Abstract
This LA fix addresses APARs IO26894 and IO26903.
Download Description
+-----------------------------------------------------+
Interim Fix 7.1.1-TIV-TDI-LA0041 README
Tivoli Directory Integrator 7.1.1
LA Interim Fix 41
(All platforms)
Date: Mar 2019
+-----------------------------------------------------+
COPYRIGHT STATEMENT
====================
Mar 2019
References in this publication to IBM products, programs, or services do
not imply that IBM intends to make these available in all countries in
which IBM operates. Any reference to an IBM program product in this
publication is not intended to state or imply that only IBM's program
product may be used. Any functionally equivalent program may be used
instead.
IBM is a trademark of the International Business Machines Corporation.
Copyright International Business Machines Corporation 2019. All rights
Reserved.
Fix For
========
APAR - IO26894 and IO26903.
General Description:
====================
This Limited Availability Interim Fix contains the fixes for APARs IO26894 and IO26903.
Details:
========
IO26903 NTLM AUTHENTICATION FOR HTTP CLIENT CONNECTOR
IO26894 TDI ISSUE WITH SUB AL AFTER HANDLED ERROR
Prerequisites:
==============
Tivoli Directory Integrator v7.1.1
Platforms:
==========
All supported Platforms
Sizes of Files Included in this Fix:
============================
28,926 HTTPClientConnector.jar
1,162,173 miserver.jar
md5sum of Files Included in this Fix:
=====================================
aba8e1440279832a86e72f2af28a8d1f HTTPClientConnector.jar
b20627a3e61b209ba5663b817180000d miserver.jar
Applying the Fix:
=================
- Unzip the fix package to a temporary directory. The zip file contains HTTPClientConnector.jar and miserver.jar.
- Back up the older HTTPClientConnector.jar from the TDI installed system (<TDI_Install_dir>\jars\connectors\).
- Back up the older miserver.jar from the TDI installed system (<TDI_Install_dir>\jars\common\).
- Replace the existing files, which were backed up earlier, with the fix files.
Note:
HTTPClientConnector.jar has fix for APAR IO26903 ( See Section About NTLM Addition to HTTPClientConnector )
miserver.jar has fix for APAR IO26894.
Confirming the Fix has been applied successfully:
=================================================
The problem should be solved.
About NTLM Addition to HTTPClientConnector
=================================================
Use:
The HTTP Client Connector will default to Basic Authentication, as before. If the HTTP server offers NTLM authentication,
by returning a 401 status and the header "WWW-Authenticate: NTLM", then NTLM authentication will be triggered.
NTLM:
NTLM uses 4 strings, compared to the 2 used by Basic Authentication:
user name - See HTTP Client Connector for how to provide this, and see the domain entry below.
password - See HTTP Client Connector for how to provide this.
domain - If the user name contains a backslash, e.g. SHAREPOINTV2013\Administrator,
the domain will be SHAREPOINTV2013 and the user name will be changed to Administrator.
Splitting happens at the first backslash. The default value for domain is the empty string. See also NTLM.domain below.
host - empty string (see NTLM.host below).
New connector parameters:
authMethod - Setting the connector parameter "authMethod" to "NTLM", e.g. with
thisConnector.setConnectorParam("authMethod", "NTLM")
in the Before Execute hook, will cause Basic Authentication to be switched off. This is helpful
if it is considered a security risk that the username and password are sent in clear text (Basic Authentication)
before NTLM negotiation.
NTLM.domain - Setting this connector parameter allows you to specify the NTLM domain. Setting this has the side effect
of not splitting the user name at backslash.
NTLM.host - Allows you to specify the NTLM host.
http.Authorization - Setting this parameter allows you to specify the Authorization header which is sent to the HTTP server,
overriding username and password.
E.g. set it to "Bearer XYZ" to use a bearer token.
The parameter can be set with code like this in the "Before Execute" hook:
thisConnector.setConnectorParam("http.Authorization", "Bearer XYZ")
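The script below models the NTLM string derivation and the new parameters described above, showing what a given configuration puts on the wire in the first request. It is an added illustration, not the connector's source: the "username" and "password" parameter names, the precedence between parameters, and the use of the unsplit user name in the Basic header are assumptions, and the credentials are constructed.

```javascript
// Added illustration: a model of the behaviour this README describes,
// not the connector's source. "username"/"password" keys and the
// precedence between parameters are assumptions.

// Derive the four NTLM strings from the connector parameters.
function ntlmStrings(p) {
  let user = p.username || "";
  let domain = "";
  if (p["NTLM.domain"] !== undefined) {
    domain = p["NTLM.domain"];      // explicit domain: user name is not split
  } else {
    const i = user.indexOf("\\");   // split at the FIRST backslash only
    if (i >= 0) {
      domain = user.slice(0, i);
      user = user.slice(i + 1);
    }
  }
  return { user, password: p.password || "", domain, host: p["NTLM.host"] || "" };
}

// Authorization header on the first request, before any 401 challenge.
function firstRequestAuthorization(p) {
  if (p["http.Authorization"]) return p["http.Authorization"]; // overrides user/password
  if (p.authMethod === "NTLM") return null; // Basic switched off; wait for the challenge
  if (!p.username) return null;
  const raw = `${p.username}:${p.password || ""}`;
  return "Basic " + Buffer.from(raw, "utf8").toString("base64");
}

// What a Basic header reveals in transit: base64 is an encoding, not encryption.
function decodeBasic(header) {
  if (!header || !header.startsWith("Basic ")) return null;
  return Buffer.from(header.slice(6), "base64").toString("utf8");
}

// Constructed sample credentials.
const sample = { username: "SHAREPOINTV2013\\Administrator", password: "example-pw" };
```

With the default settings the model's first request carries the full credentials in a decodable Basic header; with "authMethod" set to "NTLM" it carries no Authorization header until the server issues its NTLM challenge.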
Debug logging (if there are issues):
The HTTP Client Connector allows you to set "Detailed Logging". This should only
be done while debugging, not in production, since it will cause a lot of sensitive logging.
When "Detailed Logging" is turned on, you will see that the new connector is loaded, with this
information in the log file:
CTGDIS484I Connector com.ibm.di.connector.HTTPClientConnector: 2.3-di7.2 (NTLM) 2019-02-15.
If the NTLM string is missing, the new version of the HTTP Client Connector was not properly installed.
Prerequisites
Tivoli Directory Integrator v7.1.1 Fixpack 8 is recommended.
Document Location
Worldwide
Product Synonym
TDI SDI
Document Information
Modified date:
29 March 2019
UID
ibm10878657