IBM Support

Support for Active Directory password synchronization in a non-trusted environment

News


Abstract

Active Directory password synchronization fails when the client workstation's domain does not trust the Active Directory domain that is configured as the IMS enterprise directory. Enable this feature to synchronize Active Directory passwords in such a non-trusted environment.

Content

If SSL is enabled, ensure that:

  • the client workstation trusts the Active Directory certificate
  • the FQDN or the DNS name of the Active Directory that is configured in IMS Server matches the Subject or the SubjectAlternativeName of the certificate
  • the client workstation can resolve the Active Directory FQDN and domain name
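The three checks above, as an added PowerShell example that is not part of the IBM document: it resolves the configured AD FQDN, fetches the server certificate over LDAPS, and reports whether the workstation trusts the chain and whether the FQDN matches the Subject or a SubjectAlternativeName entry. The hostname is a constructed placeholder, port 636 is assumed, and the function name is hypothetical.

```powershell
# Added example, not from the IBM document. $AdFqdn is a constructed placeholder; port 636 (LDAPS) is assumed.
function Test-AdLdapsPrerequisites {
    param(
        [Parameter(Mandatory)][string]$AdFqdn,   # FQDN/DNS name configured in IMS Server
        [int]$Port = 636                         # assumed LDAPS port
    )
    $result = [ordered]@{ Resolves = $false; ChainTrusted = $false; NameMatches = $false }
    # 1. The workstation must resolve the Active Directory FQDN.
    try {
        $null = Resolve-DnsName -Name $AdFqdn -ErrorAction Stop
        $result.Resolves = $true
    } catch {
        Write-Warning "DNS resolution failed for ${AdFqdn}: $_"
        return [pscustomobject]$result
    }
    # Open a TLS session only to capture the server certificate. The callback accepts any
    # certificate here so that the checks below can report why validation would fail.
    $tcp = [System.Net.Sockets.TcpClient]::new($AdFqdn, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($AdFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
    # 2. The workstation must trust the certificate: the chain must build to a trusted root.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $result.ChainTrusted = $chain.Build($cert)
    if (-not $result.ChainTrusted) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.StatusInformation.Trim())" }
    }
    # 3. The configured FQDN must match the Subject CN or a SubjectAlternativeName DNS entry.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName OID
    if ($san) {
        # On Windows, Format() renders entries as "DNS Name=dc1.example.com, DNS Name=..."
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $result.NameMatches = [bool]($names -contains $AdFqdn)   # -contains is case-insensitive
    if (-not $result.NameMatches) { Write-Warning "Certificate names: $($names -join ', ')" }
    return [pscustomobject]$result
}

# Constructed placeholder; replace with the FQDN configured as the IMS enterprise directory.
Test-AdLdapsPrerequisites -AdFqdn 'dc1.example.com'
```

Run it on the client workstation in the non-trusted domain; any property that reports False corresponds to one of the prerequisites above that still needs fixing.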

Requirements and compatibility

Before enabling the Active Directory password synchronization in a non-trusted environment, ensure that you have installed the following versions of IMS Server and AccessAgent:

  • IBM Security Access Manager for Enterprise Single Sign-On IMS Server Fix Pack 5 or later
  • IBM Security Access Manager for Enterprise Single Sign-On AccessAgent Fix Pack 8 or later

Enabling the Active Directory password synchronization in a non-trusted environment

  1. Upload the following policies using webconf or the UploadSync CLT:

     • com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\ldapBindPolicy\policy_mgmnt_objects.xml
     • com.ibm.tamesso.ims-delhi.build.boot\src\config\data\config\ldapBindPolicy\policy_sync_data.xml

     Note: If you are using webconf, select Data file as the file type to be uploaded.

  2. Run the CLT to enable this feature:

     <IMS_INSTALL_FOLDER>\bin\enableNonTrustedDomainPwdSync.bat <wasadminuser> <wasadminpassword> true

     Note: This CLT must be run again whenever the IMS enterprise directory configuration changes.

With this feature enabled, users can synchronize Active Directory passwords in both the trusted environment and the non-trusted environment.

To disable this feature, run <IMS_INSTALL_FOLDER>\bin\enableNonTrustedDomainPwdSync.bat <wasadminuser> <wasadminpassword> false.


Document Information

Modified date:
16 June 2018

UID

swg21691116