Tivoli Identity Manager ®



Version 4.6

Password Synchronization for Active Directory Plug-in Installation and Configuration Guide

SC23-5268-00


Note: Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 27.

Fourth Edition (June 2005) This edition applies to version 4.6 of this plug-in and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2004, 2005. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface . . . . . v
  Who should read this book . . . . . v
  Publications and related information . . . . . v
    Tivoli Identity Manager library . . . . . v
    Prerequisite Product Publications . . . . . vii
    Related Publications . . . . . viii
    Accessing publications online . . . . . viii
  Accessibility . . . . . viii
  Support information . . . . . ix
  Conventions used in this book . . . . . ix
    Typeface conventions . . . . . ix
    Operating system differences . . . . . ix
    Definitions for HOME and other directory variables . . . . . x

Chapter 1. Overview of the Password Synchronization plug-in . . . . . 1
  Features of the plug-in . . . . . 1

Chapter 2. Installing the Password Synchronization plug-in . . . . . 3
  Prerequisites . . . . . 3
  Information worksheet . . . . . 3
  Installing the plug-in . . . . . 3

Chapter 3. Configuring SSL authentication for the Password Synchronization plug-in . . . . . 11
  Overview of SSL and digital certificates . . . . . 11
    Private keys, public keys, and digital certificates . . . . . 12
    Self-signed certificates . . . . . 12
    Certificate and key formats . . . . . 13
  Configuring certificates when the plug-in operates as an SSL client . . . . . 13
  Managing SSL certificates using CertTool . . . . . 14
    Starting CertTool . . . . . 15
    Generating a private key and certificate request . . . . . 16
    Installing the certificate . . . . . 17
    Installing the certificate and key from a PKCS12 file . . . . . 18
    Viewing the installed certificate . . . . . 18
    Installing a ca certificate . . . . . 18
    Viewing ca certificates . . . . . 19
    Deleting a ca certificate . . . . . 19
    Viewing registered certificates . . . . . 19
    Registering a certificate . . . . . 19
    Unregistering a certificate . . . . . 20
    Exporting a certificate and key to PKCS12 file . . . . . 20

Chapter 4. Uninstalling the Password Synchronization plug-in . . . . . 21

Appendix A. Support information . . . . . 23
  Searching knowledge bases . . . . . 23
    Search the information center on your local system or network . . . . . 23
    Search the Internet . . . . . 23
  Contacting IBM Software Support . . . . . 23
    Determine the business impact of your problem . . . . . 24
    Describe your problem and gather background information . . . . . 25
    Submit your problem to IBM Software Support . . . . . 25

Appendix B. Notices . . . . . 27
  Trademarks . . . . . 28

Index . . . . . 31

Preface

IBM® Tivoli® Identity Manager provides the Password Synchronization for Active Directory plug-in (Password Synchronization plug-in) to process password change requests between an Active Directory domain controller and the Tivoli Identity Manager Server. This book describes how to install and configure the plug-in.

Note: The program that is used to connect the managed resource to the Tivoli Identity Manager Server is now called an adapter. The term adapter replaces the previously used term agent. The user interface used to configure the adapter still uses the term agent.

Who should read this book

This book is intended for domain controller security administrators responsible for installing software on their site’s computer systems. Readers are expected to understand Windows® and domain controller concepts. The person completing the Password Synchronization plug-in installation procedure must also be familiar with their site’s system standards and needs to have appropriate Windows knowledge. Readers should be able to perform routine Windows and security administration tasks.

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite Product Publications” on page vii and the “Related Publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release Information:
• Release Notes: Provides software and hardware requirements for the product, and additional fix, patch, and other support information.
• Read This First Card: Lists the publications for the product.

Online user assistance: Provides online help topics and an information center for administrative tasks.

Server installation and configuration: Provides installation and configuration information for the product server.

Problem determination: Provides problem determination, logging, and message information for the product.

Technical supplements: The following technical supplements are provided by developers or by other groups who are interested in this product:
• Performance and tuning information: Provides information needed to tune your production environment, available on the Web at http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/

Adapter installation and configuration: The technical documentation library also includes a set of platform-specific installation documents for the adapter components of the product. Adapter information is available on the Web at http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Click Support & downloads. Browse to the Downloads and drivers. Click the link for the adapter.

Skills and training: The following additional skills and technical training information were available at the time that this manual was published:
• Virtual Skills Center for Tivoli Software on the Web at http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite Product Publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations:
• domain controller
  – Microsoft Windows® 2000 Server running Active Directory: http://www.microsoft.com/windows2000/en/server/help/
  – Microsoft Windows 2003 Server running Active Directory: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/default.asp
  – Microsoft Windows XP Server running Active Directory: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcf_omn_gjjv.asp
• Operating systems
  – IBM AIX®: http://publib16.boulder.ibm.com/pseries/Ja_JP/infocenter/base/index.htm
  – Solaris: http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux®: http://www.redhat.com/docs/
  – Microsoft® Windows Server 2003: http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2® Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server: http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• WebSphere Application Server: Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging: http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server: http://www.ibm.com/software/webservers/httpservers/library.html

Related Publications

Information that is related to your product is available in the following publications:
• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the link for your product to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your paper.

Accessibility

The product documentation includes the following features to aid accessibility:
• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.


Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix A, “Support information,” on page 23.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
• Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
• Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
• Keywords and parameters in text

Italic
• Words defined in text
• Emphasis of words (words as words)
• New terms in text (except in a definition list)
• Variables and values you must provide

Monospace
• Examples and code examples
• File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
• Message text and prompts addressed to the user
• Text that the user must type
• Values for arguments or command options

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table. The value of path varies for these operating systems:
• Windows: drive:\Program Files
• AIX: /usr
• Other UNIX: /opt

Path Variable: DB_INSTANCE_HOME
  Default Definition:
    Windows: path\IBM\SQLLIB
    UNIX:
      – AIX, Linux: /home/dbinstancename
      – Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for your Tivoli Identity Manager product.

Path Variable: LDAP_HOME
  Default Definition:
    • For IBM Directory Server Version 5.2
      Windows: path\IBM\LDAP
      UNIX: path/IBM/LDAP
        – AIX, Linux: path/ldap
        – Solaris: path/IBMldaps
    • For IBM Directory Server Version 6.0
      Windows: path\IBM\LDAP
      UNIX: /opt/IBM/ldap/
        – AIX, Solaris: /opt/IBM/ldap/
        – Linux: /opt/ibm/ldap/
    • For Sun ONE Directory Server
      Windows: path\Sun\MPS
      UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

Path Variable: IDS_instance_HOME
  Default Definition (for IBM Directory Server Version 6.0):
    Windows: drive\idsslapd-instance_owner_name
      The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
  Description: The directory that contains the IBM Directory Server Version 6.0 instance.

Path Variable: HTTP_HOME
  Default Definition:
    Windows: path\IBMHttpServer
    UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

Path Variable: ITIM_HOME
  Default Definition:
    Windows: path\IBM\itim
    UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path Variable: WAS_HOME
  Default Definition:
    Windows: path\WebSphere\AppServer
    UNIX: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory.

Path Variable: WAS_MQ_HOME
  Default Definition:
    Windows: path\ibm\WebSphere MQ
    UNIX: path/mqm
  Description: The directory that contains the WebSphere MQ code.

Path Variable: WAS_NDM_HOME
  Default Definition:
    Windows: path\WebSphere\DeploymentManager
    UNIX: path/WebSphere/DeploymentManager
  Description: The home directory on the deployment manager.

Path Variable: Tivoli_Common_Directory
  Default Definition:
    Windows: path\ibm\tivoli\common\
    UNIX: path/ibm/tivoli/common/
  Description: The central location for all serviceability-related files, such as logs and first-failure data capture.

Chapter 1. Overview of the Password Synchronization plug-in

The IBM Tivoli Identity Manager Password Synchronization plug-in enables connectivity between the Tivoli Identity Manager Server and a system running the domain controller. This installation guide provides the basic information that you need to install and configure the Password Synchronization plug-in. This chapter provides an overview of the plug-in and the features of the plug-in.

Features of the plug-in

The Password Synchronization plug-in intercepts the domain user password changes and communicates with Tivoli Identity Manager for password rules verification and synchronization. The new password is synchronized with other accounts managed by Tivoli Identity Manager for the domain user.

Chapter 2. Installing the Password Synchronization plug-in

Installing and configuring the Password Synchronization plug-in involves several steps that you must complete in the appropriate sequence. Review the prerequisites before you begin the installation process. You can also create an account on the managed resource for the adapter to use.

Prerequisites

Table 1 identifies installation prerequisites for this plug-in. Verify that all of the prerequisites have been met before installing the Password Synchronization plug-in.

Table 1. Prerequisites to install the plug-in

System
  A Windows Server running Active Directory
System Administrator Authority
  The person completing the Password Synchronization installation procedure must have system administrator authority to complete the steps in this chapter.
Adapter Compatibility
  Tivoli Identity Manager Active Directory Adapter, version 4.6
Tivoli Identity Manager Server
  Version 4.6

Information worksheet

The following worksheet lists information necessary to complete the installation of the plug-in. Gather this information prior to beginning the installation process.

Table 2. Information worksheet

Option / Description, Defaults, Notes

Installation directory
  C:\Tivoli\PwdSync
Tivoli Identity Manager Application Server
  IP address and SSL port
Target DN for the service
  On the Tivoli Identity Manager Server
Tivoli Identity Manager account
  The account under which the requests are submitted.
Tivoli Identity Manager account password
  The password for the Tivoli Identity Manager account under which the requests are submitted.

Installing the plug-in

The Tivoli Identity Manager Password Synchronization plug-in installation files are available for download from the IBM Web site. Contact your IBM account representative for the Web address and download instructions. In order to install the plug-in, complete the following steps:

1. Download the Password Synchronization plug-in installation compressed file from the Web site.
2. Extract the contents of the file into a temporary directory and navigate to that directory.
3. Start the installation program using the setup.exe file in the temporary directory. For example, select Run... from the Start menu, and type C:\Temp\setupwin32.exe in the Open field.
4. On the Welcome window, click Next.
5. On the License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, select Accept and then click Next.
6. On the Select Destination Directory window, specify where you want to install the plug-in in the Directory Name field. You can accept the default location, or click Browse to specify a different directory. Then, click Next.

Figure 1. Select Destination Directory window

7. On the PFConfig window, complete all of the text fields in the window.


Figure 2. Configuration window for the Password Synchronization plug-in

The following information describes the fields:

Installation Path
  Specifies the installation path for the Password Synchronization plug-in. The value specified must match with the installation directory value entered earlier in the installation process.

Target IP and SSL Port
  Specifies the IP address and the SSL port for the Tivoli Identity Manager Server. The default SSL port for WebSphere Application Server is 9443 on a single server setup. If you have a WAS cluster, the IBM HTTP Server needs to be configured for SSL. The default port for HTTP SSL is 443. For example, shreth.tivlab.austin.ibm.com:9443

ITIM Principal
  Specifies the Tivoli Identity Manager account under which the password change requests are submitted. The account must have the proper authority to submit password change requests for the desired people. IBM recommends creating an account specifically for these types of requests. Refer to the IBM Tivoli Identity Manager Information Center for more information on creating accounts and privileges.

Password
  Specifies the password for the Tivoli Identity Manager account under which the password change requests are submitted.

Verify Password
  Specifies the verification field for the Tivoli Identity Manager account password.

Agent Host Machine
  Specifies the name of the computer where the Windows Active Directory Adapter is installed and running. For example, \\mymachine

Agent Name
  Specifies the adapter’s registry key name. This value is ADAgent.

Maximum number of Password Change Requests Allowed
  Specifies the maximum number of Password Change requests which can be processed by the plug-in at any one time. The plug-in processes password synchronization requests in a multi-threaded manner. This value limits the number of threads to be created, so that requests can be processed in parallel. For example, if this value is specified as 15, then the password synchronization plug-in processes only 15 parallel password change requests at any one time. The next password change request after 15 fails. The default value for this parameter is 10.

Enable Password Synchronization
  Specifies if password synchronization should be enabled or disabled. When password synchronization is enabled, all password change requests are sent to Tivoli Identity Manager in order to synchronize all passwords affected by the change request. When password synchronization is not enabled, the Password Synchronization plug-in ignores all password change requests on the managed resource.

Enable Password Rules Verification
  Validates that the password complies with the password rules defined for the user. When this option is selected, the new password is checked against the password policy rules defined for each account type to be synchronized. Unless the password is valid for all accounts, the password change fails with an error indicating that the new password does not meet specified password rules. Refer to the IBM Tivoli Identity Manager Information Center for more information on setting Tivoli Identity Manager password policies.

Enable Logging
  Allows administrators to enable logging for password change requests sent to the Active Directory Server.


Service DN
  Specifies the Target DN of the service that is being monitored.

For Windows 2000 AD and Windows 2003 AD installations

At the Service DN field, click Configure Target Services. A list of configured target services appears.

Figure 3. List of configured target services

Note: One copy of the Password Synchronization client can monitor multiple base points. Enter each of the points using the Target Services window. To edit a target service, click the service and click Edit. The Base Point and Service Target DN specifications appear. The base point in the Active Directory must match the service Target DN on the Tivoli Identity Manager Server.

Figure 4. Editing a target service

Base Point
  The base points specified must be identical to the base points configured in your Active Directory Adapter. The default base point is the root domain of the Active Directory.

  Example 1: If the root of Active Directory is Cascades.Irvine.IBM.com, the Base Point must be specified as:
    dc=Cascades,dc=Irvine,dc=IBM,dc=com

  Example 2: If you installed the Windows AD Adapter in an OU (organizational short name) of your Active Directory, Users, for example, the Base Point would be entered as:
    ou=Users,dc=Cascades,dc=Irvine,dc=IBM,dc=com

Service Target DN
  The format is:
    erservicename=nameofservice,o=organizationname,ou=organizationshortname,dc=com

Note: Although DN formatting is used for the Service DN value, this is not the DN of the service being monitored. These are parameter values to the Password Synchronization plug-in.

erservicename
  Specifies the name of the target service used by the Tivoli Identity Manager Server.
o
  Specifies the name of the organization on the Tivoli Identity Manager Server.
ou
  Specifies the short name defined for the organization during installation and configuration of the Tivoli Identity Manager Server. If this value is not known, it can be determined by opening the LDAP configuration tool for your product and locating the new root suffix created during the Tivoli Identity Manager installation.
dc=com
  Specifies the root of the directory tree.

For example, if you installed the Tivoli Identity Manager Server in the root LDAP suffix called ITIM and your Windows AD service is named WinAD Corp Server and is installed in an organization named Finance Org, the Tivoli Identity Manager organization chart would look similar to the following diagram:

+ ITIM Home
  + Corporate Org
    + IT Org Unit
    + HR Org Unit
  + Finance Org
    + Accounts Payable Org Unit

This Windows AD example has the following Service DN value:
  erservicename=WinAD Corp Server,o=Finance Org,ou=ITIM,dc=com

8. On the Installation Summary window, click Next to begin the installation.
9. On the Confirmation window, answer the question about restarting the system.
   Note: The connection information can be modified at a later time by running the pfconfig.exe program. This program opens the PFConfig window.
10. Restart the Active Directory Server.
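The Base Point and Service Target DN rules given for step 7 can be checked mechanically before the values are typed into the Target Services window: the base point must be one the Active Directory Adapter is configured with, and the Service Target DN must follow the erservicename/o/ou/dc=com layout. The script below is an added example, not part of the plug-in or its installer; the function names and the ADAPTER_BASE_POINTS list are hypothetical, and the sample values are the ones used in Examples 1 and 2 and in the Finance Org example above.

```python
"""Build and sanity-check a target-service entry (Base Point plus Service
Target DN) for the Password Synchronization plug-in.

Added example; the function names and ADAPTER_BASE_POINTS are assumptions,
the sample values come from the examples in the guide."""

# Constructed: the base points configured in the Active Directory Adapter.
ADAPTER_BASE_POINTS = [
    "dc=Cascades,dc=Irvine,dc=IBM,dc=com",
    "ou=Users,dc=Cascades,dc=Irvine,dc=IBM,dc=com",
]


def base_point_from_domain(domain, ou=None):
    """Turn a DNS domain name into its dc= form (Example 1); an optional OU
    short name is prepended as ou=... (Example 2)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain name must have at least one label")
    dn = ",".join(f"dc={label}" for label in labels)
    return f"ou={ou},{dn}" if ou else dn


def service_target_dn(service_name, organization, org_short_name):
    """Compose the Service Target DN in the format the guide specifies."""
    return (f"erservicename={service_name},o={organization},"
            f"ou={org_short_name},dc=com")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.  A backslash escapes the
    following character, so an escaped comma inside a value does not split it."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def check_target_service(base_point, service_dn,
                         adapter_base_points=ADAPTER_BASE_POINTS):
    """Return a list of problems; an empty list means the pair follows the
    rules in the guide.  Only the shape is checked here, not whether the
    service exists on the Tivoli Identity Manager Server."""
    problems = []
    if base_point not in adapter_base_points:
        problems.append(f"base point {base_point!r} is not configured "
                        "in the Active Directory Adapter")
    try:
        pairs = parse_dn(service_dn)
    except ValueError as exc:
        return problems + [str(exc)]
    attrs = [attr.lower() for attr, _ in pairs]
    if attrs != ["erservicename", "o", "ou", "dc"]:
        problems.append("Service Target DN must have the form "
                        "erservicename=...,o=...,ou=...,dc=com")
    elif pairs[-1][1].lower() != "com":
        problems.append("Service Target DN must end with dc=com")
    return problems


if __name__ == "__main__":
    bp = base_point_from_domain("Cascades.Irvine.IBM.com")
    sdn = service_target_dn("WinAD Corp Server", "Finance Org", "ITIM")
    print(bp)
    print(sdn)
    print(check_target_service(bp, sdn) or "target service entry looks consistent")
```

Because the Service DN is a parameter string rather than a real directory entry, the check only confirms the layout; the erservicename, o and ou values still have to be read from the Tivoli Identity Manager Server as the guide describes.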


Chapter 3. Configuring SSL authentication for the Password Synchronization plug-in

In order to establish a secure connection between a Tivoli Identity Manager adapter and the Tivoli Identity Manager Server, you must configure the adapter and the server to use the Secure Sockets Layer (SSL) authentication with the default communication protocol, DAML. By configuring the adapter for SSL, you ensure that the Tivoli Identity Manager Server verifies the identity of the adapter before a secure connection is established.

You can configure SSL authentication for connections that originate from the Tivoli Identity Manager Server or from the adapter. Typically, the Tivoli Identity Manager Server initiates a connection to the adapter in order to set or retrieve the value of a managed attribute on the adapter. However, depending on the security requirements of your environment, you might need to configure SSL authentication for connections that originate from the adapter. For example, if the adapter uses events to notify the Tivoli Identity Manager Server of changes to attributes on the adapter, you can configure SSL authentication for Web connections that originate from the adapter to the Web server that is used by the Tivoli Identity Manager Server.

In a production environment, you need to enable SSL security; however, for testing purposes you might want to disable SSL. If an external application that communicates with the adapter (such as the Tivoli Identity Manager Server) is set to use server authentication, you must enable SSL on the adapter to verify the certificate that the application presents.

This chapter presents an overview of SSL authentication, certificates, and how to enable SSL authentication using the CertTool utility.

Overview of SSL and digital certificates

When you deploy Tivoli Identity Manager into an enterprise network, you must secure communication between the Tivoli Identity Manager Server and the software products and components with which the server communicates. The industry-standard SSL protocol, which uses signed digital certificates from a certificate authority (ca) for authentication, is used to secure communication in a Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the data exchanged between the applications. Encryption makes data transmitted over the network intelligible only to the intended recipient.

Signed digital certificates enable two applications connecting in a network to authenticate each other’s identity. An application acting as an SSL server presents its credentials in a signed digital certificate to verify to an SSL client that it is the entity it claims to be. An application acting as an SSL server can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates.

Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as those provided by OpenSSL, can also issue signed certificates. A certificate-authority certificate (ca certificate) must be installed to verify the origin of a signed digital certificate. When an application receives another application’s signed certificate, it uses a ca certificate to verify the originator of the certificate. A certificate authority can be well-known and widely used by other organizations, or it can be local to a specific region or company. Many applications, such as Web browsers, are configured with the ca certificates of well known certificate authorities to eliminate or reduce the task of distributing ca certificates throughout the security zones in a network.

Private keys, public keys, and digital certificates

Keys, digital certificates, and trusted certificate authorities are used to establish and verify the identities of applications. SSL uses public key encryption technology for authentication. In public key encryption, a public key and a private key are generated for an application. Data encrypted with the public key can only be decrypted using the corresponding private key. Similarly, the data encrypted with the private key can only be decrypted using the corresponding public key. The private key is password-protected in a key database file so that only the owner can access the private key to decrypt messages that are encrypted using the corresponding public key. A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. In order to ensure maximum security, a certificate is issued by a third-party certificate authority (ca). A certificate contains the following information to verify the identity of an entity:

Organizational information
    This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility.

Public key
    The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.

Certificate authority’s distinguished name
    The issuer of the certificate identifies itself with this information.

Digital signature
    The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding ca certificate to verify that the certificate originated from a trusted certificate authority.
Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted Certificate Authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the ca certificate used to verify it has expired, or because the distinguished name in the digital certificate of the server does not match the distinguished name specified by the client.

Self-signed certificates

You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner’s signature. It has an associated private key, but it does not verify the origin of the certificate through a third-party certificate authority. Once you generate a self-signed certificate on an SSL server application, you must extract it and add it to the certificate registry of the SSL client application. This procedure is the equivalent of installing a ca certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a ca certificate. Use a key management utility to generate a self-signed certificate and private key, extract a self-signed certificate, and add a self-signed certificate. Where and how you choose to use self-signed certificates depends on your security requirements. In order to achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively. For example, you can choose to authenticate applications that protect server data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or Tivoli Identity Manager adapters. If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and ca certificate pair.

Certificate and key formats

Certificates and keys are stored in files with the following formats:

.pem format
    A privacy-enhanced mail (.pem) format file begins and ends with the following lines:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    A .pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create ca certificates.

.arm format
    An .arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm file format is generated and used by the IBM Key Management utility.

.der format
    A .der file contains binary data. A .der file can only be used for a single certificate, unlike a .pem file, which can contain multiple certificates.

.pfx format (PKCS12)
    A PKCS12 file is a portable file that contains a certificate and a corresponding private key. This format is useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file on another machine using the CertTool utility.

Configuring certificates when the plug-in operates as an SSL client

In this scenario, the plug-in operates as an SSL client: the plug-in initiates the connection, and the Web server responds by presenting its certificate to the plug-in.

Figure 5 illustrates how a Tivoli Identity Manager plug-in operates as an SSL server and an SSL client. When communicating with the Tivoli Identity Manager Server, the plug-in sends its certificate for authentication. When communicating with the Web server, the plug-in receives the certificate of the Web server.

[Figure 5 (diagram not reproduced): the Tivoli Identity Manager adapter holds Certificate A and CA Certificate C, the Tivoli Identity Manager Server holds CA Certificate A, and the Web server holds Certificate C. The adapter presents Certificate A to the Tivoli Identity Manager Server, and the Web server presents Certificate C to the adapter.]

Figure 5. Tivoli Identity Manager plug-in operating as an SSL server and an SSL client

If the Web server is configured for two-way SSL authentication, it verifies the identity of the plug-in, which sends its signed certificate to the Web server (not shown in the illustration). In order to enable two-way SSL authentication between the plug-in and Web server, use the following procedure:

1. Configure the Web server to use client authentication.
2. Follow the procedure for creating and installing a signed certificate on the Web server.
3. Install the ca certificate on the plug-in, using the CertTool utility.
4. Add the ca certificate corresponding to the signed certificate of the plug-in to the Web server.

For more information on configuring certificates when the plug-in initiates a connection to the Web server (used by the Tivoli Identity Manager Server) to send a notification, see the Tivoli Identity Manager Information Center.

Managing SSL certificates using CertTool

The procedures in this section describe how to use the CertTool utility to manage private keys and certificates. This section includes instructions for performing the following tasks:

• “Starting CertTool” on page 15.
• “Generating a private key and certificate request” on page 16.
• “Installing the certificate” on page 17.
• “Installing the certificate and key from a PKCS12 file” on page 18.
• “Viewing the installed certificate” on page 18.
• “Viewing ca certificates” on page 19.
• “Installing a ca certificate” on page 18.
• “Deleting a ca certificate” on page 19.
• “Viewing registered certificates” on page 19.
• “Registering a certificate” on page 19.
• “Unregistering a certificate” on page 20.

Starting CertTool

In order to start the certificate configuration tool, CertTool, for the Password Synchronization plug-in, complete these steps:

1. Select Programs from the Start menu, select Accessories, and then select Command Prompt.
2. In the Microsoft Windows DOS Command Prompt window, change to the bin directory for the plug-in. For example, if the Password Synchronization directory is in the default location, type the following command:

   cd \Tivoli\PwdSync\bin

3. Type CertTool -agent PwdSync at the prompt. The Main menu is displayed:

   Main menu - Configuring agent: PwdSync
   ------------------------------
   A. Generate private key and certificate request
   B. Install certificate from file
   C. Install certificate and key from PKCS12 file
   D. View current installed certificate
   E. List CA certificates
   F. Install a CA certificate
   G. Delete a CA certificate
   H. List registered certificates
   I. Register certificate
   J. Unregister a certificate
   K. Export certificate and key to PKCS12 file
   X. Quit
   Choice:

From the Main Menu, you can generate a private key and certificate request, install and delete certificates, register and unregister certificates, and list certificates. The following sections summarize the purpose of each group of options.

The first set of options (A through D) allows you to generate a Certificate Signing Request (csr) and install the returned signed certificate on the adapter.

A. Generate private key and certificate request
    Generate a csr, which is sent to the certificate authority (ca), and the associated private key. For more information on option A, see “Generating a private key and certificate request” on page 16.

B. Install certificate from file
    Install a certificate from a file. This file must be the signed certificate returned by the ca in response to the csr that is generated by option A. For more information on option B, see “Installing the certificate” on page 17.

C. Install certificate and key from a PKCS12 file
    Install a certificate from a PKCS12 format file that includes both the public certificate and a private key. If options A and B are not used to obtain a certificate, the certificate that you use must be in PKCS12 format. For more information on option C, see “Installing the certificate and key from a PKCS12 file” on page 18.

D. View current installed certificate
    View the certificate that is installed on the system. For more information on option D, see “Viewing the installed certificate” on page 18.

The second set of options (E through G) enables you to install root ca certificates on the adapter. A ca certificate is used by the Tivoli Identity Manager adapter to validate the corresponding certificate presented by a client, such as the Tivoli Identity Manager Server.

E. List CA certificates
    Show the installed ca certificates. The adapter only communicates with Tivoli Identity Manager Servers whose certificates are validated by one of the installed ca certificates.

F. Install a CA certificate
    Install a new ca certificate so that certificates generated by this ca can be validated. The ca certificate file can either be in X.509 or PEM encoded formats. For more information on how to install a ca certificate, see “Installing a ca certificate” on page 18.

G. Delete a CA certificate
    Remove one of the installed ca certificates. For more information on how to delete a ca certificate, see “Deleting a ca certificate” on page 19.

The remaining options (H through K) apply to the adapters or plug-ins that must authenticate the application (for example, the Tivoli Identity Manager Server or the Web server) to which the adapter or plug-in is sending information. These options enable you to register certificates on the adapter or plug-in. For Tivoli Identity Manager Version 4.5 or earlier, the signed certificate of the Tivoli Identity Manager Server must be registered with an adapter or a plug-in to enable client authentication on the adapter or plug-in. If you do not intend to upgrade an existing adapter or plug-in to use ca certificates for client authentication, the signed certificate presented by the Tivoli Identity Manager Server must be registered with the adapter or plug-in.

H. List registered certificates
    List all registered certificates that will be accepted for communications. For more information on listing registered certificates, see “Viewing registered certificates” on page 19.

I. Register a certificate
    Register a new certificate. The certificate to be registered must be in Base 64 encoded X.509 format or PEM. For more information on registering certificates, see “Registering a certificate” on page 19.

J. Unregister a certificate
    Remove a certificate from the registered list. For more information on removing certificates, see “Unregistering a certificate” on page 20.

K. Export certificate and key to PKCS12 file
    Export a previously installed certificate and private key. You will be prompted for the filename and a password for encryption. For more information on exporting a certificate and key to a PKCS12 file, see “Exporting a certificate and key to PKCS12 file” on page 20.

Generating a private key and certificate request

A certificate signing request (csr) is an unsigned certificate that is a text file. When you submit an unsigned certificate to a certificate authority, the ca signs the certificate with the private digital signature that is included in their corresponding ca certificate. When the csr is signed, it becomes a valid certificate. A csr contains information about your organization, such as the organization name, country, and the public key for your Web server. In order to generate a csr file, complete these steps:

1. At the Main Menu of the CertTool, type A. The following message and prompt are displayed:

   Enter values for certificate request (press enter to skip value)
   -------------------------------------------------------------------------

2. At the Organization prompt, type your organization name, and press Enter.
3. At the Organizational Unit prompt, type the organizational unit, and press Enter.
4. At the Agent Name prompt, type the name of the adapter you are requesting a certificate for, and press Enter.
5. At the E-mail prompt, type the e-mail address for the contact person for this request, and press Enter.
6. At the Country prompt, type the country in which the adapter resides, and press Enter.
7. At the State prompt, type the state in which the adapter resides (if the adapter is in the United States), and press Enter. Some certificate authorities do not accept two-letter abbreviations for states, so you must type the full name of the state.
8. At the Locality prompt, type the name of the city in which the adapter resides, and press Enter.
9. At the Accept these values prompt, type Y to accept the values displayed, or type N to enter the values again, and press Enter. The private key and certificate request are generated once the values are accepted.
10. At the Enter name of file to store PEM cert request prompt, type the name of the file that you want to use to store the values you specified during the previous steps, and press Enter.
11. Press Enter to continue. The certificate request and input values are written to the file you specified, and the Main Menu is displayed again.

You can now request a certificate from a trusted ca by sending the .pem file that you just generated to a certificate authority vendor.

Example of certificate signing request

Your csr file will look similar to the following example: a PEM text block that begins with the line

-----BEGIN CERTIFICATE REQUEST-----

and ends with the line

-----END CERTIFICATE REQUEST-----

with the Base 64 encoded request between the two lines.

Installing the certificate

Once you receive your certificate from your trusted ca, you install it in the registry of the adapter. In order to install the certificate, complete these steps:

1. If you received the certificate as part of an e-mail message, copy the text of the certificate to a text file, and copy that file to the bin directory for the plug-in. For example, C:\Tivoli\PwdSync\bin
2. At the Main Menu of the CertTool, type B. The following prompt is displayed:

   Enter name of certificate file:
   -------------------------------------------------------------------------

3. At the Enter name of certificate file prompt, type the full path to the certificate file, and press Enter. The certificate is installed in the registry for the plug-in, and the Main Menu is displayed again.

Installing the certificate and key from a PKCS12 file

If you do not use the CertTool utility to generate a csr to obtain a certificate, you must install both the certificate and private key, which must be stored in a PKCS12 file. The ca might send a password-protected PKCS12 file (a file with the .pfx extension), which includes both the certificate and private key. In order to install the certificate from this PKCS12 file, complete these steps:

1. Copy the PKCS12 file to the bin directory for the Password Synchronization plug-in. For example, C:\Tivoli\PwdSync\bin
2. At the Main Menu for the CertTool, type C. The following prompt is displayed:

   Enter name of PKCS12 file:
   -------------------------------------------------------------------------

3. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file that has the certificate and private key information, and press Enter. For example, DamlSrvr.pfx.
4. At the Enter password prompt, type the password to access the file, and press Enter. The certificate and private key are installed in the Password Synchronization plug-in registry, and the Main Menu is displayed.

Viewing the installed certificate

In order to list the certificate that is installed on your system, at the Main Menu of CertTool, type D. The installed certificate is listed, and the Main Menu is displayed. The following example lists an installed certificate:

   The following certificate is currently installed.
   Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAML Server

Installing a ca certificate

If you are using client authentication, you need to install a ca certificate. The ca certificate you install is issued by a certificate authority vendor. In order to install a ca certificate that was extracted into a temporary file, complete the following steps:

1. At the Main Menu prompt, type F (Install a ca certificate). The following prompt is displayed:

   Enter name of certificate file:

2. At the Enter name of certificate file prompt, type the name of the certificate file, such as DamlCACerts.pem, and press Enter. The certificate file is opened, and the following prompt is displayed:

   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Install the CA? (Y/N)

3. At the Install the CA prompt, type Y to install the certificate, and press Enter. The certificate file is installed in the CACerts.pem file.

Viewing ca certificates

CertTool only installs one certificate and one private key. In order to list the ca certificate that is installed on the Password Synchronization plug-in, type E at the Main Menu prompt. The installed ca certificates are displayed and the Main Menu is displayed. The following example lists an installed ca certificate:

   Subject: o=IBM,ou=SampleCACert,cn=TestCA
   Valid To: Wed Jul 26 23:59:59 2006

Deleting a ca certificate

In order to delete a ca certificate from the Password Synchronization plug-in directories, complete the following steps:

1. At the Main Menu prompt, type G. A list of all ca certificates installed on the plug-in is displayed:

   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
   Enter number of CA certificate to remove:

2. At the Enter number of CA certificate to remove prompt, type the number of the ca certificate that you want to remove, and press Enter. The ca certificate is deleted from the CACerts.pem file, and the Main Menu is displayed.

Viewing registered certificates

Only requests that present a registered certificate will be accepted by the Password Synchronization plug-in when client validation is enabled. In order to view a list of all registered certificates available to the Password Synchronization plug-in, at the Main Menu prompt, type H. The registered certificates are displayed and the Main Menu is displayed. The following example lists registered certificates:

   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

Registering a certificate

In order to register a certificate for the Password Synchronization plug-in, complete the following steps:

1. At the Main Menu prompt, type I. The following prompt is displayed:

   Enter name of certificate file:

2. At the Enter name of certificate file prompt, type the name of the certificate file that you want to register, and press Enter. The subject of the certificate is displayed, and a prompt is displayed, for example:

   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Register this CA? (Y/N)

3. At the Register this CA prompt, type Y to register the certificate, and press Enter. The certificate is registered to the plug-in, and the Main Menu is displayed.

Unregistering a certificate

In order to unregister a certificate for the Password Synchronization plug-in, complete the following steps:

1. At the Main Menu prompt, type J. The registered certificates are displayed. The following example lists registered certificates:

   0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support

2. Type the number of the certificate file that you want to unregister, and press Enter. The subject of the selected certificate is displayed, and a prompt is displayed, for example:

   [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
   Unregister this CA? (Y/N)

3. At the Unregister this CA prompt, type Y to unregister the certificate, and press Enter. The certificate is removed from the registered certificate list for the plug-in, and the Main Menu is displayed.
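The following is an added example, not code from the IBM guide or from the CertTool utility. It works through two points made above: the "Certificate and key formats" distinction (a .pem file may hold a chain of certificates, a .der file exactly one) and the registered-certificate check described in the three preceding procedures, where a plug-in with client validation enabled accepts a request only if the presented certificate is on its registered list. The certificate bytes are constructed minimal DER values so that it runs offline; it is a model of the concept, not CertTool's implementation.

```python
"""Added example, not from the IBM guide or the CertTool utility.

Works through the "Certificate and key formats" points and the registered-
certificate check from the procedures above: a .pem file may hold a chain of
certificates while .der holds exactly one, and a plug-in with client
validation enabled accepts a request only if the presented certificate is on
its registered list. The certificate bytes are constructed minimal DER values
so that the code runs offline; real X.509 certificates are handled the same way.
"""
import base64
import hashlib
import re
from typing import Dict, List

# One PEM block. The back-reference forces the END label to match the BEGIN
# label, so CERTIFICATE and CERTIFICATE REQUEST blocks are kept apart.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der_blocks(pem_text: str, label: str = "CERTIFICATE") -> List[bytes]:
    """Return the DER bytes of every PEM block with the given label, in file order."""
    blocks = []
    for found_label, body in _PEM_BLOCK.findall(pem_text):
        if found_label == label:
            blocks.append(base64.b64decode(re.sub(r"\s+", "", body), validate=True))
    return blocks


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as one PEM block with the usual 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def is_single_der_object(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose length covers the whole blob.

    A .der certificate file must satisfy this; two certificates concatenated
    (a chain) or a truncated file do not.
    """
    if len(der) < 2 or der[0] != 0x30:  # 0x30 is the SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        header, length = 2, first
    else:  # long form: 0x80 | n, followed by n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the encoded certificate, the usual way to pin one certificate."""
    return hashlib.sha256(der).hexdigest()


class CertificateRegistry:
    """Model of the registered-certificate list behind menu options H, I and J.

    Matching uses the whole encoded certificate rather than the subject DN,
    so a different certificate carrying the same subject is not accepted.
    """

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, bytes] = {}

    def register(self, pem_text: str) -> str:
        """Register the one certificate held in a PEM file; return its fingerprint."""
        ders = pem_to_der_blocks(pem_text)
        if len(ders) != 1 or not is_single_der_object(ders[0]):
            raise ValueError("a certificate file to register must hold exactly one certificate")
        fp = fingerprint(ders[0])
        self._by_fingerprint[fp] = ders[0]
        return fp

    def unregister(self, fp: str) -> bool:
        """Remove a certificate from the list; False if it was not registered."""
        return self._by_fingerprint.pop(fp, None) is not None

    def list_registered(self) -> List[str]:
        return sorted(self._by_fingerprint)

    def is_accepted(self, presented_der: bytes) -> bool:
        """The per-request check made when client validation is enabled."""
        return fingerprint(presented_der) in self._by_fingerprint


# Constructed sample data: two minimal DER SEQUENCEs standing in for certificates.
CERT_A = bytes.fromhex("3006020101020102")  # SEQUENCE { INTEGER 1, INTEGER 2 }
CERT_B = bytes.fromhex("3006020103020104")  # SEQUENCE { INTEGER 3, INTEGER 4 }
# A .pem bundle such as CACerts.pem may hold a chain: here, both in one file.
CA_BUNDLE_PEM = der_to_pem(CERT_A) + der_to_pem(CERT_B)
```

Registering CA_BUNDLE_PEM raises ValueError because a file to register must hold one certificate, while pem_to_der_blocks(CA_BUNDLE_PEM) returns both, which is the chain case the .pem format allows.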

Exporting a certificate and key to PKCS12 file

In order to export a certificate and key to a PKCS12 file for the Password Synchronization plug-in, complete the following steps:

1. At the Main Menu prompt, type K. The following prompt is displayed:

   Enter name of PKCS12 file:

2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file for the installed certificate and private key, and press Enter.
3. At the Enter Password prompt, type the password for the PKCS12 file, and press Enter.
4. At the Confirm Password prompt, type the password again, and press Enter. The certificate and private key are written to the PKCS12 file, and the Main Menu is displayed.

Chapter 4. Uninstalling the Password Synchronization plug-in

This section describes the procedures for uninstalling the Password Synchronization plug-in. Inform users that the resource will be unavailable prior to removing the client. If the server is taken offline, Password Synchronization requests that are not completed may not be recovered when the server is back online. Complete the following procedure to remove the Password Synchronization plug-in and directories.

1. From the Windows Control Panel, select Add/Remove Programs, and then select Tivoli Password Synch Agent.
2. On the Welcome window, click Next.
3. On the Password Synchronization Plug-in Uninstallation Summary window, click Next.
4. On the Reboot Confirmation window, click Next to reboot your system. When your system restarts, the uninstallation wizard continues and the Password Synchronization plug-in is deleted.
5. On the Uninstallation Summary window, click Finish.

Note: To ensure that the Password Synchronization directories, subdirectories, and files are removed from the system, view the directory tree.


Appendix A. Support information

This section describes the following options for obtaining support for IBM products:

• “Searching knowledge bases”
• “Contacting IBM Software Support”

Searching knowledge bases If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:

• Performance and tuning information provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
  http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

• For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  – Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll
  – By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
• For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1
    Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
    Significant business impact: The program is usable but is severely limited.

Severity 3
    Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4
    Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.

Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support You can submit your problem in one of two ways: v Online: Go to the ″Submit and track problems″ page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool. v By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http:// techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region. If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions. For more information about problem resolution, see Searching knowledge bases.


Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 2004, 2005


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM
IBM logo
ibm.com
AIX
AS/400
DB2
Domino
Informix
iSeries
Linux
Lotus
Lotus Notes
MQSeries
Notes
OS/400
Power PC
Tivoli
Tivoli logo
Universal Database
WebSphere

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.


Index

A
accessibility viii
  pdf format, for screen-reader software viii
  statement for documentation viii
  text, alternative for document images viii
administrator authority 3

B
books
  see publications

C
Certificate Authority
  definition 11
certificate signing request (csr) 17
certificates
  ca
    available functions 16
    deleting 19
    installing 18
    viewing installed 19
  definition 11
  examples
    certificate signing request (csr) 17
    install 18
    installation from file 17
    sample 18
  key formats 13
  overview 11
  private keys and digital certificates 12
  protocol configuration tool
    See CertTool
  register 16
  registered
    registering 19
    removing 20
    viewing 19
  request 17
  self-signed 12
  viewing
    installed 18
    registered 19
  viewing installed 18
  viewing registered 19
CertTool
  ca certificate
    deleting 19
    installing 18
    viewing 19
  certificate
    install 18
    register 16
    request 17
    viewing installed 18
    viewing registered 19
  changing adapter parameters
    accessing 15
    options 15
  client authentication 16
  install certificate 17
  private key, generating 17
  registered certificate
    registering 19
    removing 20
    viewing 19
client validation, SSL 13
conventions
  HOME directory
    Tivoli_Common_Directory xi
    DB_INSTANCE_HOME x
    HTTP_HOME xi
    ITIM_HOME xi
    LDAP_HOME x
    WAS_HOME xi
    WAS_MQ_HOME xi
    WAS_NDM_HOME xi
  typeface ix
  UNIX variable, directory notation ix
  used in this document ix
csr
  definition 16
  file, generating 17
customer support
  see Software Support 23

D
DB_INSTANCE_HOME
  DB2 UDB installation directory x
  definition x
directory
  DB_INSTANCE_HOME x
  HTTP_HOME xi
  installation
    DB2 UDB x
    IBM Directory Server x
    IBM HTTP Server xi
    WebSphere Application Server base product xi
    WebSphere Application Server Network Deployment product xi
    WebSphere MQ xi
  installation for Sun ONE Directory Server x
  ITIM_HOME xi
  LDAP_HOME x
  names, UNIX notation ix
  WAS_HOME xi
  WAS_MQ_HOME xi
  WAS_NDM_HOME xi
disabilities, using documentation viii
documents
  related viii
  Tivoli Identity Manager library v

E
encryption
  SSL 11, 12
environment variable
  UNIX notation ix

H
home directories
  DB_INSTANCE_HOME x
  HTTP_HOME xi
  ITIM_HOME xi
  LDAP_HOME x
  WAS_HOME xi
  WAS_MQ_HOME xi
  WAS_NDM_HOME xi
HTTP_HOME
  definition xi
  IBM HTTP Server installation directory xi

I
import PKCS12 file 13
information centers, searching to find software problem resolution 23
installation
  certificate 17
  directory
    DB2 UDB x
    IBM Directory Server x
    IBM HTTP Server xi
    Sun ONE Directory Server x
    WebSphere Application Server base product xi
    WebSphere Application Server Network Deployment product xi
    WebSphere MQ xi
installation prerequisites
  administrator authority 3
  communication with Tivoli Identity Manager Server 3
  plug-in compatibility 3
  server 3
  system 3
Internet, searching to find software problem resolution 23
ITIM_HOME
  definition xi
  directory xi

K
knowledge bases, searching to find software problem resolution 23

L
LDAP_HOME
  definition x
  IBM Directory Server installation directory x
  Sun ONE Directory Server installation directory x

M
manuals
  see publications

O
online publications
  accessing viii

P
password protected file
  See PKCS12 file
path names, notation ix
pdf format, for screen-reader software viii
PKCS12 file
  certificate and key installation 18
  export certificate and key 20
plug-in
  features 1
  installation overview 1
plug-in compatibility 3
plug-in overview 1
private key
  definition 11
private key, generating 17
problem determination
  describing problem for IBM Software Support 25
  determining business impact for IBM Software Support 24
  submitting problem to IBM Software Support 25
protocol
  SSL
    overview 11
    two-way configuration 13
public key 12
publications
  accessing online viii
  related viii
  Tivoli Identity Manager library v

S
self-signed certificate 12
server prerequisites 3
Software Support
  contacting 23
  describing problem for IBM Software Support 25
  determining business impact for IBM Software Support 24
  submitting problem to IBM Software Support 25
SSL
  certificate installation 11
  Certificate Signing Request 16
  encryption 11
  key formats 13
  overview 11
  private keys and digital certificates 12
  self-signed certificates 12
  two-way configuration 13
system prerequisites 3

T
text, alternative for document images viii
Tivoli Identity Manager Adapter
  communication with the server 13
  SSL communication 13
Tivoli software information center viii
Tivoli_Common_Directory
  definition xi
two-way configuration
  SSL client and server 13
typeface conventions ix

W
WAS_HOME
  definition xi
  WebSphere Application Server base installation directory xi
WAS_MQ_HOME
  definition xi
  WebSphere MQ installation directory xi
WAS_NDM_HOME
  definition xi
  WebSphere Application Server Network Deployment installation directory xi




Printed in USA

SC23-5268-00