
Tivoli® Identity Manager

Password Synchronization for OS/400 Plug-in Installation and Configuration

Guide

Version 4.6

SC23-5269-01


Note: Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 15.

Second Edition (November 2006)

This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2004, 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface . . . v
  Who should read this book . . . v
  Publications and related information . . . v
    Tivoli Identity Manager library . . . v
    Prerequisite product publications . . . vii
    Related publications . . . viii
    Accessing publications online . . . viii
  Accessibility . . . viii
  Support information . . . viii
  Conventions used in this book . . . ix
    Typeface conventions . . . ix
    Operating system differences . . . ix
    Definitions for HOME and other directory variables . . . ix

Chapter 1. Overview of the Password Synchronization for OS/400 plug-in . . . 1
  Features of the plug-in . . . 1

Chapter 2. Installing and configuring the Password Synchronization for OS/400 plug-in . . . 3
  Prerequisites . . . 3
  Installing the plug-in . . . 3
  Configuring the plug-in . . . 4
  Configuring the IBM Tivoli Identity Manager server . . . 4

Chapter 3. Configuring SSL authentication for the plug-in . . . 5
  Overview of SSL and digital certificates . . . 5
    Private keys, public keys, and digital certificates . . . 6
    Self-signed certificates . . . 6
    Certificate and key formats . . . 7
  Configuring certificates when the plug-in operates as an SSL client . . . 7
  Installing CA certificates . . . 8
    Extracting and transferring the self-signed CA certificate from the Tivoli Identity Manager server . . . 8
    Installing the CA certificate on an iSeries system . . . 9

Appendix A. Support information . . . 11
  Searching knowledge bases . . . 11
    Search the information center on your local system or network . . . 11
    Search the Internet . . . 11
  Contacting IBM Software Support . . . 11
    Determine the business impact of your problem . . . 12
    Describe your problem and gather background information . . . 13
    Submit your problem to IBM Software Support . . . 13

Appendix B. Notices . . . 15
  Trademarks . . . 16

Index . . . 19

Preface

IBM Tivoli Identity Manager (version 4.5 or higher) provides Password Synchronization components that process password change requests between an iSeries system and the Tivoli Identity Manager server. This manual describes how to install and prepare the OS/400 Password Synchronization plug-in.

Who should read this book

This book is intended for security administrators responsible for managing password synchronization on their site’s computer systems. Readers are expected to understand security administration concepts. The person completing the OS/400 Password Synchronization plug-in installation procedure must also be familiar with their site’s system standards. Readers should be able to perform routine OS/400 Password Synchronization plug-in security and password administration tasks.

Publications and related information

Read the descriptions of the IBM Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite product publications” on page vii and the “Related publications” on page viii. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page viii.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are organized into the following categories:

• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release information:

• Release Notes
  Provides software and hardware requirements for the product, and additional fix, patch, and other support information.
• Read This First card
  Lists the publications for the product.

Online user assistance:
Provides online help topics and an information center for administrative tasks.

Server installation and configuration:
Provides installation and configuration information for the product server.

Problem determination:
Provides problem determination, logging, and message information for the product.

Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:

• Performance and tuning information
  Provides information needed to tune your production environment, available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• Redbooks™ and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM® developerWorks® Web address:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:
The technical documentation library also includes a set of platform-specific installation documents for the adapter components of the product. Adapter information is available on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Click Support & downloads. Browse to the Downloads and drivers. Click the link for the adapter.

Skills and training:
The following additional skills and technical training information were available at the time that this manual was published:

• Virtual Skills Center for Tivoli® Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at:
  http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations:

• Operating systems
  – IBM AIX
    http://publib16.boulder.ibm.com/pseries/Ja_JP/infocenter/base/index.htm
  – Solaris Operating Environment
    http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux
    http://www.redhat.com/docs/
  – Microsoft® Windows® Server 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2 Universal Database
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• WebSphere Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

Information that is related to your product is available in the following publications:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the link for your product to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your paper.

Accessibility

The product documentation includes the following features to aid accessibility:

• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix A, “Support information,” on page 11.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
  • Keywords and parameters in text

Italic
  • Words defined in text
  • Emphasis of words (words as words)
  • New terms in text (except in a definition list)
  • Variables and values you must provide

Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:

• Windows: drive:\Program Files
• AIX®: /usr
• Other UNIX: /opt

Path variable: DB_INSTANCE_HOME
  Default definition:
    Windows: path\IBM\SQLLIB
    UNIX:
      • AIX, Linux®: /home/dbinstancename
      • Solaris: /export/home/dbinstancename
  Description: The directory that contains the database for your Tivoli Identity Manager product.

Path variable: LDAP_HOME
  Default definition:
    • For IBM Directory Server Version 5.2
      Windows: path\IBM\LDAP
      UNIX: path/IBM/LDAP
        – AIX, Linux: path/ldap
        – Solaris: path/IBMldaps
    • For IBM Directory Server Version 6.0
      Windows: path\IBM\LDAP
      UNIX: /opt/IBM/ldap/
        – AIX, Solaris: /opt/IBM/ldap/
        – Linux: /opt/ibm/ldap/
    • For Sun ONE Directory Server
      Windows: path\Sun\MPS
      UNIX: /var/Sun/mps
  Description: The directory that contains the directory server code.

Path variable: IDS_instance_HOME
  Default definition (for IBM Directory Server Version 6.0):
    Windows: drive\idsslapd-instance_owner_name
      The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX: INSTANCE_HOME/idsslapd-instance_name
      On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapd-instance_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
  Description: The directory that contains the IBM Directory Server Version 6.0 instance.

Path variable: HTTP_HOME
  Default definition:
    Windows: path\IBMHttpServer
    UNIX: path/IBMHttpServer
  Description: The directory that contains the IBM HTTP Server code.

Path variable: ITIM_HOME
  Default definition:
    Windows: path\IBM\itim
    UNIX: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path variable: WAS_HOME
  Default definition:
    Windows: path\WebSphere\AppServer
    UNIX: path/WebSphere/AppServer
  Description: The WebSphere Application Server home directory.

Path variable: WAS_MQ_HOME
  Default definition:
    Windows: path\ibm\WebSphere MQ
    UNIX: path/mqm
  Description: The directory that contains the WebSphere MQ code.

Path variable: WAS_NDM_HOME
  Default definition:
    Windows: path\WebSphere\DeploymentManager
    UNIX: path/WebSphere/DeploymentManager
  Description: The home directory on the Deployment Manager.

Path variable: Tivoli_Common_Directory
  Default definition:
    Windows: path\ibm\tivoli\common\
    UNIX: path/ibm/tivoli/common/
  Description: The central location for all serviceability-related files, such as logs and first-failure data capture.

Chapter 1. Overview of the Password Synchronization for OS/400 plug-in

The Tivoli Identity Manager OS/400 Password Synchronization plug-in is a plug-in that must be installed on the iSeries server before the Tivoli Identity Manager server will accept password changes from the iSeries Password Change user interface. The iSeries FTP Agent must also be installed on the same server as the OS/400 Password Synchronization plug-in. In addition, you will have to install a certificate for the client, as Tivoli Identity Manager relies on certificates to establish secure SSL communication with the OS/400 Password Synchronization plug-in.

This installation and configuration guide provides the basic information that you need to install and configure the OS/400 Password Synchronization plug-in. This chapter provides an overview of the plug-in and the features of the plug-in.

Features of the plug-in

The OS/400 Password Synchronization plug-in intercepts the iSeries user password changes and communicates with Tivoli Identity Manager for password rules verification and synchronization. If Password Synchronization is enabled in Tivoli Identity Manager, it will synchronize the new password with other accounts of the user that are managed by Tivoli Identity Manager.

Chapter 2. Installing and configuring the Password Synchronization for OS/400 plug-in

Password Synchronization has a client-side plug-in, installed on the iSeries server, that must be installed before the Tivoli Identity Manager server will accept password changes from the OS/400 Password Change user interface. The OS/400 FTP adapter must also be installed on the same server as the OS/400 Password Synchronization plug-in.

In addition, you will have to install a certificate for the client. The Tivoli Identity Manager server relies on certificates to establish secure SSL communication between itself and the plug-in.

Prerequisites

Table 1 identifies hardware, software, and authorization prerequisites to install the OS/400 Password Synchronization plug-in. Verify that all of the prerequisites have been met before installing the OS/400 Password Synchronization plug-in.

Table 1. Prerequisites to install the plug-in

System:
  • An OS/400-supported hardware system.
  • A minimum of 16 MB of memory.
  • A minimum of 20 MB of free disk space.
Adapter compatibility: IBM Tivoli Identity Manager OS/400 adapter 4.6
Network connectivity: TCP/IP network
System administrator authority: The person completing the OS/400 Password Synchronization plug-in installation procedure must have OS/400 security officer (QSECOFR) authority to complete the steps in this chapter.
IBM Tivoli Identity Manager server: Version 4.6

Installing the plug-in

The IBM Tivoli Identity Manager OS/400 Password Synchronization plug-in installation program is available for download from the IBM Web site. Contact your IBM account representative for the Web address and download instructions.

In order to install the plug-in, complete the following steps:

1. Download the OS/400 Password Synchronization plug-in compressed file from the IBM Web site.
2. Extract the contents of the OS/400 Password Synchronization plug-in compressed file into a temporary directory.
3. To create the QITIM library of type *PROD (cannot be updated in debug/test mode), type CRTLIB LIB(QITIM) TYPE(*PROD), and press Enter.
4. To restore the plug-in library from the save file (SAVF), type RSTLIB SAVLIB(QITIM) DEV(*SAVF) SAVF(SaveFileName), where SaveFileName is the qualified name of the installation file (save file) that is used to restore data, and press Enter.
5. To add the QITIM library to the user portion of the library list, type ADDLIBLE QITIM, and press Enter.
6. To display the library list, type DSPLIBL, and press Enter. Verify that the QITIM library is displayed.
7. To display the objects, select Option 5, and then type WRKOBJPDM LIB(QITIM), and press Enter. The following four objects should exist in the QITIM library:
   • QITIMPWSYN (*PGM)
   • QITIMMSG (*MSGF)
   • QITIMCFG (*VLDL)
   • CHGITIMCFG (*CMD)
   The QITIMCFG object might not be present if the QITIM/CHGITIMCFG command has not been previously executed.

Configuring the plug-in

To configure the OS/400 Password Synchronization plug-in, complete the following steps:

1. Set the system value QRETSVRSEC = 1.
   This system value is used to determine whether to store the encrypted data from the Tivoli Identity Manager server in the Validation List Entry. If the system value is set to 1 (Retain data), the encrypted data will be stored when the Validation List Entry is added or changed, using the QsyAddValidationLstEntry() and QsyChangeValidationLstEntry() APIs.
2. Set the system value QPWDVLDPGM = *REGFAC.
   This system value provides the ability for a user-written program (QITIMPWSYN in our case) to do additional validation on passwords. If the value of QPWDVLDPGM is set to any other value, the validate password exit programs will not be called.
3. Add the QITIMPWSYN program to the OS/400 registration facility to make it the exit program for password validation. To add this program, run the ADDEXITPGM command and specify the following values:
   • Exit Point = QIBM_QSY_VLD_PASSWRD
   • Exit Point Format = VLDP0100
   • Exit Program = QITIMPWSYN in Lib QITIM
   Verify that the QITIMPWSYN program is now registered by running the WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD) command.
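The installation steps 3 through 7 and the three configuration steps above can be carried out from a single CL program, which is useful when the plug-in has to be rolled out to several iSeries systems in the same way. The following program is an added example and is not part of the IBM guide or the plug-in itself: the program name, its two parameters (the library and name of the already uploaded save file), the TEXT descriptions, and the choice of PGMNBR(*LOW) for the exit program number are assumptions; the message IDs monitored (CPF2111 library exists, CPF2103 library already in library list, CPF9898 generic escape) are standard OS/400 messages. Because it changes two system values and registers a password validation exit program, the job running it needs the security officer (QSECOFR) authority named in the prerequisites.

```cl
/* Added example, not from the IBM guide: install and configure the      */
/* OS/400 Password Synchronization plug-in.                               */
/* Assumes the plug-in save file was already uploaded to &SAVFLIB/&SAVF. */
       PGM        PARM(&SAVFLIB &SAVF)

       DCL        VAR(&SAVFLIB) TYPE(*CHAR) LEN(10)  /* save file library */
       DCL        VAR(&SAVF)    TYPE(*CHAR) LEN(10)  /* save file name    */

       /* Any failure not handled below ends the program with an escape  */
       MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAILED))

       /* Install step 3: *PROD library; CPF2111 = it already exists      */
       CRTLIB     LIB(QITIM) TYPE(*PROD) TEXT('ITIM password sync plug-in')
       MONMSG     MSGID(CPF2111)

       /* Install step 4: restore the plug-in objects from the save file */
       RSTLIB     SAVLIB(QITIM) DEV(*SAVF) SAVF(&SAVFLIB/&SAVF)

       /* Install step 5: add QITIM to the user portion of the library    */
       /* list; CPF2103 = it is already there                              */
       ADDLIBLE   LIB(QITIM)
       MONMSG     MSGID(CPF2103)

       /* Install step 7: the restored objects must exist. QITIMCFG      */
       /* (*VLDL) only appears after CHGITIMCFG has run, so it is skipped */
       CHKOBJ     OBJ(QITIM/QITIMPWSYN) OBJTYPE(*PGM)
       CHKOBJ     OBJ(QITIM/QITIMMSG)   OBJTYPE(*MSGF)
       CHKOBJ     OBJ(QITIM/CHGITIMCFG) OBJTYPE(*CMD)

       /* Config step 1: keep the encrypted data the ITIM server sends   */
       /* in the validation list entries                                   */
       CHGSYSVAL  SYSVAL(QRETSVRSEC) VALUE('1')

       /* Config step 2: route password validation through the            */
       /* registration facility; only registered exit programs are called */
       CHGSYSVAL  SYSVAL(QPWDVLDPGM) VALUE('*REGFAC')

       /* Config step 3: register QITIMPWSYN at the password validation   */
       /* exit point with format VLDP0100                                  */
       ADDEXITPGM EXITPNT(QIBM_QSY_VLD_PASSWRD) FORMAT(VLDP0100) +
                    PGMNBR(*LOW) PGM(QITIM/QITIMPWSYN) +
                    TEXT('ITIM password synchronization')

       SNDPGMMSG  MSG('Password Synchronization plug-in installed') +
                    MSGTYPE(*COMP)
       RETURN

 FAILED:
       SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                    MSGDTA('Plug-in install failed, see job log') +
                    MSGTYPE(*ESCAPE)
       ENDPGM
```

Compile the source member with CRTCLPGM, call it with the save file library and name as parameters, and then confirm the registration interactively with WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD) as the guide instructs. The program deliberately stops at the first unhandled error: registering the exit program while the library restore silently failed would leave the exit point pointing at a missing program, and the password validation exit would not run.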

Configuring the IBM Tivoli Identity Manager server

On the IBM Tivoli Identity Manager server, complete the following steps to enable the Password Synchronization option:

1. On the IBM Tivoli Identity Manager main menu, select Configuration.
2. Select the Properties tab.
3. Check the Enable password synchronization check box.
4. Press Apply changes.

Chapter 3. Configuring SSL authentication for the plug-in

In order to establish a secure connection between a Tivoli Identity Manager plug-in and the Tivoli Identity Manager server, you must configure the plug-in and the server to use Secure Sockets Layer (SSL) authentication with the GSKit communication protocol.

The plug-in notifies the Tivoli Identity Manager server of changes made to user passwords on the managed resource. You can configure SSL authentication for Web connections that originate from the plug-in to the Web server that is used by the Tivoli Identity Manager server.

In a production environment you need to enable SSL security, but for testing purposes you might want to disable SSL. However, if an external application that communicates with the plug-in (such as the Tivoli Identity Manager server) is set to use server authentication, you must enable SSL on the plug-in to verify the certificate that the application presents.

This section presents an overview of SSL authentication, certificates, and how to enable SSL authentication between the Tivoli Identity Manager server and the OS/400 Password Synchronization plug-in using the OS/400 Digital Certificate Manager.

Overview of SSL and digital certificates

When you deploy IBM Tivoli Identity Manager into an enterprise network, you must secure communication between the IBM Tivoli Identity Manager server and the software products and components with which the server communicates. The industry-standard SSL protocol, which uses signed digital certificates from a certificate authority (CA) for authentication, is used to secure communication in an IBM Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the data exchanged between the applications. Encryption makes data transmitted over the network intelligible only to the intended recipient.

Signed digital certificates enable two applications connecting in a network to authenticate each other’s identity. An application acting as an SSL server presents its credentials in a signed digital certificate to verify to an SSL client that it is the entity it claims to be. An application acting as an SSL server can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as those provided by OpenSSL, can also issue signed certificates.

A certificate-authority certificate (CA certificate) must be installed to verify the origin of a signed digital certificate. When an application receives another application’s signed certificate, it uses a CA certificate to verify the originator of the certificate. A certificate authority can be well-known and widely used by other organizations, or it can be local to a specific region or company. Many applications, such as Web browsers, are configured with the CA certificates of well-known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network.

Private keys, public keys, and digital certificates

Keys, digital certificates, and trusted certificate authorities are used to establish and

verify the identities of applications.

SSL uses public key encryption technology for authentication. In public key

encryption, a public key and a private key are generated for an application. Data

encrypted with the public key can only be decrypted using the corresponding

private key. Similarly, the data encrypted with the private key can only be

decrypted using the corresponding public key. The private key is

password-protected in a key database file so that only the owner can access the

private key to decrypt messages that are encrypted using the corresponding public

key.

A signed digital certificate is an industry-standard method of verifying the

authenticity of an entity, such as a server, client, or application. In order to ensure

maximum security, a certificate is issued by a third-party certificate authority. A

certificate contains the following information to verify the identity of an entity:

Organizational information
This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility.

Public key
The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.

Certificate authority’s distinguished name
The issuer of the certificate identifies itself with this information.

Digital signature
The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding CA certificate to verify that the certificate originated from a trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the CA certificate used to verify it has expired, or because the distinguished name in the digital certificate of the server does not match the distinguished name specified by the client.

Self-signed certificates

You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner’s signature. It has an associated private key, but it does not verify the origin of the certificate through a third-party certificate authority. Once you generate a self-signed certificate on an SSL server application, you must extract it and add it to the certificate registry of the SSL client application.

This procedure is the equivalent of installing a CA certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a CA certificate.


Use a key management utility to generate a self-signed certificate and private key, extract a self-signed certificate, and add a self-signed certificate.

Where and how you choose to use self-signed certificates depends on your security requirements. In order to achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively. For example, you can choose to authenticate applications that protect server data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or IBM Tivoli Identity Manager plug-ins.

If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and CA certificate pair.

Certificate and key formats

Certificates and keys are stored in files with the following formats:

.pem format
A privacy-enhanced mail (.pem) format file begins and ends with the following lines:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

A .pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.

.arm format
An .arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm file format is generated and used by the IBM Key Management utility.

.der format
A .der file contains binary data. A .der file can only be used for a single certificate, unlike a .pem file, which can contain multiple certificates.

.pfx format (PKCS12)
A PKCS12 file is a portable file that contains a certificate and a corresponding private key. This format is useful for converting from one type of SSL implementation to a different implementation.
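The following added example (not IBM's code and not part of this guide) tells the four formats above apart and normalizes a CA certificate file into a certificates-only .pem bundle before it is imported into a trust store; it refuses a .pfx because that format carries the private key, which a CA trust file must never contain. It assumes an .arm file is bare base64 when it has no BEGIN/END lines, and the DER blobs at the bottom are constructed stand-ins shaped like a certificate and a PKCS12 file, not real certificates.

```python
import base64
import re
from typing import List, Tuple

# Added example (not IBM's code): helpers for the .pem/.arm/.der/.pfx formats
# described in the guide, used to check a CA certificate file before importing it.

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
BASE64_TEXT = re.compile(rb"[A-Za-z0-9+/=\s]+")


def der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length field at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: the byte is the length
        return first, pos + 1
    nbytes = first & 0x7F                  # long form: count of length bytes follows
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def check_der_sequence(der: bytes) -> int:
    """Require der to be exactly one DER SEQUENCE; return the offset of its first element."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, body = der_length(der, 1)
    if body + length != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    return body


def detect_format(data: bytes) -> str:
    """Classify file bytes as 'pem', 'arm' (bare base64), 'der' (one cert) or 'pfx' (PKCS12)."""
    if b"-----BEGIN " in data:              # .pem, or an .arm that carries PEM headers
        return "pem"
    if BASE64_TEXT.fullmatch(data):
        base64.b64decode(b"".join(data.split()), validate=True)  # raises if not base64
        return "arm"
    first = check_der_sequence(data)
    # PFX ::= SEQUENCE { version INTEGER(3), ... } while a Certificate begins with the
    # tbsCertificate SEQUENCE, so the first inner element tells the two apart.
    if data[first:first + 3] == b"\x02\x01\x03":
        return "pfx"
    if data[first] == 0x30:
        return "der"
    raise ValueError("DER SEQUENCE is neither a certificate nor a PKCS12 file")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap one DER object in PEM header/footer lines, base64 broken at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def split_pem_chain(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a .pem file (a chain yields several)."""
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":          # PRIVATE KEY and other blocks are skipped
            certs.append(base64.b64decode("".join(body.split())))
    return certs


def to_ca_pem_bundle(data: bytes) -> str:
    """Normalise any supported input to a PEM bundle containing certificates only.

    Private-key material is never copied through: key blocks in a .pem are dropped and a
    .pfx is refused, because the CA trust file extracted from a server must not carry a key.
    """
    kind = detect_format(data)
    if kind == "pfx":
        raise ValueError("PKCS12 file contains a private key; export the certificate first")
    if kind == "pem":
        ders = split_pem_chain(data.decode("ascii"))
    elif kind == "arm":
        ders = [base64.b64decode(b"".join(data.split()))]
    else:
        ders = [data]
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    for der in ders:
        check_der_sequence(der)             # refuse truncated or padded certificates
    return "".join(der_to_pem(der) for der in ders)


# Constructed stand-ins (not real certificates): SEQUENCE{SEQUENCE{INTEGER 1}} is shaped
# like a certificate, SEQUENCE{INTEGER 3, SEQUENCE{}} is shaped like a PFX.
SAMPLE_CERT_DER = bytes.fromhex("30053003020101")
SAMPLE_PFX_DER = bytes.fromhex("30050201033000")
SAMPLE_CERT_ARM = base64.b64encode(SAMPLE_CERT_DER)   # the same cert as bare base64

if __name__ == "__main__":
    chain = der_to_pem(SAMPLE_CERT_DER) * 2
    print(detect_format(SAMPLE_CERT_DER), detect_format(SAMPLE_PFX_DER))   # der pfx
    print(len(split_pem_chain(chain)), "certificates in the sample chain")  # 2
```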

Configuring certificates when the plug-in operates as an SSL client

In this scenario, the plug-in operates as an SSL client. The plug-in initiates the connection and the Web server responds by presenting its certificate to the plug-in.

Figure 1 on page 8 illustrates how a Tivoli Identity Manager plug-in operates as an SSL server and an SSL client. When communicating with the Tivoli Identity Manager server, the plug-in sends its certificate for authentication. When communicating with the Web server, the plug-in receives the certificate of the Web server.


If the Web server is configured for two-way SSL authentication, it verifies the identity of the plug-in, which sends its signed certificate to the Web server (not shown in the illustration). In order to enable two-way SSL authentication between the plug-in and Web server, use the following procedure:

1. Configure the Web server to use client authentication.
2. Follow the procedure for creating and installing a signed certificate on the Web server.
3. Install the CA certificate on the plug-in, using a certificate installation tool.
4. Add the CA certificate corresponding to the signed certificate of the plug-in to the Web server.

For more information on configuring certificates when the plug-in initiates a connection to the Web server (used by the Tivoli Identity Manager Server) to send an event notification, see the Tivoli Identity Manager Information Center.

Installing CA certificates

Installing the self-signed CA certificate from the IBM Tivoli Identity Manager server to each target iSeries server consists of transferring the certificate from the IBM Tivoli Identity Manager server to the iSeries server, starting the certificate installation tool, exporting the certificate, defining a CA trust list, and assigning the certificate.

Extracting and transferring the self-signed CA certificate from the Tivoli Identity Manager server

To extract and transfer the CA certificate used by Tivoli Identity Manager for authentication with the iSeries server:

1. Use a Web browser, for example Internet Explorer, to connect to Tivoli Identity Manager using SSL protocol (https://hostname:9443/enrole). A dialog box is displayed requesting that you accept an untrusted certificate.

Note: This dialog box is not displayed if the SSL certificate is signed by a well-known CA. In this situation you must use a certificate tool such as ikeyman to extract the certificate.

2. Click View Certificate.

[Figure 1 (image not reproduced): the Tivoli Identity Manager plug-in, the Tivoli Identity Manager server and the Web server, labeled A, B and C. Certificates shown: CA Certificate A, Certificate A, CA Certificate C and Certificate C. Each exchange begins with a Hello followed by Certificate A or Certificate C.]

Figure 1. IBM Tivoli Identity Manager plug-in operating as an SSL server and as an SSL client


3. On the Details tab, click Copy to File.
4. Click Next.
5. Select DER encoded, type a file name in the field, and click Finish.
6. FTP this file to the iSeries server:
a. Type ftp targetmachinename and press Enter.
b. Type your user name and press Enter.
c. Type the password associated with your user name and press Enter.
d. Type bin and press Enter.
e. Type cd /tmp and press Enter.
f. Type put filename, where filename is the certificate file that you extracted and copied in the previous steps, and press Enter.
g. Type quit and press Enter.

Installing the CA certificate on an iSeries system

From an Internet browser, complete the following steps:

1. Open the Web browser to http://iSerieshostname:2001, where iSerieshostname is the host name of the iSeries server.
2. Enter your iSeries server user name and password, and click OK.
3. On the iSeries Tasks window, select Digital Certificate Manager.
4. On the Digital Certificate Manager window, select Create a Certificate Authority (CA) in the left pane.
5. Type the information in the required fields.

Note: The Certificate Authority (CA) name describes the name of the iSeries system.

6. Click Continue.
7. On the Install Local CA Certificate pane, click Continue. The certificate does not need to be installed.
8. On the Certificate Authority (CA) Policy Data pane, accept the default settings and click Continue.
9. On the Policy Data Accepted pane, a message The policy data for the Certificate Authority (CA) was accepted. is displayed. Click Continue to create the default server certificate store (*SYSTEM, if this was not created before) and a server certificate signed by your CA.
10. On the next Digital Certificate Manager window, type in the information for the required fields.

Note: Specify a different name in the Certificate label field for the certificate store (*SYSTEM database). The fields in the Subject Alternative Name section can be left blank. Click Continue.

11. On the next Digital Certificate Manager window, a list of applications and certificates is displayed. Click Select All, then click Continue.
12. On the Application Status pane, a message The applications you selected will use this certificate. is displayed. Click Cancel. The creation of a signing certificate is optional.
13. On the Select a Certificate Store pane, select *SYSTEM and click Continue.
14. On the Certificate Store and Password pane, type the password for the *SYSTEM Certificate Store database and click Continue.


15. Extract the CA certificate from the Tivoli Identity Manager system and copy the file to the iSeries system. See “Extracting and transferring the self-signed CA certificate from the Tivoli Identity Manager server” on page 8.
16. On the next Digital Certificate Manager window, in the Fast Path menu, click Work with CA Certificates.
17. A list of certificates is displayed. Click Import.
18. On the Import Certificate Authority (CA) Certificate pane, in the Import file: field type:

/qibm/userdata/psdserver.der

(where psdserver.der is the name of the certificate you extracted from the Tivoli Identity Manager system) and click Continue.
19. On the Import Certificate Authority (CA) Certificate pane, type a label name in the CA certificate label: field, for example: Tivoli Identity Manager server, and click Continue.
20. In the Fast Path menu, select Work with Client applications and click Continue.
21. On the Applications registered to use certificates: pane, click Add Application.
22. On the next Digital Certificate Manager window, in the Application: ID field, type TIVOLI_PWD_SYNCH. Select Application description: and type a description, for example, Password Sync Exit Handler. Click Add.
23. On the Work with Client Applications pane, a message The application has been added. is displayed. Select Password Sync Exit Handler (the description you gave the application) and click Work with application.
24. On the next Digital Certificate Manager window, click Update Certificate Assignment.
25. On the next Digital Certificate Manager window, select the certificate you just created from the list and click Assign New Certificate.
26. In the Update Certificate Assignment pane, the message The certificate was assigned to the application. is displayed.
27. In the Fast Path pane, click Work with CA certificates. Verify that Tivoli Identity Manager server is listed as enabled in the Certificate Authority (CA) list.


Appendix A. Support information

This section describes the following options for obtaining support for IBM products:

• “Searching knowledge bases”
• “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:

• Performance and tuning information
Provides information needed to tune your production environment, available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address:
http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.


Before contacting IBM Software Support, your company must have an active IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have:

• For IBM distributed software products (including, but not limited to, Tivoli, Lotus®, and Rational® products, as well as DB2 and WebSphere® products that run on Windows or UNIX operating systems), enroll in Passport Advantage® in one of the following ways:
– Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll
– By phone: For the phone number to call in your country, go to the IBM Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
• For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in zSeries®, pSeries®, and iSeries™ environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM Technical Support Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region for phone numbers of people who provide support for your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.

2. Describe your problem and gather background information.

3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria:

Severity 1
Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
Significant business impact: The program is usable but is severely limited.

Severity 3
Some business impact: The program is usable with less significant features (not critical to operations) unavailable.

Severity 4
Minimal business impact: The problem causes little impact on operations, or a reasonable circumvention to the problem has been implemented.


Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can the problem be re-created? If so, what steps led to the failure?
• Have any changes been made to the system? (For example, hardware, operating system, networking software, and so on.)
• Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:

• Online: Go to the "Submit and track problems" page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
• By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround for you to implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions.

For more information about problem resolution, see Searching knowledge bases.


Appendix B. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

IBM

IBM logo

ibm.com

AIX

AS/400

DB2

Domino

i5/OS

Informix

iSeries

Linux

Lotus

Lotus Notes

MQSeries

Notes

OS/400

Power PC

Tivoli


Tivoli logo

Universal Database

WebSphere

Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel®, Intel Inside® (logos), MMX and Pentium® are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java™ and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Other company, product, and service names may be trademarks or service marks of others.


Index

A
accessibility
  pdf format, for screen-reader software viii
  statement for documentation viii
  text, alternative for document images viii
adapter
  configuration 4
  features 1
administrator authority prerequisites 3

B
books
  see publications viii

C
certificate authority
  definition 5
certificates
  definition 5
  key formats 7
  overview 5
  private keys and digital certificates 6
  self-signed 6
client validation, SSL 7
configuration
  adapter 4
  plug-in 4
conventions
  HOME directory
    Tivoli_Common_Directory xi
    DB_INSTANCE_HOME x
    HTTP_HOME xi
    ITIM_HOME xi
    LDAP_HOME x
    WAS_HOME xi
    WAS_MQ_HOME xi
    WAS_NDM_HOME xi
  typeface ix
  UNIX variable, directory notation ix
  used in this document ix
customer support
  see Software Support 11

D
DB_INSTANCE_HOME
  DB2 UDB installation directory x
  definition x
directory
  DB_INSTANCE_HOME x
  HTTP_HOME xi
  installation
    DB2 UDB x
    IBM Directory Server x
    IBM HTTP Server xi
    WebSphere Application Server base product xi
    WebSphere Application Server Network Deployment product xi
    WebSphere MQ xi
  installation for Sun ONE Directory Server x
  ITIM_HOME xi
  LDAP_HOME x
  names, UNIX notation ix
  WAS_HOME xi
  WAS_MQ_HOME xi
  WAS_NDM_HOME xi
disabilities, using documentation viii
documents
  IBM Tivoli Identity Manager library v
  related viii

E
encryption
  SSL 5, 6
environment variable
  UNIX notation ix

H
home directories
  DB_INSTANCE_HOME x
  HTTP_HOME xi
  ITIM_HOME xi
  LDAP_HOME x
  WAS_HOME xi
  WAS_MQ_HOME xi
  WAS_NDM_HOME xi
HTTP_HOME
  definition xi
  IBM HTTP Server installation directory xi

I
import
  PKCS12 file 7
information centers, searching to find software problem resolution 11
installation
  directory
    DB2 UDB x
    IBM Directory Server x
    IBM HTTP Server xi
    Sun ONE Directory Server x
    WebSphere Application Server base product xi
    WebSphere Application Server Network Deployment product xi
    WebSphere MQ xi
  plug-in 3
installation prerequisites
  administrator authority 3
  network connectivity 3
  software 3
  system 3
  Tivoli Identity Manager server communication 3
Internet, searching to find software problem resolution 11
ITIM_HOME
  definition xi
  directory xi

K
knowledge bases, searching to find software problem resolution 11

L
LDAP_HOME
  definition x
  IBM Directory Server installation directory x
  Sun ONE Directory Server installation directory x

M
manuals
  see publications viii

N
network connectivity prerequisites 3

O
online publications
  accessing viii

P
path names, notation ix
pdf format, for screen-reader software viii
plug-in
  configuration 4
  installation 3
  installation overview 1
plug-in overview 1
private key
  definition 5
problem determination
  describing problem for IBM Software Support 13
  determining business impact for IBM Software Support 12
  submitting problem to IBM Software Support 13
protocol
  SSL
    overview 5
    two-way configuration 7
public key 6
publications
  accessing online viii
  IBM Tivoli Identity Manager library v
  related viii

S
self-signed certificate 6
server communication prerequisites 3
software prerequisites 3
Software Support
  contacting 11
  describing problem for IBM Software Support 13
  determining business impact for IBM Software Support 12
  submitting problem to IBM Software Support 13
SSL
  certificate installation 5
  encryption 5
  key formats 7
  overview 5
  private keys and digital certificates 6
  self-signed certificates 6
  two-way configuration 7
system prerequisites 3

T
text, alternative for document images viii
Tivoli Identity Manager plug-in
  communication with the server 7
  SSL communication 7
Tivoli Identity Manager server communication prerequisites
  server 3
Tivoli software information center viii
Tivoli_Common_Directory
  definition xi
two-way configuration
  SSL
    client and server 7
typeface conventions ix

W
WAS_HOME
  definition xi
  WebSphere Application Server base installation directory xi
WAS_MQ_HOME
  definition xi
  WebSphere MQ installation directory xi
WAS_NDM_HOME
  definition xi
  WebSphere Application Server Network Deployment installation directory xi


Printed in USA

SC23-5269-01