IBM Security Privileged Identity Manager: Microsoft ...public.dhe.ibm.com/software/security/products/isim/... · AssemblyLines. When an initial r equest is made by IBM Security Identity

IBM Security Privileged Identity Manager

Microsoft SharePoint AdapterInstallation and Configuration Guide

IBM

IBM Security Privileged Identity Manager

Microsoft SharePoint AdapterInstallation and Configuration Guide

IBM

ii IBM Security Privileged Identity Manager: Microsoft SharePoint Adapter Installation and Configuration Guide

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

Chapter 1. Overview . . . . . . . . . 1Features of the adapter . . . . . . . . . . . 1Architecture of the adapter . . . . . . . . . 1Supported configurations . . . . . . . . . . 2

Chapter 2. Planning. . . . . . . . . . 5Roadmap for IBM Tivoli Directory Integrator basedadapters, for IBM Security Privileged IdentityManager . . . . . . . . . . . . . . . . 5Prerequisites . . . . . . . . . . . . . . 6Software downloads . . . . . . . . . . . . 8Installation worksheet . . . . . . . . . . . 8

Chapter 3. Installing . . . . . . . . . 9Installing the dispatcher . . . . . . . . . . 9Installing the adapter binaries or connector . . . . 9Configuring authentication providers . . . . . . 10Verifying the adapter installation . . . . . . . 12Restarting the adapter service . . . . . . . . 12Importing the adapter profile . . . . . . . . 13Creating an adapter service/target. . . . . . . 14Service/Target form details . . . . . . . . . 15Verifying that the adapter is working correctly . . 17

Chapter 4. Upgrading . . . . . . . . 19Upgrading the connector . . . . . . . . . . 19Upgrading the adapter profile . . . . . . . . 19

Chapter 5. Configuring . . . . . . . . 21Editing adapter profiles on the UNIX or Linuxoperating system . . . . . . . . . . . . 21Creating a JAR file and importing the profile . . . 21Verifying that the adapter is working correctly . . 22

Chapter 6. Troubleshooting . . . . . . 23Techniques for troubleshooting problems . . . . 23

Chapter 7. Uninstalling . . . . . . . . 27Removing the adapter binaries or connector . . . 27Deleting the adapter profile . . . . . . . . . 27

Chapter 8. Reference . . . . . . . . 29Adapter attributes and object classes . . . . . . 29Adapter usage screens . . . . . . . . . . . 32

Group creation . . . . . . . . . . . . 32Group reconciliation . . . . . . . . . . 32Group modification. . . . . . . . . . . 32Group deletion . . . . . . . . . . . . 33User creation . . . . . . . . . . . . . 33User reconciliation . . . . . . . . . . . 33User modification . . . . . . . . . . . 33User deletion . . . . . . . . . . . . . 33

Index . . . . . . . . . . . . . . . 35

iii

iv IBM Security Privileged Identity Manager: Microsoft SharePoint Adapter Installation and Configuration Guide

Figures

1. The architecture of the Microsoft SharePointAdapter . . . . . . . . . . . . . . 2

2. Example of a single server configuration . . . 33. Example of multiple server configuration 3

v

vi IBM Security Privileged Identity Manager: Microsoft SharePoint Adapter Installation and Configuration Guide

Tables

1. Prerequisites to install the adapter . . . . . 72. Required information to install the adapter 83. Supported SharePoint Servers and

corresponding authentication providers . . . 104. Authentication providers listed in the example 11

5. Adapter component . . . . . . . . . . 126. Supported attributes . . . . . . . . . 297. Supported object classes . . . . . . . . 318. Required group creation fields . . . . . . 329. Required attributes for creating a user . . . 33

vii

viii IBM Security Privileged Identity Manager: Microsoft SharePoint Adapter Installation and Configuration Guide

Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® SecurityIdentity server. The Microsoft SharePoint Adapter uses the functionality of Tivoli®

Directory Integrator to enable communication between the IBM Security Identityserver and the Microsoft SharePoint server.

Adapters can be installed on the managed resource. The IBM Security Identityserver manages access to the resource by using the security system. Adaptersfunction as trusted virtual administrators on the target operating system. Theadapter creates, suspends, restores user accounts, and other functions thatadministrators run manually. The adapter runs as a service, independently ofwhether you are logged on to the IBM Security Identity server.

Features of the adapterThe adapter automates several administrative and management tasks.

The adapter automates the following tasksv Creating users and groupsv Modifying SharePoint user attributes and SharePoint groupsv Deleting user accountsv Reconciling users and user attributes

Microsoft SharePoint Adapter provides a WebService interface that is used tomanage those tasks. Microsoft SharePoint Adapter adapters are configured to usethe existing WebService, which means that no extra software is required to bedeployed on the Microsoft SharePoint Adapter end system.

IBM Security Privileged Identity Manager communicates with the MicrosoftSharePoint Adapter to manage Microsoft SharePoint user accounts. The adapteralso supports some group management functions. You can perform the followingactions on an account or a group:v Addv Deletev Modifyv Search

Architecture of the adapterSeveral components are involved in running and using the adapter. Install all thesecomponents so that the adapter can function correctly.

You must install the following components:v The Dispatcherv The Tivoli Directory Integrator connectorv IBM Security Identity Adapter profile

1

You need to install the Dispatcher and the adapter profile; however, the TivoliDirectory Integrator connector might already be installed with the base TivoliDirectory Integrator product.

The following figure describes the components that work together to complete theuser account management tasks in a Tivoli Directory Integrator environment.

The Microsoft SharePoint Adapter consists of Tivoli Directory IntegratorAssemblyLines. When an initial request is made by IBM Security Identity server tothe adapter, the AssemblyLines are loaded into the IBM Security PrivilegedIdentity Manager. As a result, subsequent service requests do not require thosesame AssemblyLines to be reloaded.

The AssemblyLines use the SharePoint User connector and RFC functionalcomponent to enable user management-related tasks on the Microsoft SharePoint.It does this enablement remotely by using the login ID and password of a user thathas administrator privileges. The AssemblyLines also use server information aboutthe location and site of the SharePoint server to perform this task.

Supported configurationsThe adapter supports both single and multiple server configurations.

The fundamental components in each environment are:v The IBM Security Identity serverv The Tivoli Directory Integrator serverv The managed resourcev The adapter

The adapter must reside directly on the server running the Tivoli DirectoryIntegrator server.

Single server configurationIn a single server configuration, install the IBM Security Identity server, theTivoli Directory Integrator server, and the Microsoft SharePoint Adapter onone server to establish communication with the Microsoft SharePointserver. The Microsoft SharePoint server is installed on a different server asdescribed Figure 2 on page 3.

RMI callsIBM SecurityIdentityServer

DispatcherService(an instanceof the IBMTivoliDirectoryIntegrator)

Adapterresource

Figure 1. The architecture of the Microsoft SharePoint Adapter

2 IBM Security Privileged Identity Manager: Microsoft SharePoint Adapter Installation and Configuration Guide

Multiple server configurationIn multiple server configuration, the IBM Security Identity server, theMicrosoft SharePoint Adapter, and the Microsoft SharePoint server areinstalled on different servers. Install the Tivoli Directory Integrator serverand the Microsoft SharePoint Adapter on the same server as describedFigure 3.

IBM SecurityIdentity Server

Tivoli DirectoryIntegrator Server

Adapter

Managedresource

Figure 2. Example of a single server configuration

IBM SecurityIdentity Managerserver

Security DirectoryIntegrator server Managed

resource

Adapter

Figure 3. Example of multiple server configuration

Chapter 1. Overview 3


Chapter 2. Planning

Installing and configuring the adapter involves several steps that you mustcomplete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBMSecurity Privileged Identity Manager

Follow this section when using the guide to install, configure, troubleshoot, oruninstall the adapter.

Pre-installation

Complete these tasks.1. Verify that your environment meets the software and hardware requirements

for the adapter. See Prerequisites.2. Obtain the installation software. See Software downloads.3. Obtain the necessary information for the installation and configuration. See

Installation worksheet.

Installation

Complete these tasks.1. Install the dispatcher.2. Install the adapter binaries or connector.3. Install 3rd party client libraries.4. Set up the adapter environment.5. Restart the adapter service.6. Import the adapter profile.7. Create an adapter service/target.8. Install the adapter language package.9. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a complete re-installation of the adapter. Follow theInstallation roadmap.

Configuration

Complete these tasks.1. Configure secure communication between the IBM Security Identity server and

the adapter.a. Configure 1-way authentication.b. Configure 2-way authentication.

2. Configure secure communication between the adapter and the managed target.a. Configure 1-way authentication.b. Configure 2-way authentication.

5

3. Configure the adapter.4. Modify the adapter profiles.5. Customize the adapter.

Troubleshooting

See the following topics.v Techniques for troubleshooting problemsv Configure debuggingv Logsv Error messages and problem solving

Uninstallation

Complete these tasks.1. Stop the adapter service.2. Remove the adapter binaries or connector.3. Remove 3rd party client libraries.4. Delete the adapter service/target.5. Delete the adapter profile.

Reference

See the following topics.v Adapter attributes and object classesv Adapter attributes by operationsv Special attributes

PrerequisitesVerify that your environment meets the software and hardware requirements forthe adapter.

Table 1 on page 7 identifies the software and operating system prerequisites for theadapter installation.

Ensure that you install the adapter on the same workstation as the IBM TivoliDirectory Integrator server.


Table 1. Prerequisites to install the adapter

Prerequisite Description

Directory Integrator v IBM Tivoli Directory Integrator Version7.1.1 + 7.1.1-TIV-TDI-FP0004 +7.2.0-ISS-SDI-LA0008

v IBM Security Directory Integrator Version7.2

Note:

v Earlier versions of IBM Tivoli DirectoryIntegrator that are still supported mightfunction properly. However, to resolveany communication errors, you mustupgrade your Directory Integrator releaseto the versions that the adapter officiallysupports.

v The adapter supports IBM SecurityDirectory Integrator 7.2, which is availableonly to customers who have the correctentitlement. Contact your IBMrepresentative to find out whether youhave the entitlement to download IBMSecurity Directory Integrator 7.2.

IBM Security Identity server The following servers are supported:

v IBM Security Identity Manager serverVersion 6.0

v IBM Security Identity Manager serverVersion 7.0

v IBM Security Privileged Identity ManagerVersion 2.0

v IBM Security Identity Governance andIntelligence server Version 5.2.2

Operating System The Microsoft SharePoint Adapter can beused on any operating system that issupported by Tivoli Directory Integrator.

Network Connectivity Internet Protocol network

System Administrator authority To complete the adapter installationprocedure, you must have systemadministrator authority.

Tivoli Directory Integrator adapters solutiondirectory

A Tivoli Directory Integrator adapterssolution directory is a Tivoli DirectoryIntegrator work directory for adapters.

For more information, see the DispatcherInstallation and Configuration Guide.

For information about the prerequisites and supported operating systems for TivoliDirectory Integrator, see the IBM Tivoli Directory Integrator 7.1: Administrator Guide.

Chapter 2. Planning 7

Software downloadsDownload the software through your account at the IBM Passport Advantage®

website.

Go to IBM Passport Advantage.

See the corresponding IBM Security Identity server Download Document forinstructions.

Note:

You can also obtain additional adapter information from IBM Support.

Installation worksheetThe installation worksheet lists the information that is required to install andconfigure the adapter. Complete this worksheet before you start the installationprocedure for ease of reference. Make a copy of the worksheet for each adapterinstance you install.

Table 2. Required information to install the adapter

Required information Description Value

Tivoli DirectoryIntegrator HomeDirectory

The ITDI_HOME directory containsthe jars/connectors subdirectory thatcontains adapter jars. For example,the jars/connectors subdirectorycontains the jar for the UNIXadapter.

If Tivoli DirectoryIntegrator is automaticallyinstalled with your IBMSecurity Privileged IdentityManager product, thedefault directory path forTivoli Directory Integratoris as follows:

Windows:

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1

UNIX:

v for version 7.1:

/opt/IBM/TDI/V7.1

Adapters solutiondirectory

When you install the dispatcher, theadapter prompts you to specify a filepath for the solution directory. Formore information about the solutiondirectory, see the DispatcherInstallation and Configuration Guide.

The default solutiondirectory is located at:

Windows:

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1\timsol

UNIX:

v for version 7.1:

/opt/IBM/TDI/V7.1/timsol


http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

Chapter 3. Installing

Installing the adapter mainly involves importing the adapter profile and creatingan adapter service. Depending on the adapter, several other tasks can be involvedto completely install it.

All IBM Tivoli Directory Integrator based adapters require the Dispatcher for theadapters to function correctly. If the Dispatcher is installed from a previousinstallation, do not reinstall it unless the Dispatcher is upgraded. See DispatcherInstallation Verification.

Depending on your adapter, the Tivoli Directory Integrator connector mightalready be installed as part of the Tivoli Directory Integrator product and nofurther action is required. If the connector is not pre-installed, install it after theDispatcher.

Installing the dispatcherIf this is the first Tivoli Directory Integrator-based adapter installation, you mustinstall the RMI Dispatcher before you install the adapter. Install the RMIDispatcher on the same Tivoli Directory Integrator server where you want to installthe adapter.

If you already installed the RMI Dispatcher for another adapter, you do not needto reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integratorenvironment, download the Dispatcher installer from the IBM Passport Advantagewebsite. For more information about the installation, see the Dispatcher Installationand Configuration Guide.

Installing the adapter binaries or connectorThe connector might or might not be available with the base Tivoli DirectoryIntegrator or Security Directory Integrator product. The connector is required toestablish communication between the adapter and the Dispatcher.

Before you beginv The Dispatcher must be installed.v Enable Basic Authentication in IIS for the Sharepoint site. See the Configure

Basic Authentication (IIS 7) topic on the Microsoft TechNet website.v Check the Sharepoint site configuration for IIS. Set it to Integrated Windows –

Negotiated (Kerberos).

Procedure1. Create a temporary directory on the workstation where you want to install the

adapter.2. Extract the contents of the compressed file in the temporary directory.3. Install the adapter JAR files. Copy the SharePointConnector.jar file from the

adapter package to the ITDI_HOME/jars/connectors directory.

9

https://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/dispatcher/install_config/c_verifyadapterinstall.htm

https://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/dispatcher/install_config/c_verifyadapterinstall.htm

http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

4. Optional: Enable Unicode See the JVM information in the Dispatcher Installationand Configuration Guide.

5. Restart the adapter service.

Configuring authentication providersYou must configure the adapter with one of the authentication providers that issupported by the SharePoint Web Application. Authentication providers can be ADDomains or a claims provider.

The following SharePoint Servers and their corresponding authentication providersare supported:

Table 3. Supported SharePoint Servers and corresponding authentication providers

Server version Authentication mode Authentication Provider

SharePoint 2013 Classic Mode Integrated Windows (AD)

SharePoint 2016 Classic Mode Integrated Windows (AD)

SharePoint 2013 Claims BasedAuthentication

Integrated Windows (AD), FormsBased Authentication (FBA),Trusted Identity Provider

SharePoint 2016 Claims BasedAuthentication

Integrated Windows (AD), FormsBased Authentication (FBA),Trusted Identity Provider

Information about authentication providers is stored in a configuration file, whichis in JSON format. The adapter reads this file and reconciles the list ofauthentication providers as supporting data.

The configuration file must have a single JSON array only. Each authenticationprovider is stored as a JSON Object element in the array with the following keys:v DisplayNamev NameOfOriginalIssuerv IssuerTypev ClaimsValueTypev ClaimsTypev Prefix

Example of a configuration file with information about the authenticationproviders.

Note: White spaces added for readability.[{"DisplayName" : "Windows Authentication (EXAMPLEDOMAIN)","NameOfOriginalIssuer" : "EXAMPLEDOMAIN","IssuerType" : "w","ClaimsValueType" : ".","ClaimsType" : "#","Prefix" : "i:0#.w|EXAMPLEDOMAIN"},{"DisplayName" : "Some Membership Provider","NameOfOriginalIssuer" : "SomeMembershipProvider","IssuerType" : "f",


"ClaimsValueType" : ".","ClaimsType" : "#","Prefix" : "i:0#.f|SomeMembershipProvider|"},{"DisplayName" : "Example ACS","NameOfOriginalIssuer" : "Example ACS","IssuerType" : "t","ClaimsValueType" : ".","ClaimsType" : "5","Prefix" : "i:05.t|Example ACS|"}]

The previous example shows different providers for each JSON Object element.

Table 4. Authentication providers listed in the example

JSON Object element in the previousexample Authentication provider

Element #1 Windows Authentication provider

Element #2 Forms-Based Authentication provider that isusing a String logon name as Claims Value

Element #3 Trusted Identity Provider that is using emailas Claims Value

For a full explanation on the valid values for IssuerType, NameOfOriginalIssuer,ClaimsValueType, and ClaimsType, see the Microsoft SharePoint Products andTechnologies Protocol Documentation. With the four values, it is then trivial to createthe Prefix. If the site runs on a Classic Mode authentication web application, theconfiguration file typically looks like the following example:[{"DisplayName" : "EXAMPLEDOMAIN","NameOfOriginalIssuer" : "","IssuerType" : "","ClaimsValueType" : "","ClaimsType" : "","Prefix" : "EXAMPLEDOMAIN"}]

Generating the configuration file

A Powershell script is provided to assist with generating the configuration file.

Run the script on the SharePoint server with administrator privilege in a commandprompt:powershell authprovimport.ps1 -WebApplication http://[sharepointserver]:[port]-SaveAs [filename.json]

Copy the configuration file to a location on the server that is running the AdapterDispatcher service. For example, save the file under TDI_HOME\timsol\SharePointAdapter folder. Create the SharePointAdapter folder if it does not exist.

Chapter 3. Installing 11

SharePoint Site Configuration

SharePoint site configuration can contain multiple authentication providers but theadapter supports basic authentication protocol only. It is recommended to extendthe SharePoint web application and configure an alternate access mapping to caterspecifically for the adapter requirements.

Basic authentication contains credentials that are sent in clear text. Therefore,configure the adapter over Secure Sockets Layer (SSL) to protect the credentials.

Following steps are recommended to ensure that the adapter works with theSharePoint site. Refer to Microsoft SharePoint documentation for detailedinstructions.1. Extend the SharePoint web application to a new IIS website.2. Configure the authentication provider for the newly extended website.3. Select the check box for Enable Windows Authentication.4. Ensure that Integrated Windows authentication is not selected.5. Select the check box Basic authentication (password is sent in clear text).6. Ensure that no other authentication methods are selected.7. Configure alternate access mapping for this newly extended website.8. Remove the default public URL that was created in the step 1.9. Replace the IIS website URL with an appropriate internal URL mapping.

10. Configure the new IIS website for SSL.11. Import the SSL certificate into the adapter dispatcher's certificate trust store.

View the IDI_HOME/timsol/solution.properties file and search for propertyjavax.net.ssl.trustStore to determine the location of the trust store file.

Verifying the adapter installationIf the adapter is installed correctly, you can verify that the required componentsexist in the specified directories.

If the adapter is installed correctly, these adapter components exist on the TivoliDirectory Integrator server.

Table 5. Adapter component

Adapter component Directory

SharePointConnector.jar TDI_HOME\jars\connectors

JSON files containing authenticationproviders configuration

TDI_HOME\timsol\SharePointAdapter

If this installation is to upgrade a connector, then send a request from IBM SecurityIdentity Manager. Verify that the version number in the ibmdi.log matches theversion of the connector that you installed. The ibmdi.log file is atITDI_Home\adapter solution directory\logs directory.

Restarting the adapter serviceVarious installation and configuration tasks might require the adapter to berestarted to apply the changes. For example, you must restart the adapter if thereare changes in the adapter profile, connector, or assembly lines. To restart theadapter, restart the Dispatcher.


The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in theDispatcher Installation and Configuration Guide.

Importing the adapter profileAn adapter profile defines the types of resources that the IBM Security Identityserver can manage. It is packaged with the IBM Security Identity Adapter. Use theadapter profile to create an adapter service on IBM Security Identity server andestablish communication with the adapter.

Before you beginv The IBM Security Privileged Identity Manager is installed and running.v You have root or administrator authority on the IBM Security Privileged Identity

Manager.v The file to be imported must be a Java archive (JAR) file. The

<Adapter>Profile.jar file includes all the files that are required to define theadapter schema, account form, service/target form, and profile properties. Ifnecessary, you can extract the files from the JAR file, modify the files, andrepackage the JAR file with the updated files.The JAR file for IBM SecurityPrivileged Identity Manager is located in the top level folder of the installationpackage.

About this task

Service definition files are also called adapter profile files.

If the adapter profile is not installed correctly, the adapter cannot functioncorrectly. You cannot create a service with the adapter profile or open an accounton the service. You must import the adapter profile again.

Procedure1. Log on to the IBM Security Privileged Identity Manager by using an account

that has the authority to perform administrative tasks.2. From the navigation tree, select Configure System > Manage Service Types.

The Manage Service Types page is displayed.3. On the Manage Service Types page, click Import. The Import Service Type page

is displayed.4. On the Import Service Type page, complete these steps:

a. In the Service Definition File field, type the directory location of the<Adapter>Profile.jar file, or click Browse to locate the file. For example, ifyou are installing the IBM Security Identity Adapter for a Windows serverthat runs Active Directory, locate and import the ADProfileJAR file.

b. Click OK to import the file.

Results

A message indicates that you successfully submitted a request to import a servicetype.


What to do nextv The import occurs asynchronously, which means it might take some time for the

service type to load into the IBM Security Identity server from the propertiesfiles and to be available in other pages. On the Manage Service Types page, clickRefresh to see the new service type. If the service type status is Failed, checkthe log files to determine why the import failed.

v If you receive a schema-related error, see the trace.log file for informationabout it. The trace.log file location is specified by the handler.file.fileDirproperty that is defined in the enRoleLogging.properties file. TheenRoleLogging.properties file is in the IBM Security Identity serverHOME\datadirectory. .

Creating an adapter service/targetAfter you import the adapter profile on the IBM Security Identity server, create aservice/target so that IBM Security Identity server can communicate with themanaged resource.

Before you begin

Complete “Importing the adapter profile” on page 13.

About this task

You must create an administrative user account for the adapter on the managedresource. You can provide the account information such as administrator name andpassword when you create the adapter service. Ensure that the account hassufficient privileges to administer the users. For information about creating anadministrative account, see the documentation for the managed resource.

To create or change a service, you must use the service form to provideinformation for the service. Service forms might vary depending on the adapter.The service name and description that you provide for each service are displayedon the console. Therefore, it is important to provide values that make sense to yourusers and administrators.

Procedure1. From the navigation tree, click Manage Services.2. On the Services table, click Create. The Create a Service wizard is displayed.3. On the Select the Type of Service page, click Search to locate a business unit.

The Business Unit page is displayed.4. On the Business Unit page, complete these steps:

a. Type information about the business unit in the Search information field.b. Select a business type from the Search by list, and then click Search. A list

of business units that matches the search criteria is displayed.If the table contains multiple pages, you can do the following tasks:v Click the arrow to go to the next page.v Type the number of the page that you want to view and click Go.

c. In the Business Units table, select business unit in which you want to createthe service, and then click OK. The Select the Type of Service page isdisplayed, and the business unit that you specified is displayed in theBusiness unit field.


5. On the Select the Type of Service page, select a service type, and then clickNext.

6. On the Service Information page, specify the appropriate values for the serviceinstance. The content of the Service Information page depends on the type ofservice that you are creating.

7. Click Finish.

Results

A message is displayed, indicating that you successfully created the serviceinstance for a specific service type.

Service/Target form detailsComplete the service/target form fields.

Note: You must enable Windows Authentication with Basic Authentication modefor the SharePoint site.

On the Adapter Details tab:

Service NameSpecify a name that defines the adapter service on the IBMSecurity Identity server.

Note: Do not use forward (/) or backward slashes (\) in theservice name.

Description Optional: Specify a description that identifies the service for yourenvironment.

TDI URI

Specify the URL for the IBM Tivoli Directory Integrator instance.The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the IBM Tivoli DirectoryIntegrator host and port is the port number for the RMI Dispatcher.

The default URL for the default SDI1 instance isrmi://localhost:1099/ITDIDispatcher.

OwnerOptional: Specify a user as a service owner.

Service PrerequisiteOptional: Specify a service that is prerequisite to this service.

On the SharePoint Domain Details tab

Sharepoint hostnameSpecify the host name or IP address of the SharePoint site.

Sharepoint portSpecify the SharePoint server port number. The default is port 80.

Admin LoginSpecify the administrator user that the adapter uses to connect tothe Microsoft SharePoint instance.

Admin PasswordSpecify the password for administrator user.


Sharepoint siteOptional: Specify the trailing URL to the SharePoint site. For theSharepoint site subsite that has the location http://sharepointhost/subsite, the field entry is subsite. If you leavethis field blank, the default value is the top-level Sharepoint site.

Enable SSLSpecifies whether you want to enable secure communications. Thedefault response is not to enable SSL.

Authentication ModeSpecify the authentication mode corresponding to your site.

Authentication Provider Configuration FileThe file name that includes the full path to the authenticationprovider file. For more information, see “Configuringauthentication providers” on page 10. If the file is stored in thesame location as Dispatcher home, for example, TDI_HOME/timsol,you can omit the path and provide only the file name.

On the SharePoint Generic Configuration tabThese properties are internal properties. They are listed for informationalpurposes only. Do not change them from the default configuration.

Adapter TaskThis property allows for plug-able tasks to be called. The format is<Label>:<classname>,<Label>:<Classname>. The label must have amatching Adapter Authenticator

Adapter AuthenticatorThis property is the plug-able authenticator for the task. Theformat is <Label>:<classname>,<Label>:<Classname>.. The labelmust have a matching Task Authenticator.

Create OrderThis property specifies the order in which the tasks are calledduring a create operation. The format is <Label>|<Label>.

Delete OrderThis property specifies the order in which the tasks are calledduring a delete operation. The format is <Label>|<Label>.

Update OrderThis property specifies the order in which the tasks are calledduring an update operation. The format is <Label>|<Label>.

Read OrderThis property specifies the order in which the tasks are calledduring a read operation. The format is <Label>|<Label>.

Attributes Passed DownThese attributes are the ones that are required during anauthentication phase and are passed down to the TaskAuthenticator during initialization. The format is <AttributeName>|<Attribute Name>.

Attribute MappingThis attribute allows for attributes to be overloaded. In some casesattributes must be converted from and to different names in theadapter task. The format is <ISIM Attribute Name>|<TaskAttribute Name>,<ISIM Attribute Name>|<Task Attribute Name>.


On the Status and information tabContains read only information about the adapter and managed resource.These fields are examples. The actual fields vary depending on the type ofadapter and how the service form is configured. The adapter must berunning to obtain the information. Click Test Connection to populate thefields.

Last status update: DateSpecifies the most recent date when the Status and information tabwas updated.

Last status update: TimeSpecifies the most recent time of the date when the Status andinformation tab was updated.

Managed resource status Specifies the status of the managed resource that the adapter isconnected to.

Adapter version Specifies the version of the adapter that the service uses toprovision request to the managed resource.

Profile version Specifies the version of the profile that is installed in the IBMSecurity Identity server.

TDI version Specifies the version of the Tivoli Directory Integrator on which theadapter is deployed.

Dispatcher version Specifies the version of the Dispatcher.

Installation platformSpecifies summary information about the operating system wherethe adapter is installed.

Adapter account Specifies the account that running the adapter binary file.

Adapter up time: Date Specifies the date when the adapter started.

Adapter up time: Time Specifies the time of the date when the adapter started.

Adapter memory usage Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Alsov Verify the adapter log to ensure that the test request was successfully

sent to the adapter.v Verify the adapter configuration information.v Verify service parameters for the adapter profile, such as the work

station name or the IP address of the managed resource and the port.

Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.


Procedure1. Test the connection for the service that you created on the IBM Security Identity

server.2. Run a full reconciliation from the IBM Security Identity server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.


Chapter 4. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such asupgrading the dispatcher, the connector, and the adapter profile. Depending on theadapter, some of these tasks might not be applicable. Other tasks might also berequired to complete the upgrade.

To verify the required version of these adapter components, see the adapter releasenotes. For the installation steps, see Chapter 3, “Installing,” on page 9.

Upgrading the connectorBefore you upgrade the connector, verify the version of the connector.v If the connector version mentioned in the release notes is later than the existing

version on your workstation, install the connector.v If the connector version mentioned in the release notes is the same or earlier

than the existing version, do not install the connector.

Note: Stop the dispatcher service before the upgrading the connector and start itagain after the upgrade is complete.

Upgrading the adapter profileRead the adapter Release Notes for any specific instructions before you import anew adapter profile.

Note: Restart the Dispatcher service after importing the profile. Restarting theDispatcher clears the assembly lines cache and ensures that the dispatcher runs theassembly lines from the updated adapter profile.

19


Chapter 5. Configuring

After you install the adapter, configure it to function correctly. Configuration isbased on your requirements or preference.

See the Dispatcher Installation and Configuration Guide for additional configurationoptions such as:v JVM propertiesv Dispatcher filteringv Dispatcher propertiesv Dispatcher port numberv Logging configurationsv Secure Sockets Layer (SSL) communication

Editing adapter profiles on the UNIX or Linux operating systemThe adapter profile .jar file might contain ASCII files that are created by using theMS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see acharacter ^M at the end of each line. These characters indicate new lines of text inMS-DOS. The characters can interfere with the running of the file on UNIX orLinux systems. You can use tools, such as dos2unix, to remove the ^M characters.You can also use text editors, such as the vi editor, to remove the charactersmanually.

Example

You can use the vi editor to remove the ^M characters. From the vi commandmode, run the following command and press Enter::%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V CtrlM sequentially. The ^v instructs the vi editor to use the next keystroke instead ofissuing it as a command.

Creating a JAR file and importing the profileAfter you modify the schema.dsml or any other profile files, you must import thesefiles into IBM Security Privileged Identity Manager for the changes to take effect.

About this task

In order to install the new attributes, complete the following steps:

Note: If you are upgrading an existing adapter profile, the new adapter profileschema is not reflected immediately. You must stop and start the IBM SecurityIdentity server to refresh the cache and the adapter schema. For more informationabout upgrading an existing adapter, see Chapter 4, “Upgrading,” on page 19.

21

Procedure1. Extract the contents of the SharePointProfile.jar file into the temporary

directory by running the following command:cd c:\tempjar -xvf SharePointProfile.jar

The jar command creates the c:\temp\SharePointProfile directory.2. Update the profile files.3. Create a JAR file using the files in the \temp directory by running the following

commands:cd c:\tempjar -cvf SharePointProfile.jar SharePointProfile

4. Import the SharePointProfile.jar file into the IBM Security Identity server.5. Stop and start the IBM Security Identity server.

Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.

Procedure1. Test the connection for the service that you created on the IBM Security Identity

server.2. Run a full reconciliation from the IBM Security Identity server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.


Chapter 6. Troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal oftroubleshooting is to determine why something does not work as expected andhow to resolve the problem. This topic provides information and techniques foridentifying and resolving problems that are related to the adapter, includingtroubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problemsCertain common techniques can help with the task of troubleshooting. The firststep in the troubleshooting process is to describe the problem completely.

Problem descriptions help you and the IBM technical-support representative findthe cause of the problem. This step includes asking yourself basic questions:v What are the symptoms of the problem?v Where does the problem occur?v When does the problem occur?v Under which conditions does the problem occur?v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is theproblem?” This question might seem straightforward; however, you can break itdown into several more-focused questions that create a more descriptive picture ofthe problem. These questions can include:v Who, or what, is reporting the problem?v What are the error codes and messages?v How does the system fail? For example, is it a loop, hang, crash, performance

degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of themost important steps in resolving a problem. Many layers of technology can existbetween the reporting and failing components. Networks, disks, and drivers areonly a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolatethe problem layer:v Is the problem specific to one operating system, or is it common across multiple

operating systems?v Is the current environment and configuration supported?v Do all users have the problem?v (For multi-site installations.) Do all sites have the problem?

23

If one layer reports the problem, the problem does not necessarily originate in thatlayer. Part of identifying where a problem originates is understanding theenvironment in which it exists. Take some time to completely describe the problemenvironment, including the operating system and version, all correspondingsoftware and versions, and hardware information. Confirm that you are runningwithin an environment that is a supported configuration. Many problems can betraced back to incompatible levels of software that are not intended to run togetheror are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for thosecases that are one-time occurrences. You can most easily develop a timeline byworking backward: Start at the time an error was reported (as precisely as possible,even down to the millisecond), and work backward through the available logs andinformation. Typically, you use the first suspicious event that you find in adiagnostic log.

To develop a detailed timeline of events, answer these questions:v Does the problem happen only at a certain time of day or night?v How often does the problem happen?v What sequence of events leads up to the time that the problem is reported?v Does the problem happen after an environment change, such as upgrading or

installing software or hardware?

Responding to these types of questions can give you a frame of reference in whichto investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problemoccurs is an important part of troubleshooting. These questions about yourenvironment can help you to identify the root cause of the problem:v Does the problem always occur when the same task is being done?v Is a certain sequence of events required for the problem to occur?v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment inwhich the problem occurs and correlate any dependencies. Remember that justbecause multiple problems might occur around the same time, the problems arenot necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can bereproduced. Typically, when a problem can be reproduced you have a larger set oftools or procedures at your disposal to help you investigate. Problems that you canreproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If theproblem is of significant business impact, you do not want it to recur. If possible,re-create the problem in a test or development environment, which typically offersyou more flexibility and control during your investigation.v Can the problem be re-created on a test system?


v Do multiple users or applications have the same type of problem?v Can the problem be re-created by running a single command, a set of

commands, or a particular application?

Chapter 6. Troubleshooting 25


Chapter 7. Uninstalling

To remove an adapter from the IBM Security Identity server for any reason, youmust remove all the components that were added during installation. Uninstallingan IBM Tivoli Directory Integrator based adapter mainly involves removing theconnector file, and the adapter profile from the IBM Security Identity server.Depending on the adapter, some of these tasks might not be applicable, or therecan be other tasks.

Removing the adapter binaries or connectorThe Microsoft SharePoint Adapter installation process also installs the TivoliDirectory Integrator SharePoint connector.

About this task

To remove the Microsoft SharePoint Adapter, complete these steps:

Procedure1. Stop the adapter service.2. Remove the SharePointConnector.jar file from the ITDI_HOME/jars/connectors

directory.3. Start the service.

Deleting the adapter profileRemove the adapter service/target type from the IBM Security Identity server.Before you delete the adapter profile, ensure that no objects exist on the IBMSecurity Identity server that reference the adapter profile.

Objects on the IBM Security Identity server that can reference the adapter profile:v Adapter service instancesv Policies referencing an adapter instance or the profilev Accounts

Note: The Dispatcher component must be installed on your system for adapters tofunction correctly in a Tivoli Directory Integrator environment. When you deletethe adapter profile, do not uninstall the Dispatcher.

For specific information about how to delete the adapter profile, see the IBMSecurity Privileged Identity Manager product documentation.

27


Chapter 8. Reference

Reference information is organized to help you locate particular facts quickly, suchas adapter attributes, registry settings, and environment variables.

Adapter attributes and object classesThe IBM Security Identity server communicates with the Microsoft SharePointAdapter using attributes that are included in transmission packets that are sentover a network.

After you install the adapter profile, the Microsoft SharePoint Adapter supports astandard set of attributes. The following tables list the standard attributes andobject classes supported by the adapter.

The combination of attributes depends on the type of action that the IBM SecurityIdentity server requests from the Microsoft SharePoint Adapter.

Standard attributes

The following table lists the attributes that are used by the Microsoft SharePointAdapter. The table gives a brief description and corresponding values of theattribute.

Table 6. Supported attributes

IBM SecurityPrivileged IdentityManager Name Attribute Name Description Data type

SharePointHostname

ersphostname The host name of theSharepoint server

String

URL of TDI eritdiurl The URL of the TDIdispatcher

String

Description description Description field for theadapter

String

SharePoint port erspport The port that Sharepointis listening to

String

AdministratorAccount

erspadminaccount The administrationaccount used to updateSharepoint

String

AdministratorPassword

erservicepwd1 The password for theadministration account

Password

Authentication Mode erSPSiteAuthType The authentication modefor the correspondingSharePoint serverversion

String

AuthenticationProviderConfiguration File

erSPSiteAuthProvFilePath The file path to theauthentication providerconfiguration file

String

Site URL erspsiteurl A specific site on theSharepoint host that isnot the root site

String

29

Table 6. Supported attributes (continued)


Enable SSL erspenablessl If this attribute isenabled, then HTTPS isused instead of HTTP

String

Adapter Name erspadapter This attribute is used toload the Sharepointadapter.

String

AdapterAuthentication

erspadapterauthn This attribute is used toload the Sharepointadapter authenticationmodule.

String

Create Order erspadaptercreateorder Describes the order inwhich adapters arecalled

String

Delete Order erspadapterdeleteorder Describes the order inwhich adapters arecalled

String

Update Order erspadapterupdateorder Describes the order inwhich adapters arecalled

String

Read Order erspadapterreadorder Describes the order inwhich adapters arecalled

String

Attribute Mapping erspadapterattributemap This attribute is used tomap common IBMSecurity PrivilegedIdentity Managerattributes toadapter-specificattributes.

String

ConfigurationAttributes

erspconfigurationattributes This list theadapter-specificconfiguration attributesthat are passed by theservice.def

String

User ID eruid The Sharepoint user ID.Typically, the login nameor claims value

String

User Name erspusername The user display namefor the Sharepoint user

String

User Email erspemail The email address forthe Sharepoint user

String

User Notes erspusernotes Notes about theSharepoint user.Note: This field isdeprecated. It is kept inthe schema forbackwards-compatibilitypurpose only.

String


Table 6. Supported attributes (continued)


Domain erspdomain The domain name orclaims prefix for theSharepoint

String

Group List erspgrouplist The list of groups thatthis user is part of inSharepoint

String

Group Name erspgroupname The name of the groupin Sharepoint

String

Group Owner ID erspgroupownerid The owning ID of thegroup

String

Group Owner Type erspgroupownertype The type of the owner String

Group Default User erspgroupdefaultuser The default user of forthe group

String

Group Description erspgroupdescription A description for thegroup

String

AuthenticationProvider Name

erSPAuthProvName The display name for theauthentication provider

String

AuthenticationProvider Prefix

erSPAuthProvPrefix The prefix for theauthentication provider.If it is for the ClassicMode Authenticationsite, then this is thedomain name. If it is forthe Claims-BasedAuthentication site, thenthis is the claims prefix

String

Claims Type erSPAuthClaimsType The claim type encoding String

Claims Value Type erSPAuthClaimsValueType The claims value type,normally a period (.) toindicate string

String

Authentication IssuerType

erSPAuthIssuerType The issuer type of theclaims provider

String

Original IssuerName

erSPAuthOriginalIssuer The original issuer nameof the claims provider

String

Supported object classes

The following table lists the object classes that are used by the MicrosoftSharePoint Adapter. The table gives a brief description and corresponding valuesof the object class.

Table 7. Supported object classes

Description Object class name in schema Superior

Account class erspaccount top

Service class erspservice top

Group class erspgroupaccount top

Chapter 8. Reference 31

Table 7. Supported object classes (continued)

Description Object class name in schema Superior

Authentication Providerclass

erspauthenticationprovider top

Adapter configuration properties

For information about setting Tivoli Directory Integrator configuration propertiesfor the operation of the Microsoft SharePoint Adapter, see the Dispatcher Installationand Configuration Guide.

Adapter usage screensEach screen has different fields. The following topics describe the fields and someof their limitations.

Group creationThe following table lists the required fields that are used to create a group.

Table 8. Required group creation fields

Title Description

Group Name The name of the group.

Group Description A description for the group.

Group Owner Type User or Group. The Group Owner ID mustbe either a user or group based on thisselection.

Group Owner ID If the user is selected in the Group OwnerType field, the full domain qualified user IDor Claims ID must be specified. If the groupis selected, it must be a group that exists inSharepoint.Note: To obtain the full Claims ID, appendthe Claims Prefix, which is stored aserspdomain in the account object, with theClaims Value, which is stored as eruid in theaccount object. If it is a WindowsAuthentication claim, add a backslash (\)after the domain name.

Group Default User A full domain qualified user ID. The usermust exist in the backing store. If no user isspecified then the administration user that isused in the configuration of the profile is setin this field.

Group reconciliationNo specific screens exist for a reconciliation. The reconciliation operation does notreturn the Group Default User.

Group modificationDuring a modify operation, the parameters are changed if you specify the GroupDefault User.


If you do not specify the Group Default User, no changes are made.

Group deletionNo specific screens exist for deleting a group.

If a group is deleted, any users mapped to the group are removed from themapping. The users are not removed from Microsoft SharePoint.

User creationWhen you create a user in Microsoft SharePoint through IBM Security PrivilegedIdentity Manager, you must specify certain attributes.

These attributes must be specified when you create a user.

Table 9. Required attributes for creating a user

Attribute Description

User ID This attribute is the SharePoint user backing store account namewithout the domain or claims prefix. For Example:Administrator. This user must be exist on the backing store.

User Name The user display name for SharePoint.

User Email An email address for SharePoint to send notifications and alertsto this user.

Domain The domain or claims provider that this user ID belongs to.

Groups Selection of the groups.

Note: The User Notes attribute is deprecated. It is removed from the account form.However, the attribute is maintained in the schema for backwards-compatibilityreason.

User reconciliationNo specific screens exist for a user reconciliation.

The same user ID in different domains or claims providers is not supported for areconciliation. For example, the “Administrator” ID is returned from one locationonly.

User modificationDuring a modify operation, the screen contains the same attributes that are listedwhen you create a user.

Modifying a field changes the SharePoint user. Do not change the UserID or theDomain field. Changing either of these attributes causes the modification to fail.

User deletionNo specific screens exist for deleting a user.

The user is removed from any groups to which the user belongs. If the user is thelast member of the group, the group is not deleted. You must use the remove groupcommand to delete a group.

Chapter 8. Reference 33


Index

Aadapter

administrative task automation 1architecture

AssemblyLines 1directory integrator connector 1dispatcher 1profile 1

attribute descriptions 29features 1fields

creating a group 32creating a user 33deleting a group 33deleting a user 33modifying a group 33modifying a user 33reconciling a group 32reconciling a user 33

installation 9tasks 9troubleshooting errors 23verifying 12, 18, 22warnings 23worksheet 8

object class descriptions 29overview 1post-installation steps 21profile

upgrading 19supported configurations 2trusted virtual administrator 1uninstall 27upgrading 19

adapter installation 9adapter profile

importing 21JAR file, creating 21schema.dsml 21

adaptersremoving profiles 27

administrative task automationSharePoint user attribute modification,

group modification 1user

account deletion 1attribute reconciliation 1group creation 1

AssemblyLines 1attributes

descriptions 29standard 29

Cconnector, upgrading 19creating

services 14

Ddirectory integrator connector 1dispatcher

adapter architecture 1installation 9

download, software 8

Ffields


Ggroup, fields required to create 32

Iinstallation

adapter 9software 9

first post-installation steps 21planning roadmaps 5uninstall 27verification

adapter 18, 22verify 12worksheet 8

MMS-DOS ASCII characters 21

Oobject classes

descriptions 29supported 29

operating systemprerequisites 6supported by Tivoli Directory

Integrator 6

Pprofile

editing on UNIX or Linux 21

Rremoving

adapter profiles 27roadmaps

planning 5

Sscreen fields


servicerestart 13start 13stop 13

service, creating 14software

download 8requirements 6website 8

supported configurationsadapter 2overview 2

Ttask automation

SharePoint user attribute modification,group modification 1

useraccount deletion 1attribute reconciliation 1group creation 1

troubleshootingidentifying problems 23techniques for 23

troubleshooting and supporttroubleshooting techniques 23

Uuninstallation 27upgrade

adapter 19connectors 19

upgradesadapter profiles 19

userattributes for creation 33

35

Vverification

dispatcher installation 9installation 18, 22operating system

prerequisites 6requirements 6

softwareprerequisites 6requirements 6

vi command 21


IBM®

Printed in USA

Documents

IBM Security Privileged Identity Manager: Microsoft ...public.dhe.ibm.com/software/security/products/isim/... · AssemblyLines. When an initial r equest is made by IBM Security Identity