IBM Security Directory Integrator Version 7


IBM Security Directory Integrator Version 7.2
Installation and Administrator Guide
SC27-2705-02

Note
Before using this information and the product it supports, read the general information under Appendix D, “Notices,” on page 351.

Edition notice
Note: This edition applies to version 7.2 of IBM Security Directory Integrator licensed program (5724-K74) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2003, 2013.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures

About this publication
  - Access to publications and terminology
  - IBM Security Directory Integrator library
  - Online publications
  - Related information
  - IBM Terminology website
  - Accessibility
  - Technical training
  - Support information
  - Statement of Good Security Practices

Chapter 1. Introduction
  - IBM Security Directory Integrator Version 7.2 Editions

Chapter 2. Installation instructions for IBM Security Directory Integrator
  - Before you install
  - Disk space requirements
  - Memory requirements
  - Platform requirements
  - Components in IBM Security Directory Integrator
  - Other requirements
  - Root or Administrator Privileges
  - Security Enhanced (SELinux)
  - Authentication of AMC on Unix/Linux
  - Graphics packages for UNIX systems
  - Prerequisites for CE on AIX operating system
  - Prerequisite for upgrading from V7.1.1 to V7.2 on Windows 2012 operating system
  - Installing IBM Security Directory Integrator
  - Launching the appropriate installer
  - Using the platform-specific IBM Security Directory Integrator installer
  - Installing using the graphical installer
  - Install Panel flow
  - Uninstall Panel flow
  - Add Feature Panel flow
  - Migration Panel flow
  - Installing using the command line
  - Temporary file space usage during installation
  - Performing a silent install
  - Service name limitation on UNIX systems
  - Post-installation steps
  - CE Update Site
  - Plug-ins
  - Administration and Monitoring Console (AMC)
  - Documentation
  - Migration
  - Installing local Help files
  - Deploying AMC to a custom ISC SE or IBM Dashboard Application Services Hub
  - Installing or Updating using the Eclipse Update Manager
  - Post-installation steps
  - Uninstalling
  - Launching the uninstaller
  - Performing a silent uninstallation
  - Default installation locations

Chapter 3. Update Installer
  - The .registry file
  - Installing fixes
  - Rollback
  - Troubleshooting

Chapter 4. Supported platforms

Chapter 5. Migrating
  - Migrate files to a different location
  - Which files do not need to be modified to be used in another location?
  - Which files need to be modified before they can be used in another location?
  - Which files should not be used in another location under normal circumstances?
  - Migrating files that contain encrypted data
  - Migrate files to a newer version
  - Installer-assisted migration
  - Tool-assisted migration
  - Manual migration
  - Backing up important data
  - Files backed up by the Installer
  - Upgrade from version 6.0 to 7.1
  - Upgrade from version 6.1.x to 7.1
  - Upgrade from version 7.0 to 7.1
  - Upgrade from version 7.1 to 7.1.1
  - Upgrade from version 7.1 to 7.1.1
  - Backup tools
  - Manual backup
  - Migrating AMC 7.x configuration settings to another AMC deployment
  - Converting from EventHandlers to corresponding AssemblyLines
  - TCP Server Connector
  - Mailbox Connector
  - JMX Connector
  - SNMP Server Connector
  - IBM Security Directory Server Changelog Connector
  - HTTP Server Connector
  - LDAP Server Connector
  - Sun Directory Change Detection Connector
  - Active Directory Change Detection Connector
  - z/OS LDAP Changelog Connector
  - DSMLv2SOAPServerConnector
  - Migrating BTree tables and BTree Connector to System Store
  - Migrating Cloudscape database to Derby
  - Migrating global and solution properties files using migration tool
  - Migrating Password plug-ins properties files using migration tool

Chapter 6. Security
  - Introduction
  - Manage keys, certificates and keystores
  - Background
  - Public/private keys and certificates
  - Secret keys
  - Keystores
  - Keys for SSL
  - Keys for encryption
  - Tools
  - List the contents of a keystore
  - Create keys
  - Secure Sockets Layer (SSL) Support
  - Server SSL configuration of IBM Security Directory Integrator components
  - Client SSL configuration of IBM Security Directory Integrator components
  - SSL client authentication
  - IBM Security Directory Integrator and Microsoft Active Directory SSL configuration
  - Summary of properties for enabling SSL and PKCS#11 support
  - SSL example
  - IBM Security Directory Integrator component as a server
  - IBM Security Directory Integrator component as a client
  - Remote Server API
  - Introduction
  - Configuring the Server API
  - Remote Server API access on a Virtual Private Network
  - Server API access options
  - Server API SSL remote access
  - Using Server API specific SSL properties
  - Using the standard SSL Java System properties
  - Server API authentication
  - Local client session
  - Remote client session
  - JAAS authentication
  - SSL-based authentication
  - Username/password based authentication
  - Authentication hook
  - LDAP Authentication support
  - LDAP Authentication Configuration
  - LDAP Authentication Logic
  - LDAP Group Support
  - Host based authentication
  - Summary of Server API Authentication options
  - Server API JMX layer does not support username and password authentication
  - Server API authentication setup examples
  - Server API Authorization
  - Authorization roles
  - Server API User Registry
  - Server Audit Capabilities
  - Auditing scope
  - Suppression of notifications
  - Sending notifications
  - IBM Security Directory Integrator Server Instance Security
  - Stash File
  - Server Security Modes
  - Working with encrypted IBM Security Directory Integrator configuration files
  - Introduction
  - Separation of certificates for PKI Encryption and SSL
  - Creating an encrypted IBM Security Directory Integrator configuration file from scratch
  - Using the cryptoutils command line tool
  - Editing an encrypted IBM Security Directory Integrator configuration file
  - Standard IBM Security Directory Integrator encryption of global.properties or solution.properties
  - Encryption of properties in external property files
  - The IBM Security Directory Integrator Encryption utility
  - IBM Security Directory Integrator System Store Security
  - Miscellaneous Config File features
  - The "password" configuration parameter type
  - Component Password Protection
  - Saving passwords to configured Properties
  - Protecting attributes from being printed in clear text during tracing
  - Encryption of IBM Security Directory Integrator Server Hooks
  - Remote Configuration Editor and SSL
  - Using the Remote Configuration Editor
  - Summary of configuration files and properties dealing with security
  - Web Admin Console Security
  - Miscellaneous security aspects
  - HTTP Basic Authentication
  - Lotus Domino SSL specifics
  - Certificates for the IBM Security Directory Integrator Web service Suite
  - Example Server certificate creation
  - IBM WebSphere MQ Everyplace authentication with mini-certificates

Chapter 7. Reconnect Rule Engine
  - Introduction
  - Reconnect Rules
  - User-defined rules configuration
  - Examples
  - Exception considerations
  - General reconnect configuration

Chapter 8. System Queue
  - System Queue Configuration
  - Apache ActiveMQ parameters
  - Configuration
  - Logging
  - Using SSL with ActiveMQ
  - IBM WebSphere MQ Everyplace parameters
  - IBM WebSphere MQ parameters
  - Microbroker parameters
  - JMSScript Driver parameters
  - The env JavaScript object
  - The ret JavaScript object
  - JavaScript example for Fiorano MQ
  - System Queue Configuration Example
  - Security and Authentication
  - Encryption
  - Authentication
  - IBM WebSphere MQ Everyplace Configuration Utility
  - Authentication of IBM WebSphere MQ Everyplace messages to provide Queue Security
  - Support for DNS names in the configuration of the IBM WebSphere MQ Everyplace Queue
  - Configuration of High Availability for IBM WebSphere MQ Everyplace transport of password changes
  - Providing remote configuration capabilities in the IBM WebSphere MQ Everyplace Configuration Utility

Chapter 9. Encryption and FIPS mode
  - Configuring IBM Security Directory Integrator to run FIPS mode
  - Symmetric cipher support
  - FIPS encryption
  - Connectors, Function Components, Parsers
  - The IBM Security Directory Integrator server and FIPS
  - Configuring SSL and PKI certificates
  - Encrypting and decrypting using CryptoUtils
  - Working with certificates
  - Comparing CA-signed and Self-signed certificates
  - Configuring certificates using PKI and SSL
  - Using cryptographic keys located on hardware devices
  - Using IBMPCKS11 to access devices and to store SSL keys and certificates
  - Enabling or disabling padding
  - Maintaining encryption artifacts – keys, certificates, keystores, encrypted files
  - Changed encryption key
  - Changed password for encryption key or keystore
  - Expired encryption certificate

Chapter 10. Configuring the IBM Security Directory Integrator Server API
  - Server ID
  - Exception for password protected Configs
  - Server RMI
  - Config load time-out interval

Chapter 11. Properties
  - Working with properties
  - Migrating properties using the tdimiggbl tool
  - Global properties
  - Solution properties
  - Java properties
  - System properties

Chapter 12. System Store
  - Property stores
  - Password Store
  - User property stores
  - Third-party RDBMS as System Store
  - Oracle
  - MS SQL Server
  - IBM DB2 for z/OS
  - DB2 for other OS
  - IBM solidDB
  - Using Derby to hold your System Store
  - Configuring Apache Derby Instances
  - Starting Apache Derby in networked mode
  - Enabling user authentication in System Store
  - Create statements for System Store tables
  - Backing up Apache Derby databases
  - Troubleshooting Apache Derby issues

Chapter 13. Command-line options
  - Configuration Editor
  - Server
  - Command Line Interface – tdisrvctl utility
  - Command Line Reference
  - Operations
  - Other points to note

Chapter 14. Logging and debugging
  - Script-based logging
  - Logging using the default Log4J class
  - Log Levels and Log Level control
  - Log4J default parameters
  - Creating your own log strategies

Chapter 15. Tracing and FFDC
  - Tracing Enhancements
  - Understanding Tracing
  - Configuring Tracing
  - Setting trace levels dynamically
  - Useful JLOG parameters

Chapter 16. Administration and Monitoring
  - Installation and Configuration
  - Deploying AMC into the Integrated Solutions Console (ISC)
  - Deploying AMC as a Windows service or UNIX process using the IBM Security Directory Integrator installer
  - Deploying AMC on existing IBM WebSphere Application Server environment
  - Starting the Administration and Monitoring Console and Action Manager and logging in
  - Enabling AMC
  - Running Action Manager remotely
  - AMC and Action Manager startup
  - AMC and Derby shutdown
  - Action Manager remote startup
  - Action Manager shutdown
  - AMC Logs
  - AMC in the Integrated Solutions Console
  - Console user authority
  - Administrator and the iscadmins group
  - Action Manager
  - Enabling Action Manager
  - Action Manager status in real time
  - AMC force trigger for a given rule
  - AMC and Action Manager security
  - Introduction
  - AMC and SSL
  - AMC and remote IBM Security Directory Integrator server
  - AMC and role management
  - AMC and passwords
  - AMC and encrypted configs
  - Administration and Monitoring Console User Interface
  - Log in and logout of the console
  - AMC Console Layout
  - Logging off the console
  - Using AMC tables
  - Select action drop-down menu
  - Paging
  - Sorting
  - Finding
  - Filtering
  - Servers
  - Add a server
  - Modify a server
  - Console Properties
  - General
  - SSL
  - JDBC Properties
  - Solution Views
  - Configure ACLs
  - Local variables
  - Add a Solution View
  - Config files (allows loading/reloading of configurations)
  - Custom load
  - Monitor Status and Action Manager
  - Monitor Status
  - Solution View Details
  - Server Information
  - View Components
  - Show Preferred Solution Views
  - Refreshing Solution View Details in AMC
  - Action Manager
  - Add/Edit configuration rules
  - Add/Modify Action
  - Substitute variable for event data
  - View Rules Summary
  - Property Stores
  - Select Solution View
  - Solution Properties
  - Global Properties
  - Java Properties
  - System Properties
  - Password Store
  - User Property Store
  - Log Management
  - Preferred Solution Views
  - AMC and AM Command line utilities
  - Example walkthrough of creating a Solution View and Rules

Chapter 17. Touchpoint Server
  - Touchpoint concepts
  - Touchpoint Server
  - Touchpoint Provider
  - Touchpoint Type
  - Touchpoint Instance
  - Touchpoint Template
  - Resource Persistence
  - Touchpoint Schema
  - Touchpoint Server communication protocol
  - Touchpoint Configuration
  - Instance Configuration
  - Destination Configuration
  - Touchpoint Instance communication protocol
  - Provider Touchpoint
  - Initiator Touchpoint
  - Intermediary Touchpoint
  - Representation of Entry objects as HTTP content
  - Touchpoint Status Entry schema
  - Property sheet definitions
  - XML Schema locations
  - Error flows
  - Configuration
  - Authentication
  - Examples
  - Shipped example
  - Example steps for creating a Touchpoint Instance using a JDBC Connector
  - Provider Touchpoint Instance
  - Initiator Touchpoint Instance
  - Intermediary Touchpoint Instance

Chapter 18. Tombstone Manager
  - Introduction
  - Configuring Tombstones
  - Configuration Editor Configuration screen
  - AssemblyLine Configuration screen
  - The Tombstone Manager
  - Tombstone Manager

Chapter 19. Multiple IBM Security Directory Integrator services
  - IBM Security Directory Integrator as Windows Service
  - Introduction
  - Installing and uninstalling the service
