adapter and Tivoli Identity Manager.

Tivoli Identity Manager communicates with the Active Directory Adapter in order
to administer user accounts. When the Tivoli Identity Manager server issues a
request to the Active Directory Adapter, the server opens a TCP/IP connection.
This connection stays open until the adapter completes the request and responds
to the server with an acknowledgement message. After the Tivoli Identity
Manager server receives the anticipated response, it drops the connection to the
adapter.

Basic configuration for server-to-adapter SSL communication


The following information pertains to Tivoli Identity Manager deployment on
either the WebSphere or the WebLogic application server. In this configuration, the
Tivoli Identity Manager server initiates communication with the adapter
(server-to-adapter) using one-way authentication over SSL. The version of the SSL
protocol that is used is either RSA or Open SSL.

Note: From Tivoli Identity Manager 4.6 and onward only the Open SSL protocol is
used.

For more information on SSL, see Chapter 5, “Configuring SSL authentication for
the Active Directory Adapter,” on page 33.

Basic configuration for adapter-to-Active Directory SSL communication
The Active Directory Adapter can reside on a domain controller or a non-domain
controller workstation. Currently the communication between the Active Directory
Adapter and Active Directory is not encrypted; the data sent over the network
is in plain text. The Active Directory Adapter uses a secure authentication method
(no SSL) to identify itself to Active Directory: the Active Directory service form
accepts a user ID and password that the adapter uses to authenticate to Active
Directory. Active Directory uses Kerberos, and possibly NTLM, to authenticate the
Active Directory Adapter. When the user name and password are NULL, ADSI binds
to the object using the security context of the calling thread, which is either the
security context of the user account under which the application is running or
of the client user account that the calling thread represents.

When SSL communication is set up between the adapter and Active Directory, data
is transferred over the network in encrypted form.

Setting up SSL communication between the adapter and Active Directory
To use SSL-based encryption while communicating with Active Directory:
• Active Directory must have Public Key Infrastructure (PKI) enabled. PKI requires that an enterprise certificate authority (CA) is installed on one of the domain controller workstations in the domain. Setting up an enterprise certificate authority causes an Active Directory server to obtain a server certificate that can then be used for SSL-based encryption.
• The certificate must be installed on the workstation on which the Active Directory Adapter is running.

Installing Enterprise CA in one of the domain controllers in the domain
Note: Internet Information Services must be stopped before installing the certificate.
1. Go to Control Panel > Add/Remove Programs > Windows Components. Click Components.
2. Select Certificate Services and click Next.
3. A dialog box is displayed. Click Yes to continue.
4. Select Remote Administration mode. Click Next.
5. Select Enterprise root CA. Click Next.
6. Specify the information to identify this CA. Click Next.
7. Accept the default location, or specify a different location, for the data related to the certificate server. Click Next.
8. If Internet Information Services is running, a dialog box is displayed. Click OK to stop the service and continue with the certificate installation.
9. Click Finish to complete the installation.

Note: A restart of the server is not required for SSL communication.

Installing the certificate on the workstation where Active Directory Adapter is running
1. Get the trusted root certificate from the certificate server. Usually the certificate is in the folder c:\winnt\system32\certsrv\certEnroll. For example, a certificate name might be ps0721.agents2.com_PS0721CA(1).crt.
2. Copy the certificate to the workstation where the Active Directory Adapter is installed.
3. Double-click the certificate.
4. Click Install Certificate.
5. Click Next.
6. Select Place all certificates in the following store and click Browse.
7. Select Show physical stores and, from the tree view, select the folder Local Computer.
8. Click OK.
9. Click Next.
10. Click Finish to complete the installation of the certificate.

Chapter 3. Installing and configuring the Active Directory adapter
Installing and configuring the Active Directory Adapter involves several steps that
you must complete in the appropriate sequence. Review the prerequisites before
you begin the installation process. You can also create an account on the managed
resource for the adapter to use.

Some adapters might be installed automatically with your IBM Tivoli Identity
Manager product. If your adapter is automatically installed with the product, you
do not need to install the adapter. The following sections provide information for
installing and configuring the adapter.
• “Prerequisites”
• “Installing the adapter” on page 8
• “Importing the adapter profile into the Tivoli Identity Manager server” on page 8
• “Creating an Active Directory service” on page 9

Prerequisites
Table 1 identifies hardware, software, and authorization prerequisites for installing
the Active Directory Adapter. Verify that all of the prerequisites have been met
before installing the Active Directory Adapter.
Table 1. Prerequisites to install the adapter

System
    • A 64-bit x86-based microprocessor.
    • A minimum of 256 MB of memory.
    • At least 300 MB of free disk space.
    • If you plan to manage Exchange Mailbox, the Exchange administration tools must be installed.
Operating System
    • Windows 2003
    • Windows 2003 R2
    A Windows Server running Active Directory must be operational in the domain of the system where the adapter is installed.
Network Connectivity
    • TCP/IP network
    • For security purposes, the adapter must be installed on a Windows NT File System (NTFS).
System Administrator Authority
    The person completing the Active Directory Adapter installation procedure must have system administrator authority to complete the steps in this chapter.
Tivoli Identity Manager server
    Version 5

Installing the adapter
If the Active Directory Adapter is not automatically installed with your IBM Tivoli
Identity Manager product, use the adapter installer to manually install the adapter.
The IBM Tivoli Identity Manager Active Directory Adapter installation program is
available for download from the IBM Web site. Contact your IBM account
representative for the Web address and download instructions.

To manually install the adapter, complete these steps.

Note: All directory paths apply to Windows operating systems. Change the
directory paths as needed for UNIX operating systems.
1. Download the Active Directory Adapter compressed file from the IBM Web site.
2. Extract the contents of the compressed file into a temporary directory and
navigate to that directory.
3. Start the installation program using the setup.exe file in the temporary
directory. For example, select Run from the Start menu, and type
C:\TEMP\setup.exe in the Open field.
4. In the Welcome window, click Next.
5. In the License Agreement window, review the license agreement and decide if
you accept the terms of the license. If you do, select Accept and then click
Next.
6. Select the option you want to perform:
• Full installation
• Update installation

Note: If Update Installation is selected in Step 6, the adapter you want to update must already exist; otherwise, the following message is generated:
Adapter is not found at specified location. Can not perform Update Installation. Please correct the path of installed adapter or select Full Installation.
7. In the Select Destination Directory window, specify where you want to install
the adapter in the Directory Name field. You can accept the default location, or
click Browse to specify a different directory. Then, click Next.
8. In the Installation Summary window, review the installation settings. Click
Back to change any of these settings. Otherwise, click Install to begin the
installation.
9. In the Installation Completed window, click Finish to exit the program.

Importing the adapter profile into the Tivoli Identity Manager server
An adapter profile defines the types of resources that the Tivoli Identity Manager
server can manage. The profile is used to create a service on the Tivoli Identity
Manager server. You must import the adapter profile into the Tivoli Identity
Manager server before using the Active Directory Adapter.

Before you import the adapter profile, verify that the following conditions are met:
• The Tivoli Identity Manager server is installed and running.
• You have root or Administrator authority on the Tivoli Identity Manager server.

The adapter profile is included in the JAR file for the adapter, ADProfile.jar. To
import the adapter profile, complete these steps:

1. Log in to the Tivoli Identity Manager server using an account that has the
authority to perform administrative tasks.
2. Import the adapter profile (or service type) using the import service type
feature for your IBM Tivoli Identity Manager product. Refer to the information
center or the online help for specific instructions about importing service types.

When you import the adapter profile, if you receive an error related to the schema,
refer to the trace.log file for information about the error. The trace.log file location
is specified using the handler.file.fileDir property defined in the IBM Tivoli
Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file
is installed in the IBM Tivoli Identity Manager \data directory.

Creating an Active Directory service
You must create a service for the Active Directory Adapter before the Tivoli
Identity Manager server can use the adapter to communicate with the managed
resource. To create a service, complete these steps:
1. Log in to the Tivoli Identity Manager server using an account that has the
authority to perform administrative tasks.
2. Create the service using the information for your Tivoli Identity Manager
product. Refer to the information center or the online help for specific
instructions about creating a service.

To create or change a service, you must use the service form to provide
information for the service. Service forms might vary depending on the adapter.
The Active Directory Adapter service form contains the following fields:
Service Name
Specify a name that defines this Active Directory service on the Tivoli
Identity Manager server. Service Name is a required field.
Description
Specify a description for this service. Description is an optional field.
URL
Specify the location and port number of the Active Directory Adapter. The port number is defined in the protocol configuration using the agentCfg program. For additional information about protocol configuration settings, see “Changing protocol configuration settings” on page 12. URL is a required field.
If https is specified as part of the URL, the adapter must be configured to use SSL authentication. If the adapter is not configured to use SSL authentication, specify http for the URL. For additional information about configuring the adapter to use SSL authentication, see Chapter 5, “Configuring SSL authentication for the Active Directory Adapter,” on page 33.
User Id
Specify the Directory Access Markup Language (DAML) protocol user
name. The user name is defined in the protocol configuration using the
agentCfg program. For additional information about the protocol
configuration settings, see “Changing protocol configuration settings” on
page 12. User Id is a required field.
Password
Specify the password for the DAML protocol user name. This password is defined in the protocol configuration using the agentCfg program. For additional information about the protocol configuration settings, see “Changing protocol configuration settings” on page 12. Password is a required field.
Base Point DN
Specify the DN of the domain name, extended to allow any base point, for
example:
• ou=users,dc=ibm,dc=com
• ADServer/ou=user,dc=ibm,dc=com
Base Point DN is an optional field.
Administration User Account
Specify the user ID that is used to connect to the Active Directory.
Administration User Account is an optional field.
Administration User Password
Specify the password for the user ID that is used to connect to the Active
Directory. Administration User Password is an optional field.

Configuring the adapter
Once you have installed the IBM Tivoli Identity Manager Active Directory Adapter,
configuration is required to ensure that it functions properly.

In order to configure the Active Directory Adapter, complete the following steps:
1. Start the Active Directory Adapter service using the Windows Services Tool.
2. Configure DAML to ensure communication with the Tivoli Identity Manager
Server. For more information on configuring DAML, see “Changing protocol
configuration settings” on page 12.
3. Configure the Active Directory Adapter to communicate with the Tivoli Identity
Manager server by configuring the adapter for event notification. For more
information on configuring event notification, see “Configuring event
notification” on page 16.
4. For secure communication, install a certificate on the workstation where the
adapter resides and on the Tivoli Identity Manager server. For more
information on installing certificates, see Chapter 5, “Configuring SSL
authentication for the Active Directory Adapter,” on page 33.
5. Add optional extended attributes to the schema of the adapter. For more
information on extending the attributes, see Chapter 6, “Customizing the Active
Directory adapter,” on page 47.
6. Install the adapter profile on the Tivoli Identity Manager server. For more
information on installing the adapter profile, see “Importing the adapter profile
into the Tivoli Identity Manager server” on page 8.
7. Configure the adapter service form. For more information on configuring the
service form, see “Creating an Active Directory service” on page 9.
8. Use the agentCfg utility to modify the adapter parameters. For more
information on parameter configuration, see Chapter 4, “Configuring the Active
Directory Adapter for IBM Tivoli Identity Manager,” on page 11.
9. Configure the adapter account form. For more information on configuring the
account form, see “Configuring the base point for the adapter” on page 51.

Chapter 4. Configuring the Active Directory Adapter for IBM Tivoli Identity Manager
Use the adapter configuration program, agentCfg, to view or modify the Active
Directory Adapter parameters. All changes that you make to parameters with this
tool take effect immediately.

Starting the adapter configuration tool
In order to start the adapter configuration tool, agentCfg, for Active Directory
Adapter parameters, complete these steps:
1. From the Start Menu, select Programs > Accessories > Command Prompt.
2. At the command prompt, change to the \bin directory for the adapter. For
example, type the following command, if the Active Directory Adapter is in the
default location:
cd C:\Tivoli\Agents\ADAgent\bin
3. Type the following command:
agentCfg -agent ADAgent
You can also use agentCfg to view or change configuration settings from a
remote computer. See the table in “Accessing help and additional options” on
page 30 for procedures on using additional arguments.
4. At the Enter configuration key for Agent ’ADAgent’ prompt, type the
configuration key for the Active Directory Adapter.
The default configuration key is agent. You must change the configuration key
once installation completes, to prevent unauthorized access to the configuration
of the adapter. See “Changing protocol configuration settings” on page 12 for
procedures to change the configuration key.
The Main Configuration Menu is displayed.
ADAgent 5.0.1000 Agent Main Configuration Menu
-------------------------------------------
A. Configuration Settings.
B. Protocol Configuration.
C. Event Notification.
D. Change Configuration Key.
E. Activity Logging.
F. Registry Settings.
G. Advanced Settings.
H. Statistics.
I. Codepage Support.

X. Done.

Select menu option:

From the Main Menu, you can configure the protocol, view statistics, and modify
settings, including configuration, registry, and advanced settings.
Table 2. Options for the main configuration menu

Option   Configuration task                          For more information
A        Viewing configuration settings              See page 12.
B        Changing protocol configuration settings    See page 12.
C        Configuring event notification              See page 16.
D        Changing the configuration key              See page 22.
E        Changing activity logging settings          See page 22.
F        Changing registry settings                  See page 24.
G        Changing advanced settings                  See page 28.
H        Viewing statistics                          See page 30.
I        Changing code page settings                 See page 30.

Viewing configuration settings
The following procedure describes how to view the Active Directory Adapter
configuration settings.
1. At the Agent Main Configuration Menu, type A. The configuration settings for
the Active Directory Adapter are displayed. The following screen is an example
of the Active Directory Adapter configuration settings.
Configuration Settings
-------------------------------------------
Name : ADAgent
Version : 5.0.1000
ADK Version : 5.01
ERM Version : 5.01
Adapter Events : TRUE
License : NONE
Asynchronous ADD Requests : FALSE (Max.Threads:3)
Asynchronous MOD Requests : FALSE (Max.Threads:3)
Asynchronous DEL Requests : FALSE (Max.Threads:3)
Asynchronous SEA Requests : FALSE (Max.Threads:3)
Available Protocols : DAML
Configured Protocols : DAML
Logging Enabled : TRUE
Logging Directory : C:\Tivoli\Agents\ADAgent\log
Log File Name : ADAgent.log
Max. log files : 3
Max.log file size (Mbytes) : 1
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
Thread Logging Enabled : FALSE

Press any key to continue

2. Press any key to return to the Main Menu.

Changing protocol configuration settings
The Active Directory Adapter uses the DAML protocol to communicate with the
Tivoli Identity Manager server. By default, when the adapter is installed, the
DAML protocol is configured to be used in nonsecure mode. In order to configure
a secure environment, you must configure the DAML protocol to use SSL and
install a certificate. Refer to “Installing the certificate” on page 42 for more
information about installing certificates.

In previous versions of this adapter, you could add and remove protocols.
However, in the latest version of this adapter, the DAML protocol is the only
supported protocol that you can use. Therefore, you will not need to add or
remove a protocol.

In order to configure the DAML protocol for the Active Directory Adapter,
complete the following steps:
1. At the Agent Main Configuration Menu, type B. The DAML protocol is
configured and available by default for the Active Directory Adapter.
Agent Protocol Configuration Menu
-----------------------------------
Available Protocols: DAML
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.

X. Done

Select menu option

2. At the Agent Protocol Configuration Menu, type C. The Configure Protocol Menu is displayed.
Configure Protocol Menu
-----------------------------------
A. DAML

X. Done

Select menu option:

3. At the Configure Protocol Menu, type A to select the DAML protocol. The DAML Protocol Properties menu is displayed. The properties on your menu might be different from the ones shown in the examples.
The following screen is an example of the DAML protocol properties:
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection.
F. SRV_NODENAME ––––– ;Event Notif. Server name.
G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number.
H. HOSTADDR ANY ;Listen on address < or "ANY" >
I. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
J. REQUIRE_CERT_REG FALSE ;Require registered certificate.

X. Done

Select menu option:

4. Type the letter of the menu option for the protocol property that you want to
configure.
See Table 3 on page 14 below for additional information about the properties
that you can configure for the DAML protocol.

Table 3. Options for the DAML protocol menu

A. USERNAME
    The following prompt is displayed:
    Modify Property ’USERNAME’:
    Type a user ID. This value is the user ID that the Tivoli Identity Manager server uses to connect to the adapter. The default user ID is agent.

B. PASSWORD
    The following prompt is displayed:
    Modify Property ’PASSWORD’:
    Type a password. This value is the password for the user ID that the Tivoli Identity Manager server uses to connect to the adapter. The default password is agent.

C. MAX_CONNECTIONS
    The following prompt is displayed:
    Modify Property ’MAX_CONNECTIONS’:
    Enter the maximum number of concurrent open connections that the adapter supports. The default number is 100.

D. PORTNUMBER
    The following prompt is displayed:
    Modify Property ’PORTNUMBER’:
    Type a different port number. This value is the port number that the Tivoli Identity Manager server uses to connect to the adapter. The default port number is 45580.

E. USE_SSL
    The following prompt is displayed:
    Modify Property ’USE_SSL’:
    Enter TRUE or FALSE to specify whether a secure SSL connection will be used to connect to or from the adapter. The default value is FALSE.
    You must install a certificate when USE_SSL is set to TRUE. For more information on certificate installation, see “Installing the certificate” on page 42.
    Note: By default, event notification requires USE_SSL set to TRUE. To use event notification, you must set USE_SSL to TRUE and add a certificate and key from the PKCS12 file in the adapter.

F. SRV_NODENAME
    The following prompt is displayed:
    Modify Property ’SRV_NODENAME’:
    Type a server name or an IP address, for example, 9.38.215.20. This value is the DNS name or IP address of the Tivoli Identity Manager server that is used for event notification and asynchronous request processing.
    Note: If your platform supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server.

G. SRV_PORTNUMBER
    The following prompt is displayed:
    Modify Property ’SRV_PORTNUMBER’:
    Type a different port number to access the Tivoli Identity Manager server. This value is the port number that the adapter uses to connect to the Tivoli Identity Manager server. The default port number for WebLogic is 7002. The default port number for WebSphere Application Server (WAS) is 9443.

H. HOSTADDR
    The HOSTADDR option is useful when the system where the adapter is running has more than one network adapter. The user can select which IP address the adapter listens on. The default value is ANY.

I. VALIDATE_CLIENT_CE
    The following prompt is displayed:
    Modify Property ’VALIDATE_CLIENT_CE’:
    Type TRUE to require the Tivoli Identity Manager server to send a certificate when it communicates with the adapter. Type FALSE to allow the Tivoli Identity Manager server to communicate with the adapter without a certificate. The default value is FALSE.
    Notes:
    1. If you set this option to TRUE, you must configure options D through I.
    2. The property name is actually VALIDATE_CLIENT_CERT. It is truncated by agentCfg to fit onto the screen.
    3. You must use CertTool to install the appropriate CA certificates and optionally register the Tivoli Identity Manager server certificate. For more information on using CertTool, see “Managing SSL certificates using CertTool” on page 39.

J. REQUIRE_CERT_REG
    The following prompt is displayed:
    Modify Property ’REQUIRE_CERT_REG’:
    This value only applies when option I is set to TRUE. Type TRUE to require the client certificate from the Tivoli Identity Manager server to be registered with the adapter before it will accept an SSL connection. Type FALSE to require that the client certificate only be verified against the list of CA certificates. The default value is FALSE.
    For more information on certificates, see Chapter 5, “Configuring SSL authentication for the Active Directory Adapter,” on page 33.

5. At the prompt, change the value, and press Enter. The Protocol Properties Menu is displayed with your new settings.
If you do not want to change the value, just press Enter to return to the Protocol Properties Menu.
6. Repeat steps 4 and 5 to configure as many protocol properties as you need to.
7. At the Protocol Properties Menu, type X to exit the menu.
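The following worked example is added here and is not code from the adapter or from IBM; it models, in Python, how the DAML listener properties in Table 3 and the service form's URL field fit together. USE_SSL decides whether a TLS context exists at all, VALIDATE_CLIENT_CERT (the full name of the truncated VALIDATE_CLIENT_CE property) maps to requiring a client certificate, and REQUIRE_CERT_REG only matters once a client certificate is validated. The guide does not say how CertTool matches a registered certificate, so the example assumes a SHA-256 fingerprint of the DER bytes; the configuration dictionary, the `hardening_findings` checks and the constructed certificate bytes are the example's own assumptions.

```python
import hashlib
import ssl
from urllib.parse import urlparse

# Constructed: the DAML Protocol Properties defaults as shown by agentCfg.
DEFAULT_DAML_CONFIG = {
    "USERNAME": "agent",
    "PASSWORD": "agent",
    "MAX_CONNECTIONS": 100,
    "PORTNUMBER": 45580,
    "USE_SSL": False,
    "VALIDATE_CLIENT_CERT": False,   # shown truncated as VALIDATE_CLIENT_CE
    "REQUIRE_CERT_REG": False,
}


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate (assumed registration key)."""
    return hashlib.sha256(der_bytes).hexdigest()


def build_server_context(cfg, ca_file=None):
    """Map the menu settings onto a TLS server context.

    Returns None when USE_SSL is FALSE, i.e. the plain-text DAML listener.
    """
    if not cfg["USE_SSL"]:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # VALIDATE_CLIENT_CERT TRUE: the Tivoli Identity Manager server must present a
    # certificate that chains to a CA certificate installed with CertTool.
    ctx.verify_mode = ssl.CERT_REQUIRED if cfg["VALIDATE_CLIENT_CERT"] else ssl.CERT_NONE
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def requires_client_cert(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED


def accept_client(cfg, registered, presented_der, chain_ok):
    """Decide whether an incoming connection from the server is accepted.

    registered: set of fingerprints registered with CertTool.
    presented_der: the client's DER certificate, or None if none was sent.
    chain_ok: whether the TLS layer verified it against the installed CA list.
    Returns (accepted, reason).
    """
    if not cfg["USE_SSL"]:
        return True, "plain-text DAML; no certificate checks apply"
    if not cfg["VALIDATE_CLIENT_CERT"]:
        return True, "SSL without a client certificate (adapter authenticated only)"
    if presented_der is None:
        return False, "client certificate required but none presented"
    if not chain_ok:
        return False, "client certificate does not chain to an installed CA certificate"
    if cfg["REQUIRE_CERT_REG"] and fingerprint(presented_der) not in registered:
        return False, "client certificate is not registered with the adapter"
    return True, "client certificate accepted"


def check_service_url(url, cfg):
    """The service form URL must agree with USE_SSL: https needs TRUE, http needs FALSE."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        return False, "URL scheme must be http or https"
    if scheme == "https" and not cfg["USE_SSL"]:
        return False, "URL uses https but the adapter's USE_SSL is FALSE"
    if scheme == "http" and cfg["USE_SSL"]:
        return False, "URL uses http but the adapter listens with SSL"
    return True, "URL matches the protocol configuration"


def hardening_findings(cfg):
    """Settings a reviewer would want changed before the adapter enters service."""
    findings = []
    if cfg["USERNAME"] == "agent" or cfg["PASSWORD"] == "agent":
        findings.append("DAML USERNAME/PASSWORD still at the installation default 'agent'")
    if not cfg["USE_SSL"]:
        findings.append("USE_SSL is FALSE: DAML requests, including passwords, cross the network in clear text")
    elif not cfg["VALIDATE_CLIENT_CERT"]:
        findings.append("VALIDATE_CLIENT_CERT is FALSE: only the DAML user name and password authenticate the server")
    if cfg["REQUIRE_CERT_REG"] and not cfg["VALIDATE_CLIENT_CERT"]:
        findings.append("REQUIRE_CERT_REG has no effect while VALIDATE_CLIENT_CERT is FALSE")
    return findings
```

Read `hardening_findings(DEFAULT_DAML_CONFIG)` as the state of a freshly installed adapter: the default DAML credentials and the plain-text listener are exactly the two items the configuration steps in this chapter are meant to change.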

Configuring event notification
Event notification is a feature of the Active Directory Adapter that updates the
Tivoli Identity Manager server at set intervals. Event notification detects changes
that are made on the managed resource and updates the Tivoli Identity Manager
server with the changes. You can enable event notification if you want to have
updated information from the managed resource sent back to the Tivoli Identity
Manager server between full reconciliations. Event notification is not intended to
replace reconciliations on the Tivoli Identity Manager server.

When event notification is enabled, a database of the reconciliation data is kept on the workstation where the adapter is installed. The database is updated with the changes that are requested by the Tivoli Identity Manager server and will remain synchronized with the server. You can specify an interval for the event notification process to compare the database to data that currently exists on the managed resource. When the interval has elapsed, any differences between the managed resource and the database are forwarded to the Tivoli Identity Manager server and updated in the local snapshot database.

There are several steps to enabling event notification. These steps assume that the
adapter is communicating successfully with the managed resource and the Tivoli
Identity Manager server.

First, you must configure the host name, port number, and login information for the Tivoli Identity Manager server and SSL authentication. In order to identify the server for the DAML protocol to use and to configure SSL authentication, complete the following steps:
1. At the Agent Protocol Configuration Menu, select Configure Protocol. For more information on configuring a protocol, see “Changing protocol configuration settings” on page 12.
2. Change the USE_SSL property to TRUE.
3. Install the certificate using CertTool. For more information on installing the certificate, see “Managing SSL certificates using CertTool” on page 39.
4. Type the letter of the menu option for the SRV_NODENAME property.
5. Specify the IP address or server name that identifies the Tivoli Identity
Manager server, and press Enter.
The Protocol Properties Menu is displayed with your new settings.
6. Type the letter of the menu option for the SRV_PORTNUMBER property.
7. Specify the port number that the adapter uses to connect to the Tivoli Identity
Manager server for event notification and press Enter.
The Protocol Properties Menu is displayed with your new settings.

The example menu that follows shows all of the options that are displayed when Event Notification for the ADK is enabled. If Event Notification is disabled, or is enabled for the adapter (where your adapter supports adapter-based event notification), not all of the options are displayed.

Note: The Active Directory Adapter supports adapter-based event notification.

In order to set Event Notification for the Tivoli Identity Manager server, complete
the following steps:
1. At the Agent Main Configuration Menu, type C. The Event Notification Menu
for Disabled is displayed as the default setting. Type A to toggle to the other
available Event Notification Menus.

Event Notification Menu
--------------------------------------------------------------
*Password attributes : erPassword
* Reconciliation interval : 1 hour(s)
* Next Reconciliation time : 57 min(s). 36 sec(s).
* Configured Contexts : subtest, outtest, tradewinds
A. Enabled - ADK
B. Time interval between reconciliations.
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
K. Set password attribute names.

X. Done

Select menu option:

2. Type the letter of the menu option that you want to change.
Press Enter to return to the Agent Event Notification Menu without changing
the value.
Table 4. Options for the event notification menus
Option Configuration task
A When this option is enabled, the adapter updates the Tivoli Identity
Manager server with changes to the adapter at regular intervals. If
Enabled - Adapter is selected, the adapter code processes event
notification by monitoring a change log on the managed resource.

When the option is set to:


v Disabled, all options except Start event notification now and Set
attributes to be reconciled are available. Pressing the A key changes
the setting to Enabled - ADK.
v Enabled - ADK, all options are available. Pressing the A key changes
the setting to Disabled or if your adapter supports event notification,
changes to Enabled - Adapter.
v Enabled - Adapter, all options except Time interval between
reconciliations, Set processing cache size, Start event notification now,
and Set attributes to be reconciled are available. Pressing the A key
changes the setting to Disabled.

Press A to toggle between the options.


B When Time interval between reconciliations is selected, the following
prompt is displayed:
Enter new interval
([ww:dd:hh:mm:ss])

Type a different reconciliation interval. For example,


[00:01:00:00:00]

Note: This value is the interval to wait once event notification completes
before it is run again. The event notification process is resource
intensive, therefore this value must not be set to run too frequently. This
option is not available, if Enabled - Adapter is selected.

Chapter 4. Configuring the Active Directory Adapter for IBM Tivoli Identity Manager 17
Table 4. Options for the event notification menus (continued)
Option Configuration task
C When Set processing cache size is selected, the following prompt is
displayed:
Enter new cache size[50]:

Type a different value to change the processing cache size.


Note: This option is not available, if Enabled - Adapter is selected.
D When Start event notification now is selected, event notification is
started.
Note: This option is not available, if Disabled or Enabled - Adapter is
selected.
E When Set attributes to be reconciled is selected, the Event Notification
Entry Types Menu is displayed. See “Setting event notification triggers”
on page 19 for more information.
Note: This option is not available, if Disabled or Enabled - Adapter is
selected.
F When Reconciliation process priority, the following prompt is displayed:
Enter new thread priority [1-10]:

Type a different thread value to change the event notification process


priority.
Note: Setting the thread priority to a lower value reduces the impact
that the event notification process has on the performance of the adapter.
A lower value might also cause event notification to take longer.
G When Add Event Notification Context is selected, the following prompt
is displayed:
Enter new context name:

Type the new context name, and press Enter. The new context is added.
H When Modify Event Notification Context is selected, a menu listing the
available contexts is displayed. See “Modifying an event notification
context” on page 20 for more information.
I When Remove Event Notification Context is selected, the Remove
Context Menu is displayed. Select the context to remove. The following
prompt is then displayed:
Delete context context1? [no]:

Press Enter to exit without deleting the context, or type Yes and press
Enter to delete the context.
J When List Event Notification Contexts is selected, the Event
Notification Contexts are displayed in the following format:
Context Name : Context1
Target DN : erservicename=context1,o=IBM,ou=IBM,dc=com
--- Attributes for search request ---
{search attributes listed}
-----------------------------------------------

K When Set password attribute names is selected, you can set the names of
the attributes that contain passwords. These values are not stored in the
state database, and changes to them are not sent as events. This avoids the
risk of sending a delete request for the old password in clear text when
Tivoli Identity Manager changes a password: changes from Tivoli Identity
Manager, including the password, are recorded in the local database for
event notification, but the subsequent event notification search does not
return the password. The adapter would therefore send a delete request for
the old password in clear text, and that value would be listed in the Tivoli
Identity Manager logs.

3. If you changed the value for options B, C, E, or F, press Enter. The other
options are automatically changed when you type the corresponding letter of
the menu option.
The Event Notification Menu is displayed with your new settings.
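The risk that option K guards against can be made concrete with a small model of the baseline comparison. This is an added example, not adapter code: the state database is modelled as plain dicts, the account name jdoe and the attribute values are constructed, and erADDomainPassword is used as the password attribute name because it appears in the attribute listing in this chapter.

```python
"""Model of one event-notification cycle, showing why password attributes
must be kept out of the state database (agentCfg option K).

Added illustration, not adapter code: the adapter's real database format is
not documented here, so every snapshot below is a plain dict."""

from typing import Dict, Iterable, List, Tuple

# Attribute names designated as password attributes. erADDomainPassword comes
# from the attribute listing in this guide; option K lets you edit this set.
DEFAULT_PASSWORD_ATTRIBUTES = frozenset({"erADDomainPassword"})

Record = Dict[str, str]
Event = Tuple[str, str, str, str]  # (account, operation, attribute, value)


def record_for_state_db(record: Record, password_attrs: Iterable[str]) -> Record:
    """Copy of a record as the state database should keep it: password
    attributes are dropped, so no later comparison can emit their values."""
    excluded = set(password_attrs)
    return {k: v for k, v in record.items() if k not in excluded}


def diff_records(account: str, baseline: Record, current: Record) -> List[Event]:
    """Events for one account, in LDAP-modify style: a changed value becomes a
    delete of the old value followed by an add of the new one."""
    events: List[Event] = []
    for attr in sorted(set(baseline) | set(current)):
        old, new = baseline.get(attr), current.get(attr)
        if old == new:
            continue
        if old is not None:
            events.append((account, "delete", attr, old))
        if new is not None:
            events.append((account, "add", attr, new))
    return events


def event_notification(baseline_db: Dict[str, Record],
                       search_result: Dict[str, Record],
                       password_attrs: Iterable[str]) -> List[Event]:
    """One notification cycle: compare the stored baseline with the latest
    full search, filtering the search result the same way as the baseline."""
    events: List[Event] = []
    for account in sorted(set(baseline_db) | set(search_result)):
        current = record_for_state_db(search_result.get(account, {}), password_attrs)
        events.extend(diff_records(account, baseline_db.get(account, {}), current))
    return events


# Constructed sample: what the local database records after Tivoli Identity
# Manager changes jdoe's display name and password (the request carries both).
AFTER_TIM_CHANGE: Dict[str, Record] = {
    "jdoe": {"erADDisplayName": "Jane Doe", "erADDomainPassword": "N3w-Secret!"},
}
# Constructed sample: what the next event-notification search returns. Active
# Directory does not return the password value, so that attribute is absent;
# the display name was edited directly in Active Directory in the meantime.
NEXT_SEARCH: Dict[str, Record] = {
    "jdoe": {"erADDisplayName": "Jane A. Doe"},
}


def run_cycle(exclude_passwords: bool) -> List[Event]:
    """Record the TIM change in the state database, then run the next cycle."""
    attrs = DEFAULT_PASSWORD_ATTRIBUTES if exclude_passwords else frozenset()
    baseline = {acct: record_for_state_db(rec, attrs)
                for acct, rec in AFTER_TIM_CHANGE.items()}
    return event_notification(baseline, NEXT_SEARCH, attrs)


def leaked_passwords(events: Iterable[Event],
                     password_attrs: Iterable[str] = DEFAULT_PASSWORD_ATTRIBUTES
                     ) -> List[Event]:
    """Events that would carry a password value in clear text into the logs."""
    excluded = set(password_attrs)
    return [e for e in events if e[2] in excluded]


if __name__ == "__main__":
    for exclude in (False, True):
        events = run_cycle(exclude)
        print(f"password attributes excluded={exclude}:")
        for ev in events:
            print("  ", ev)
        print("   leaked:", leaked_passwords(events))
```

With the exclusion in place the display-name change still produces its two events; without it the cycle also emits a delete of the stored password value.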

Setting event notification triggers


By default, all attributes are queried for value changes. Certain attributes that
change frequently (for example, password age or last successful logon) must be
omitted.
1. At the Event Notification Menu, type E. The Event Notification Entry Types
Menu is displayed.
Event Notification Entry Types
-------------------------------------------
A. erADGroup
B. erADAccount
C. erADContainer
D. erADMailStore
X. Done
Select menu option:

The erADGroup, erADAccount, erADContainer, and erADMailStore types are
not displayed in the menu until the following conditions have been met:
a. Event notification has been enabled
b. A context has been created and configured
c. A full reconciliation has been run
2. Type A for a list of group attributes, type B for user attributes, type C for
container attributes, or type D for mail store attributes returned during
reconciliation.

Note: The erADGroup, erADContainer, and erADMailStore entry types are the
support data that is used by erADAccount. The support data is returned
during the reconcile operation or the support data reconcile operation.
The Event Notification Attribute Listing for the selected type is displayed. The
default setting lists all attributes that the adapter supports. The example below
lists example attributes, and might differ from the list that is displayed on your
workstation.

Event Notification Attribute Listing
-------------------------------------
(a) **erADEAlias (b) **erADAllowDialin (c) **erADBadLoginCount
(d) **erADBasePoint (e) **erCompany (f) **erADContainer
(g) **erADContainerCN (h) **erADContainerDN (i) **erADContainerRDN
(j) **erADCountyCode (k) **erADEDelegates (l) **erDepartment
(m) **erADDisplayName (n) **erADDomainPassword (o) **erADDomainUser
(p) **erDivision (q) **erADEmployeeID (r) **erADExpirationDate

(p)rev page 1 of 3 (n)ext
-----------------------------
X. Done
Select menu option:

3. Type the letter of the menu option for the attribute to exclude from an event
notification.
Attributes that are marked with two asterisks (**) are returned during the event
notification. Attributes that are not marked with asterisks are not returned
during the event notification.

Modifying an event notification context


An event notification context corresponds to a service on the Tivoli Identity
Manager server. Some adapters support multiple services. The services are
identified based on event notification attribute values.

You can have multiple event notification contexts, but you must have at least one
adapter. In the following example screen, note that Context1, Context2, and
Context3 are three different contexts, all having a different value for event
notification attributes.

In order to modify an event notification context, complete these steps:
1. At the Event Notification Menu, type H. The Modify Context Menu is
displayed.
Modify Context Menu
------------------------------
A. Context1
B. Context2
C. Context3
X. Done
Select menu option:

2. Type the letter of the menu option that you want to modify. The Modify
Context Menu for the selected context is displayed.
A. Set attributes for search
B. Target DN:
C. Delete Baseline Database
X. Done
Select menu option:

Table 5. Options for the modify context menu
Option Configuration task For more information
A Adding search attributes for event notification See page 21.
B Configuring the target DN for event notification contexts See page 21.
C Removing the baseline database for event notification contexts See page 22.

Adding search attributes for event notification


For some adapters, you might need to specify an attribute-value pair for one or
more contexts. These attribute-value pairs, which are defined by completing the
steps below, serve multiple purposes:
v When multiple services are supported by a single adapter, each service needs to
specify one or more attributes to differentiate it from the other services.
v The search attributes are passed to the event notification process, once the event
notification interval has occurred or is started manually. For each context, a full
search request is sent to the adapter. Additionally, the attributes specified for
that context are passed to the adapter.
v When the Tivoli Identity Manager server initiates a reconciliation process, the
adapter replaces the local database that represents this service with the new
database.

In order to add search attributes, perform the following step:
1. At the Modify Context Menu for the context, type A. The Reconciliation
Attributes Passed to Agent Menu is displayed.
Reconciliation Attributes Passed to Agent for Context: Context1
----------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:

The valid attributes for the Active Directory Adapter are:
v erADBasePoint
v erADDomainUser
v erADDomainPassword
If you modify these attributes, the new value must be the same as what is
entered on the adapter service form. If the field is blank on the service form,
you do not have to specify an attribute value.

Configuring the target DN for event notification contexts


The target DN field holds the unique name of the service that receives event
notification updates.

In order to configure the target DN, complete the following steps:
1. At the Modify Context Menu for the context, type B.
2. At the Enter Target DN prompt, type the target DN for the context, and press
Enter. The target DN for the event notification context must be in the following
format:
erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix

Each element of the DN is defined as follows:
Table 6. DN elements and definitions
Element Definition
erservicename Specifies the name of the target service
o Specifies the name of the organization
ou Specifies the name of the tenant that contains the organization
rootsuffix Specifies the root of the directory tree

The Modify Context Menu is displayed with the new target DN listed.
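A small validator for the target DN format above, written for this guide as an added example (it is not part of agentCfg); parse_target_dn and split_rdns are this example's own names, and the root suffix is only required to consist of attribute=value elements.

```python
"""Validate an event-notification target DN of the form
erservicename=<name>,o=<organization>,ou=<tenant>,<rootsuffix>.

Added example; agentCfg performs its own checks, which are not documented here."""

import re
from typing import Dict, List

# One RDN: attribute type, '=', value. Values may contain backslash-escaped
# characters (RFC 4514), so the split below must not break on an escaped comma.
RDN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.*)$")

# The three fixed elements in the order the guide requires; whatever follows
# them is the root suffix.
FIXED_ELEMENTS = ("erservicename", "o", "ou")


def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas, keeping escape sequences intact."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("target DN ends with a dangling escape character")
    parts.append("".join(current).strip())
    return parts


def parse_target_dn(dn: str) -> Dict[str, str]:
    """Return the elements of a well-formed target DN, or raise ValueError
    naming the first problem found."""
    rdns = split_rdns(dn)
    if len(rdns) < len(FIXED_ELEMENTS) + 1:
        raise ValueError("target DN needs erservicename, o, ou and a root suffix")
    result: Dict[str, str] = {}
    for position, (rdn, expected) in enumerate(zip(rdns, FIXED_ELEMENTS), start=1):
        match = RDN_RE.match(rdn)
        if match is None:
            raise ValueError(f"element {position} ({rdn!r}) is not attribute=value")
        attr, value = match.group(1).lower(), match.group(2).strip()
        if attr != expected:
            raise ValueError(f"element {position} must be {expected}=, got {attr}=")
        if not value:
            raise ValueError(f"{expected} must not be empty")
        result[expected] = value
    suffix = rdns[len(FIXED_ELEMENTS):]
    for rdn in suffix:
        match = RDN_RE.match(rdn)
        if match is None or not match.group(2).strip():
            raise ValueError(f"root suffix element {rdn!r} is not attribute=value")
    result["rootsuffix"] = ",".join(suffix)
    return result


if __name__ == "__main__":
    # The example DN printed by the List Event Notification Contexts option.
    print(parse_target_dn("erservicename=context1,o=IBM,ou=IBM,dc=com"))
```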

Removing the baseline database for event notification contexts


This option is only available once a context is created and a reconciliation is run on
the context to create a Baseline Database file.

At the Modify Context Menu for the context, type C. The Modify Context Menu is
displayed with the Delete Baseline Database option removed.

Changing the configuration key


You use the configuration key as a password to access the configuration tool for
the adapter.

In order to change the Active Directory Adapter configuration key, complete the
following steps:
1. At the Main Menu prompt, type D.
2. Change the value of the configuration key, and press Enter.
Press Enter to return to the Main Configuration Menu without changing the
configuration key. The default configuration key is agent. Make sure that you
choose passwords that cannot be easily guessed.
The following message is displayed:
Configuration key successfully changed.
The configuration program exits, and the Main Menu prompt is displayed.

Changing activity logging settings


When you enable logging, the Active Directory Adapter maintains a dated log file
of all transactions, ADAgent.log. By default, the log file is in the \log directory.

In order to change the Active Directory Adapter activity logging settings, complete
the following steps:
1. At the Main Menu prompt, type E.
The Agent Activity Logging Menu is displayed. The following example shows
the default activity logging settings.

Agent Activity Logging Menu
-------------------------------------
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\ADAgent\log).
C. Activity Log File Name (current: ADAgent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
X. Done
Select menu option:

2. Type the letter of the Activity Logging Menu option that you want to change.
Option A must be enabled in order for the values of the other options to take
effect.
Press Enter to return to the Agent Activity Logging Menu without changing the
value.
Table 7. Options for the activity logging menu
Option Configuration task
A Set this option to enabled to have the adapter maintain a dated log file
of all transactions.
When the option is set to:
v Disabled, pressing the A key changes the value to enabled
v Enabled, pressing the A key changes the value to disabled
Type A to toggle between the options.
B The following prompt is displayed:
Enter log file directory:

Type a different value for the logging directory, for example, C:\Log.
When the logging option is enabled, details about each access request
are stored in the logging file that is in this directory.
C The following prompt is displayed:
Enter log file name:

Type a different value for the log file name. When the logging option is
enabled, details about each access request are stored in the logging file.
D The following prompt is displayed:
Enter maximum size of log files (mbytes):

Type a new value, for example, 10. The oldest data is archived when the
log file reaches the maximum file size. File size is measured in
megabytes. It is possible for the activity log file size to exceed disk
capacity.
E The following prompt is displayed:
Enter maximum number of log files to retain:

Type a new value up to 99, for example, 5. The adapter automatically
deletes the oldest activity logs beyond the specified limit.

F If this option is set to enabled, the adapter includes the debug
statements in the log file of all transactions.
When the option is set to:
v Disabled, pressing the F key changes the value to enabled
v Enabled, pressing the F key changes the value to disabled
Type F to toggle between the options.
G If this option is set to enabled, the adapter maintains a detailed log file
of all transactions. The detail logging option must be used for diagnostic
purposes only. Detailed logging enables more messages from the adapter
and might increase the size of the logs.
When the option is set to:
v Disabled, pressing the G key changes the value to enabled
v Enabled, pressing the G key changes the value to disabled
Type G to toggle between the options.
H If this option is set to enabled, the adapter maintains a log file of all
transactions in the Adapter Development Kit (ADK) and library files.
Base logging will substantially increase the size of the logs.
When the option is set to:
v Disabled, pressing the H key changes the value to enabled
v Enabled, pressing the H key changes the value to disabled
Type H to toggle between the options.
I If this option is enabled, the log file will contain thread IDs, in addition
to a date and timestamp on every line of the file.
When the option is set to:
v Disabled, pressing the I key changes the value to enabled
v Enabled, pressing the I key changes the value to disabled
Type I to toggle between the options.

3. Press Enter if you changed the value for option B, C, D, or E. The other options
are changed automatically when you type the corresponding letter of the menu
option.
The Agent Activity Logging Menu is displayed with your new settings.

Changing registry settings


In order to change the Active Directory Adapter registry settings, complete the
following steps:
1. At the Main Menu, type F. The Registry Menu is displayed.
ADAgent 5.0.1000 Agent Registry Menu
-------------------------------------------
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done
Select menu option:

2. See the following procedures on modifying registry settings.

Note: There are no encrypted registry settings for this adapter.

Modifying non-encrypted registry settings


In order to modify the non-encrypted registry settings, complete the following
steps:
1. At the Agent Registry Menu, type A. The Non-encrypted Registry Settings
Menu is displayed.
Agent Registry Items
-----------------------------------
01. CreateUNCHomeDirectories 'FALSE'
02. DeleteUNCHomeDirectories 'FALSE'
03. delRoamingProfileOnDeprov 'FALSE'
04. delUNCHomeDirOnDeprov 'FALSE'
05. ForceRASServerLookup 'FALSE'
06. ForceTerminalServerLookup 'FALSE'
07. ManageHomeDirectories 'FALSE'
08. NotifyIntervalSeconds '300'
09. ReconHomeDirSecurity 'FALSE'
10. ReconPrimaryGroup 'TRUE'
-----------------------------------
Page 1 of 3

A. Add new attribute
B. Modify attribute value
C. Remove attribute
D. Next Page
X. Done
Select menu option:D

Agent Registry Items
------------------------------------
11. SearchPasswordSettings 'FALSE'
12. UnlockOnPasswordReset 'FALSE'
13. useDefaultDC 'FALSE'
14. useSSL 'FALSE'
15. WtsDisableSearch 'TRUE'
16. WtsEnabled 'FALSE'
-------------------------------------
Page 2 of 3

A. Add new attribute
B. Modify attribute value
C. Remove attribute
E. Prev Page
X. Done
Select menu option:

2. Type the letter of the menu option for the action that you want to perform on
an attribute.
Table 8. Attribute configuration option descriptions
Option Configuration task
A Add new attribute
B Modify attribute value
C Remove attribute

3. Type the registry item name, and press Enter.
See Table 9 for a description of each registry key.
4. If you selected option A or B, type the registry item value and press Enter.
The non-encrypted registry settings menu reappears and displays your new
settings.

Table 9 describes the registry keys and their available settings:
Table 9. Registry key descriptions
Key Description
CreateUNCHomeDirectories If this key is set to TRUE, the key enables
creation of the UNC home directory.
DeleteUNCHomeDirectories If this key is set to TRUE, the key enables
deletion of the UNC home directory on
delete.
delRoamingProfileOnDeprovision If this key is set to TRUE, the key enables
user profile directory deletion when the user
is de-provisioned. After successfully deleting
the user from the Active Directory, the
adapter deletes the user home directory,
subdirectories, and files.
If this key is set to FALSE, or if the key does
not exist, the adapter does not delete the
user home directory.
delUNCHomeDirOnDeprovision If this key is set to TRUE, the key enables
UNC Home directory deletion when the user
is de-provisioned. After successfully deleting
the user from the Active Directory, the
adapter deletes the user home directory,
subdirectories, and files.
If this key is set to FALSE, or if the key does
not exist, the adapter does not delete the
user home directory.
ForceRASServerLookup If this key is set to TRUE, the RASServer is
always found from the domain information.
If this key is set to FALSE, one of these
conditions exists:
v If the target server is specified in the base
point, the target server is used as the RAS
server.
v If the target server is not specified in the
base point, the RAS server is found from
the domain information.

ForceTerminalServerLookup If this key is set to TRUE, the terminal server
is always found from the domain
information.
If this key is set to FALSE, one of these
conditions exists:
v If the target server is specified in the base
point, the target server is used as the
terminal server.
v If the target server is not specified in the
base point, the terminal server is found
from the domain information.
ManageHomeDirectories If this key is set to TRUE, the adapter
performs Add and Delete operations for
actual directories.
If this key is set to FALSE, the adapter
updates only the home directory information
in the Active Directory.
NotifyIntervalSeconds This key specifies the interval (in seconds)
after which the adapter enabled event
notification process starts. It can be modified
using the agentCfg tool.
ReconHomeDirSecurity If this key is set to TRUE, the adapter brings
the Home Security information (NTFS
security, share name, and share security)
during a reconciliation.
ReconPrimaryGroup The recon operation does not add the
primary group to the group list. The
memberof attribute in Active Directory stores
the user’s group membership, except the
primary group. The primaryGroupID
attribute in Active Directory stores the
primary group of the user. As a result, the
primary group needs to be explicitly added
to the group list.
If this key is set to TRUE, the primary group
is added to the group list.
If this key is set to FALSE, the primary
group is not added to the group list.
SearchPasswordSettings Most of the password attributes are stored in
the Active Directory and are directly
retrieved. But some (for example, Require
Unique Password and User Cannot Change
Password) are not stored in the Active
Directory. These attributes have to be
retrieved using APIs.
If this key is set to TRUE, the password
attributes are retrieved using the respective
API.
If this key is set to FALSE, the attributes are
not retrieved.

UnlockOnPasswordReset If this key is set to TRUE, the adapter
activates the user on a password change
request.
useDefaultDC This key provides failover capability for the
adapter when the host specified in the base
point is not available. If the adapter cannot
connect to the host specified in the base
point and the key is set to TRUE, the adapter
connects to the base point without the host
name.
If this key is set to TRUE, the key affects
RASServer and Terminal server lookup
behavior.
useSSL This key enables SSL communication
between the adapter and the Active
Directory.
If this key is set to TRUE, the adapter uses
SSL to communicate with the Active
Directory.
If this key is set to FALSE or does not exist,
the adapter does not use SSL.
WtsDisableSearch This key takes effect only if WtsEnabled is
set to TRUE.
If set to FALSE, this key enables a
reconciliation of the WTS attributes.
If set to TRUE, the reconciliation is faster.
WtsEnabled If this key is set to TRUE, the key enables
processing of Windows Terminal Server
(WTS) attributes.

Note: The following registry keys are no longer used:
v AbortReconOnFailure
v ReconMailboxPermissions
v userGroupCN
v OverrideX500Addresses
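The following added example (not part of the adapter) parses the Agent Registry Items listing as agentCfg prints it and checks the keys described in Table 9 whose setting matters for security; the sample listing is constructed to match the defaults above, with UnlockOnPasswordReset set to TRUE and one retired key added for illustration.

```python
"""Parse the agentCfg 'Agent Registry Items' listing and review the
security-relevant keys against their Table 9 descriptions.

Added example, not adapter code. The menu text below is constructed."""

import re
from typing import Dict, List, Tuple

# An item line looks like "14. useSSL 'FALSE'". Copies of the menu pasted from
# documents sometimes carry typographic quotes, so both forms are accepted.
ITEM_RE = re.compile(
    r"^\s*\d{2}\.\s+(\S+)\s+['\u2018\u2019]([^'\u2018\u2019]*)['\u2018\u2019]\s*$")

# Keys the guide lists as no longer used; their presence means a stale configuration.
RETIRED_KEYS = frozenset({"AbortReconOnFailure", "ReconMailboxPermissions",
                          "userGroupCN", "OverrideX500Addresses"})

Finding = Tuple[str, str, str]  # (key, current value, observation)

# Constructed sample: both menu pages of a deployment that still runs with
# defaults, except that UnlockOnPasswordReset was enabled and a retired key
# (item 17) was left behind from an earlier adapter version.
SAMPLE_MENU = """Agent Registry Items
-----------------------------------
01. CreateUNCHomeDirectories 'FALSE'
02. DeleteUNCHomeDirectories 'FALSE'
03. delRoamingProfileOnDeprov 'FALSE'
04. delUNCHomeDirOnDeprov 'FALSE'
05. ForceRASServerLookup 'FALSE'
06. ForceTerminalServerLookup 'FALSE'
07. ManageHomeDirectories 'FALSE'
08. NotifyIntervalSeconds '300'
09. ReconHomeDirSecurity 'FALSE'
10. ReconPrimaryGroup 'TRUE'
-----------------------------------
Page 1 of 2
11. SearchPasswordSettings 'FALSE'
12. UnlockOnPasswordReset \u2019TRUE\u2019
13. useDefaultDC 'FALSE'
14. useSSL 'FALSE'
15. WtsDisableSearch 'TRUE'
16. WtsEnabled 'FALSE'
17. OverrideX500Addresses 'FALSE'
-----------------------------------
Page 2 of 2
"""


def parse_registry_menu(text: str) -> Dict[str, str]:
    """Collect key/value pairs from every item line; other lines are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        match = ITEM_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def is_true(settings: Dict[str, str], key: str) -> bool:
    """Table 9 treats a missing key like FALSE for the keys reviewed here."""
    return settings.get(key, "FALSE").strip().upper() == "TRUE"


def review_registry(settings: Dict[str, str]) -> List[Finding]:
    """Observations a reviewer would raise, each tied to a Table 9 description."""
    findings: List[Finding] = []
    if not is_true(settings, "useSSL"):
        findings.append(("useSSL", settings.get("useSSL", "<missing>"),
                         "adapter to Active Directory traffic is not protected by SSL"))
    if is_true(settings, "UnlockOnPasswordReset"):
        findings.append(("UnlockOnPasswordReset", settings["UnlockOnPasswordReset"],
                         "every password change request also activates the account; "
                         "confirm this is intended"))
    if not is_true(settings, "SearchPasswordSettings"):
        findings.append(("SearchPasswordSettings",
                         settings.get("SearchPasswordSettings", "<missing>"),
                         "Require Unique Password and User Cannot Change Password "
                         "are not reconciled"))
    interval = settings.get("NotifyIntervalSeconds", "")
    if not interval.isdigit() or int(interval) <= 0:
        findings.append(("NotifyIntervalSeconds", interval or "<missing>",
                         "interval must be a positive number of seconds"))
    for key in sorted(set(settings) & RETIRED_KEYS):
        findings.append((key, settings[key],
                         "key is no longer used by this adapter version; remove it"))
    return findings


if __name__ == "__main__":
    for finding in review_registry(parse_registry_menu(SAMPLE_MENU)):
        print("%-24s %-8s %s" % finding)
```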

Changing advanced settings


You can change the Active Directory Adapter thread count settings for the
following types of requests:
v System Login Add
v System Login Change
v System Login Delete
v Reconciliation
These settings determine the maximum number of requests that the Active
Directory Adapter processes concurrently. In order to change these settings,
complete the following steps:

1. At the Main Menu prompt, type G.
The Advanced Settings Menu is displayed. The following example shows the
default thread count settings.
ADAgent 5.0.1000 Advanced Settings Menu
-------------------------------------------
A. Single Thread Agent (current:FALSE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:

2. Type the letter of the menu option of the advanced setting that you want to
change. For a description of each option, see Table 10.
Table 10. Options for the advanced settings menu
Option Description
A Forces the adapter to allow only one request at a time.
The default value is FALSE.
B Controls how many simultaneous ADD requests can run at one time.
The default value is 3.
C Controls how many simultaneous MODIFY requests can run at one time.
The default value is 3.
D Controls how many simultaneous DELETE requests can run at one time.
The default value is 3.
E Controls how many simultaneous SEARCH requests can run at one time.
The default value is 3.
F Determines whether the adapter allows pre- and post-exec functions.
Enabling this option is a potential security risk.
The default value is FALSE.
G This option is no longer supported.
H This option is no longer supported.
I Active Directory Adapter supports processing filters directly. If you
enable this option, that is, set it to TRUE, the adapter filters the results
instead of the ADK. By default this option is set to FALSE and the ADK
performs the filtering.
J Sets the thread priority level for the adapter.
The default value is 4.

3. Change the value, and press Enter.
The Advanced Settings Menu is displayed with your new settings.

Viewing statistics
In order to view an event log for the Active Directory Adapter, complete the
following steps:
1. At the Main Menu prompt, type H.
The activity history for the adapter is displayed.
ADAgent 5.0.1000 Agent Request Statistics
--------------------------------------------------------------------
Date Add Mod Del Ssp Res Rec
-----------------------------------------------------------------
02/15/06 000001 000000 000000 000000 000000 000001
-----------------------------------------------------------------
X. Done

2. Type X to return to the Main Configuration Menu.

Changing code page settings


In order to list the supported code page information for the Active Directory
Adapter, the adapter must be running. Run the following command to view the
code page information:
agentCfg -agent [adapter_name] -codepages

In order to change the code page settings for the Active Directory Adapter,
complete the following steps:
1. At the Main Menu prompt, type I.
The Code Page Support Menu for the adapter is displayed.
ADAgent 5.0.1000 Codepage Support Menu
-------------------------------------------
* Configured codepage: US-ASCII
-------------------------------------------
*
*******************************************
* Restart Agent After Configuring Codepages
*******************************************

A. Codepage Configure.
X. Done
Select menu option:

2. Type A to configure a code page.

Note: The ADAgent code page uses Unicode; therefore this option is not
applicable.
3. Type X to return to the Main Configuration Menu.

Accessing help and additional options


In order to access the agentCfg help menu and use the help arguments, complete
the following steps:

1. At the Main Menu prompt, type X. The command prompt is displayed, and
you are in the \bin directory.
2. Type agentCfg -help at the prompt to view the help menu.
The following list of possible commands is displayed:
-version ;Show version
-hostname <value> ;Target nodename to connect to (Default:Local host IP address)
-findall ;Find all agents on target node
-list ;List available agents on target node
-agent <value> ;Name of agent
-tail ;Display agent’s activity log
-portnumber <value> ;Specified agent’s TCP/IP port number
-netsearch <value> ;Lookup agents hosted on specified subnet
-confidencetest ;Confidence test
-setup ;Confidence test setup
-codepages ;Display list of available codepages
-help ;Display this help screen

Table 11 describes each argument.
Table 11. Arguments and descriptions for the agentCfg help command
Argument Description
-version Use this argument to display the version of the agentCfg tool.
-hostname <value> Use the -hostname argument with any of the following
arguments to specify a different host:
v -findall
v -list
v -tail
v -agent
Enter a host name or IP address as the value.
-findall Use this argument to search and display all port addresses
between 44970 and 44994 and their assigned adapter names.
This option will timeout on unused port numbers, so it might
take several minutes to complete.
Add the -hostname argument to search a remote host.
-list Use this argument to display the adapters that are installed
on the local host of the Active Directory Adapter. By default,
the first time you install an adapter, it is either assigned to
port address 44970 or to the next available port number. All
subsequently installed adapters are then assigned to the next
available port address. Once an unused port is found, the
listing stops.
Use the -hostname argument to search a remote host.
-agent <value> Use this argument to specify the adapter that you want to
configure. Enter an adapter name as the value. Use this
argument with the -hostname argument to modify the
configuration setting from a remote host. You can also use
this argument with the -tail argument.
-tail Use this argument with the -agent argument to display the
activity log for an adapter. Add the -hostname argument to
display the log file for an adapter on a different host.
-portnumber <value> Use this argument with the -agent argument to specify the
port number that is used for connections for the agentCfg
tool.

-netsearch <value> Use this argument with the -findall argument to display all
active adapters on the system. You must specify a subnet
address as the value.
-confidencetest Use this argument to run a test to add, modify, search, and
delete a request to the adapter. The confidence test allows
you to test the connection between the adapter and the
Active Directory Server. This allows you to verify that the
adapter can connect to Active Directory Server without the
Tivoli Identity Manager server.
-setup Use this argument, along with the -confidencetest argument, to
configure the confidence test.
-codepages Use this argument to display a list of available codepages.
-help Use this argument to display the Help information for the
agentCfg command.

3. Type agentCfg and one or more of the supported arguments at the prompt.
You must type agentCfg before every argument to run the adapter
configuration tool.
Type agentCfg -list to list all of the adapters on the local host IP address.
Note that the port address for the Tivoli Identity Manager server is 44970. The
output is similar to the following output:
Agent(s) installed on node '127.0.0.1'
-----------------------
ADAgent (44970)
Type agentCfg -agent ADAgent to display the Main Menu of the agentCfg tool,
which is used to view or modify the Active Directory Adapter parameters.
Type agentCfg -list -hostname 192.9.200.7 to list the adapters on a host
whose IP address is 192.9.200.7. The output is similar to the following output:
Agent(s) installed on node '192.9.200.7'
------------------
ADAgent (44970)
Type agentCfg -agent ADAgent -hostname 192.9.200.7 to display the Main
Menu of the agentCfg tool for a host whose IP address is 192.9.200.7. Use the
menu options to view or modify the Active Directory Adapter parameters.

Chapter 5. Configuring SSL authentication for the Active
Directory Adapter
In order to establish a secure connection between Tivoli Identity Manager adapter
and the Tivoli Identity Manager server, you must configure the adapter and the
server to use the Secure Sockets Layer (SSL) authentication with the default
communication protocol, DAML. By configuring the adapter for SSL, you ensure
that the Tivoli Identity Manager server verifies the identity of the adapter before a
secure connection is established.

You can configure SSL authentication for connections that originate from the Tivoli
Identity Manager server or from the adapter. Typically, the Tivoli Identity Manager
server initiates a connection to the adapter in order to set or retrieve the value of a
managed attribute on the adapter. However, depending on the security
requirements of your environment, you might need to configure SSL authentication
for connections that originate from the adapter. For example, if the adapter uses
events to notify the Tivoli Identity Manager server of changes to attributes on the
adapter, you can configure SSL authentication for Web connections that originate
from the adapter to the Web server used by the Tivoli Identity Manager server.

In a production environment, you need to enable SSL security; however, for testing
purposes you might want to disable SSL. If an external application that
communicates with the adapter (such as the Tivoli Identity Manager server) is set
to use server authentication, you must enable SSL on the adapter to verify the
certificate that the application presents.

This chapter presents an overview of SSL authentication, certificates, and how to
enable SSL authentication using the CertTool utility.

Overview of SSL and digital certificates


When you deploy IBM Tivoli Identity Manager in an enterprise network, you must
secure communication between the Tivoli Identity Manager server and the
software products and components with which the server communicates. The
industry-standard SSL protocol, which uses signed digital certificates from a
certificate authority (CA) for authentication, is used to secure communication in a
Tivoli Identity Manager configuration. Additionally, SSL provides encryption of the
data exchanged between the applications. Encryption makes data transmitted over
the network intelligible only to the intended recipient.

Signed digital certificates enable two applications connecting in a network to
authenticate each other’s identity. An application acting as an SSL server presents
its credentials in a signed digital certificate to verify to an SSL client that it is the
entity it claims to be. An application acting as an SSL server can also be configured
to require the application acting as an SSL client to present its credentials in a
certificate, thereby completing a two-way exchange of certificates. Signed
certificates are issued by a third-party certificate authority for a fee. Some utilities,
such as those provided by OpenSSL, can also issue signed certificates.

A certificate-authority certificate (CA certificate) must be installed to verify the
origin of a signed digital certificate. When an application receives another
application’s signed certificate, it uses a CA certificate to verify the originator of
the certificate. A certificate authority can be well-known and widely used by other
organizations, or it can be local to a specific region or company. Many applications,
such as Web browsers, are configured with the CA certificates of well-known
certificate authorities to eliminate or reduce the task of distributing CA certificates
throughout the security zones in a network.

© Copyright IBM Corp. 2008 33

Private keys, public keys, and digital certificates


Keys, digital certificates, and trusted certificate authorities are used to establish and
verify the identities of applications.

SSL uses public key encryption technology for authentication. In public key
encryption, a public key and a private key are generated for an application. Data
encrypted with the public key can only be decrypted using the corresponding
private key. Similarly, the data encrypted with the private key can only be
decrypted using the corresponding public key. The private key is
password-protected in a key database file so that only the owner can access the
private key to decrypt messages that are encrypted using the corresponding public
key.

A signed digital certificate is an industry-standard method of verifying the
authenticity of an entity, such as a server, client, or application. In order to ensure
maximum security, a certificate is issued by a third-party certificate authority. A
certificate contains the following information to verify the identity of an entity:
Organizational information
This section of the certificate contains information that uniquely identifies
the owner of the certificate, such as organizational name and address. You
supply this information when you generate a certificate using a certificate
management utility.
Public key
The receiver of the certificate uses the public key to decipher encrypted
text sent by the certificate owner to verify its identity. A public key has a
corresponding private key that encrypts the text.
Certificate authority’s distinguished name
The issuer of the certificate identifies itself with this information.
Digital signature
The issuer of the certificate signs it with a digital signature to verify its
authenticity. This signature is compared to the signature on the
corresponding CA certificate to verify that the certificate originated from a
trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications generally accept as
genuine any digital certificate that is signed by a trusted certificate authority and is
otherwise valid. For example, a digital certificate can be invalidated because it has
expired or the CA certificate used to verify it has expired, or because the
distinguished name in the digital certificate of the server does not match the
distinguished name specified by the client.

Self-signed certificates
You can use self-signed certificates to test an SSL configuration before you create
and install a signed certificate issued by a certificate authority. A self-signed
certificate contains a public key, information about the owner of the certificate, and
the owner’s signature. It has an associated private key, but it does not verify the
origin of the certificate through a third-party certificate authority. Once you
generate a self-signed certificate on an SSL server application, you must extract it
and add it to the certificate registry of the SSL client application.

34 IBM Tivoli Identity Manager: Active Directory Adapter with 64–bit Support Installation and Configuration Guide

This procedure is the equivalent of installing a CA certificate that corresponds to a
server certificate. However, you do not include the private key in the file when
you extract a self-signed certificate to use as the equivalent of a CA certificate.

Use a key management utility to generate a self-signed certificate and a private
key, to extract a self-signed certificate, and to add a self-signed certificate.

Where and how you choose to use self-signed certificates depends on your security
requirements. In order to achieve the highest level of authentication between
critical software components, do not use self-signed certificates, or use them
selectively. For example, you can choose to authenticate applications that protect
server data with signed digital certificates, and use self-signed certificates to
authenticate Web browsers or IBM Tivoli Identity Manager adapters.

If you are using self-signed certificates, in the following procedures you can
substitute a self-signed certificate for a certificate and CA certificate pair.

Certificate and key formats


Certificates and keys are stored in files with the following formats:
.pem format
A privacy-enhanced mail (.pem ) format file begins and ends with the
following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

A .pem file format supports multiple digital certificates, including a
certificate chain. If your organization uses certificate chaining, use this
format to create CA certificates.
.arm format
An .arm file contains a base-64 encoded ASCII representation of a
certificate, including its public key, but not its private key. An .arm file
format is generated and used by the IBM Key Management utility.
.der format
A .der file contains binary data. A .der file can only be used for a single
certificate, unlike a .pem file, which can contain multiple certificates.
.pfx format (PKCS12)
A PKCS12 file is a portable file that contains a certificate and a
corresponding private key. This format is useful for converting from one
type of SSL implementation to a different implementation. For example,
you can create and export a PKCS12 file using the IBM Key Management
utility, then import the file to another workstation using the CertTool
utility.

The use of SSL authentication


When you start the adapter, the available connection protocols are loaded. The
DAML protocol is the only available protocol that supports the use of SSL
authentication. You can specify to use the DAML SSL implementation.

Chapter 5. Configuring SSL authentication for the Active Directory Adapter 35


The DAML SSL implementation uses a certificate registry to store private keys and
certificates. The location of the certificate registry is managed internally by the
CertTool key and certificate management tool; therefore, you do not specify the
location of the registry when you perform certificate management tasks.

For more information on the DAML protocol, see “Changing protocol
configuration settings” on page 12.

Configuring certificates for SSL authentication


Use the following procedures to configure the adapter for one-way or two-way SSL
authentication using signed certificates. In order to perform these procedures, use
the CertTool utility.

Configuring certificates for one-way SSL authentication


In this configuration, the IBM Tivoli Identity Manager Server and the Tivoli
Identity Manager adapter are set to use SSL. Client authentication is not set on
either application. The Tivoli Identity Manager Server operates as the SSL client
and initiates the connection. The adapter operates as the SSL server and responds
by sending its signed certificate to the Tivoli Identity Manager Server. The Tivoli
Identity Manager Server uses the CA certificate that is installed to validate the
certificate sent by the adapter.

In Figure 1, Application A operates as the Tivoli Identity Manager server, and
Application B operates as the IBM Tivoli Identity Manager adapter.

[Figure 1. One-way SSL authentication (server authentication): the Tivoli Identity Manager Server (SSL client) sends a Hello to the Tivoli Identity Manager adapter (SSL server); the adapter sends Certificate B, and the server verifies it against the CA certificate held in its keystore.]

In order to configure one-way SSL, perform the following tasks for each
application:
1. On the adapter, complete these steps:
a. Start the CertTool utility.
b. In order to configure the SSL-server application with a signed certificate
issued by a certificate authority:
1) Create a certificate signing request (CSR) and private key. This step
creates the certificate with an embedded public key and a separate
private key and places the private key in the PENDING_KEY registry
value.
2) Submit the CSR to the certificate authority using the instructions
supplied by the CA. When you submit the CSR, specify that you want
the root CA certificate returned with the server certificate.

2. On the Tivoli Identity Manager Server, complete one of these steps:
v If you are configuring the use of a signed certificate issued by a well-known
CA, ensure that the Tivoli Identity Manager Server has stored the root
certificate of the CA (CA certificate) in its keystore. If the keystore does not
contain the CA certificate, extract the CA certificate from the adapter and add
it to the keystore of the server.
v If you are configuring the use of self-signed certificates:
– If you generated the self-signed certificate on the Tivoli Identity Manager
Server, the certificate is already installed in its keystore.
– If you generated the self-signed certificate using the key management
utility of another application, extract the certificate from that application’s
keystore and add it to the keystore of the Tivoli Identity Manager Server.

Configuring certificates for two-way SSL authentication


In this configuration, the IBM Tivoli Identity Manager Server and the Tivoli
Identity Manager adapter are set to use SSL and the adapter is set to use client
authentication. After sending its certificate to the Tivoli Identity Manager Server,
the adapter requests identity verification from the server, which sends its signed
certificate to the adapter. Both applications are configured with signed certificates
and corresponding CA certificates.

In Figure 2, the Tivoli Identity Manager server operates as Application A, and the
IBM Tivoli Identity Manager adapter operates as Application B.

[Figure 2. Two-way SSL authentication (client authentication): after the Hello, the Tivoli Identity Manager adapter (SSL server) sends Certificate B, which the Tivoli Identity Manager Server (SSL client) verifies with the CA certificate in its keystore; the server then sends Certificate A, which the adapter verifies with its own CA certificate.]

The following procedure assumes that you have already configured the adapter
and Tivoli Identity Manager Server for one-way SSL authentication using the
procedure described in “Configuring certificates for one-way SSL authentication”
on page 36. Therefore, if you are using signed certificates from a CA:
v The adapter is configured with a private key and a signed certificate that was
issued by a CA.
v The Tivoli Identity Manager Server is configured with the CA certificate of the
CA that issued the signed certificate of the adapter.

In order to complete the certificate configuration for two-way SSL, perform the
following tasks:



1. On the Tivoli Identity Manager Server, create a CSR and private key, obtain a
certificate from a CA, install the CA certificate, install the newly signed
certificate, and extract the CA certificate to a temporary file.
2. On the adapter, add the CA certificate that was extracted from the keystore of
the Tivoli Identity Manager Server to the adapter.

When you have finished the two-way certificate configuration, each application has
its own certificate and private key and the CA certificate of the CA that issued the
certificates for each application.

Configuring certificates when the adapter operates as an SSL client
In this configuration, the adapter operates as an SSL client in addition to operating
as an SSL server. This configuration applies if the adapter initiates a connection to
the Web server (used by the Tivoli Identity Manager server) to send an event
notification. For example, the adapter initiates the connection and the Web server
responds by presenting its certificate to the adapter.

Figure 3 illustrates how a Tivoli Identity Manager adapter operates as an SSL server
and an SSL client. When communicating with the Tivoli Identity Manager server,
the adapter sends its certificate for authentication. When communicating with the
Web server, the adapter receives the certificate of the Web server.

[Figure 3. IBM Tivoli Identity Manager adapter operating as an SSL server and an SSL client: the adapter (holding Certificate A and CA Certificate C) sends Certificate A to the Tivoli Identity Manager Server (holding CA Certificate A), and after its Hello to the Web server receives Certificate C from the Web server.]

If the Web Server is configured for two-way SSL authentication, it verifies the
identity of the adapter, which sends its signed certificate to the Web server (not
shown in the illustration). In order to enable two-way SSL authentication between
the adapter and Web server, use the following procedure:
1. Configure the Web server to use client authentication.
2. Follow the procedure for creating and installing a signed certificate on the Web
server.
3. Install the CA certificate on the adapter using the CertTool utility.
4. Add the CA certificate corresponding to the signed certificate of the adapter to
the Web server.

For more information on configuring certificates when the adapter initiates a
connection to the Web server (used by the Tivoli Identity Manager Server) to send
an event notification, see the Tivoli Identity Manager Information Center.

Managing SSL certificates using CertTool


The procedures in this section describe how to use the CertTool utility to manage
private keys and certificates.

This section includes instructions for performing the following tasks:
v “Starting CertTool.”
v “Generating a private key and certificate request” on page 41.
v “Installing the certificate” on page 42.
v “Installing the certificate and key from a PKCS12 file” on page 42.
v “Viewing the installed certificate” on page 43.
v “Viewing CA certificates” on page 43.
v “Installing a CA certificate” on page 43.
v “Deleting a CA certificate” on page 43.
v “Viewing registered certificates” on page 44.
v “Registering a certificate” on page 44.
v “Unregistering a certificate” on page 44.

Starting CertTool
In order to start the certificate configuration tool, CertTool, for the Active Directory
Adapter, complete these steps:
1. Select Programs from the Start menu, select Accessories, and then select
Command Prompt.
2. In the Microsoft Windows DOS Command Prompt window, change to the bin
directory for the adapter. For example, if the Active Directory Adapter directory
is in the default location, type the following command:
cd C:\Tivoli\Agents\ADAgent\bin
3. Type CertTool -agent ADAgent at the prompt. The Main Menu is displayed:
Main menu - Configuring agent: ADAgent
------------------------------
A. Generate private key and certificate request
B. Install certificate from file
C. Install certificate and key from PKCS12 file
D. View current installed certificate

E. List CA certificates
F. Install a CA certificate
G. Delete a CA certificate

H. List registered certificates


I. Register certificate
J. Unregister a certificate

K. Export certificate and key to PKCS12 file

X. Quit

Choice:



From the Main Menu, you can generate a private key and certificate request, install
and delete certificates, register and unregister certificates, and list certificates. The
following sections summarize the purpose of each group of options.

The first set of options (A through D) allows you to generate a CSR and install the
returned signed certificate on the adapter.
A. Generate private key and certificate request
Generate the CSR that is sent to the certificate authority, and the associated
private key, which stays on the adapter. For more information on option A, see “Generating a private key
authority. For more information on option A, see “Generating a private key
and certificate request” on page 41.
B. Install certificate from file
Install a certificate from a file. This file must be the signed certificate
returned by the CA in response to the CSR that is generated by option A.
For more information on option B, see “Installing the certificate” on page
42.
C. Install certificate and key from a PKCS12 file
Install a certificate from a PKCS12 format file that includes both the public
certificate and a private key. If options A and B are not used to obtain a
certificate, the certificate that you use must be in PKCS12 format. For more
information on option C, see “Installing the certificate and key from a
PKCS12 file” on page 42.
D. View current installed certificate
View the certificate that is installed on the system. For more information
on option D, see “Viewing the installed certificate” on page 43.

The second set of options (E through G) enables you to install root CA certificates on the adapter.
A CA certificate is used by the IBM Tivoli Identity Manager adapter to validate the
corresponding certificate presented by a client, such as the Tivoli Identity Manager
server.
E. List CA certificates
Show the installed CA certificates. The adapter only communicates with
Tivoli Identity Manager servers whose certificates are validated by one of
the installed CA certificates.
F. Install a CA certificate
Install a new CA certificate so that certificates generated by this CA can be
validated. The CA certificate file can either be in X.509 or PEM encoded
formats. For more information on how to install a CA certificate, see
“Installing a CA certificate” on page 43.
G. Delete a CA certificate
Remove one of the installed CA certificates. For more information on how
to delete a CA certificate, see “Deleting a CA certificate” on page 43.

The remaining options (H through K) apply to adapters that must authenticate the
application (for example, the Tivoli Identity Manager server or the Web server) to
which the adapter is sending information. These options enable you to register
certificates on the adapter. For IBM Tivoli Identity Manager Version 4.5 or earlier,
the signed certificate of the IBM Tivoli Identity Manager Server must be registered
with an adapter to enable client authentication on the adapter. If you do not intend
to upgrade an existing adapter to use CA certificates for client authentication, the
signed certificate presented by the Tivoli Identity Manager server must be
registered with the adapter.

If you configure the adapter to use event notification, or client authentication is
enabled in DAML, then you must install the CA certificate corresponding to the
signed certificate of the Tivoli Identity Manager server using the Install a CA
certificate option, option F.
H. List registered certificates
List all registered certificates that will be accepted for communications. For
more information on listing registered certificates, see “Viewing registered
certificates” on page 44.
I. Register a certificate
Register a new certificate. The certificate to be registered must be in Base 64
encoded X.509 format or PEM. For more information on registering
certificates, see “Registering a certificate” on page 44.
J. Unregister a certificate
Unregister (remove) a certificate from the registered list. For more
information on unregistering certificates, see “Unregistering a certificate”
on page 44.
K. Export certificate and key to PKCS12 file
Export a previously installed certificate and private key. You will be
prompted for the file name and a password for encryption. For more
information on exporting a certificate and key to a PKCS12 file, see
“Exporting a certificate and key to PKCS12 file” on page 45.

Generating a private key and certificate request


A certificate signing request (CSR) is an unsigned certificate stored as a text file. When you
submit an unsigned certificate to a certificate authority, the CA signs the certificate
with the private digital signature that corresponds to its CA
certificate. When the CSR is signed, it becomes a valid certificate. A CSR contains
information about your organization, such as the organization name, country, and
the public key for your Web server.

In order to generate a CSR file, complete these steps:
1. At the Main Menu of the CertTool, type A. The following message and prompt
are displayed:
Enter values for certificate request (press enter to skip value)
-------------------------------------------------------------------------
2. At the Organization prompt, type your organization name, and press Enter.
3. At the Organizational Unit prompt, type the organizational unit, and press
Enter.
4. At the Agent Name prompt, type the name of the adapter you are requesting
a certificate for, and press Enter.
5. At the Email prompt, type the e-mail address for the contact person for this
request, and press Enter.
6. At the State prompt, type the state in which the adapter resides (if the adapter
is in the United States), and press Enter. Some certificate authorities do not
accept two letter abbreviations for states, so you must type the full name of
the state.
7. At the Country prompt, type the country in which the adapter resides, and
press Enter.
8. At the Locality prompt, type the name of the city in which the adapter
resides, and press Enter.



9. At the Accept these values prompt, type Y to accept the values displayed, or
type N to re-enter the values, and press Enter.
The private key and certificate request are generated once the values are
accepted.
10. At the Enter name of file to store PEM cert request prompt, type the name of
the file that you want to use to store the values you specified during the
previous steps, and press Enter.
11. Press Enter to continue. The certificate request and input values are written to
the file you specified. The file is copied to the agent’s bin folder and the Main
Menu is displayed again.

You can now request a certificate from a trusted CA by sending the .pem file that
you just generated to a certificate authority vendor.

Example of certificate signing request

Your CSR file will look similar to the following example:
-----BEGIN CERTIFICATE REQUEST-----
MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
aW5lZXJpbmcxEDAOBgNVBAMTB250YWdlbnQxJDAiBgkqhkiG9w0BCQEWFW50YWdl
bnRAYWNjZXNzMzYwLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExDzANBgNVBAcTBklydmluZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
mR6AcPnwf6hLLc72BmUkAwaXcebtxCoCnnTH9uc8VuMHPbIMAgjuC4s91hPrilG7
UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
-----END CERTIFICATE REQUEST-----
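Before a CSR is sent to the CA, it is worth confirming that the subject it carries matches what was typed at the CertTool prompts. The following Python script (standard library only) is an added example, not code from the IBM guide or the CertTool utility: it strips the PEM markers described under “Certificate and key formats”, walks the DER structure of the PKCS #10 request, and reports the subject fields in the order the prompts collected them (Organization, Organizational Unit, Agent Name, Email, State, Country, Locality), plus the public key algorithm and RSA key size. The embedded CSR is the sample shown above; the prompt-to-attribute mapping (Agent Name becoming the CN) is inferred from that sample.

```python
import base64
import re

# Sample CSR copied from the guide's example above. Its subject values are the
# guide's example values, not a real organization.
SAMPLE_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
aW5lZXJpbmcxEDAOBgNVBAMTB250YWdlbnQxJDAiBgkqhkiG9w0BCQEWFW50YWdl
bnRAYWNjZXNzMzYwLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExDzANBgNVBAcTBklydmluZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
mR6AcPnwf6hLLc72BmUkAwaXcebtxCoCnnTH9uc8VuMHPbIMAgjuC4s91hPrilG7
UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
-----END CERTIFICATE REQUEST-----
"""

# Attribute and algorithm OIDs that occur in a CertTool-generated request.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption",
}

# Which CertTool prompt fills which subject attribute (assumed from the sample).
PROMPT_TO_ATTR = {
    "Organization": "O", "Organizational Unit": "OU", "Agent Name": "CN",
    "Email": "emailAddress", "State": "ST", "Country": "C", "Locality": "L",
}


def pem_to_der(pem, label="CERTIFICATE REQUEST"):
    """Drop the -----BEGIN/END----- lines of a .pem block and base64-decode the body."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block between PEM markers" % label)
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    rdns = []
    for _, rdn_set in children(name):
        for _, atv in children(rdn_set):
            oid_raw, string_raw = [v for _, v in children(atv)]
            oid = decode_oid(oid_raw)
            # CertTool emits PrintableString / IA5String values, both plain ASCII.
            rdns.append((OID_NAMES.get(oid, oid), string_raw.decode("ascii")))
    return rdns


def parse_csr(pem):
    """Return version, subject RDNs, key algorithm and RSA key size of a PKCS #10 CSR."""
    _, request, _ = read_tlv(pem_to_der(pem), 0)          # CertificationRequest
    _, info, _ = read_tlv(request, 0)                     # certificationRequestInfo
    version, subject, spki = [v for _, v in children(info)][:3]
    alg_id, public_key = [v for _, v in children(spki)]   # SubjectPublicKeyInfo
    alg = decode_oid(next(children(alg_id))[1])
    key_bits = None
    if OID_NAMES.get(alg) == "rsaEncryption":
        _, rsa_key, _ = read_tlv(public_key[1:], 0)       # skip BIT STRING unused-bits octet
        modulus = next(children(rsa_key))[1]              # RSAPublicKey.modulus
        key_bits = int.from_bytes(modulus, "big").bit_length()
    return {"version": int.from_bytes(version, "big"), "subject": parse_name(subject),
            "key_algorithm": OID_NAMES.get(alg, alg), "key_bits": key_bits}


def prompt_values(csr):
    """Map the parsed subject back onto the CertTool prompts for a side-by-side check."""
    found = dict(csr["subject"])
    return {prompt: found.get(attr) for prompt, attr in PROMPT_TO_ATTR.items()}


if __name__ == "__main__":
    parsed = parse_csr(SAMPLE_CSR_PEM)
    print("Subject:", ",".join("%s=%s" % rdn for rdn in parsed["subject"]))
    print("Key:", parsed["key_algorithm"], parsed["key_bits"], "bits")
    for prompt, value in prompt_values(parsed).items():
        print("  %-20s %s" % (prompt, value))
```

Run against a CSR you generated yourself by replacing SAMPLE_CSR_PEM with the contents of the .pem file CertTool wrote to the bin directory.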

Installing the certificate


Once you receive your certificate from your trusted CA, you install it in the
registry of the adapter. In order to install the certificate, complete these steps:
1. If you received the certificate as part of an e-mail message, copy the text of the
certificate to a text file, and copy that file to the bin directory for the adapter.
For example,
C:\Tivoli\Agents\ADAgent\bin
2. At the Main Menu of the CertTool, type B. The following prompt is displayed:
Enter name of certificate file:
-------------------------------------------------------------------------
3. At the Enter name of certificate file prompt, type the full path to the
certificate file, and press Enter.
The certificate is installed in the registry for the adapter, and the Main Menu is
displayed again.

Installing the certificate and key from a PKCS12 file


If you do not use the CertTool utility to generate a CSR to obtain a certificate, you
must install both the certificate and private key, which must be stored in a PKCS12
file. The CA might send a password-protected file, or PKCS12 file (a file with the
.pfx extension), which includes both the certificate and private key. In order to
install the certificate from this PKCS12 file, complete these steps:
1. Copy the PKCS12 file to the bin directory for the adapter. For example,
C:\Tivoli\Agents\ADAgent\bin
2. At the Main Menu for the CertTool, type C. The following prompt is displayed:
Enter name of PKCS12 file:
-------------------------------------------------------------------------

3. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file
that has the certificate and private key information, and press Enter. For
example, DamlSrvr.pfx.
4. At the Enter password prompt, type the password to access the file, and press
Enter.

The certificate and private key are installed in the adapter registry, and the Main
Menu is displayed.

Viewing the installed certificate


In order to list the certificate that is installed on your system, at the Main Menu of
CertTool, type D.

The installed certificate is listed, and the Main Menu is displayed. The following
example lists an installed certificate:
The following certificate is currently installed.
Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Installing a CA certificate
If you are using client authentication, you need to install a CA certificate. The CA
certificate you install is issued by a certificate authority vendor.

In order to install a CA certificate that was extracted into a temporary file,
complete the following steps:
1. At the Main Menu prompt, type F (Install a CA certificate).
The following prompt is displayed:
Enter name of certificate file:
2. At the Enter name of certificate file prompt, type the name of the certificate
file, such as DamlCACerts.pem, and press Enter.
The certificate file is opened, and the following prompt is displayed:
e=admin@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Install the CA? (Y/N)
3. At the Install the CA prompt, type Y to install the certificate, and press Enter.
The certificate file is installed in the CACerts.pem file.

Viewing CA certificates
CertTool only installs one certificate and one private key. In order to list the CA
certificate that is installed on the adapter, type E at the Main Menu prompt.

The installed CA certificates are displayed and the Main Menu is displayed. The
following example lists an installed CA certificate:
Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006

Deleting a CA certificate
In order to delete a CA certificate from the adapter directories, complete the
following steps:
1. At the Main Menu prompt, type G.
A list of all CA certificates installed on the adapter is displayed.
0 - e=admin@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - e=support@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
Enter number of CA certificate to remove:



2. At the Enter number of CA certificate to remove prompt, type the number of
the CA certificate that you want to remove, and press Enter.
The CA certificate is deleted from the CACerts.pem file, and the Main Menu is
displayed.

Viewing registered certificates


Only requests that present a registered certificate will be accepted by the adapter
when client validation is enabled.

In order to view a list of all registered certificates available to the adapter, at the
Main Menu prompt, type H.

The registered certificates are displayed and the Main Menu is displayed. The
following example lists registered certificates:
0 - e=admin@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - e=support@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Registering a certificate
In order to register a certificate for the adapter, complete the following steps:
1. At the Main Menu prompt, type I.
The following prompt is displayed:
Enter name of certificate file:
2. At the Enter name of certificate file prompt, type the name of the certificate
file that you want to register, and press Enter.
The subject of the certificate is displayed, and a prompt is displayed, for
example:
e=admin@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Register this CA? (Y/N)
3. At the Register this CA prompt, type Y to register the certificate, and press
Enter.
The certificate is registered to the adapter, and the Main Menu is displayed.

Unregistering a certificate
In order to unregister a certificate for the adapter, complete the following steps:
1. At the Main Menu prompt, type J.
The registered certificates are displayed. The following example lists registered
certificates:
0 - e=admin@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - e=support@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
2. Type the number of the certificate file that you want to unregister, and press
Enter.
The subject of the selected certificate is displayed, and a prompt is displayed,
for example:
e=admin@ibm.com,c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Unregister this CA? (Y/N)
3. At the Unregister this CA prompt, type Y to unregister the certificate, and
press Enter.
The certificate is removed from the registered certificate list for the adapter, and
the Main Menu is displayed.

Exporting a certificate and key to PKCS12 file
In order to export a certificate and key to a PKCS12 file for the adapter, complete
the following steps:
1. At the Main Menu prompt, type K.
The following prompt is displayed:
Enter name of PKCS12 file:
2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file
for the installed certificate or private key, and press Enter.
3. At the Enter Password prompt, type the password for the PKCS12 file, and
press Enter.
4. At the Confirm Password prompt, type the password again, and press Enter.
The certificate or private key is exported to the PKCS12 file, and the Main
Menu is displayed.

Chapter 6. Customizing the Active Directory adapter
Active Directory can support custom attributes for the user class. The Active
Directory Adapter only supports standard Windows attributes by default.
However, you can customize the adapter to support custom (extended) attributes.

Complete these steps to customize the Active Directory Adapter to support the
extended attributes in the Active Directory:
1. Extend the Active Directory Adapter schema and add the custom attributes to
the Active Directory Server. For more information on extending the schema, see
“Step 1: Extend the schema and add the extended attributes.”
2. Copy the JAR file to a temporary directory and extract the files. For more
information on extracting the files, see “Step 2. Copy the ADProfile.jar file and
extract the files” on page 48.
3. Add the extended attributes to the exschema.txt file. For more information on
extending the attributes, see “Step 3. Modify the exschema.txt file” on page 48.
4. Update the schema.dsml file on the Tivoli Identity Manager server. For more
information on updating this file, see “Step 4: Update the schema.dsml file” on
page 49.
5. Update the customlabels.properties file on the host workstation. For more
information on updating this file, see “Step 5: Modify the
CustomLabels.properties file” on page 49.
6. Install the new attributes on the Tivoli Identity Manager server. For more
information on updating this file, see “Step 6: Create a new JAR file and install
the new attributes on the Tivoli Identity Manager server” on page 50.
7. Modify the form for the account. For more information on updating the form,
see “Step 7: Optionally modify the adapter form” on page 50.

For information on the files that you can modify, in order to customize the Active
Directory Adapter, see Appendix A, “Files,” on page 57.

Step 1: Extend the schema and add the extended attributes


Extend the Windows Active Directory schema and add the custom attributes to the
Active Directory Server using the tools provided by Windows. Refer to the
Microsoft Windows Server documentation for more information about adding new
attributes to the Active Directory.

The Active Directory Adapter supports the following types of custom attributes:
v Boolean
v Integer
v Case insensitive string
v UTC coded time

Consider prefixing the attribute names with erAD in order to easily identify the
attributes that are used with IBM Tivoli Identity Manager.

Note: If IBM Tivoli Directory Server is being used as the directory server
application, the name of the attribute must be unique within the first 16
characters.

Step 2. Copy the ADProfile.jar file and extract the files
The profile JAR file, ADProfile.jar, is included in the Active Directory Adapter
compressed file that you downloaded from the IBM Web site. The ADProfile.jar file
contains the following files:
v CustomLabels.properties
v erADAccount.xml
v erADDAMLService.xml
v resource.def
v schema.dsml
You can modify these files to customize your environment.

When you finish updating the profile JAR file, install it on the Tivoli Identity
Manager server. For more information on the profile installation, see “Importing
the adapter profile into the Tivoli Identity Manager server” on page 8.

In order to modify the ADProfile.jar file, complete the following steps:


1. Log in to the system where the Active Directory Adapter is installed.
2. On the Start menu, click Programs > Accessories > Command Prompt.
3. Copy the ADProfile.jar file into a temporary directory.
4. Extract the contents of the ADProfile.jar file into the temporary directory by
running the following command:
cd c:\temp
jar -xvf ADProfile.jar

The jar command will create the c:\temp\ADProfile directory.


5. Edit the appropriate file by completing the remaining steps below.

Step 3. Modify the exschema.txt file


The exschema.txt file lists all extended attributes in the Active Directory Server.
Modify this file to allow the Active Directory Adapter to recognize an extended
attribute in the Windows Active Directory Server.

In order to modify the exschema.txt file, complete the following steps:


1. Change to the \data directory for the adapter.
2. Create or open the exschema.txt file in a text editor.
3. Add the extended attributes to the file. List only 1 attribute per line. For
example:
erADString1
erADInteger
erADDate
erADBoolean
erADMultiValueString
4. Save the changes, and close the file.
5. Start the adapter again.
Start the adapter by using the Windows Services Console.

Step 4: Update the schema.dsml file
The Active Directory Adapter schema.dsml file identifies all of the standard
Windows account attributes. Modify this file to identify the new extended
attributes in the Active Directory Server.

For more information about the attributes in this file, see “schema.dsml file” on
page 57.

In order to update the schema.dsml file, complete the following steps:


1. Change to the \ADProfile directory, where the schema.dsml file has been
created.
2. Edit the schema.dsml file to add an attribute definition for each extended
attribute. The Object Identifier (OID) must be incremented by 1, based on the last
entry in the file. For example, if the last attribute in the file uses the OID
1.3.6.1.4.1.6054.3.125.2.67, the first new attribute uses the OID
1.3.6.1.4.1.6054.3.125.2.68.
Consider starting a new range of numbers for your custom attributes. For
example, start custom attributes with OID 1.3.6.1.4.1.6054.3.125.2.100. This
prevents duplicate OIDs if the adapter is upgraded to support new attributes
that are standard for newer versions of Windows.
3. Add each of the new attributes to the account class. For example, add the
following attribute definition under the erADAccount section of the
schema.dsml file:
<attribute ref="erADDate" required="false"/>

Step 5: Modify the CustomLabels.properties file


Once you add the extended attributes to the schema.dsml file, the attributes are
available for use on the Active Directory Adapter form. The attributes appear in
the attribute list by their directory server name. You can modify the attribute
names that appear in the attribute list.

For more information about the attributes that appear on the adapter form, see
“CustomLabels.properties file” on page 60.

In order to add the attribute and its corresponding label to the
CustomLabels.properties file, complete the following steps:
1. Change to the ADProfile directory where the CustomLabels.properties file has
been created.
2. Edit the CustomLabels.properties file to add the attribute and its corresponding
label using the following format:
attribute=label

Note: The attribute name must be in lower case.


For example:
#
# ADAgent Labels definitions
#
eradstring1=ADString1
eradinteger=ADInteger
eraddate=ADDate
eradboolean=ADBoolean
eradmultivaluestring=ADMultiValueString

Step 6: Create a new JAR file and install the new attributes on the
Tivoli Identity Manager server
Once you modify the schema.dsml and CustomLabels.properties files, you must
import these files, and any other files that were modified for the adapter, into the
Tivoli Identity Manager server for the changes to take effect.

In order to install the new attributes, complete the following steps:


1. Create a new JAR file using the files in the \temp directory by running the
following commands:
cd c:\temp
jar -cvf ADProfile.jar ADProfile
2. Import the ADProfile.jar file into the Tivoli Identity Manager Application
server. For more information on importing the file, see “Importing the adapter
profile into the Tivoli Identity Manager server” on page 8.
3. Stop and start the Tivoli Identity Manager server.

Note: If you are upgrading an existing adapter profile, the new adapter profile
schema is not reflected immediately. You need to stop and start the Tivoli
Identity Manager server in order to refresh the cache and the adapter
schema. For more information on upgrading an existing adapter, see
“Upgrading the Active Directory Adapter” on page 53.

Step 7: Optionally modify the adapter form


Once the changes are available in the Tivoli Identity Manager server, you can
modify the Active Directory Adapter forms to use the new extended attributes. The
attributes do not need to be added to the Active Directory Adapter form unless
you want them to be available. The attributes will be returned during
reconciliations unless you explicitly exclude them.

For more information on how to modify the adapter form, see the IBM Tivoli
Identity Manager Information Center.

Managing passwords when restoring accounts


When a person’s accounts are restored from being previously suspended, you are
prompted to supply a new password for the reinstated accounts. However, there
are circumstances when you might want to circumvent this behavior.

The password requirement to restore an account on Active Directory Server falls
into two categories: allowed and required. How each restore action interacts with
its corresponding managed resource depends on either the managed resource, or
the business processes that you implement. Certain resources will reject a
password when a request is made to restore an account. In this case, you can
configure IBM Tivoli Identity Manager to forego the new password requirement. If
your company has a business process in place that dictates that the account
restoration process must be accompanied by resetting the password, you can set
the Active Directory Adapter to require a new password when the account is
restored.

In the resource.def file, you can define whether or not a password is required as a
new protocol option. When you import the adapter profile, if an option is not
specified, the adapter profile importer determines the correct restoration password
behavior. Adapter profile components also enable remote services to find out if you
discard a password that is entered by the user in a situation where multiple
accounts on disparate resources are being restored. In this scenario, only some of
the accounts being restored might require a password. Remote services will discard
the password from the restore action for those managed resources that do not
require them.

In order to configure the Active Directory Adapter to not prompt for a new
password when restoring accounts:
1. Stop the Tivoli Identity Manager server.
2. Extract the files from the ADProfile.jar file. For more information on
customizing the adapter profile file, see “Step 2. Copy the ADProfile.jar file and
extract the files” on page 48.
3. Change to the \ADProfile directory, where the resource.def file has been
created.
4. Edit the resource.def file to add the new protocol options, for example:
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE" Value = "TRUE"/>
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE" Value = "FALSE"/>

By adding the two options in the example above, you are ensuring that you
will not be prompted for a password when an account is restored.
5. Create a new ADProfile.jar file using the resource.def file and import the
adapter profile file into the Tivoli Identity Manager server. For more
information, see “Step 6: Create a new JAR file and install the new attributes on
the Tivoli Identity Manager server” on page 50.
6. Start the Tivoli Identity Manager server again.

Note: If you are upgrading an existing adapter profile, the new adapter profile
schema will not be reflected immediately. You need to stop and start the
Tivoli Identity Manager server in order to refresh the cache and therefore
the adapter schema. For more information on upgrading an existing adapter,
see “Upgrading the Active Directory Adapter” on page 53.

Configuring the base point for the adapter


You can configure the Active Directory Adapter to support both sub-domains and
multiple domains through the base point feature on the adapter service form. For
more information on configuring the service form, see the Tivoli Identity Manager
Information Center.

The base point for the Active Directory Adapter is the point in the directory server
that is used as the root for the adapter. This point can be an OU or DC point.
Because the base point is an optional value, if a value is not specified, the adapter
uses the default domain of the workstation on which it is installed.

The following definition is an example of a base point defined from the root of the
directory server:
dc=irvine,dc=IBM,dc=com

The following definition is an example of a base point defined from an
organizational unit level:
ou=engineering,dc=irvine,dc=IBM,dc=com

The syntax of the base point also allows for an optional workstation name to prefix
the base point DN, for example server1/dc=ibm,dc=com. This causes the adapter
to bind to a specific server instead of connecting to the first available server when
responding to an active directory bind request.

Also on the service form are the Admin User Account and Admin User Password
values. These optional values are only required if an administrator account is
defined for the base point of the adapter, and you want to use this account for
logging purposes. If these values are not defined, the adapter will use the account
assigned to the adapter service.

Note: Do not create services that overlap in scope in the directory tree. This could
result in duplicate account creation during reconciliation.
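As an added example (not part of the IBM guide), the following Python parses the base point syntax described above, including the optional workstation name prefix, and reports pairs of services whose base points overlap in the directory tree, the situation the note warns about. The service names and base points are constructed sample data.

```python
"""Base point scope checks for Active Directory Adapter services (added example, not IBM code).

Parses the base point syntax this section describes, an optional workstation name
followed by '/' and the DN, and reports pairs of services whose base points overlap
in the directory tree. Sample data is constructed.
"""


def parse_base_point(value):
    """'server1/ou=engineering,dc=irvine,dc=IBM,dc=com' -> ('server1', ['ou=engineering', ...]).

    The server part is None when no workstation name prefixes the DN. RDNs are
    lower-cased so that dc=IBM and dc=ibm compare equal.
    """
    server, _, dn = value.strip().rpartition("/")  # no '/' leaves server empty
    rdns = [rdn.strip().lower() for rdn in dn.split(",")]
    if not rdns or not all("=" in rdn for rdn in rdns):
        raise ValueError(f"not a valid base point: {value!r}")
    return (server or None), rdns


def is_within(inner, outer):
    """True when DN `inner` equals `outer` or lies beneath it (`outer` is a suffix of `inner`)."""
    return len(inner) >= len(outer) and inner[len(inner) - len(outer):] == outer


def find_overlapping_services(services):
    """services: {service name: base point}. Returns sorted name pairs whose scopes overlap."""
    scopes = {name: parse_base_point(bp)[1] for name, bp in services.items()}
    names = sorted(scopes)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if is_within(scopes[a], scopes[b]) or is_within(scopes[b], scopes[a])]


# Constructed service definitions; the base points follow the examples in this section.
SERVICES = {
    "AD Irvine": "dc=irvine,dc=IBM,dc=com",
    "AD Engineering": "server1/ou=engineering,dc=irvine,dc=ibm,dc=com",
    "AD Support": "ou=support,dc=irvine,dc=ibm,dc=com",
}

if __name__ == "__main__":
    # Both OU-level services sit beneath the domain-level service, so each pair overlaps.
    for pair in find_overlapping_services(SERVICES):
        print("overlapping scope:", *pair)
```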

Chapter 7. Upgrading the Active Directory Adapter or the ADK
Note: If your existing adapter version is earlier than 5.0, you must uninstall the
older version of the adapter before you can install the 5.0 adapter. You
cannot migrate from an earlier version to 5.0 because the encryption used in
the 5.0 release is not compatible with previous versions of the ADK. Any
previously encrypted values cannot be read by the 5.0 adapter.

You can either upgrade the Active Directory Adapter or the Adapter Development
Kit (ADK). The ADK is the base component of the adapter. While all adapters have
the same ADK, the remaining adapter functionality is specific to the managed
resource.

You can perform an adapter upgrade to migrate your current adapter installation
to a newer version, for example version 5.0 to version 5.x. Upgrading the adapter,
as opposed to reinstalling it, allows you to keep your configuration settings.
Additionally, you do not have to uninstall the current adapter and install the
newer version.

If only a code fix has been made to the ADK, instead of upgrading the entire
adapter, you can upgrade just the ADK to the newer version. See “Upgrading the
ADK” on page 54.

Upgrading the Active Directory Adapter


For adapter versions 5 and higher, use the adapter upgrade option:
v If you want to keep the adapter configuration (registry keys and certificates)
unchanged.
v If the installed adapter is FIPS enabled. The Update Installation option keeps
FIPS configurations such as the CA certificates, fipsdata.txt (the key generated by
running fipsenable.exe) and the registry keys encrypted with fipsdata.txt
unchanged.

If the update installation option is selected, the path of the existing installed adapter is
required. The installer replaces the binaries and the DLLs of the adapter and the
ADK. The installer does not prompt for any configuration information during an
update installation.

Note: Adapter related registry keys are not modified. The update installation does
not create a new service for the adapter.

During an upgrade, in order to maintain all of your current configuration settings,
as well as the certificate and private key, do not uninstall the old version of the
adapter before installing the new version. During the install, specify the same
installation directory where the previous adapter was installed. For more
information on how to install the adapter, see Chapter 3, “Installing and
configuring the Active Directory adapter,” on page 7.

In order to upgrade an existing adapter, complete the following steps:


1. Stop the Active Directory Adapter service.
2. Install the new version of the adapter.

When the upgraded adapter starts for the first time, new log files will be created,
replacing the old files.

The adapter installer allows an update installation of the adapter for adapter
versions 5.0 or later.

Upgrading the ADK


The ADK consists of the runtime library, filtering and event notification
functionality, protocol settings, and logging information. The remainder of the
adapter is comprised of the Add, Modify, Delete, and Search functions. While all
adapters have the same ADK, the remaining functionality is specific to the
managed resource.

You can use the ADK upgrade program to update the ADK portion of the adapters
that are currently installed on a workstation. This allows you to install just the
ADK, and not the entire adapter. As part of the ADK upgrade, the ADK library
and the DAML protocol library are updated. In addition, the agentCfg and
CertTool binaries are updated.

Note: Upgrading the ADK from versions 4.5 or 4.6 to 5.0 or a higher version is not
supported.

Before upgrading the ADK files, the upgrade program checks the current version
of the ADK. If the current level is higher than what you are attempting to install, a
warning message is displayed.

In order to upgrade the Active Directory Adapter ADK on a Windows-based
operating system, complete the following steps:
1. Download the ADK upgrade program compressed file from the IBM Web site.
2. Extract the contents of the compressed file into a temporary directory.
3. Stop the Active Directory Adapter service.
4. Start the upgrade program using the adkinst_win64.exe file in the temporary
directory. For example, select Run from the Start menu, and type
C:\TEMP\adkinst_win64.exe in the Open field.
If no adapter is installed, you will receive the following error message, and the
program exits:
No Agent Installed - Cannot Install ADK.
5. In the Welcome window, click Next.
6. In the Software License Agreement window, review the license agreement and
decide if you accept the terms of the license. If you do, click Accept.
7. In the Installation Information window, click Next to begin the installation.
8. In the Install Completed window, click Finish to exit the program.

Log files
Logging entries are stored in the <ADKVersion>Installer.log and
<ADKVersion>Installeropt.log files, where <ADKVersion> is the version of the ADK.
For example, ADK50Installer.log and ADK50Installeropt.log. These files are
created in the folder where you run the installation program.

Chapter 8. Uninstalling the Active Directory Adapter
Before you remove the adapter, inform your users that the Active Directory
Adapter will be unavailable. If the server is taken offline, adapter requests that
were completed might not be recovered when the server is back online.

To completely uninstall the Active Directory Adapter, you need to perform two
procedures:
1. Uninstall the adapter from the target server.
2. Remove the adapter profile from the Tivoli Identity Manager server.

Uninstalling the adapter from the target server


To remove the Active Directory Adapter, complete these steps:
1. Stop the adapter service.
2. Run the uninstaller. To run the uninstaller:
a. Navigate to the adapter home directory, for example
Tivoli/agents/adaptername/_uninst.
b. Double click the uninstaller.exe file.
c. In the Welcome window, click Next.
d. In the uninstallation summary window, click Next.
e. Click Finish.
f. Inspect the directory tree for the adapter directories, subdirectories, and files
to verify that uninstall is complete.

Removing the adapter profile from the Tivoli Identity Manager server
Before removing the adapter profile ensure that no objects exist on your Tivoli
Identity Manager server that reference the adapter profile. Examples of objects on
the Tivoli Identity Manager server that can reference the adapter profile are:
v Adapter service instances
v Policies referencing an adapter instance or the profile
v Accounts

For specific information on how to remove the adapter profile, see the online help
or the information center for your Tivoli Identity Manager product.

Appendix A. Files
You can configure several adapter-specific files. This appendix includes information
about the files that are associated with the Active Directory Adapter:
v “schema.dsml file”
v “CustomLabels.properties file” on page 60

schema.dsml file
The schema.dsml file contains all of the attributes that are common to all adapters.
This common file also contains Tivoli Identity Manager server attributes that can
be used by any adapter. The schema.dsml file defines all of the classes used by the
adapter. The classes are used to declare accounts, services, and supporting data.

The schema.dsml file defines the attributes and objects that the adapter supports
and uses to communicate with the Tivoli Identity Manager server. All attributes
must be unique, therefore they are assigned an OID.

The OID is defined using the <object-identifier>...</object-identifier> tags.

The schema.dsml file has the following format:


SCHEMA.DSML File
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XML Spy v3.5 NT (http://www.xmlspy.com) by IBM -->
<dsml>
<!-- ******************************************************** -->
<!-- Schema supported by the Windows adapter. -->
<!-- ******************************************************** -->
<directory-schema> ...
<!-- ******************************************************** -->
<!-- erADString1 -->
<!-- ******************************************************** -->
<attribute-type single-value="true">
<name>erADString1</name>
<description/>
<object-identifier>1.3.6.1.4.1.6054.3.125.2.100</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>
<!-- ******************************************************** -->
<!-- erADInteger -->
<!-- ******************************************************** -->
<attribute-type single-value="true">
<name>erADInteger</name>
<description/>
<object-identifier>1.3.6.1.4.1.6054.3.125.2.101</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.27</syntax>
</attribute-type>
<!-- ******************************************************** -->
<!-- erADDate -->
<!-- ******************************************************** -->
<attribute-type single-value="true">
<name>erADDate</name>
<description/>
<object-identifier>1.3.6.1.4.1.6054.3.125.2.102</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.24</syntax>
</attribute-type>
<!-- ******************************************************** -->
<!-- erADBoolean -->
<!-- ******************************************************** -->
<attribute-type single-value="true">
<name>erADBoolean</name>
<description/>
<object-identifier>1.3.6.1.4.1.6054.3.125.2.103</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.7</syntax>
</attribute-type>
<!-- ******************************************************** -->
<!-- erADMultiValueString -->
<!-- ******************************************************** -->
<attribute-type>
<name>erADMultiValueString</name>
<description>List of string values</description>
<object-identifier>1.3.6.1.4.1.6054.3.125.2.104</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type> ...
<!-- ******************************************************** -->
<!-- erADAccount Class -->
<!-- ******************************************************** -->
<class superior="top">
<name>erADAccount</name>
<description>Windows account.</description>
<object-identifier>1.3.6.1.4.1.6054.3.125.1.1</object-identifier> ...
<attribute ref="erADBoolean" required="false"/>
<attribute ref="erADDate" required="false"/>
<attribute ref="erADInteger" required="false"/>
<attribute ref="erADMultiValueString" required="false"/>
<attribute ref="erADString1" required="false"/>
</class> ...
</directory-schema>
</dsml>

Each of the sections of this schema file is described in the following sections.

Object identifier
The Tivoli Identity Manager server uses LDAP directory services to add, delete,
modify, and search IBM Tivoli Identity Manager data. Each data item in an LDAP
directory server must have a unique OID. Therefore, each attribute and class that is
defined in the schema.dsml file in IBM Tivoli Identity Manager has an OID.

OIDs have the following syntax:
enterprise ID.product ID.adapter ID.object ID.instance ID

The enterprise ID is always 1.3.6.1.4.1.6054 for IBM.

The product ID is always 3 because these schema.dsml files are used with adapters.

The adapter ID is 125 for the Active Directory Adapter.

The object ID is 2. An attribute uses 2 as the object ID.

The instance ID is a sequential number of the object.

Attribute definition
Before defining unique attributes for the adapter, ensure that the attribute does not
exist in the common schema.dsml file.

The following example defines an attribute:


<!-- *********************************************** -->
<!-- erSampleHome -->
<!-- *********************************************** -->
<attribute-type single-value = "true" >
<name>erSampleHome</name>
<description>User home directory</description>
<object-identifier>1.3.6.1.4.1.6054.3.125.2.100</object-identifier>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
</attribute-type>

Comment lines are denoted by the <!-- ... --> markers.

The attribute type is defined as single-value or multi-value. A single-value attribute
is denoted by the line: <attribute-type single-value ="true">. In order to denote
a multi-valued attribute, change the true value to false.

The name of the attribute that is used by the Tivoli Identity Manager server is
defined in the schema. In order to simplify the tracking of new Active Directory
Adapter attributes, use erAD as the preface for all new attributes, so that they can
be easily identified in your Windows Active Directory. When attributes have
already been defined in the Windows Active Directory, and they do not conflict
with existing attributes, they can be used without changing their names.

The description of the attribute is denoted by the <description>...</description>
tags.

The OID is defined using the <object-identifier>...</object-identifier> tags.


Because OIDs are already assigned to the existing, standard attributes, the OID can
be copied from the last attribute in the list. However, the last number must be
incremented by one for each new attribute that you add to the schema.dsml file.

The data type is defined using the <syntax>...</syntax> tags. The following table
lists various data types and the value you specify in the syntax tags.
Table 12. Data types and values for syntax tags
Data Type Value
Bit string 1.3.6.1.4.1.1466.115.121.1.6
Boolean 1.3.6.1.4.1.1466.115.121.1.7
Directory String 1.3.6.1.4.1.1466.115.121.1.15
UTC Coded Time 1.3.6.1.4.1.1466.115.121.1.24
Integer 1.3.6.1.4.1.1466.115.121.1.27

Classes
At least one account class and one service class must be defined in the
schema.dsml file.

Each class requires at least one attribute to identify the class: a name attribute.
Additional attributes might be required depending on the class defined.

The following syntax defines a class:


<class superior="top">
<name> ... </name>
<description> ... </description>
<object-identifier> ... </object-identifier>
<attribute ref = "..." required = "true" />
<attribute ref = "..." required = "true" />
</class>

In order to make an attribute optional for a class, change required = "true" to
required = "false" in the <attribute ref> tag.

An account class defines the attributes that are used to describe an account. An
account class must be defined in the schema.dsml file.

The following example defines an account class:

<class superior="top" >
<name>erSampleAccount</name>
<description>Sample Account</description>
<object-identifier>1.3.6.1.4.1.6054.3.125.1.101</object-identifier>
<attribute ref = "eruid" required = "true" />
<attribute ref = "erAccountStatus" required = "false" />
<attribute ref = "erSampleGroups" required = "false" />
<attribute ref = "erSampleHome" required = "false" />
<attribute ref = "erSampleDesc" required = "false" />
<attribute ref = "erPassword" required = "false" />
</class>

In this example, the class name is erSampleAccount and the only required attribute
is eruid. However, note that erAccountStatus is a required attribute to suspend or
restore accounts.

CustomLabels.properties file
The CustomLabels.properties file is a text file that defines the labels on the form
for the adapter. The syntax for the information in the file is:
attribute=text

where attribute is the same attribute defined in the schema.dsml file and text is the
label that appears on the form in the IBM Tivoli Identity Manager user interface
for the account.

The attribute must be in lowercase. This requirement comes from the Tivoli Identity
Manager server.
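As an added example (not IBM code), the following Python applies the rules from Steps 3 to 5 of Chapter 6 and this appendix to a customized profile before it is repacked and imported: every attribute listed in exschema.txt must have a schema.dsml definition with a unique OID under 1.3.6.1.4.1.6054.3.125.2, a syntax from Table 12, a reference in the erADAccount class, and a lowercase key in CustomLabels.properties, and the first-16-characters check applies the IBM Tivoli Directory Server note from Step 1. The sample file contents are constructed from the examples in this guide.

```python
"""Consistency checks for a customized ADProfile (added example, not IBM code).

Applies the rules this guide states to the three files an administrator edits:
exschema.txt, schema.dsml and CustomLabels.properties. Sample contents are constructed.
"""
import xml.etree.ElementTree as ET

ATTRIBUTE_OID_PREFIX = "1.3.6.1.4.1.6054.3.125.2."  # enterprise.product.adapter.object ID
SUPPORTED_SYNTAX = {  # the data types of Table 12
    "1.3.6.1.4.1.1466.115.121.1.6": "Bit string",
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.24": "UTC Coded Time",
    "1.3.6.1.4.1.1466.115.121.1.27": "Integer",
}
TDS_UNIQUE_PREFIX_LEN = 16  # IBM Tivoli Directory Server note in Step 1


def parse_exschema(text):
    """exschema.txt: one extended attribute name per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_labels(text):
    """CustomLabels.properties: attribute=label lines, '#' starts a comment."""
    labels = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            labels[key.strip()] = value.strip()
    return labels


def parse_schema(xml_text):
    """schema.dsml: name -> (OID, syntax) for attribute types, name -> {refs} for classes."""
    root = ET.fromstring(xml_text)
    attrs = {a.findtext("name"): (a.findtext("object-identifier"), a.findtext("syntax"))
             for a in root.iter("attribute-type")}
    classes = {c.findtext("name"): {r.get("ref") for r in c.findall("attribute")}
               for c in root.iter("class")}
    return attrs, classes


def check_profile(exschema_text, schema_xml, labels_text, account_class="erADAccount"):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    extended = parse_exschema(exschema_text)
    attrs, classes = parse_schema(schema_xml)
    labels = parse_labels(labels_text)
    owners = {}  # OID -> first attribute type that used it
    for name, (oid, _syntax) in attrs.items():
        if oid in owners:
            problems.append(f"duplicate OID {oid} used by {owners[oid]} and {name}")
        owners.setdefault(oid, name)
    for name in extended:
        if name not in attrs:
            problems.append(f"{name}: listed in exschema.txt but not defined in schema.dsml")
            continue
        oid, syntax = attrs[name]
        instance = oid[len(ATTRIBUTE_OID_PREFIX):] if oid and oid.startswith(ATTRIBUTE_OID_PREFIX) else ""
        if not instance.isdigit():
            problems.append(f"{name}: OID {oid} is not {ATTRIBUTE_OID_PREFIX}<instance ID>")
        if syntax not in SUPPORTED_SYNTAX:
            problems.append(f"{name}: syntax {syntax} is not one of the supported data types")
        if name not in classes.get(account_class, set()):
            problems.append(f"{name}: not referenced by the {account_class} class")
        if name.lower() not in labels:
            problems.append(f"{name}: no label in CustomLabels.properties")
    for key in labels:
        if key != key.lower():
            problems.append(f"label key {key!r} must be lowercase")
    prefixes = {}  # first 16 characters (case-insensitive) -> attribute type
    for name in attrs:
        prefix = name[:TDS_UNIQUE_PREFIX_LEN].lower()
        if prefix in prefixes:
            problems.append(f"{name} and {prefixes[prefix]} are not unique in the first "
                            f"{TDS_UNIQUE_PREFIX_LEN} characters")
        prefixes.setdefault(prefix, name)
    return problems


def _attr(name, instance, syntax, single="true"):
    """Build one <attribute-type> element for the constructed sample schema.dsml."""
    return (f'<attribute-type single-value="{single}"><name>{name}</name><description/>'
            f'<object-identifier>{ATTRIBUTE_OID_PREFIX}{instance}</object-identifier>'
            f'<syntax>1.3.6.1.4.1.1466.115.121.1.{syntax}</syntax></attribute-type>')


# Constructed sample files following the examples in this chapter.
EXSCHEMA_TXT = "erADString1\nerADInteger\nerADDate\nerADBoolean\nerADMultiValueString\n"
SCHEMA_DSML = ("<dsml><directory-schema>"
               + _attr("erADString1", 100, 15) + _attr("erADInteger", 101, 27)
               + _attr("erADDate", 102, 24) + _attr("erADBoolean", 103, 7)
               + _attr("erADMultiValueString", 104, 15, single="false")
               + '<class superior="top"><name>erADAccount</name><attribute ref="eruid" required="true"/>'
               + "".join(f'<attribute ref="{n}" required="false"/>' for n in EXSCHEMA_TXT.split())
               + "</class></directory-schema></dsml>")
CUSTOM_LABELS = ("# ADAgent Labels definitions\neradstring1=ADString1\neradinteger=ADInteger\n"
                 "eraddate=ADDate\neradboolean=ADBoolean\neradmultivaluestring=ADMultiValueString\n")
```

To check a real profile, read the extracted files from the ADProfile directory and pass their contents to check_profile; an empty result means the JAR is ready to be rebuilt.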

Appendix B. Adapter attributes
As part of the adapter implementation, a dedicated account for Tivoli Identity
Manager to access the Active Directory Server is created on the Active Directory
Server. The Active Directory Adapter consists of files and directories that are
owned by the Tivoli Identity Manager account. These files establish communication
with the Tivoli Identity Manager server.

Attribute descriptions
The Tivoli Identity Manager server communicates with the Active Directory
Adapter using attributes that are included in transmission packets that are sent
over a network. The combination of attributes, included in the packets, depends on
the type of action that the Tivoli Identity Manager server requests from the Active
Directory Adapter.

Table 13 is an alphabetical listing of the attributes that are used by the Active
Directory Adapter. The table gives a brief description and the data type for the
value of the attribute.
Table 13. Attributes, descriptions, and corresponding data types. Each entry lists
the directory server attribute, its data type in parentheses, and a description.

cn (String): Specifies the user’s full name (first and last name)
description (String): Specifies the description for the user
erADAllowDialin (Boolean): Specifies whether the user is allowed dial-in access
erADAllowEncryptedPassword (Boolean): Specifies whether encrypted passwords are allowed
erADBadLoginCount (Long): Specifies the number of invalid login attempts that are allowed since the last reset
erADBasePoint (String): Specifies the DN of the domain name, extended to allow any base point
erADCallbackNumber (String): Specifies the callback number for remote access services that is used when DialinCallBack is set to fixed
erADCannotBeDelegated (Boolean): Specifies that this account cannot be assigned for delegation by another account
erADContainer (Integer): Specifies the Relative Distinguished Name (RDN) of a container object in which to create the user account. The container is relative to the domain.
erADContainerCN (String): Specifies the short name for the container object
erADContainerDN (String): Specifies the full DN for the container object
erADContainerRDN (String): Specifies the container RDN
erADCountyCode (Integer): Specifies the country where the user resides
erADDialinCallback (Integer): Sets the dial-in callback for the user:
    1 - No callback
    2 - Fixed callback using erADCallbackNumber
    3 - This option is not used
    4 - User-supplied callback
erADDisplayName (String): Specifies the Active Directory displayName attribute
erADDistinguishedName (String): Specifies the distinguished name of the account on the Active Directory
erADDomainPassword (String): Specifies the password for the user ID that is used to connect to the Active Directory
erADDomainUser (String): Specifies the user ID that is used when connecting to the Active Directory
erADEActiveSyncEnabled (Boolean): Specifies whether to enable or disable Active Sync
erADEAlias (String): Specifies the alias for the Exchange Mailbox
erADEAllowAddressList (String): Specifies a list of e-mail IDs that the user accepts mail from
erADEAssociatedExtAcc (Integer): Specifies whether the user has associated external account permission
erADEAutoGenEmailAddrs (Boolean): Specifies whether the recipient update services update the e-mail address
erADEChgPermissions (Integer): Specifies whether to change the user’s Mailbox permission
erADEDaysBeforeGarbage (Integer): Specifies the number of days that deleted mail is retained before it is permanently deleted
erADEDelegates (String): Specifies the list of all users that have access to the Exchange Mailbox
erADEDelMailboxStorage (Integer): Specifies whether the user has delete Mailbox storage permission
erADEEnableRetentionHold (Boolean): Specifies whether to enable or disable Retention Hold
erADEEnableStoreDeflts (Boolean): Specifies whether to use only default store values for storage limits, or to use other properties pertaining to the Mailbox
erADEEndRetentionHold (Date): Specifies the date to stop retention hold
erADEExtension1 (String): Specifies a user-defined extension attribute
erADEExtension2 (String): Specifies a user-defined extension attribute
erADEExtension3 (String): Specifies a user-defined extension attribute
erADEExtension4 (String): Specifies a user-defined extension attribute
erADEExtension5 (String): Specifies a user-defined extension attribute
erADEExtension6 (String): Specifies a user-defined extension attribute
erADEExtension7 (String): Specifies a user-defined extension attribute
erADEExtension8 (String): Specifies a user-defined extension attribute
erADEExtension9 (String): Specifies a user-defined extension attribute
erADEExtension10 (String): Specifies a user-defined extension attribute
erADEExtension11 (String): Specifies a user-defined extension attribute
erADEExtension12 (String): Specifies a user-defined extension attribute
erADEExtension13 (String): Specifies a user-defined extension attribute
erADEExtension14 (String): Specifies a user-defined extension attribute
erADEExtension15 (String): Specifies a user-defined extension attribute
erADEForwardingStyle (String): Specifies whether e-mail is also delivered to an alternative e-mail address
erADEForwardTo (String): Specifies the URL where e-mail is to be forwarded
erADEFullMailboxAccess (Integer): Specifies whether the user has full Mailbox access permission
erADEGarbageAfterBckp (Boolean): Specifies whether deleted messages can be permanently deleted once the Mailbox has been backed up
erADEGroupType (String): Specifies the group object
erADEHardLimit (Integer): Specifies the maximum Mailbox size in KB at which sending and receiving e-mail is disabled
erADEHideFromAddrsBk (Boolean): Specifies whether the address is displayed in the address book
erADEHomeMDB (String): Specifies the URL of the store for the recipient
erADEIncomingLimit (Integer): Specifies the maximum size in KB of a message sent to the recipient
erADELanguages (String): Specifies an array of language names for the user
erADEMailboxStore (Binary): Specifies the name of the mail store that will hold the user Mailbox
erADEMailStoreCN (String): Specifies the mail store common name (CN)
erADEMailStoreDN (Binary): Specifies the mail store DN
erADEMailStoreGN (String): Specifies the mail store group name
erADEMailStoreRDN (Binary): Specifies the mail store object relative directory name (RDN) attribute
erADEMailStoreSN (String): Specifies the Mailbox store single name, which includes the server name (server - mailstore)
erADEMAPIEnabled (Boolean): Specifies whether to enable or disable MAPI support
erADEmployeeID (String): Specifies the user’s employee identifier
erADEOutgoingLimit (Integer): Specifies the maximum size in KB of a message sent from the recipient
erADEOutlookWebAccessEnabled (Boolean): Specifies whether to enable or disable Outlook Web Access
erADEOverQuotaLimit (Integer): Specifies the maximum size of a Mailbox in KB before sending messages is suspended
erADEOverrideGarbage (Boolean): Specifies whether the store will be prevented from permanently deleting messages
erADEProxyAddresses (String): Specifies a list of proxy addresses for the recipient
erADEReadPermissions (Integer): Specifies whether the user has read Mailbox permission
erADERecipientLimit (Integer): Specifies the maximum number of people to whom the recipient can send e-mail
erADERstrctAdrsLs (String): Specifies a list of e-mail addresses to reject mail from
erADEServerName (String): Specifies the name of the Microsoft Exchange Server
erADEShowInAddrBook (String): Specifies the list of address books that the user is a member of
erADESMTPEmail (String): Specifies the primary SMTP address that is used for the recipient
erADEStartRetentionHold (Date): Specifies the date to start retention hold
erADEStoreQuota (Integer): Specifies the limit at which the recipient gets a warning for exceeding their mail file storage allocation
erADETakeOwnership (Integer): Specifies whether the user has take Mailbox ownership permission
erADETargetAddress (String): Specifies the external e-mail address to be used by the user
erADEX400Email (String): Specifies the primary X.400 address that is used for the recipient
erADExpirationDate (Date): Specifies the date and time after which the user cannot log in
erADfax (String): Specifies the fax numbers of the user
erADGroupCN (String): Specifies the short name for the group object
erADGroupDN (String): Specifies the full DN for the group object
erADHomeDir (String): Specifies a null-terminated string containing the path of the user’s home directory. This string can specify a local path or a UNC path, for example \\machine\share\path
erADHomeDirAccessShare (String): Specifies the user access level on the share
erADHomeDirDrive (String): Specifies the drive letter to assign to a UNC-based home directory
erADHomeDirNtfsAccess (String): Specifies the NTFS security level for the user’s home directory
erADHomeDirShare (String): Specifies the name of the share to create for the home directory. Append a dollar sign ($) to create a hidden share.
erADHomePage (String): Specifies the URL for the user’s home page
erADInitial (String): Specifies the middle initials of the user’s name
erADIsAccountLocked (Boolean): Specifies whether the account is locked because of intruder detection
erADLastFailedLogin (Date): Specifies the date and time of the last failed network login
erADLastLogoff (Date): Specifies the date and time of the last network logoff
erADLastLogon (Date): Specifies the date and time of the last successful network login
erADLoginScript (String): Specifies the login script path
erADLoginWorkstations (String): Specifies a comma-separated list of addresses or names of workstations from which the user can log in
erADManager (String): Specifies the user ID for the user’s manager
erADNamePrefix (String): Specifies the user’s title, for example Ms. or Mr.
erADNameSuffix (String): Specifies the user’s name suffix, for example Jr. or III
erADNoChangePassword (Boolean): Specifies whether the user can change their password
erADOfficeLocations (String): Specifies the office location
erADOtherName (String): Specifies an additional name, for example the middle name, for the user
erADPasswordForceChange (Boolean): Specifies whether to force a password change on next login
erADPasswordLastChange (Date): Specifies the last time that the password was changed
erADPasswordMinimumLength (Long): Specifies the minimum length of the password
erADPasswordNeverExpires (Boolean): Specifies whether a password can never expire
erADPasswordRequired (Boolean): Specifies whether the password is required
erADPrimaryGroup (String): Specifies the primary group ID
erADPrimaryGrpTkn (String): Specifies the ID of the group that is used to set the primary group
erADRequireUniquePassword (Boolean): Specifies whether a new password must be different from those known through a password history
erADSmartCardRequired (Boolean): Specifies whether a smart card is required for login
erADTrustedForDelegation (Boolean): Specifies that the user has the ability to assign responsibility for management and administration of a portion of the domain namespace to another user, group, or organization
erADUPN (String): Specifies the principal name for the user account
erADWTSAllowLogon (Boolean): Specifies whether the user account is permitted to log on to a terminal server
erADWTSBrokenTimeout (Boolean, Long): Specifies what happens when the connection or idle timers expire or when a connection is lost due to a connection error
erADWTSCallbackNumber (String): Citrix ICA clients must specify a null-terminated string containing the phone number to use for callback connections
erADWTSCallbackSettings (Integer): Citrix ICA clients must specify a value that indicates the configuration for dial-up connections in which the terminal server hangs up and then calls back the client to establish the connection. Valid values:
    1 - The server prompts the user to enter a phone number, and calls the user back at that phone number. You can use the WtsCallbackNumber value to specify a default phone number.
    2 - The server automatically calls the user back at the phone number specified by the WtsCallbackNumber value.
erADWTSClientDefaultPrinter (Boolean): RDP 5.0 clients and Citrix ICA clients must specify whether the client printer is the default printer
erADWTSClientDrives (Boolean): Citrix ICA clients must specify whether the terminal server automatically establishes client drive mappings at login
erADWTSClientPrinters (Boolean): RDP 5.0 clients and Citrix ICA clients must specify whether the terminal server automatically establishes client printer mappings at login
erADWTSHomeDir (String): Specifies a null-terminated string for the path of the user’s home directory for terminal server login. This string can specify a local path or a UNC path (\\machine\share\path)
erADWTSHomeDirAccessShare (Integer): Specifies the user access level to the share on the WTS home directory
erADWTSHomeDirDrive (String): Specifies a null-terminated string for a drive letter to which the UNC path specified in the WtsHomeDir string is mapped
erADWTSHomeDirNtfsAccess (String): Specifies the NTFS access to the home directory
erADWTSHomeDirShare (String): Specifies the name of a share to create for the WTS home directory. Append a dollar sign ($) to create a hidden share.
erADWTSInheritInitialProg (Boolean): Specifies whether the client can specify the initial program. If not set, WtsInitialProgram is the only program the user can run. The terminal server logs off the user when the user exits that program.
erADWTSInitialProgram (String): Specifies a null-terminated string for the path of the initial program that Terminal Services runs when the user logs in. If the WtsInheritInitialProgram value is 1, the initial program can be any program specified by the client.
erADWTSProfilePath (String): Specifies a null-terminated string for the path of the user’s profile for terminal server login
erADWTSReconnectSettings (Integer): Specifies a value that indicates how a disconnected session for a user can be reconnected. Valid values:
    0 - The user can log in to any client computer to reconnect to a disconnected session. Note that sessions started at clients other than the system console cannot be connected to the system console, and sessions started at the system console cannot be disconnected.
    1 - The user can reconnect to a disconnected session by logging on to the client computer used to establish the disconnected session. If the user logs on from a different client computer, the user gets a new login session.
erADWTSRemoteHomeDir (String): Specifies the user’s home directory on the Windows Server
erADWTSServerName (String): Specifies the name of the WTS where the user is configured
erADWTSShadowSettings (Integer): RDP 5.0 clients and Citrix ICA clients must specify a value that indicates whether the user session can be shadowed. Shadowing allows a user to remotely monitor the on-screen operations of another user.
erADWTSTimeoutConnections (Integer): Specifies the maximum connection duration, in milliseconds. One minute before the connection timeout interval expires, the user is notified of the pending disconnection. The user’s session is disconnected or terminated depending on the WtsBrokenTimeout value. Every time the user logs on, the timer is reset. A value of zero indicates the connection timer is disabled.
erADWTSTimeoutDisconnections (Integer): Specifies the maximum duration, in milliseconds, that a WTS retains a disconnected session before the login is terminated. A value of zero indicates the disconnection timer is disabled.
erADWTSTimeoutIdle (Integer): Specifies the maximum idle time, in milliseconds. If there is no keyboard or mouse activity for the specified interval, the user’s session is disconnected or terminated depending on the WtsBrokenTimeout value. A value of zero indicates the idle timer is disabled.
erADWTSWorkingDir (String): Specifies a null-terminated string for the path of the working directory for the initial program
erCompany (String): Specifies the name of the company that the user works for
erDepartment (String): Specifies the department within the company to which the user belongs
erDivision (String): Specifies the division within a company (organization) that the employee belongs to
erGroup (String): Specifies names of groups
erLogonTimes (Byte array, Login time (LT)): Specifies the time periods for each day of the week during which logins are permitted for the user. Represented as a table of Boolean values for the week, each indicating whether that time slot is a valid login time.
erMaxStorage (Long): Specifies the maximum amount of disk space, in KB, that the user can have
erPassword (String): Specifies the password for the user account
erProfile (String): Specifies the path to the user’s profile
eruid (String): Specifies the user ID
givenName (String): Specifies the user’s first name
homePhone (String): Specifies the user’s home telephone number
l (String): Specifies the user’s city or location (the attribute name is the lowercase letter 'l')
mail (String): Specifies the user’s e-mail address
mobile (String): Specifies the user’s mobile telephone number
pager (String): Specifies the user’s pager number
postalCode (String): Specifies the user’s postal code for their address
postOfficeBox (String): Specifies the user’s Post Office Box
sn (String): Specifies the user’s last name
st (String): Specifies the state where the user resides
street (String): Specifies the street address where the user resides
telephoneNumber (String): Specifies the user’s work telephone number
title (String): Specifies the user’s title
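The erLogonTimes entry above describes a byte array holding one Boolean per time slot for every day of the week. The following is an added example, not code from the adapter or from this guide, showing how such a bitmap is built, queried and summarised. It assumes the Active Directory logonHours layout, which the page does not state: 168 one-hour slots for the week packed least-significant-bit first into 21 bytes, starting at Sunday 00:00, with the hours expressed in UTC (so a site outside UTC must shift its policy before encoding it). The business-hours policy is a constructed sample.

```python
"""Build, query and summarise a weekly logon-hours bitmap.

Added example, not adapter or IBM code. Assumed layout (not stated on the
page): 168 one-hour slots packed LSB-first into 21 bytes, Sunday 00:00 first,
hours in UTC. A set bit means login is permitted in that hour.
"""

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 7 * 24            # 168 slots
BITMAP_LEN = HOURS_PER_WEEK // 8   # 21 bytes (assumed AD layout)


def slot_index(day: int, hour: int) -> int:
    """Map (day 0=Sunday..6=Saturday, hour 0..23) to a bit position."""
    if not 0 <= day <= 6 or not 0 <= hour <= 23:
        raise ValueError(f"invalid day/hour: {day}/{hour}")
    return day * 24 + hour


def build_logon_hours(allowed: set[tuple[int, int]]) -> bytes:
    """Return the 21-byte bitmap permitting exactly the given (day, hour) slots."""
    bits = bytearray(BITMAP_LEN)
    for day, hour in allowed:
        i = slot_index(day, hour)
        bits[i // 8] |= 1 << (i % 8)   # LSB-first within each byte (assumption)
    return bytes(bits)


def login_permitted(bitmap: bytes, day: int, hour: int) -> bool:
    """True if the bitmap permits login in the given (day, hour) slot."""
    if len(bitmap) != BITMAP_LEN:
        raise ValueError(f"bitmap must be {BITMAP_LEN} bytes, got {len(bitmap)}")
    i = slot_index(day, hour)
    return bool((bitmap[i // 8] >> (i % 8)) & 1)


def decode_logon_hours(bitmap: bytes) -> dict[str, list[tuple[int, int]]]:
    """Summarise the bitmap as half-open permitted ranges [start, end) per day."""
    summary: dict[str, list[tuple[int, int]]] = {}
    for day, name in enumerate(DAYS):
        ranges: list[tuple[int, int]] = []
        start = None
        for hour in range(24):
            ok = login_permitted(bitmap, day, hour)
            if ok and start is None:
                start = hour
            elif not ok and start is not None:
                ranges.append((start, hour))
                start = None
        if start is not None:
            ranges.append((start, 24))
        summary[name] = ranges
    return summary


def business_hours_bitmap() -> bytes:
    """Constructed sample policy: Monday to Friday, 08:00 to 18:00 only."""
    allowed = {(d, h) for d in range(1, 6) for h in range(8, 18)}
    return build_logon_hours(allowed)


if __name__ == "__main__":
    bm = business_hours_bitmap()
    print("logon hours bitmap:", bm.hex())
    for day, ranges in decode_logon_hours(bm).items():
        print(f"{day}: {ranges}")
```

decode_logon_hours is the useful direction for review work: given a value read back from the directory it reports, per day, the hours during which the account may log in, which is quicker to audit than the raw hex.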

Active Directory Adapter attributes by action
The following lists are typical Active Directory Adapter actions by their functional
transaction group. The lists include more information about required and optional
attributes sent to the Active Directory Adapter to complete that action.

System Login Add

A System Login Add is a request to create a new user account with the specified
attributes.

Table 14. Add request attributes
Required attribute: erUid
Optional attributes: All other supported attributes

System Login Change

A System Login Change is a request to change one or more attributes for the
specified users.

Table 15. Change request attributes
Required attribute: erUid
Optional attributes: All supported attributes

System Login Delete

A System Login Delete is a request to remove the specified user from the directory.

Table 16. Delete request attributes
Required attribute: erUid
Optional attributes: erADBasePoint, erADDomainUser, erADDomainPassword

System Login Suspend

A System Login Suspend is a request to disable a user account. The user is neither
removed nor are their attributes modified.

Table 17. Suspend request attributes
Required attributes: erUid, erAccountStatus
Optional attributes: erADBasePoint, erADDomainUser, erADDomainPassword

System Login Restore

A System Login Restore is a request to activate a user account that was previously
suspended. Once an account is restored, the user can access the system with the
same attributes as those before the Suspend function was called.

Table 18. Restore request attributes
Required attributes: erUid, erAccountStatus
Optional attributes: erADBasePoint, erADDomainUser, erADDomainPassword

Reconciliation

The Reconciliation function synchronizes user account information between Tivoli
Identity Manager and the adapter.

Table 19. Reconciliation attributes
Required attribute: None
Optional attributes: erADBasePoint, erADDomainUser, erADDomainPassword
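Tables 14 to 19 together define, per action, which attributes a request must carry and which it may carry. The following is an added example, not adapter or IBM code, that encodes those rules and checks a request against them; it also masks the two password-carrying attributes before a request is written to an activity log. The request is modelled as a plain dict of attribute name to value, a constructed stand-in for the transmission packets, whose wire format this page does not describe, and the supported attribute set for Add and Change is a constructed subset of Table 13.

```python
"""Check an adapter request against the required/optional attribute tables.

Added example, not adapter or IBM code. Requests are modelled as dicts
(constructed stand-in for the real packets); SUPPORTED_ATTRS is a constructed
subset of Table 13 standing in for "all other supported attributes".
"""

# Connection attributes that Delete, Suspend, Restore and Reconciliation
# accept as optional (Tables 16 to 19).
CONNECTION_ATTRS = frozenset({"erADBasePoint", "erADDomainUser", "erADDomainPassword"})

# Constructed subset of Table 13; extend from the table for real use.
SUPPORTED_ATTRS = frozenset({
    "erUid", "erAccountStatus", "erPassword", "cn", "sn", "givenName", "mail",
    "erADContainer", "erADUPN", "erADPasswordForceChange", "erGroup",
    "erLogonTimes",
}) | CONNECTION_ATTRS

# action -> (required attributes, optional attributes), from Tables 14 to 19.
ACTION_RULES = {
    "add":       (frozenset({"erUid"}), SUPPORTED_ATTRS),
    "change":    (frozenset({"erUid"}), SUPPORTED_ATTRS),
    "delete":    (frozenset({"erUid"}), CONNECTION_ATTRS),
    "suspend":   (frozenset({"erUid", "erAccountStatus"}), CONNECTION_ATTRS),
    "restore":   (frozenset({"erUid", "erAccountStatus"}), CONNECTION_ATTRS),
    "reconcile": (frozenset(), CONNECTION_ATTRS),
}

# Attributes whose values must never reach an activity log (Table 13).
SECRET_ATTRS = frozenset({"erPassword", "erADDomainPassword"})


def validate_request(action: str, attrs: dict) -> tuple[bool, list[str]]:
    """Return (ok, problems) for one request.

    A request passes when every required attribute for the action is present
    and every attribute it carries is either required or optional for it.
    """
    rules = ACTION_RULES.get(action)
    if rules is None:
        return False, [f"unknown action: {action}"]
    required, optional = rules
    present = set(attrs)
    problems = []
    missing = sorted(required - present)
    if missing:
        problems.append("missing required: " + ", ".join(missing))
    unexpected = sorted(present - required - optional)
    if unexpected:
        problems.append("not accepted for this action: " + ", ".join(unexpected))
    return not problems, problems


def redact(attrs: dict) -> dict:
    """Copy of the request that is safe to write to an activity log."""
    return {k: ("<redacted>" if k in SECRET_ATTRS else v) for k, v in attrs.items()}


if __name__ == "__main__":
    # Constructed sample requests; values are placeholders.
    samples = [
        ("add", {"erUid": "jdoe", "cn": "Jane Doe", "erPassword": "constructed"}),
        ("suspend", {"erUid": "jdoe"}),                               # erAccountStatus missing
        ("delete", {"erUid": "jdoe", "mail": "jdoe@example.test"}),   # mail not accepted
        ("reconcile", {"erADBasePoint": "DC=example,DC=test"}),
    ]
    for action, attrs in samples:
        ok, problems = validate_request(action, attrs)
        print(action, redact(attrs), "OK" if ok else problems)
```

Rejecting attributes that a given action does not accept, rather than silently ignoring them, makes a malformed or tampered request visible at the point where it is logged, and the redact step keeps erPassword and erADDomainPassword out of those logs.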

Appendix C. Running in Federal Information Processing Standards compliance mode
Tivoli Identity Manager can be operated with FIPS 140-2 certified cryptographic
modules. FIPS 140-2 is a standard from the US National Institute of Standards and
Technology (NIST) that applies to cryptographic modules.

Two FIPS 140-2 modules are used:
v IBM Java™ Cryptographic Extension
v OpenSSL module

As a user of these modules there is no certification implied for Tivoli Identity
Manager. However, for the correct use of these FIPS 140-2 modules IBM customers
need to follow the instructions in this document.

The fipsEnable tool enables the adapter to be Federal Information Processing
Standards (FIPS) compliant. The fipsEnable tool causes the adapter to use a FIPS
certified encryption library so that all cryptographic keys that are used are
generated by a FIPS compliant algorithm. Any communications with the adapter
are also secured. The tool generates the FIPS master key, enables the FIPS mode
setting, changes the USE_SSL parameter to TRUE and re-encrypts the existing
encrypted values for:
v agentCfg key
v DAML user name and password
v Adapter specific encrypted registry items

Note: After FIPS mode is enabled, it cannot be disabled. You must reinstall the
adapter if you want to disable FIPS mode.

Configuring the adapter to run in FIPS mode

1. Install the adapter.
2. Run the fipsEnable tool. Issue the command:
   fipsEnable -reg agentName
3. Restart the adapter.

Operational differences running in FIPS mode

The DAML protocol used to communicate between the adapter and Tivoli Identity
Manager must run in SSL mode. The fipsEnable tool sets the DAML SSL mode to
TRUE. In SSL mode, however, you must install a server certificate because the
fipsEnable tool does not convert an existing DAML certificate and key.

Note: You cannot import a PKCS12 file containing a certificate and key. You must
use certtool (option A) to create a Certificate Signing Request (CSR) and
have it signed by a Certificate Authority. You can then install the signed
certificate with certtool (option B). See “Starting CertTool” on page 39 for
more information about creating and installing a certificate.

The agentCfg tool automatically detects when the adapter is running in FIPS mode
and initializes the encryption library in FIPS mode. In addition, the ADK only
accepts agentCfg connections from localhost (127.0.0.1).

Security policy
For FIPS compliance, a security policy must be defined that outlines the
requirements for the end user to operate the application in a FIPS compliant mode.
The software ensures that the correct algorithms and keys are used; however,
additional requirements for the environment are the responsibility of the security
officer. The security policy defines two roles, security officer and user. It defines
the extent to which each of these persons can physically access the workstation, file
system and configuration tools. The security of the workstation, of the file system,
and of the configuration is the responsibility of the security officer.

Authentication roles
The FIPS security policy normally defines separate roles for a security officer and a
user. In the case of an adapter, the user role is actually the Tivoli Identity Manager
server. The installation and configuration of the adapter needs to be performed by
the security officer.

It is the responsibility of the security officer to ensure that the proper physical and
logical security is in place to prevent access to the adapter by unauthorized
personnel. This means that the physical workstation must be in a secure location
that is accessible only by persons with the authority and access privileges of the
security officer. In addition, the security on the folder in which the adapter is
installed must be configured to prevent access by personnel other than security
officers.

For Windows installations, the system registry must be secured at the top level key
for the adapter to prevent access by personnel other than security officers.

Rules of operation
v The replacement or modification of the adapter by unauthorized intruders is
prohibited.
v The operating system enforces authentication methods to prevent unauthorized
access to adapter services.
v All critical security parameters are verified as correct and are securely generated,
stored, and destroyed.
v All host system components that can contain sensitive cryptographic data (main
memory, system bus, disk storage) must be located in a secure environment.
v The operating system is responsible for multitasking operations so that other
processes cannot access the address space of the process containing the adapter.
v Secret or private keys that are input to or output from an application must be
encrypted using a FIPS approved algorithm.

Appendix D. Accessibility features for the Active Directory
Adapter
Accessibility features help a user who has a physical disability, such as restricted
mobility or limited vision, to use information technology products successfully.

Accessibility features
The following list includes the major accessibility features in the Active Directory
Adapter. These features support:
v Keyboard-only operation.
v Interfaces that are commonly used by screen readers.
v Keys that are tactilely discernible and do not activate just by touching them.
v Industry-standard devices for ports and connectors.
v The attachment of alternative input and output devices.
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.

Note: The IBM Tivoli Identity Manager Information Center and its related
publications are accessibility-enabled for the IBM Home Page Reader. You
can operate all features using the keyboard instead of the mouse.

Keyboard navigation
This product uses standard Microsoft Windows navigation keys.

IBM and accessibility

See the IBM Accessibility Center at http://www.ibm.com/able for more information
about the commitment that IBM has to accessibility.

Appendix E. Support information
Use the following options to obtain support for IBM products:
v “Searching knowledge bases”
v “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity
Manager products. Click the link for your product, and then browse the
information center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/
IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus®, and Rational® products, as well as DB2 and WebSphere products that
run on Windows or UNIX operating systems), enroll in Passport Advantage® in
one of the following ways:
– Online: Go to the Passport Advantage Web page (http://www.lotus.com/
services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How
to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site (http://techsupport.services.ibm.com/guides/
contacts.html) and click the name of your geographic region.
v For IBM eServer™ software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries®, pSeries®, and iSeries™ environments),
you can purchase a software maintenance agreement by working directly with
an IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:

Severity 1: Critical business impact. You are unable to use the program,
resulting in a critical impact on operations. This condition requires an
immediate solution.
Severity 2: Significant business impact. The program is usable but is
severely limited.
Severity 3: Some business impact. The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4: Minimal business impact. The problem causes little impact on
operations, or a reasonable circumvention to the problem has been
implemented.

Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:
v Online: Go to the "Submit and track problems" page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web (http://
techsupport.services.ibm.com/guides/contacts.html) and click the name of your
geographic region.

If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.

Appendix F. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.

This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.

The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.

Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corporation in the United States, other countries,
or both. If these and other IBM trademarked terms are marked on their first
occurrence in this information with a trademark symbol (® or ™), these symbols
indicate U.S. registered or common law trademarks owned by IBM at the time this
information was published. Such trademarks may also be registered or common
law trademarks in other countries. A current list of IBM trademarks is available on
the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either
registered trademarks or trademarks of Adobe Systems Incorporated in the United
States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both and is used under
license therefrom.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the
United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.

UNIX is a registered trademark of The Open Group in the United States and other
countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office
of Government Commerce, and is registered in the U.S. Patent and Trademark
Office.

IT Infrastructure Library is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.

Other company, product, and service names may be trademarks or service marks
of others.

Index

A
accessibility ix, 73
  keyboard 73
  pdf format, for screen-reader software 73
  shortcut keys 73
  text, alternative for document images 73
activity logging 22
adapter
  ADK upgrade 54
  attributes
    by adapter action 68
    descriptions 61
  base point configuration 51
  communication with Tivoli Identity Manager Server 5
  configuration steps 10
  customization steps 47
  extend attributes 47
  features 1
  installation 8
  installation overview 1
  installation prerequisites 7
  removal 55
  upgrade 53
adapter configuration tool
  See agentCfg
adapter overview 1
add request attributes 68
ADK50Installer.log file 54
ADK50Installeropt.log file 54
administrator authority prerequisites 7
agentCfg
  arguments 30
  changing adapter parameters
    configuration key 22
    protocol settings 13
    registry settings 24
    request processing 28
  menus
    activity logging 22
    advanced settings 29
    event notification 16
    help 30
    Main Configuration 11
    Protocol Configuration 12
    registry 24
    viewing configuration settings 12
attributes
  by Active Directory Adapter action
    add 68
    change 68
    delete 68
    restore 68
    suspend 68
  descriptions 61
  extension 47
  reconciliation 69

B
books
  see publications v, ix

C
certificate authority
  definition 33
certificate signing request (CSR) 42
certificates
  CA
    available functions 40
    deleting 43
    installing 43
    viewing installed 43
  certificate management tools
    See CertTool
  definition 33
  examples
    certificate signing request (CSR) 42
    install 42
  installation
    from file 42
    sample 42
  key formats 35
  overview 33
  private keys and digital certificates 34
  protocol configuration tool
    See CertTool
  register 40
  registered
    registering 44
    removing 44
    viewing 44
  request 41
  self-signed 34
  viewing
    installed 43
    registered 44
  viewing installed 43
  viewing registered 44
CertTool
  CA certificate
    deleting 43
    installing 43
    viewing 43
  certificate
    install 42
    register 40
    request 41
    viewing installed 43
    viewing registered 44
  changing adapter parameters
    accessing 35, 39
    options 40
  client authentication 40
  install certificate 42
  private key, generating 41
  registered certificate
    registering 44
    removing 44
    viewing 44
change request attributes 68
character sets, supported 29
client authentication 37
client validation, SSL 38
configuration
  base point 51
  key
    changing with agentCfg 22
    default value 11, 22
    purpose 11
  settings
    changing with agentCfg 11
    default value 12
    viewing with agentCfg 12
  SSL 36
context
  baseline database 22
  deleting 18
  listing 18
  modifying 20
  search attributes 21
  target DN 21
conventions
  HOME directory
    Tivoli_Common_Directory xiii
    DB_INSTANCE_HOME xi
    HTTP_HOME xii
    ITIM_HOME xiii
    LDAP_HOME xii
    WAS_HOME xiii
    WAS_NDM_HOME xiii
  typeface x
  used in this document x
CSR
  definition 41
  file, generating 41
customer support
  see Software Support 75
CustomLabels.properties file 60
  updating 49

D
DAML protocol
  configuring with agentCfg 13
  encryption
    default value 13
    type 13
  options 13
  properties, changing with agentCfg
    options 13
    password 14
    portnumber 14
    require_cert_reg 15
    srv_nodename 14
    srv_portnumber 15
    username 14
    validate_client_ce 15
  SSL authentication 35
DB_INSTANCE_HOME
  DB2 UDB installation directory xi
  definition xi
debug log
  default value 23
  enable/disable with agentCfg 22
  purpose 24
delete request attributes 68
detail log
  default value 23
  enable/disable with agentCfg 22
  purpose 24
directory
  DB_INSTANCE_HOME xi
  HTTP_HOME xii
  installation
    DB2 UDB xi
    IBM Directory Server xii
    IBM HTTP Server xii
    WebSphere Application Server base product xiii
    WebSphere Application Server Network Deployment product xiii
  installation for Sun Java System Directory Server xii
  ITIM_HOME xiii
  LDAP_HOME xii
  WAS_HOME xiii
  WAS_NDM_HOME xiii
disability 73
disk space prerequisites 7
documents
  IBM Tivoli Identity Manager library v
  related viii

E
education
  see Tivoli technical training ix
enable/disable with agentCfg 22
encrypted registry settings 24
encryption
  DAML protocol
    default value 13
    type 13
  SSL 33, 34
environment variables, notation xi
event notification
  cache size 18
  changing with agentCfg 16
  context
    baseline database 22
    deleting 18
    listing 18
    modifying 20
    search attributes 21
    target DN 21
  enable/disable 17
  reconciliation
    attributes 18
    context 18
    intervals 17
    modifying 18
    process priority 18
    starting manually 18
Exchange Mailbox prerequisites 7
exschema.txt file 48

F
files
  adapter-specific 57
  CustomLabels.properties file 60
    updating 49
  examples
    schema.dsml file 57
  exschema.txt file 48
  schema.dsml file 57
    classes 59
    object identifier 58
    updating 49

H
help menu for agentCfg 31
  accessing with -help command 30
home directories
  DB_INSTANCE_HOME xi
  HTTP_HOME xii
  ITIM_HOME xiii
  LDAP_HOME xii
  WAS_HOME xiii
  WAS_NDM_HOME xiii
HTTP_HOME
  definition xii
  IBM HTTP Server installation directory xii

I
import
  adapter profile 8, 50
  PKCS12 file 35
information centers, searching to find software problem resolution 75
installation
  adapter 8
  certificate 42
  directory
    DB2 UDB xi
    IBM Directory Server xii
    IBM HTTP Server xii
    Sun Java System Directory Server xii
    WebSphere Application Server base product xiii
    WebSphere Application Server Network Deployment product xiii
  prerequisites 7
  profile 8
  uninstall 55
installation prerequisites
  administrator authority 7
  network connectivity 7
  operating system 7
  Tivoli Identity Manager server 7
Internet, searching to find software problem resolution 75
ITIM_HOME
  definition xiii
  directory xiii

K
knowledge bases, searching to find software problem resolution 75

L
LDAP_HOME
  definition xii
  IBM Directory Server installation directory xii
  Sun Java System Directory Server installation directory xii
logs
  activity settings, changing 12
  ADK50Installer.log file 54
  ADK50Installeropt.log file 54
  debug 22
  detail 22
  directory, changing with agentCfg 23
  display using agentCfg 31
  enable/disable, changing with agentCfg 23
  file name, changing with agentCfg 22
  settings, changing with adapterCfg 23
  settings, changing with agentCfg
    log file name 23
    max file size 23
  settings, default values 22
  statistics 30
  trace.log file 9
  view events 12
  viewing statistics 30

M
manuals
  see publications v, ix
memory prerequisites 7

N
network connectivity prerequisites 7
non-encrypted registry settings 24, 25
notation
  environment variables xi
  path names xi
  typeface xi

O
online publications
  accessing ix
operating system prerequisites 7
ordering publications ix

P
password protected file
  See PKCS12 file
passwords
  changing configuration key 22
  configuration key, default value 11, 22
passwords, changing with agentCfg
  DAML protocol 14
pdf format, for screen-reader software 73
PKCS12 file
  certificate and key installation 42
  export certificate and key 45
portnumber
  changing with agentCfg 13
portnumber, changing with agentCfg 14
private key
  definition 33
private key, generating 41
problem determination
  describing problem for IBM Software Support 77
  determining business impact for IBM Software Support 76
  submitting problem to IBM Software Support 77
properties, changing with agentCfg 13
protocol
  DAML
    configuring with agentCfg 13
    encryption default value 13
    encryption type 13
    properties, changing with agentCfg 13
  SSL
    overview 33
    server-to-adapter configuration 36
    two-way configuration 37, 38
public key 34
publications v
  accessing online ix
  IBM Tivoli Identity Manager library v
  ordering ix
  related viii

R
reconciliation
  attributes 18
  context 18
  intervals 17
  modifying 18
  process priority 18
reconciliation attributes 69
registry settings
  encrypted 24
  non-encrypted 24, 25
request attributes
  add 68
  change 68
  delete 68
  restore 68
  suspend 68
require_cert_reg, changing with agentCfg 15
restore request attributes 68
restoring accounts
  password requirements 50

S
schema.dsml file 57
  updating 49
self-signed certificate 34
shortcut keys
  keyboard 73
Software Support
  contacting 75
  describing problem for IBM Software Support 77
  determining business impact for IBM Software Support 76
  submitting problem to IBM Software Support 77
srv_nodename, changing with agentCfg 14
srv_portnumber, changing with agentCfg 15
SSL
  certificate installation 33
  certificate signing request 41
  encryption 33
  key formats 35
  overview 33
  private keys and digital certificates 34
  self-signed certificates 34
  server-to-adapter configuration 36
  two-way configuration 37, 38
SSL implementations, DAML protocol 35
suspend request attributes 68
system prerequisites 7

T
text, alternative for document images 73
thread count settings
  changing with agentCfg 28
  default values 28
  maximum concurrent requests 28
  reconciliation requests 29
  system login add requests 29
  system login change requests 29
  system login delete requests 29
Tivoli Identity Manager Adapter
  communication with the server 37, 38
  SSL communication 37, 38
Tivoli Identity Manager Server
  communication with adapter 5
  communication with the adapter 36
  configuring event notification 16
  importing adapter profile 8
  SSL communication 36
Tivoli Identity Manager server prerequisites 7
Tivoli software information center ix
Tivoli technical training ix
Tivoli_Common_Directory
  definition xiii
trace.log file 9
training, Tivoli technical ix
two-way configuration
  SSL
    client 37
    client and server 38
typeface conventions x

U
uninstallation 55
updating
  adapter form 50
  adapter profile 47
upgrade
  adapter 53
  adapter profile 8
  ADK 54
username, changing with agentCfg 14
UTF8 support 29

V
validate_client_ce, changing with agentCfg 15
variables, notation for xi

W
WAS_HOME
  definition xiii
  WebSphere Application Server base installation directory xiii
WAS_NDM_HOME
  definition xiii
  WebSphere Application Server Network Deployment installation directory xiii
western European character set, support 29
Windows Local Account Adapter 1


Printed in USA

SC23-9479-00
