Release notes - IBM Security Identity Adapter for IBM Security Access Manager 7.1.26


IBM Security Identity IBM Security Access Manager Adapter 7.1.26 is available. Compatibility, installation, and other getting-started issues are addressed.


Contents

 

Preface


Welcome to the IBM Security Identity IBM Security Access Manager Adapter, previously known as IBM Tivoli Access Manager Combo Adapter.


These Release Notes contain information for the following products that was not available when the manuals were printed:

·        IBM Security Identity IBM Security Access Manager Adapter Installation and Configuration Guide

 

Adapter Features and Purpose


The IBM Security Access Manager Adapter is designed to create and manage accounts on the IBM Security Access Manager for Web server. The adapter runs in "agentless" mode and communicates using the IBM Security Access Manager RegistryDirect API to the systems being managed.

IBM recommends one installation of this adapter (and the prerequisite IBM Security Directory Integrator) for each node of an ISIM/ISPIM/IGI cluster. However, the ISAM Java Runtime Environment can only be configured for one ISAM server. If multiple ISAM Services are required, multiple instances of ISDI can be installed, each pointing to a different ISAM server. The deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your IBM Security Identity Manager Provisioning Policies and Approval Workflow process. Please refer to IBM Security Identity Manager Knowledge Center for a discussion of these topics.

IBM Security Identity adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from IBM Security Identity servers will fail if the adapter is not given sufficient authority to perform the requested task. IBM recommends that this adapter run with administrative (sec_master) permissions.


License Agreement


Review and agree to the terms of the IBM Security Identity Adapter License prior to using this product. The license can be viewed from the "license" folder included in the adapter package.


Contents of this Release


Adapter Version


Component

Version

Build Date

2016 November 22 14.55.23

Adapter Version

7.1.26

Component Versions

Adapter build: 7.1.26.119

Profile: 7.1.26.119

Connector: 7.1.26.119

Dispatcher 7.0.31 (or higher, packaged separately)

Documentation

The following guides are available in the IBM Security Identity Adapters Knowledge Center:


·IBM Security Access Manager Adapter Installation and Configuration Guide


New Features


Enhancement # (FITS)

Description


Items included in current release


Add support for IGI 5.2.2

This adapter is now designed for use with Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence.



Usage of TAM Admin API is deprecated

The TAM Admin API option has been removed from the Service Form since Registry Direct should be used in all cases instead. This will not impact anyone using the GSO feature. If there is a particular need to use the TAM Admin APIs, it can be added back with the following steps:


  1. Open Configure System -> Deisgn Forms -> Service -> IBM Security Access Manager Profile
  2. Select tab named $eritamsvctab2
  3. Double click on the first entry - $eritamapi
  4. Add a new row defined with Data Value: TAM, Display Value: $eritamapiadmin
  5. Click OK, then save the form

 

Items included in 7.0.25 version


Add support for ISAM 9.0

The ISAM 9 PDJRTE is included in the appliance. In the Local Management Interface, navigate to Manage System Settings -> Secure Settings -> File Downloads. Under the isam directory, download pdjrte-9.0.0-0.zip


RFE76110

Add ability to manage Disable Time Interval on each account


INT126053

*** CHANGE IN DEFAULT BEHAVIOR ***
Reconciliation now uses a case insensitive filter.

If you need the old behavior, edit the service.def file in the profile. In the tamSearch section, look for "CaseInSensitiveFilter", then change true to false between the default tags.


 

Items included in 7.0.24 version


None


 

Items included in 7.0.23 version

RFE17072

Add ability to manage Max Password Age on each account


RFE56722

Add ability to manage Max Concurrent Web Sessions on each account. The value must be an integer greater than zero, -3 for Displace, or -4 for Unlimited.


RFE33651

Add ability to synchronize user password to GSO credentials during account create.

To utilize this feature, the ISAM service must be configured to Synchronize SSO passwords. When specifying the SSO credentials, leave the password field empty. And a password must be supplied for the user. If using the import option and not providing a user password, or not enabling Sync Password to SSO Lockbox on the Service form, a blank GSO credential password will generate an error.


RFE61605

Boolean flag attributes are always converted to lowercase before checking their value.


 

Initial release.



Closed Issues


CMVC#

APAR#

PMR# / Description

   

Items closed in current version

   

None


   

Items closed in 7.0.25 version

  IV74759

Attempting to modify account with a non-existent group results in whole request failing.


   

Items closed in 7.0.24 version

INT123097  

Changes for RFE61605 caused new accounts to be provisioned as inactive if "eraccountstatus" was not included in the request.


   

Items closed in 7.0.23 version

INT102186  

The previously deprecated LDAP profile has been removed. Any installations that were using the LDAP profile will need to review the ISAM Service configuration in ISIM after loading the new profile. The service form is different, and some fields will need to be set.


   

Initial release.



Known Issues


CMVC#

APAR#

PMR# / Description

85051  

When using the IBM Security Access Manager API method of reconciliation to reconcile IBM Security Access Manager accounts, if an IBM Security Access Manager account already in the IBM Security Identity registry becomes a malformed IBM Security Access Manager account then IBM Security Identity will identify this malformed IBM Security Access Manager account as no longer existing, and delete it from the IBM Security Identity registry. If the malformed IBM Security Access Manager account does not already exist within the IBM Security Identity server's known IBM Security Access Manager accounts, the account will not be added. This behavior does not provide any warning or failure message by the IBM Security Identity server. See the Installation guide for how to change the adapter configuration regarding this issue.


   

During the creation of IBM Security Access Manager accounts when IBM Security Access Manager is configured against Windows Active Directory, the account is created as a GSO user even when the Single Signon Capability for the account is not checked (i.e. There is no request to create the account as a GSO user). This is a reflection of the operation of IBM Security Access Manager when administrating accounts. If GSO credentials are supplied with same request they will be created without warning that IBM Security Access Manager account doesn't have Single Signon Capability.


93688  

When IBM Security Access Manager is configured against Windows Active Directory, IBM Security Access Manager account's common name (cn) must be the same as the first RDN value of the Distinguished Name. For example, when requesting a new IBM Security Access Manager service account through the IBM Security Identity web console, the "Full name" specified in the Account form must be the same as the "cn" portion of the Distinguished Name. E.g. If a user has the Distinguished Name cn=JohnSmith,o=myCompany,c=com,  then the "Full name" should also be set to JohnSmith. Not doing so could result in account modification issues.


   

Adapter does not check syntax for any non-IBM Security Access Manager account attributes. This can result in those attributes not being set in the registry if their values have incorrect syntax. A possible consequence is that operations such as account creation may fail.


   

In case an account already has SSO credentials and the checkbox Single Signon Capability is disabled during MODIFY operation, this will delete credentials in IBM Security Access Manager registry, but not in the IBM Security Identity server. A reconciliation is needed to synchronize the account attributes.


   

If password synchronization is configured to synchronize passwords from WebSEAL via the IBM Security Identity server to other person accounts, the synchronization with SSO credential passwords is not supported. The synchronization with SSO credential passwords is supported only if the password change is initiated from the IBM Security Identity server, and the corresponding SDI Assembly Line is executed.


   

If password synchronization is configured to synchronize passwords from WebSEAL the "Change password on next login" checkbox on the account form cannot be reset. This is due to a current limitation of the IBM Security Identity Manager Server.



Known Limitations


CMVC#

APAR#

PMR# / Description

   

Adapter does not support modifying the last name (sn) attribute of IBM Security Access Manager account when IBM Security Access Manager Administration API is used since the API does not support modifying the last name.


   

Management of non-standard IBM Security Access Manager account attributes is only available for user registries supported by Registry Direct API.


   

IBM Security Access Manager Web Gateway appliance in standalone mode, PRIOR TO FP4, does not externalize the interface to its internal directory server. Consequently, Registry Direct API and managing non-standard ISAM account attributes are not supported by the adapter for the appliance versions 8.0 through 8.0.0.3. For example, the adapter cannot modify "mail" attribute of the user object stored in the appliance's internal directory server. In addition, only "TAM API" based reconciliation is supported for the appliance in standalone mode prior to FP4.


   

Registry Direct API based reconciliation does not reconcile inetorgperson attributes by default. This is an optimization that was made in order to improve the performance of the reconciliation. In order to reconcile the inetorgperson attributes, edit "tamSearch" assemblyline in the profile to include the required attributes in the input mapping of the connector "tamIterRgy". Please refer to this technote for more details.


   

The adapter does not support the modification of UID, CN, principal name, and attribute(s) that form the Distinguished Name(DN).


   

Custom containers are not supported when creating an IBM Security Access Manager group. IBM Security Access Manager specifies a default


   

Filtered reconciliation on groups is not supported.


   

When "Single Signon Capability" attribute is unchecked and an account modification request is submitted, the SSO credentials for the account are removed in IBM Security Access Manager but this is not reflected in the ISIM server. This is due to the RMI protocol not allowing the response to contain the updated account information. In order to work around this limitation, edit the "modify" operation workflow for "IBM Security Access Manager Account" entity to delete "eritamcred" attribute when "eritamsinglesign" attribute is set to "false". For example, add a script element with the following script before "MODIFYACCOUNT" extension:



var accountObj = account.get();
var changes = account.get().getChanges();
if (changes != null && changes.length > 0)
{
    for (i =0 ; i < changes.length ; i++)
    {
        if (changes[i].attr == "eritamsinglesign" && changes[i].values[0] == "false")
        {
          accountObj.removeProperty("eritamcred");
          account.set(accountObj);
        }
    }
}

Alternatively, a subsequent reconciliation will correct the account information in ISIM.


Known IBM Security Access Manager Issues

CMVC#

APAR#

PMR# / Description

  IV71775

The "com.tivoli.pd.rgy.jar" API library that can be downloaded from ISAM v8.0.1 appliance includes an incorrect search that will not return GSO enabled users during a reconciliation. This is corrected in the jar file available from the v8.0.1-FP1 appliance.


   

Certain user management functions (e.g. enabling GSO) in IBM Security Access Manager do not work if the user ID contains "," and as such "," in the user ID is not supported by the adapter.


   

When the Single Signon Capability of an IBM Security Access Manager user account is disabled (i.e. the user is no longer a GSO user), the GSO resource credentials for that account are also deleted. Hence when disabling the Single Signon Capability for a IBM Security Access Manager user account from the IBM Security Identity server, attempting to delete or modify resource credentials in the same request for that account results in "successful with warning" as the GSO credentials cannot be found.


   

IBM Security Access Manager Java Admin API does not provide for a CN to be specified when creating a group. This is reflected in the adapter which does not manage this attribute when adding or modifying groups.


   

If IBM Security Access Manager is configured against Windows Active Directory, an existing user or group description cannot be modified to a blank value. The description will remain unchanged.


   

If IBM Security Access Manager is configured against Windows Active Directory, when importing an account using the pdadmin command line, the user name and first RDN value of the user DN must be the same. This issue is reflected in the adapter: User ID and first RDN value in the user Distinguished Name must be the same.


   

If IBM Security Access Manager is configured against IBM Tivoli Directory Server 6.0, then Fix Pack 5 must be installed on the Directory Server. This fix pack addresses a problem that may affect adapter operation (APAR IO06328).


Installation and Configuration Notes


See the IBM Security Identity Adapter Installation Guide for detailed instructions.

Corrections to Installation Guide

The following correction to the Installation Guide applies to this release:

· Language Pack Installation
The adapters use a separate language package from the IBM Security Identity Manager server. See the IBM Security Identity Manager KnowledgeCenter for information about installing the adapter language pack.


Configuration Notes

None.


Password Synchronization


Password Synchronization Adapter is no longer included in the adapter package and can be downloaded separately from Passport Advantage. For Access Manager 8.0 or above, Password Synchronization Adapter is only available with the appliance and is pre-installed on the appliance.



Customizing or Extending Adapter Features


IBM Security Identity adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

Getting Started

Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:


Note: If the customization requires a new IBM Security Directory Integrator connector, the developer must also be familiar with IBM Security Directory Integrator connector development and working knowledge of the Java programming language.

IBM Security Identity Resources:

Check the "Training" link in the Tools and Resources section of the IBM Security Identity Manager Support web site for links to training, publications, and demos.

IBM Security Directory Integrator Resources:

Check the "Training" link in the Tools and Resources section of the IBM Security Directory Integrator Support web site for links to training, publications, and demos.

Support for Customized Adapters

The integration to IBM Security Identity servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

Supported Configurations


Installation Platform

This IBM Security Identity Adapter was built and tested on the following product versions:

Adapter Installation Platform


Note: Earlier TDI supported versions may function properly, however to resolve any communication errors, you must upgrade your TDI/SDI releases to the officially supported versions.

Managed Resource


Please note that some IBM Security Access Manager versions are not supported on some JREs associated with some Operating Systems. Please see the IBM Security Access Manager Adapter Installation and Configuration Guide for further information.

Supported IBM Security Identity servers



Notices


This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:


IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY  10504-1785  U.S.A.


For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:


Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan


This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758  U.S.A.


Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.