Release Notes   

___________________________________________________________________________________

           

 

 

IBM Security Identity Adapter

Dispatcher Component for Directory Integrator-based Adapters

 

 

IBM security Identity Adapter Dispatcher Component for Directory Integrator-based Adapters is available. Compatibility, installation, and other getting-started issues are addressed.

 

 

Contents

 

           Preface

           Component Features and Purpose

License Agreement

           Contents of this release

           Installation and Configuration Notes

           Supported Configurations

           Notices

 

Preface

 

These Release Notes contain information for the following products that was not available when the IBM Security Identity Server manuals were printed:

 

 

 

Component Features and Purpose

The Dispatcher Component is designed to support integration between Security Directory Integrator and Security Identity Adapter. The Dispatcher is shipped with each Directory Integrator based adapter and is updated to the current release version with each adapter release. This package provides the Dispatcher as a separately shipped component to fast-track upgrade and maintenance delivery.

 

     

License Agreement

 

Review and agree to the terms of the IBM Security Identity Adapter License prior to using this product.

The license can be viewed from the "license" folder included in the product package.

                                                                                      


Contents of this Release

Component Version

Component

Version

Release Date

2017 September 12 09.32.06

Package Version

7.1.39

Component Versions

Dispatcher build: 7.1.39.102

Documentation

The following guide is available in the IBM Knowledge Centre

·         Dispatcher Installation and Configuration Guide

 

 
New Features

Enhancement # (FITS)

Description

 

Items included in Current version (7.1.39)

 

RTC 163389

 

Ensure that Dispatcher should be forward compatible with Java 8

 

Items included in current version (7.1.38)

69879,821,821

RFE 101574

RTC 155972

Dispatcher enhancements for better problem message transport.

 

RTC 153754 / 158915 / 158749 / 160519

FIPS 140-2 compliance for SDI/TDI Adapters.

Configuring Tivoli Directory Integrator to run FIPs mode

 

Items included in 7.1.37 version

 

None

 

Items included in 7.1.36 version

RTC 151778

Add Support for Identity Governance and Intelligence (IGI) v5.2.2

 

This adapter is now designed for use with IBM Security Identity Manager,

Privileged Identity Manager, and Identity Governance and Intelligence.

 

 

Items included in 7.0.35 version

 

 

None

 

 

 

Items included in 7.0.34 version

 

 

 

None

 

 

 

Items included in7.0.33 version

 

 

None

 

 

 

Items included in 7.0.32 version

 

 

 

Initial Release

 

 

Closed Issues

 

CMVC#

APAR#

PMR# / Description

 

 

Items closed in current version (7.1.39)

 

RTC 161480/ 161481

 

 

 

PEN TEST - Enable JVM security by adding RMI authentication

The Java RMI on the provided adapter system provides a remote unauthenticated command injection as the root user on the system.

To resolve this, changes have been made to installer to set following three properties during dispatcher installation:

1.     {protect}-systemqueue.auth.username

2.     {protect}-systemqueue.auth.password

3.     systemqueue.on=false

These properties enables authentication on systemqueue which TDI Server uses for communication.

 

For details refer Installation and Configuration Notes section.

 

 

RTC 162896

 

 

PEN TEST - Adapters are not installed with SSL encryption enabled by default

By Default communication with adapters is unencrypted, default communication of sensitive information needs to be encrypted out of the box, with only options to disable encryption.

To enable encryption in TDI system, we set following property to true during dispatcher installation:

com.ibm.di.dispatcher.ssl=true

By setting this property it enables one-way SSL on TDI-ISIM environment. End user has to configure the SSL setup manually.

 

For details refer Installation and Configuration Notes section.

 

 

 

Items closed in current version (7.1.38)

 

 

None

 

 

Items closed in 7.1.37 version

PMR: 83722,695,760

Bug 2209

RTC 153767

 

IV91236

Assembly line cache maintenance is stopped once a request was failed.

 

PMR: 82636,033,724

Bug 2213

RTC 153767

 

IV91236

Dispatcher not closing cached Assembly Lines, so keeping connections open

PMR: 82462,033,724

Bug 2176

RTC 153767

 

IV91236

RMI Dispatcher throwing IndexOutOfBoundsException

Internal Bug 1987

RTC 138914

 

 ISIM: Documentation wrong for RMI Dispatcher for cluster environments

 

 

 

Items closed in 7.1.36 version

 

 

None

 

 

Items closed in 7.0.35 version

 

Internal Bug 2047

 

 

Internal report of logging issue in latest dispatcher

 

 

PMR: 51402,227,000

RTC 145426

 

JMX remote connect dispatcher question/issue- System property was set with host name containing only IP address to resolve the JMX remote connect issue.

 

 

 

 

Items closed in 7.0.34 version

 

 

PMR: 00492,499,000

 

 

RTC 137454

 

SSL connections fail to initialize in Dispatcher

 

For details, refer the "Installation and Configuration Notes, Corrections to Install Guide" section.

 

 

 

 

Items closed in 7.0.33 version

 

Internal Bug 1813

 

 

When "ITIMAd stop" is executed, respective logs should be appended in ITIMAd_stdout.log file.

 

 

Internal Bug 1771

 

RTC 12560

 

Submit for doc update for 6.0/7.0 dispatcher docs for ITIMAd reference in /etc/init.2

 

Internal Bug 1794

 

RTC 124532

 

 

SSL configuration steps incorrect in Dispatcher Install guide

 

IV74585

 

RMI Dispatcher still seems to double the value of AssemblylineCacheTimeout (6.0.32)

 

 

 

 

Items included in 7.0.32 version

 

 

 

Initial Release

 

 

Known Issues

 

CMVC#

APAR#

PMR# / Description

 

 

 

Dispatcher installation issue on Windows Server 2012 Platform

Installation of dispatcher on Windows Server 2012 fails. In order to install it, the following steps must be followed:

 

1.     Navigate to the folder ITDI_HOME/jvm/jre/bin

2.     Right click on the java.exe

3.     Select properties and navigate to the Compatibility Tab.

4.     Select the checkbox for "Run this program in compatibility mode for:"

5.     Select the "Windows 7" option from the dropdown menu.

6.     Apply the changes

7.     Run the installer using java –jar DispatcherInstall.jar command from the command prompt.

 

 

 

 

 

Service creation fails after test operation is fired, when dispatcher is installed over SDI 7.2.

 

This problem occurs because SDI 7.2 returns a longer value of the adapter platform than the permissible value, after the test operation is fired. In order to fix this issue, you must add the following to your adapter schema file. (schema.dsml):

 

<!-- ******************************************************** -->

<!-- erAdapterPlatform                                            -->

<!-- ******************************************************** -->

<attribute-type single-value="true">

<name>erAdapterPlatform</name>

<description>Adapter installation platform</description>

<object-identifier>1.3.6.1.4.1.6054.3.1.2.122</object-identifier> 

<syntax>1.3.6.1.4.1.1466.115.121.1.15{2048}</syntax>

</attribute-type>

 

Note: Do not add the above if you are using PeopleSoft Adapter (8.5.3)

 

 

 

 

 

Reconciliation Operation Issue

The reconciliation operation happens in the form of batches. The batch size is dependent on the "SearchResultSetSize" attribute, specified in the "itim_listener.properties" file. Thus, the first batch would be reconciliation of "#" accounts, where "#" is nothing but the value specified in the "SearchResultSetSize", and subsequent batches too would be present for reconciliation of the remaining accounts, each batch of the size "#". Now, if an error or timeout occurs while the first batch of accounts is being executed, one would be able to witness that the request has failed along with the relevant error message. However, if error or timeout occurs  while the subsequent batches are being processed, the request would fail, but no error message would be seen along, as in the previous case. This is a server side issue, ISIM recon limitation.

 

 

Installation and Configuration Notes 

See the IBM Security Identity Server for Dispatcher Installation Guide for detailed instructions.

 

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

            Enabling the FIPS mode

 

Add the below ‘Enabling the FIPS mode’ section in Chapter 4, after ‘Configuring logging for the adapter’ section.

 

The keystore file created should be copied to TIMSOL folder and/or the encryption/decryption should be with the newly generated FIPS compliant keystore file.

 

Note: If FIPS mode is enabled, changes done to any authentication attributes in  solution.properties file  may not get affected  directly and we may get error related decryption in ibmdi.log file. To resolve this error we have to re-encrypt the solution.properties file with key created for FIPS mode.

 

Sample command for encryption is:

 

cryptoutils -input ../timsol/solution.properties -output ../timsol/solution.properties

            -mode encrypt_props -keystore ../server.jck -storepass mypass -alias server

-transformation AES/CBC/PKCS5Padding -storetype jceks -keypass mykeypass

Language package installation

The adapters use a separate language package from the IBM Security Identity Server. See the IBM Security Identity Server library and search for information about installing the adapter language pack.

 

 

 

Enable JVM Security/ Enable SSL
                                    **Start1**

Add below content after #5 in “Installing the Dispatcher in GUI mode section”:

 

6. Enter the Dispatcher Instance Name. Click Next.

7. Enter the Port number. Click Next.

8. Provide credentials to secure access to the Java Virtual Machine. For more information refer “Configuring JVM Security” (Hyperlink to this section in dispatcher guide). Click Next.

9. Select SSL level. When the check-box is checked the SSL is enabled. If you wish to disable SSL then deselect the check-box Enable SSL. If you disable SSL the communication therefore will be unencrypted i.e. in plain text. For more information refer “Configuring SSL communication” (Hyperlink to this section in dispatcher guide).

 

                        **End1**

 

 

 

Add the following content in Table 5. in “Installing the Dispatcher in silent mode”:

                   **start2**

Parameter

Description

 

 

 

 

- DUSER_SYSQUEUE_USERNAME_INPUT_RESULT

 

 

 

This parameter provides the username for JVM security.

 

 

 

 

-DUSER_SYSQUEUE_PASSWORD_INPUT_RESULT

 

 

This parameter provides the Password for JVM security.

 

 

 

 

-DUSER_SYSQUEUE_REPASSWORD_INPUT_RESULT

 

 

This parameter provides the retype password filed for JVM security.

      

 

       -DUSER_INPUT_RESULTS_FOR_SSL=Enable

 

Provides SSL level; default value is Enable

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Also change the example for this section:

To install the adapter in silent mode and with one or more custom settings,

use the -D parameter. For example:

ITDI_HOME/jvm/jre/bin/java

-jar DispatcherInstall.jar -i silent

-DUSER_INSTALL_DIR="/opt/IBM/TDI/V7.1"

-DUSER_SELECTED_SOLDIR="/opt/IBM/TDI/V7.1/timsol"

-DUSER_INPUT_RMI_PORTNUMBER=1099 -DUSER_INPUT_WS_PORTNUMBER=8081 - DUSER_SYSQUEUE_USERNAME_INPUT_RESULT=disp_user-DUSER_SYSQUEUE_PASSWORD_INPUT_RESULT= “admin@123” -DUSER_SYSQUEUE_REPASSWORD_INPUT_RESULT= admin@123”

-DUSER_INPUT_RESULTS_FOR_SSL=Enable

 

 

                        **End2**

 

 

 

Add following data at 2nd paragraph of “Configuring SSL Communication” section:

 

                        **Start3**

As an adapter manages sensitive data of the users it is essential that communication should be encrypted. The SSL facilitates the encrypted communications between an adapter and end resource. SSL requires certificates to be installed.

 

During installation you may see the panel Enable SSL. The check-box is present on a panel. It is by default checked. When the check-box is checked the SSL is enabled. If you wish to disable SSL then deselect the check-box Enable SSL. If you disable SSL the communication therefore will be unencrypted i.e. in plain text. Whether SSL is enabled or disabled can be verified after installation.

The property "com.ibm.di.dispatcher.ssl" in solution.properties is set to true if SSL is enabled otherwise it is set to false.

                       

                        **End3**

 

 

Add the following content before “Configuring SSL Communication” section.        

**Start4**

Configuring JVM Security

Since WAS and Dispatcher server communicates using RMI. It’s mandatory to secure the JVM.

In order to do so, default dispatcher installation is prompted with providing strong credentials for JVM security. These credentials will be required by an outside RMI process to access the RMI stub. You can always modify the existing credentials by changing following properties in solutions.properties file:

{protect}-systemqueue.auth.username

{protect}-systemqueue.auth.password

systemqueue.on=false

 

                        **End4**

 

Supported Configurations 

Installation Platform 

The IBM Security Identity Server for Dispatcher was built and tested on the following product versions.

Dispatcher Installation Platform:

This component installs into Tivoli Directory Integrator and may be installed on any platform supported by the product. IBM recommends installing Security Directory Integrator on each node of the Identity Server WebShere cluster and then installing this adapter on each instance of Security Directory Integrator. Supported Security Directory Integrator versions include:

 

             Dispatcher Installation Platform: 

 

Due to continuous Java security updates that may be applied to your ISIM or PIM servers, the following TDI/SDI releases are the officially supported versions:

 

·         IBM Tivoli Directory Integrator 7.1.1 + 7.1.1-TIV-TDI-FP0004 + 7.2.0-ISS-SDI-LA0008

·         Security Directory Integrator 7.2

Earlier versions of TDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your TDI/SDI releases to the officially supported versions by the adapters.

 

Note:  The adapter supports IBM Security Directory Integrator 7.2, which is available only to customers who have the correct

Entitlement. Contact your IBM representative to find out if you have the entitlement to download IBM Security Directory Integrator 7.2.

 

Managed Resource:

 N/A

 

IBM Security Identity Manager:

IBM Security Identity Manager v7.0

IBM Security Privileged Identity Manager (PIM):

ISPIM v2.0

ISPIM v2.1

Identity Governance and Intelligence (IGI):

IGI v5.2.1

IGI v5.2.2

IGI v5.2.3

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY  10504-1785  U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

 

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

 

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

 

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

 

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

 

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758  U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

 

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

 

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

 

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

 


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM
IBM logo
Tivoli
Tivoli logo
WebSphere

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

 

 

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

 

 

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

 

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron®, Intel Xeon™, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

 

UNIX is a registered trademark of The Open Group in the United States and other countries.

 

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

 

ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

 

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

 

Other company, product, and service names may be trademarks or service marks of others.


 

End of Release Notes