IBM Security Identity Manager Version 6.0 IBM i Password Synchronization Plug-in Installation and Configuration Guide SC27-4397-01


Note: Before using this information and the product it supports, read the information in “Notices” on page 29.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures
Tables
Preface
    About this publication
    Access to publications and terminology
    Accessibility
    Technical training
    Support information
    Statement of Good Security Practices
Chapter 1. Overview of the plug-in
Chapter 2. Plug-in installation planning
    Preinstallation roadmap
    Installation roadmap
    Prerequisites
    Installation worksheet for the adapter
    Plug-in downloads
Chapter 3. Installing the plug-in
    Verification of the plug-in installation
Chapter 4. First steps after installation
    Plug-in and server configuration
        Configuring the plug-in
        Configuring the IBM Security Identity Manager server
    Configuration of SSL communication for the plug-in
        Overview of SSL and digital certificates
        Configuring certificates when the plug-in operates as an SSL server and an SSL client
        CA certificates installation
Chapter 5. Uninstalling the plug-in
Appendix A. Definitions for ITDI_HOME and ISIM_HOME directories
Appendix B. Support information
    Searching knowledge bases
    Obtaining a product fix
    Contacting IBM Support
Appendix C. Accessibility features for IBM Security Identity Manager
Notices
Index


Figures

1. Plug-in operating as an SSL server and an SSL client


Tables

1. Preinstallation roadmap
2. Installation roadmap
3. Requirements to install the plugin
4. Required information to install the plug-in


Preface

About this publication

The IBM i Password Synchronization Plug-in Installation and Configuration Guide (previously titled i5/OS Password Synchronization Plug-in Installation and Configuration Guide) describes how to install and prepare the IBM i Password Synchronization Plug-in.

IBM® Security Identity Manager (version 4.5 or later) provides password synchronization components that process password change requests between an iSeries system and the IBM Security Identity Manager server. IBM Security Identity Manager was previously known as Tivoli® Identity Manager.

Access to publications and terminology

This section provides:
- A list of publications in the “IBM Security Identity Manager library.”
- Links to “Online publications.”
- A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
    The product documentation site (http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
    The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix B, “Support information,” on page 23 provides details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Overview of the plug-in

The IBM i Password Synchronization Plug-in enables communication between the IBM Security Identity Manager server and an IBM i Password Synchronization system.

The IBM Security Identity Manager IBM i Password Synchronization Plug-in is a plug-in that must be installed on the iSeries server. It must be installed before the IBM Security Identity Manager server can accept password changes from the iSeries Password Change user interface. You must also install a certificate for the client because IBM Security Identity Manager relies on certificates to establish secure SSL communication with the IBM i Password Synchronization Plug-in.

This installation and configuration guide provides the basic information that you need to install and configure the IBM i Password Synchronization Plug-in. This section provides an overview of the plug-in and the features of the plug-in.

The IBM i Password Synchronization Plug-in intercepts the iSeries user password changes and communicates with IBM Security Identity Manager for password rules verification and synchronization. If Password Synchronization is enabled in IBM Security Identity Manager, it synchronizes the new password with other accounts of the user that are managed by IBM Security Identity Manager.

The IBM i Password Synchronization Plug-in uses the CHGPWD command to detect password changes. The CHGPWD command does not take a user name as a parameter. Each user must log in and use the CHGPWD command to change their own password.


Chapter 2. Plug-in installation planning

Installing and configuring the plug-in involves several steps that you must complete in an appropriate sequence.

Review the road maps before you begin the installation process.

Preinstallation roadmap

Before you install the plug-in, you must prepare the environment.

Perform the tasks that are listed in Table 1.

Table 1. Preinstallation roadmap

Task | For more information
Obtain the installation software. | Download the software from Passport Advantage® Web site. See “Plug-in downloads” on page 5.
Verify that your environment meets the software and hardware requirements for the adapter. | See “Prerequisites.”
Obtain the necessary information for the installation and configuration. | See “Installation worksheet for the adapter” on page 5.

Installation roadmap

To install the plug-in, complete the tasks that are listed in the installation roadmap.

Table 2. Installation roadmap

Task | For more information
Install the plug-in. | See Chapter 3, “Installing the plug-in,” on page 7.
Verify the installation. | See “Verification of the plug-in installation” on page 8.
Configuring the plug-in | See “Configuring the plug-in” on page 9.
Configure IBM Security Identity Manager server | See “Configuring the IBM Security Identity Manager server” on page 11.
Configure the SSL communication | See “Plug-in and server configuration” on page 9.

Prerequisites

You must complete hardware, software, and authorization prerequisites before you install the IBM i Password Synchronization Plug-in.

Verify that your environment meets all the prerequisites before you install the IBM i Password Synchronization Plug-in.


Table 3. Requirements to install the plugin

Prerequisite | Description

System |
    - A supported hardware system.
        – i5/OS V5R4
        – IBM i Password Synchronization V6R1
        – IBM i Password Synchronization V7R1
    - A minimum of 16 MB of memory.
    - A minimum of at least 20 MB of free disk space.

Adapter compatibility | IBM Security Identity Manager IBM i Password Synchronization Plug-in 6.0

Software |
    i5/OS V5R4
    - 5722SS1, option 12 (Host Servers)
    - 5722JC1 (IBM Toolbox for Java™)
    The following software is required for secure connections:
    - 5722SS1, option 34 (Digital Certificate Manager)
    - 5722AC3 - V5R3 only (Crypto Access Provider 128-bit)
    - 5722DG1 (IBM HTTP Server)
    The following administrative tool is needed for the directory server:
    iSeries® Navigator - included with iSeries Access EZSetup

    IBM i Password Synchronization 7.1
    - 5770SS1, option 12 (Host Servers)
    - 5761JV1 (IBM Developer Kit for Java)
    The following software packages are required for secure connections:
    - 5770SS1, option 34 (Digital Certificate Manager)
    - 5770SSI, option 35, (CCA Cryptographic Service Provider)
    - 5770DG1 (IBM HTTP Server for i)
    The following administrative tool is needed for IBM Directory server for i configuration and the Digital Certificate Manager:
    5770XH2 - IBM Navigator for i (included in IBM i Access)

Network connectivity | The plug-in must be installed on a system that can communicate with the IBM Security Identity Manager service through the TCP/IP network.

System Administrator authority | The person, who installs the IBM i Password Synchronization Plug-in, must have IBM i QSecurity Officer (QSECOFR) authority.

User permissions | The user whose password is being changed must have access to the *SYSTEM certificate store.

IBM Security Identity Manager server | Version 6.0

Installation worksheet for the adapter

The following table identifies the information that you need before installing the plug-in.

Table 4. Required information to install the plug-in

Required information | Description
Installation directory | The location where the plug-in is installed. The default directory is QITIM.
IBM Security Identity Manager Application server | IP address and SSL port
Target DN for the service | On the IBM Security Identity Manager server
IBM Security Identity Manager account | The account under which the requests are submitted.
IBM Security Identity Manager account password | The password for the IBM Security Identity Manager account under which the requests are submitted.

Plug-in downloads

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.


Chapter 3. Installing the plug-in

This task provides the necessary steps for installing the IBM i Password Synchronization Plug-in software.

Before you begin

Make sure you do the following tasks:
- Verify that your site meets all the prerequisite requirements. See Table 3 on page 4.
- Obtain a copy of the installation software. See “Plug-in downloads” on page 5.

Note: The IBM Security Identity Manager IBM i Password Synchronization Plug-in installation program is available for download from the IBM website. Contact your IBM account representative for the web address and download instructions.

About this task

Password synchronization has a client-side plug-in that is installed on the iSeries server. This plug-in must be installed before the IBM Security Identity Manager server can accept password changes from the IBM i Password Change user interface.

You must also install a certificate for the client. The IBM Security Identity Manager server uses certificates to establish secure SSL communication between itself and the plug-in.

Procedure

1. Use the CRTSAVF command to create a *SAVF file on the IBM i server.
2. Download the IBM i Password Synchronization Plug-in compressed file from Passport Advantage.
3. Use the FTP utility to copy the file to the IBM i server. Use the *SAVF file name that you created.
4. Create the QITIM library of type *PROD (cannot be updated in debug/test mode). Type CRTLIB LIB(QITIM) TYPE(*PROD) and press Enter.
5. Extract the IBM i Password Synchronization Plug-in program objects. Type RSTLIB SAVLIB(QITIM) DEV(*SAVF) SAVF(SaveFileName), where SaveFileName is the name of the save file in step 1.
6. Add the QITIM library to the user portion of the library list. Type ADDLIBLE QITIM, and press Enter.
7. Display the library list. Type DSPLIBL and press Enter. Verify that the QITIM library is displayed.

What to do next

After you finish the installation, you must configure the plug-in and configure the IBM Security Identity Manager server. See “Configuring the plug-in” on page 9 and “Configuring the IBM Security Identity Manager server” on page 11.


Verification of the plug-in installation

After you install the plug-in, you must verify that the installation was successful.

If the plug-in is installed correctly, the following components exist in the QITIM library.
- QITIMPWSYN (*PGM)
- QITIMMSG (*MSGF)
- CHGITIMCFG (*CMD)


Chapter 4. First steps after installation

After you install the plug-in, you must perform several other tasks. The tasks include configuring the plug-in, setting up SSL, and verifying the plug-in works correctly.

Plug-in and server configuration

Before you can use the IBM i Password Synchronization Plug-in, you must configure both the plug-in and the IBM Security Identity Manager server.

Configuring the plug-in

Use this procedure to configure and verify the configuration of the IBM i Password Synchronization Plug-in.

Procedure

1. Set the system value QRETSVRSEC = 1. This system value is used to determine whether to store the encrypted data from the IBM Security Identity Manager server in the Validation List Entry. When set to 1, the encrypted data is stored when the Validation List Entry is added to or changed by either of these APIs:
   - QsyAddValidationLstEntry()
   - QsyChangeValidationLstEntry()
2. Set the system value QPWDVLDPGM = *REGFAC. This system value provides the ability for a user-written program (QITIMPWSYN in this case) to do additional validation on passwords. If the value of QPWDVLDPGM is set to any other value, the validate password exit programs are not called.
3. Make QITIMPWSYN an exit program for password validation.
   a. Run the ADDEXITPGM command to add the QITIMPWSYN program to the IBM i registration facility.
   b. Specify the following values:
      - Exit Point = QIBM_QSY_VLD_PASSWRD
      - Exit Point Format = VLDP0100
      - Exit Program = QITIMPWSYN in Lib QITIM
   c. Verify that the QITIMPWSYN program is registered. Run the WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD) command.
4. Run the QITIM/CHGITIMCFG command. (Press PF4 for the prompt.) Enter connection details about the IBM Security Identity Manager server that is to accept password changes from the IBM i Password Synchronization Plug-in. Specify the following details:

   PRINCIPAL
       Specifies the IBM Security Identity Manager account under which the password change requests are submitted. The account must have the proper authority to submit password change requests for the selected people. This authority is granted when you create the access control information (ACI) for the Principal account. You must grant read and write permissions to all the attributes that are listed.

       At a minimum, the principal must be granted read and write permissions to perform the following tasks for password synchronization:
       - Search for the account that triggered the password synchronization.
       - Search for the owner of that account.
       - Search for any accounts that need their passwords synchronized.
       - Modify those same accounts, with write access to their password attributes.

       You must create an account specifically for these types of requests.

       For more information about creating accounts and privileges, see the IBM Security Identity Manager product documentation.

   PASSWORD
       Specify the password for the IBM Security Identity Manager server login ID.

   HOSTNAME
       Specify the IP address of the IBM Security Identity Manager server.

   TARGETDN
       Specify the DN of the IBM Security Identity Manager service that receives the password change synchronization requests.

   PORT
       Specify the IBM Security Identity Manager port.

   CHKPWDRULE
       Specify
       - *YES to check whether the password conforms to password rules on IBM Security Identity Manager.
       - *NO not to check whether the password conforms to password rules on IBM Security Identity Manager.

   LOGGING
       Specify
       - *YES to enable logging.
       - *NO not to enable logging.

   ITIM Response
       Specify
       - *YES if the response from IBM Security Identity Manager is needed during password change.
       - *NO if the response from IBM Security Identity Manager is not needed during password change.
5. Set permissions on the validation list (VLDL). After configuring RPS with the CHGITIMCFG command, a QITIMCFG (*VLDL) object is created in QITIM library. You must manually grant *PUBLIC *USE, *ADD, and *UPD authority to the validation list. If the permissions are not set correctly on the VLDL, the password synchronization plug-in cannot access the VLDL. Symptoms of incorrect permissions are:
   - RPS cannot access the VLDL.
   - The VLDL can be accessed, but the encrypted password cannot be retrieved and decrypted.
6. Verify that the configuration was successful. Ensure that:
   a. QITIMCFG (*VLDL) is available in the QITIM library.
   b. A log file is created in: /qibm/userdata/tivoli/qpwdsync.log


Configuring the IBM Security Identity Manager server

In addition to the IBM i Password Synchronization Plug-in, you must also configure IBM Security Identity Manager to use password synchronization.

About this task

On the IBM Security Identity Manager, complete the following steps to enable the Password Synchronization option:

Procedure

1. On the IBM Security Identity Manager main menu, select Set System Security.
2. Select Set Security Properties.
3. Select the Enable password synchronization check box.
4. Click OK.

Configuration of SSL communication for the plug-in

For secure connection between the adapter and the server, configure the plug-in and the server to use the Secure Sockets Layer (SSL) authentication with the GSKit communication protocol. By configuring the plug-in for SSL, the server can verify the identity of the adapter before establishing a secure connection.

The plug-in notifies the IBM Security Identity Manager server of changes made to user passwords on the managed resource. You can configure SSL authentication for Web connections that originate from the plug-in to the Web server that is used by the IBM Security Identity Manager server.

In a production environment, you must enable SSL security. For testing purposes you might want to disable SSL. However, you must enable SSL on the plug-in to verify the certificate that the application presents, if these conditions exist:
- An external application communicates with the adapter (for example, the IBM Security Identity Manager server).
- The application uses server authentication.

Overview of SSL and digital certificates

In an enterprise network deployment, you must provide secure communication between the IBM Security Identity Manager server and the software products and components with which the server communicates.

SSL protocol uses signed digital certificates from a certificate authority (CA) for authentication. SSL secures communication in a configuration. SSL provides encryption of the data that is exchanged between the applications. Encryption makes data that is transmitted over the network intelligible only to the intended recipient.

Signed digital certificates enable two applications that connect in a network to authenticate their identity. An application that acts as an SSL server presents its credentials to an SSL client for verification. The SSL client then verifies that the application is the entity it claims to be. You can configure an application that acts as an SSL server so that it requires the application that acts as an SSL client to present its credentials in a certificate. In this way, the two-way exchange of certificates is completed. A third-party certificate authority issues signed certificates for a fee. Some utilities, such as those provided by OpenSSL, can also provide signed certificates.

You must install a certificate authority certificate (CA certificate) to verify the origin of a signed digital certificate. When an application receives a signed certificate from another application, it uses a CA certificate to verify the certificate originator. A certificate authority can be:
- Well-known and widely used by other organizations.
- Local to a specific region or a company.

Many applications, such as web browsers, use the CA certificates of well-known certificate authorities. Using a well-known CA eliminates or reduces the task of distributing CA certificates throughout the security zones in a network.

Private keys, public keys, and digital certificates

Keys, digital certificates, and trusted certificate authorities establish and verify the identities of applications.

SSL uses public key encryption technology for authentication. In public key encryption, a public key and a private key are generated for an application. The data encrypted with the public key can be decrypted only with the corresponding private key. Similarly, the data encrypted with the private key can be decrypted only by using the corresponding public key. The private key is password-protected in a key database file. Only the owner can access the private key to decrypt messages that are encrypted with the corresponding public key.

A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, a client, or an application. To ensure maximum security, a third-party certificate authority provides a certificate. A certificate contains the following information to verify the identity of an entity:

Organizational information
    This certificate section contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate with a certificate management utility.

Public key
    The receiver of the certificate uses the public key to decipher encrypted text that is sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.

Certificate authority's distinguished name
    The issuer of the certificate identifies itself with this information.

Digital signature
    The issuer of the certificate signs it with a digital signature to verify its authenticity. The corresponding CA certificate compares the signature to verify that the certificate originated from a trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated for the following reasons:
- The digital certificate expired.
- The CA certificate that is used to verify it expired.
- The distinguished name in the digital certificate of the server does not match the distinguished name specified by the client.

Self-signed certificates

You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate that is provided by a certificate authority.

A self-signed certificate contains a public key, information about the certificate owner, and the owner signature. It has an associated private key; however, it does not verify the origin of the certificate through a third-party certificate authority. After you generate a self-signed certificate on an SSL server application, you must:
1. Extract it.
2. Add it to the certificate registry of the SSL client application.

This procedure is equivalent to installing a CA certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a CA certificate.

Use a key management utility to:
- Generate a self-signed certificate.
- Generate a private key.
- Extract a self-signed certificate.
- Add a self-signed certificate.

Usage of self-signed certificates depends on your security requirements. To obtain the highest level of authentication between critical software components, do not use self-signed certificates or use them selectively. You can authenticate applications that protect server data with signed digital certificates. You can use self-signed certificates to authenticate web browsers or adapters.

If you are using self-signed certificates, you can substitute a self-signed certificate for a certificate and CA certificate pair.

Certificate and key formats

Certificates and keys are stored in the files with various formats.

.pem format
    A privacy-enhanced mail (.pem) format file begins and ends with the following lines:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    A .pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.

.arm format
    An .arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, not a private key. The .arm file format is generated and used by the IBM Key Management utility.

.der format
    A .der file contains binary data. You can use a .der file for a single certificate, unlike a .pem file, which can contain multiple certificates.

.pfx format (PKCS12)
    A PKCS12 file is a portable file that contains a certificate and a corresponding private key. Use this format to convert from one type of SSL implementation to another. For example, you can create and export a PKCS12 file with the IBM Key Management utility. You can then import the file to another workstation with the certTool utility.

Configuring certificates when the plug-in operates as an SSL server and an SSL client

In this configuration, the plug-in operates as an SSL server and an SSL client.

About this task

The plug-in initiates the connection and the webserver responds by presenting its certificate to the plug-in.

Figure 1 describes how the plug-in operates as an SSL server and an SSL client. When communicating with the IBM Security Identity Manager server, the adapter sends its certificate for authentication. When communicating with the web server, the adapter receives the certificate of the web server.

If the webserver is configured for two-way SSL authentication, it verifies the identity of the plug-in, which sends its signed certificate to the webserver. (Not shown in the illustration.) To enable two-way SSL authentication between the plug-in and webserver, use the following procedure:

Procedure

1. Configure the webserver to use client authentication.
2. Follow the procedure for creating and installing a signed certificate on the webserver.
3. Install the CA certificate on the adapter with a certification installation tool.
4. Add the CA certificate corresponding to the signed certificate of the adapter to the webserver.

What to do next

For more information about configuring certificates to send an event notification, when the plug-in initiates a connection to the webserver, see the IBM Security Identity Manager product documentation.

Note: The webserver is the one used by the IBM Security Identity Manager server.

Figure 1. Plug-in operating as an SSL server and an SSL client


CA certificates installation

The self-signed CA certificate from IBM Security Identity Manager must be installed on each of the target iSeries servers.

To install the self-signed CA certificate you must:
- Extract the certificate from the IBM Security Identity Manager server.
- Transfer the file to the iSeries servers.
- Install the file on the iSeries servers.

Extracting and transferring the self-signed CA certificate from the IBM Security Identity Manager server

Perform this procedure to extract and transfer the CA certificate used by IBM Security Identity Manager for authentication with the iSeries server:

Procedure

1. Use a Web browser, for example Internet Explorer, to connect to IBM Security Identity Manager. Use the SSL protocol https://hostname:9443/itim/console. A dialog box is displayed requesting that you accept an untrusted certificate. Accept the certificate.

   Note: This dialog box is not displayed if the SSL certificate is signed by a well-known CA. In this situation, you must use a certificate tool such as ikeyman to extract the certificate.

2. Click View Certificate.
3. On the Details tab, click Copy to File.
4. Click Next.
5. Select to use DER encoded, type a file name in the field and click Finish.
6. Use the FTP utility to transfer the file to each of the iSeries servers.
   a. Type ftp targetmachinename and press Enter.
   b. Type your user name and press Enter.
   c. Type the password associated with your user name and press Enter.
   d. Type bin and press Enter.
   e. Type cd /tmp and press Enter.
   f. Type put filename and press Enter. Filename is the certificate file that you extracted and copied in the previous steps.
   g. Type quit and press Enter.
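The export step selects DER encoding and the FTP step selects binary mode (bin); a file that misses either is no longer the exported certificate byte for byte when it reaches the import step. The following added example (not part of the IBM guide or its tools) checks both properties structurally and computes a SHA-256 fingerprint that can be compared on the sending and receiving side. The function names and sample bytes are constructed for illustration; the sample is a DER shell, not a real certificate.

```python
"""Structural pre-import check for a DER-encoded certificate file (added example)."""
import hashlib


def der_outer_length(data: bytes) -> int:
    """Return the total size (header + content) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:                       # short form: a single length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("indefinite, oversized or truncated length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_transfer(data: bytes) -> str:
    """Classify the bytes of a certificate file before it is imported.

    Returns one of: der-ok, pem, not-der, truncated, text-mode-damage,
    trailing-data. This is a structural check only; it does not validate
    the certificate contents or its signature.
    """
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                       # Base64 export was chosen instead of DER
    try:
        declared = der_outer_length(data)
    except ValueError:
        return "not-der"                   # e.g. character-set conversion in transit
    if len(data) == declared:
        return "der-ok"
    if len(data) < declared:
        return "truncated"
    # Assumption: one common form of text-mode transfer damage rewrites LF as
    # CR LF. Undoing that rewrite and landing on the declared size is a strong hint.
    if len(data.replace(b"\r\n", b"\n")) == declared:
        return "text-mode-damage"
    return "trailing-data"


def fingerprint(data: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the raw file bytes."""
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample data (NOT a real certificate): a 304-byte DER SEQUENCE shell.
PAYLOAD = bytes(range(256)) + bytes(range(44))
SAMPLE_DER = b"\x30\x82" + len(PAYLOAD).to_bytes(2, "big") + PAYLOAD
# The same bytes after a simulated LF -> CR LF rewrite.
SAMPLE_TEXT_MODE = SAMPLE_DER.replace(b"\n", b"\r\n")
# Constructed PEM-style wrapper, as produced by a Base64 export.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"Y29uc3RydWN0ZWQgc2FtcGxl\n"
              b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    samples = [
        ("binary transfer", SAMPLE_DER),
        ("text-mode transfer", SAMPLE_TEXT_MODE),
        ("interrupted transfer", SAMPLE_DER[:200]),
        ("Base64 export", SAMPLE_PEM),
    ]
    for name, blob in samples:
        print(f"{name:22} {check_transfer(blob):18} {fingerprint(blob)[:23]}...")
```

A matching fingerprint on both sides is what confirms that the imported file is the certificate that was exported; the structural result only explains why a mismatch occurred.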

Installing the CA certificate on an iSeries system

After transferring the certificate from IBM Security Identity Manager, you must install it on each of the target iSeries servers.

About this task

Perform these steps to install the CA certificate:

Procedure

1. Open the web browser to http://iSerieshostname:2001. iSerieshostname is the host name of the iSeries server.
2. Enter your iSeries server user name and password, and click OK.
3. On the iSeries Tasks window, select Digital Certificate Manager.


4. On the Digital Certificate Manager window, select Create a Certificate Authority (CA).

5. Type the information in the required fields.

   Note: The Certificate Authority (CA) name describes the name of the iSeries system.

6. Click Continue.

7. On the Install Local CA Certificate pane, click Continue. The local certificate does not need to be installed.

8. On the Certificate Authority (CA) Policy Data pane, accept the default settings and click Continue. On the Policy Data Accepted pane, a message The policy data for the Certificate Authority (CA) was accepted. is displayed.

9. Click Continue to create the default server certificate store, *SYSTEM, and a server certificate signed by your CA. If *SYSTEM exists, the certificate store is not created.

10. On the next Digital Certificate Manager window, type in the information for the required fields.

    Note: Specify a different name in the Certificate label field for the certificate store database, *SYSTEM. The fields in the Subject Alternative Name section can be left blank.

11. Click Continue. On the next Digital Certificate Manager window, a list of applications and certificates is displayed.

12. Click Select All then click Continue. On the Application Status pane, a message The applications you selected will use this certificate. is displayed.

13. Click Cancel. The creation of a signing certificate is optional.

14. On the Select a Certificate Store pane, select *SYSTEM and click Continue.

15. On the Certificate Store and Password pane, type the password for the *SYSTEM Certificate Store database and click Continue.

16. If not already extracted, extract the CA certificate from the IBM Security Identity Manager system and copy the file to the iSeries system. See “Extracting and transferring the self-signed CA certificate from the IBM Security Identity Manager server”.

17. On the next Digital Certificate Manager window in the Fast Path menu, click Work with CA Certificates. A list of certificates is displayed.

18. Click Import.

19. On the Import Certificate Authority (CA) Certificate pane, specify the path and the file name on the iSeries system of the certificate that you extracted from IBM Security Identity Manager. Specify the path in the Import file: field. For example, type: /qibm/userdata/psdserver.der. The value of psdserver.der is the name of the certificate you extracted from the IBM Security Identity Manager system.

20. Click Continue.

21. On the Import Certificate Authority (CA) Certificate pane, type a label name in the CA certificate label: field. For example: IBM Security Identity Manager, and click Continue.

22. In the Fast Path menu, select Work with Client applications and click Continue.

23. On the Applications registered to use certificates: pane, click Add Application.


24. On the next Digital Certificate Manager window in the Application: ID field, type TIVOLI_PWD_SYNCH.
    a. Select Application description: and type a description. For example, Password Sync Exit Handler.
    b. Click Add.

    On the Work with Client Applications pane, a message The application has been added. is displayed.

25. Select Password Synch Exit Handler (the description you gave the application) and click Work with application.

26. On the next Digital Certificate Manager window, click Update Certificate Assignment.

27. On the next Digital Certificate Manager window, select the certificate you created from the list and click Assign New Certificate. In the Update Certificate Assignment pane, the message The certificate was assigned to the application. is displayed.

28. In the Fast Path pane, click Work with CA certificates. Verify that IBM Security Identity Manager server is listed as enabled in the Certificate Authority (CA) list.

Verifying the plug-in

After you install and configure the plug-in, perform these tasks:

Procedure

1. Use the chgpwd command to change the password for a user.
2. Verify that the plug-in was called by checking the log file: /qibm/userdata/tivoli/qpwdsync.log
3. Verify that the password synchronization was successful by checking the IBM Security Identity Manager logs.


Chapter 5. Uninstalling the plug-in

You can take a series of steps to uninstall the plug-in.

Procedure

1. Set the system value QPWDVLDPGM = *NONE. When the value of QPWDVLDPGM is set to *NONE, the validate password exit program is not called.
2. Remove the installed QITIMPWSYN password validation exit program:
   a. Run the WRKREGINF command to display a list of exit points.
   b. Go to the QIBM_QSY_VLD_PASSWRD exit point and enter option 8 - work with exit programs. QITIMPWSYN program name is displayed.
   c. Enter option 4 - remove exit program.
3. After you finish removing exit points, stop and restart the FTP server.
4. Delete the PROD library QITIM and the objects it contains.


Appendix A. Definitions for ITDI_HOME and ISIM_HOME directories

ITDI_HOME is the directory where Tivoli Directory Integrator is installed. ISIM_HOME is the directory where IBM Security Identity Manager is installed.

ITDI_HOME
    This directory contains the jars/connectors subdirectory that contains files for the adapters.

    Windows
        drive\Program Files\IBM\TDI\ITDI_VERSION

        For example the path for version 7.1:
        C:\Program Files\IBM\TDI\V7.1

    UNIX
        /opt/IBM/TDI/ITDI_VERSION

        For example the path for version 7.1:
        /opt/IBM/TDI/V7.1

ISIM_HOME
    This directory is the base directory that contains the IBM Security Identity Manager code, configuration, and documentation.

    Windows
        path\IBM\isim

    UNIX
        path/IBM/isim


Appendix B. Support information

You have several options to obtain support for IBM products.
- “Searching knowledge bases”
- “Obtaining a product fix”
- “Contacting IBM Support”

Searching knowledge bases

You can often find solutions to problems by searching IBM knowledge bases. You can optimize your results by using available resources, support tools, and search methods.

About this task

You can find useful information by searching the product documentation for IBM Security Identity Manager. However, sometimes you must look beyond the product documentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:

1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.

2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.

3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   - IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   - IBM Security Identity Manager Support website.
   - IBM Redbooks®.
   - IBM support communities (forums and newsgroups).

4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.

5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.

Tip: Include “IBM” and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix

A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure

1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the “Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section of the download document.

Contacting IBM Support

IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:

1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.

2. Gather diagnostic information.

3. Submit the problem to IBM Support in one of the following ways:
   - Using IBM Support Assistant (ISA):
     Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
     a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
     b. Open ISA.
     c. Click Collection and Send Data.
     d. Click the Service Requests tab.
     e. Click Open a New Service Request.
   - Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix C. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.
- Support for the Freedom Scientific JAWS screen reader application
- Keyboard-only operation
- Interfaces that are commonly used by screen readers
- Keys that are discernible by touch but do not activate just by touching them
- Industry-standard devices for ports and connectors
- The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in the form designer:
- You can use the tab keys and arrow keys to move between the user interface controls.
- You can use the Home, End, Page Up, and Page Down keys for more navigation.
- You can launch any applet, such as the form designer applet, in a separate window to enable the Alt+Tab keystroke to toggle between that applet and the web interface, and also to use more screen workspace. To launch the window, click Launch as a separate window.
- You can change the appearance of applets such as the form designer by using themes, which provide high contrast color schemes that help users with vision impairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

If you are viewing this information softcopy, the photographs and color illustrations might not appear.

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled "Cookies, Web Beacons and Other Technologies and Software Products and Software-as-a Service".
