IBM Support

Configuring Directory Integrator as WebSphere client for Identity Manager APIs

Technote (troubleshooting)


Problem(Abstract)

How to setup ITDI 7.1.x to connect to WebSphere 7.0 using the ISIM 6.0 APIs

Resolving the problem

To call the ISIM APIs from within an ITDI Assembly Line, the following jar files must be placed in the ITDI classpath (e.g. $ITDI_HOME/jars/3rdparty/IBM/isim):

    • <ISIM_HOME>/lib/api_ejb.jar
    • <ISIM_HOME>/lib/itim_api.jar
    • <ISIM_HOME>/lib/itim_common.jar
    • <ISIM_HOME>/lib/itim_server.jar
    • <ISIM_HOME>/lib/itim_server_api.jar
    • <ISIM_HOME>/lib/jlog.jar
    • <ISIM_HOME>/lib/com.ibm.cv.kmip.ext.jar
    • <WAS_HOME>/plugins/com.ibm.ws.ejbportable.jar
    • <WAS_HOME>/plugins/com.ibm.ws.emf.jar
    • <WAS_HOME>/plugins/com.ibm.ws.runtime.jar
    • <WAS_HOME>/runtimes/com.ibm.ws.admin.client_7.0.0.jar
    • <WAS_HOME>/runtimes/com.ibm.ws.webservices.thinclient_7.0.0.jar
The attached example (script_code.txt) shows how to create a platform context and subject for use with calls to the ISIM API. The "jaas_login_was.conf" file can be found in $ISIM_HOME/extensions/6.0/examples/apps/bin, and has the contents:


WSLogin {
com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required delegate=com.ibm.ws.security.common.auth.module.WSLoginModuleImpl;
};

The "sas.client.props" and "ssl.client.props" files can be found in $WAS_HOME/AppServer/profiles/<your_profile>/properties. If ITDI is on a separate machine from WebSphere, those files will need to be copied to the ITDI machine. "sas.client.props" should have settings of:

com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
com.ibm.CORBA.securityServerHost=isimsvr
com.ibm.CORBA.securityServerPort=2809
com.ibm.CORBA.loginTimeout=300
com.ibm.CORBA.loginSource=prompt

# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginPassword=

"com.ibm.CORBA.securityServerHost" should be the hostname of your WebSphere server. It must be resolvable from the ITDI machine. You can use "ping hostname" to check if the machine can be found on the network with that name. "com.ibm.CORBA.securityServerPort" should be set to the port number listed for BOOTSTRAP_ADDRESS in the WebSphere Admin console under: Servers -> Server types -> WebSphere application servers -> <your_appserver> -> Ports.

If ITDI is on a separate machine from WebSphere, you will need to edit the "ssl.client.props" file to refer to local copies of the key and truststores.

The "appServerURL" used in the example code should match this line from your enRole.properties file:
enrole.appServer.url=corbaloc:iiop:isimsvr:2809

When defining the CORBA and SSL ConfigURL settings in the example code, it is VERY important that the values be prefixed with "file:". The WebSphere client code is expecting a correctly formatted URL string, and leaving out the "file:" protocol string will cause it to fail.

If you are experiencing errors when setting this up, please enable client tracing for the WebSphere jar files used by ITDI. Edit %ITDI_HOME%\ibmdisrv.bat [Windows] or $ITDI_HOME/ibmdisrv [UNIX] to add the following JVM flags:

-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log -DtraceSettingsFile=/path/to/TraceSettings.properties

The original JVM string from ibmdisrv.bat:
"%TDI_JAVA_PROGRAM%" -classpath "%TDI_HOME_DIR%\IDILoader.jar" %ENV_VARIABLES% com.ibm.di.loader.ServerLauncher %*

The DEBUG JVM string from ibmdisrv.bat:
"%TDI_JAVA_PROGRAM%" -classpath "%TDI_HOME_DIR%\IDILoader.jar" %ENV_VARIABLES% -Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log -DtraceSettingsFile=c:/IBM/Solutions/TraceSettings.properties com.ibm.di.loader.ServerLauncher %*

An example "TraceSettings.properties" file can be found in $WAS_HOME/AppServer/properties. For this case, it should have the following contents:

traceFileName=MyTraceFile.log
com.ibm.ws.security.*=all=enabled
com.ibm.websphere.security.*=all=enabled

Unless a full path is specified, "MyTraceFile.log" and "client.log" will be written to whatever directory was chosen as the $SOLUTION_DIR when starting ITDI.

Product Alias/Synonym

enRole itim tim isim

Document information

More support for: IBM Security Identity Manager

Software version: 6.0

Operating system(s): AIX, Linux, Solaris, Windows

Software edition: Enterprise

Reference #: 1659565

Modified date: 17 December 2013


Translate this page: