
IBM Security Directory IntegratorVersion 7.2Installation and Administrator Guide SC27-2705-02

Note: Before using this information and the product it supports, read the general information under Appendix D, "Notices," on page 351.

Edition notice

Note: This edition applies to version 7.2 of IBM Security Directory Integrator licensed program (5724-K74) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2003, 2013.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  ix

About this publication  xi
  Access to publications and terminology  xi
    IBM Security Directory Integrator library  xi
    Online publications  xii
    Related information  xii
    IBM Terminology website  xiii
  Accessibility  xiii
  Technical training  xiii
  Support information  xiii
  Statement of Good Security Practices  xiii

Chapter 1. Introduction  1
  IBM Security Directory Integrator Version 7.2 Editions  1

Chapter 2. Installation instructions for IBM Security Directory Integrator  3
  Before you install  3
    Disk space requirements  3
    Memory requirements  3
    Platform requirements  3
    Components in IBM Security Directory Integrator  3
    Other requirements  5
      Root or Administrator Privileges  5
      Security Enhanced (SELinux)  5
      Authentication of AMC on Unix/Linux  6
      Graphics packages for UNIX systems  6
      Prerequisites for CE on AIX operating system  7
      Prerequisite for upgrading from V7.1.1 to V7.2 on Windows 2012 operating system  7
  Installing IBM Security Directory Integrator  7
    Launching the appropriate installer  8
    Using the platform-specific IBM Security Directory Integrator installer  10
    Installing using the graphical installer  11
      Install Panel flow  11
      Uninstall Panel flow  32
      Add Feature Panel flow  36
      Migration Panel flow  39
    Installing using the command line  41
    Temporary file space usage during installation  42
    Performing a silent install  43
      Service name limitation on UNIX systems  43
    Post-installation steps  43
      CE Update Site  43
      Plug-ins  43
      Administration and Monitoring Console (AMC)  43
      Documentation  44
      Migration  44
  Installing local Help files  44
  Deploying AMC to a custom ISC SE or IBM Dashboard Application Services Hub  46
  Installing or Updating using the Eclipse Update Manager  47
  Post-installation steps  49
  Uninstalling  50
    Launching the uninstaller  50
    Performing a silent uninstallation  51
  Default installation locations  51

Chapter 3. Update Installer  53
  The .registry file  55
  Installing fixes  56
  Rollback  57
  Troubleshooting  57

Chapter 4. Supported platforms  59

Chapter 5. Migrating  61
  Migrate files to a different location
    Which files do not need to be modified to be used in another location?
    Which files need to be modified before they can be used in another location?
    Which files should not be used in another location under normal circumstances?
    Migrating files that contain encrypted data
  Migrate files to a newer version
    Installer-assisted migration
    Tool-assisted migration
    Manual migration
    Backing up important data
      Files backed up by the Installer
        Upgrade from version 6.0 to 7.1
        Upgrade from version 6.1.x to 7.1
        Upgrade from version 7.0 to 7.1
        Upgrade from version 7.1 to 7.1.1
      Backup tools
      Manual backup
  Migrating AMC 7.x configuration settings to another AMC deployment
  Converting from EventHandlers to corresponding AssemblyLines
    TCP Server Connector
    Mailbox Connector
    JMX Connector
    SNMP Server Connector
    IBM Security Directory Server Changelog Connector
    HTTP Server Connector
    LDAP Server Connector
    Sun Directory Change Detection Connector
    Active Directory Change Detection Connector
    z/OS LDAP Changelog Connector
    DSMLv2SOAPServerConnector
  Migrating BTree tables and BTree Connector to System Store  86
  Migrating Cloudscape database to Derby  87
  Migrating global and solution properties files using migration tool  88
  Migrating Password plug-ins properties files using migration tool  89

Chapter 6. Security  91
  Introduction  91
  Manage keys, certificates and keystores  91
    Background  91
      Public/private keys and certificates  91
      Secret keys  92
      Keystores  92
      Keys for SSL  92
      Keys for encryption  93
      Tools  93
    List the contents of a keystore  93
    Create keys  93
  Secure Sockets Layer (SSL) Support  96
    Server SSL configuration of IBM Security Directory Integrator components  97
    Client SSL configuration of IBM Security Directory Integrator components  98
    SSL client authentication  98
    IBM Security Directory Integrator and Microsoft Active Directory SSL configuration  99
    Summary of properties for enabling SSL and PKCS#11 support  100
    SSL example  101
      IBM Security Directory Integrator component as a server  101
      IBM Security Directory Integrator component as a client  102
  Remote Server API  102
    Introduction  102
    Configuring the Server API  104
      Remote Server API access on a Virtual Private Network  106
    Server API access options  107
    Server API SSL remote access  107
      Using Server API specific SSL properties  107
      Using the standard SSL Java System properties  108
    Server API authentication  108
      Local client session  109
      Remote client session  109
        JAAS authentication  109
        SSL-based authentication  109
        Username/password based authentication  110
        Authentication hook  110
      LDAP Authentication support  111
        LDAP Authentication Configuration  111
        LDAP Authentication Logic  112
        LDAP Group Support  113
      Host based authentication  115
      Summary of Server API Authentication options  115
      Server API JMX layer does not support username and password authentication  115
    Server API authentication setup examples
    Server API Authorization
      Authorization roles
      Server API User Registry
    Server Audit Capabilities
      Auditing scope
      Suppression of notifications
      Sending notifications
  IBM Security Directory Integrator Server Instance Security
    Stash File
    Server Security Modes
    Working with encrypted IBM Security Directory Integrator configuration files
      Introduction
      Separation of certificates for PKI Encryption and SSL
      Creating an encrypted IBM Security Directory Integrator configuration file from scratch
      Using the cryptoutils command line tool
      Editing an encrypted IBM Security Directory Integrator configuration file
    Standard IBM Security Directory Integrator encryption of global.properties or solution.properties
    Encryption of properties in external property files
    The IBM Security Directory Integrator Encryption utility
  IBM Security Directory Integrator System Store Security
  Miscellaneous Config File features
    The "password" configuration parameter type
    Component Password Protection
    Saving passwords to configured Properties
    Protecting attributes from being printed in clear text during tracing
    Encryption of IBM Security Directory Integrator Server Hooks
  Remote Configuration Editor and SSL
    Using the Remote Configuration Editor
  Summary of configuration files and properties dealing with security
  Web Admin Console Security
  Miscellaneous security aspects
    HTTP Basic Authentication
    Lotus Domino SSL specifics
    Certificates for the IBM Security Directory Integrator Web service Suite
      Example Server certificate creation
    IBM WebSphere MQ Everyplace authentication with mini-certificates

Chapter 7. Reconnect Rule Engine  141
  Introduction  141
  Reconnect Rules  141
  User-defined rules configuration  143
    Examples  143
    Exception considerations  144
  General reconnect configuration  144

Chapter 8. System Queue  147
  System Queue Configuration
    Apache ActiveMQ parameters
      Configuration
      Logging
      Using SSL with ActiveMQ
    IBM WebSphere MQ Everyplace parameters
    IBM WebSphere MQ parameters
    Microbroker parameters
    JMSScript Driver parameters
      The env JavaScript object
      The ret JavaScript object
      JavaScript example for Fiorano MQ
    System Queue Configuration Example
    Security and Authentication
      Encryption
      Authentication
  IBM WebSphere MQ Everyplace Configuration Utility
    Authentication of IBM WebSphere MQ Everyplace messages to provide Queue Security
    Support for DNS names in the configuration of the IBM WebSphere MQ Everyplace Queue
    Configuration of High Availability for IBM WebSphere MQ Everyplace transport of password changes
    Providing remote configuration capabilities in the IBM WebSphere MQ Everyplace Configuration Utility

Chapter 9. Encryption and FIPS mode  157
  Configuring IBM Security Directory Integrator to run FIPS mode
    Symmetric cipher support
      FIPS encryption
        Connectors, Function Components, Parsers
        The IBM Security Directory Integrator server and FIPS
  Configuring SSL and PKI certificates
    Encrypting and decrypting using CryptoUtils utility
    Working with certificates
      Comparing CA-signed and Self-signed certificates
      Configuring certificates using PKI and SSL
  Using cryptographic keys located on hardware devices
    Using IBMPCKS11 to access devices and to store SSL keys and certificates
    Enabling or disabling padding
  Maintaining encryption artifacts - keys, certificates, keystores, encrypted files
    Changed encryption key
    Changed password for encryption key or keystore
    Expired encryption certificate

Chapter 10. Configuring the IBM Security Directory Integrator Server API  171
  Server ID
  Exception for password protected Configs
  Server RMI
  Config load time-out interval

Chapter 11. Properties  173
  Working with properties
  Migrating using the tdimiggbl properties tool
  Global properties
  Solution properties
  Java properties
  System properties

Chapter 12. System Store  177
  Property stores  177
    Password Store  177
    User property stores  178
  Third-party RDBMS as System Store  178
    Oracle  179
    MS SQL Server  179
    IBM DB2 for z/OS  180
    DB2 for other OS  181
    IBM solidDB  181
  Using Derby to hold your System Store  181
    Configuring Apache Derby Instances  182
    Starting Apache Derby in networked mode  183
    Enabling user authentication in System Store  183
    Create statements for System Store tables  183
    Backing up Apache Derby databases  185
    Troubleshooting Apache Derby issues  185

Chapter 13. Command-line options  187
  Configuration Editor  187
  Server  188
  Command Line Interface - tdisrvctl  191
    Command Line Reference  191
    Operations  192
    Other points to note  201

Chapter 14. Logging and debugging  203
  Script-based logging  204
  Logging using the default Log4J class  204
  Log Levels and Log Level control  208
  Log4J default parameters  208
  Creating your own log strategies  209

Chapter 15. Tracing and FFDC  211
  Tracing Enhancements  211
  Understanding Tracing  211
  Configuring Tracing  212
  Setting trace levels dynamically  212
  Useful JLOG parameters  213

Chapter 16. Administration and Monitoring  215
  Installation and Configuration
    Deploying AMC into the Integrated Solutions Console (ISC)
      Deploying AMC as a Windows service or UNIX process using the IBM Security Directory Integrator installer
      Deploying AMC on existing IBM WebSphere Application Server environment
    Starting the Administration and Monitoring Console and Action Manager and logging in
    Enabling AMC
    Running Action Manager remotely
      AMC and Action Manager startup
      AMC and Derby shutdown
      Action Manager remote startup
      Action Manager shutdown
  AMC Logs
  AMC in the Integrated Solutions Console
    Console user authority
      Administrator and the iscadmins group
  Action Manager
    Enabling Action Manager
    Action Manager status in real time
    AMC force trigger for a given rule
  AMC and Action Manager security
    Introduction
    AMC and SSL
    AMC and remote IBM Security Directory Integrator server
    AMC and role management
    AMC and passwords
    AMC and encrypted configs
  Administration and Monitoring Console User Interface
    Log in and logout of the console
    AMC Console Layout
    Logging off the console
    Using AMC tables
      Select action drop-down menu
      Paging
      Sorting
      Finding
      Filtering
    Servers
      Add a server
      Modify a server
    Console Properties
      General
      SSL
      JDBC Properties
    Solution Views
      Configure ACLs
      Local variables
      Add a Solution View
      Config files (allows loading/reloading of configurations)
        Custom load
    Monitor Status and Action Manager
      Monitor Status
      Solution View Details
        Server Information
        View Components
        Show Preferred Solution Views
        Refreshing Solution View Details in AMC
      Action Manager
        Add/Edit configuration rules
        Add/Modify Action
        Substitute variable for event data
        View Rules Summary
    Property Stores
      Select Solution View
      Solution Properties
      Global Properties
      Java Properties
      System Properties
      Password Store
      User Property Store
    Log Management
    Preferred Solution Views
  AMC and AM Command line utilities
  Example walkthrough of creating a Solution View and Rules  257

Chapter 17. Touchpoint Server  265
  Touchpoint concepts
    Touchpoint Server
    Touchpoint Provider
    Touchpoint Type
    Touchpoint Instance
    Touchpoint Template
  Resource Persistence
  Touchpoint Schema
  Touchpoint Server communication protocol
  Touchpoint Configuration
    Instance Configuration
    Destination Configuration
  Touchpoint Instance communication protocol
    Provider Touchpoint
    Initiator Touchpoint
    Intermediary Touchpoint
    Representation of Entry objects as HTTP content
  Touchpoint Status Entry schema
  Property sheet definitions
  XML Schema locations
  Error flows
  Configuration
  Authentication
  Examples
    Shipped example
    Example steps for creating a Touchpoint Instance using a JDBC Connector
      Provider Touchpoint Instance
      Initiator Touchpoint Instance
      Intermediary Touchpoint Instance

Chapter 18. Tombstone Manager  293
  Introduction  293
  Configuring Tombstones  293
    Configuration Editor Configuration screen  293
    AssemblyLine Configuration screen  295
    The Tombstone Manager  296
      Tombstone Manager  296

Chapter 19. Multiple IBM Security Directory Integrator services  299
  IBM Security Directory Integrator as Windows Service
    Introduction
    Installing and uninstalling the service