Tivoli® Identity Manager
Password Synchronization for OS/400 Plug-in Installation and Configuration
Guide
Version 4.6
SC23-5269-01
Note:
Before using this information and the product it supports, read the information in Appendix B, “Notices,” on page 15.
Second Edition (November 2006)
This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise
indicated in new editions.
© Copyright International Business Machines Corporation 2004, 2006. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Preface . . . . . . . . . . . . . . . v
Who should read this book . . . . . . . . . v
Publications and related information . . . . . . v
Tivoli Identity Manager library . . . . . . . v
Prerequisite product publications . . . . . . vii
Related publications . . . . . . . . . . viii
Accessing publications online . . . . . . . viii
Accessibility . . . . . . . . . . . . . . viii
Support information . . . . . . . . . . . viii
Conventions used in this book . . . . . . . . ix
Typeface conventions . . . . . . . . . . ix
Operating system differences . . . . . . . . ix
Definitions for HOME and other directory
variables . . . . . . . . . . . . . . ix
Chapter 1. Overview of the Password
Synchronization for OS/400 plug-in . . . 1
Features of the plug-in . . . . . . . . . . . 1
Chapter 2. Installing and configuring the
Password Synchronization for OS/400
plug-in . . . . . . . . . . . . . . . 3
Prerequisites . . . . . . . . . . . . . . 3
Installing the plug-in . . . . . . . . . . . 3
Configuring the plug-in . . . . . . . . . . . 4
Configuring the IBM Tivoli Identity Manager server 4
Chapter 3. Configuring SSL
authentication for the plug-in . . . . . 5
Overview of SSL and digital certificates . . . . . 5
Private keys, public keys, and digital certificates . 6
Self-signed certificates . . . . . . . . . . 6
Certificate and key formats . . . . . . . . 7
Configuring certificates when the plug-in operates as
an SSL client . . . . . . . . . . . . . . 7
Installing CA certificates . . . . . . . . . . 8
Extracting and transferring the self-signed CA
certificate from the Tivoli Identity Manager server . 8
Installing the CA certificate on an iSeries system . 9
Appendix A. Support information . . . 11
Searching knowledge bases . . . . . . . . . 11
Search the information center on your local
system or network . . . . . . . . . . . 11
Search the Internet . . . . . . . . . . . 11
Contacting IBM Software Support . . . . . . . 11
Determine the business impact of your problem 12
Describe your problem and gather background
information . . . . . . . . . . . . . 13
Submit your problem to IBM Software Support 13
Appendix B. Notices . . . . . . . . . 15
Trademarks . . . . . . . . . . . . . . 16
Index . . . . . . . . . . . . . . . 19
© Copyright IBM Corp. 2004, 2006 iii
iv IBM Tivoli Identity Manager: Password Synchronization for OS/400 Plug-in Installation and Configuration Guide
Preface
IBM Tivoli Identity Manager (version 4.5 or higher) provides Password
Synchronization components that process password change requests between an
iSeries system and the Tivoli Identity Manager server. This manual describes how
to install and prepare the OS/400 Password Synchronization plug-in.
Who should read this book
This book is intended for security administrators responsible for managing
password synchronization on their site’s computer systems. Readers are expected
to understand security administration concepts. The person completing the OS/400
Password Synchronization plug-in installation procedure must also be familiar
with their site’s system standards. Readers should be able to perform routine
OS/400 Password Synchronization plug-in security and password administration
tasks.
Publications and related information
Read the descriptions of the IBM Tivoli Identity Manager library. To determine
which additional publications you might find helpful, read the “Prerequisite
product publications” on page vii and the “Related publications” on page viii.
After you determine the publications you need, refer to the instructions in
“Accessing publications online” on page viii.
Tivoli Identity Manager library
The publications in the technical documentation library for your product are
organized into the following categories:
v Release information
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration
Release Information:
v Release Notes
Provides software and hardware requirements for the product, and additional
fix, patch, and other support information.
v Read This First card
Lists the publications for the product.
Online user assistance:
Provides online help topics and an information center for administrative tasks.
Server installation and configuration:
Provides installation and configuration information for the product server.
Problem determination:
Provides problem determination, logging, and message information for the
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity
Manager products. Click the link for your product, and then browse the
information center for the Technical Supplements section.
v Redbooks™ and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM® developerWorks® Web address:
http://www.ibm.com/developerworks/
Adapter installation and configuration:
The technical documentation library also includes a set of platform-specific
installation documents for the adapter components of the product. Adapter
information is available on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Click Support & downloads. Browse to the Downloads and drivers. Click the link
for the adapter.
Skills and training:
The following additional skills and technical training information were available at
the time that this manual was published:
v Virtual Skills Center for Tivoli® Software on the Web at:
http://www.cgselearning.com/tivoliskills/
v Tivoli Education Software Training Roadmaps on the Web at:
http://www.ibm.com/software/tivoli/education/eduroad_prod.html
v Tivoli Technical Exchange on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for your product. Publications are available from
the following locations:
v Operating systems
– IBM AIX
http://publib16.boulder.ibm.com/pseries/Ja_JP/infocenter/base/index.htm
– Solaris Operating Environment
http://docs.sun.com/app/docs/prod/solaris
– Red Hat Linux
http://www.redhat.com/docs/
– Microsoft® Windows® Server 2003
http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
v Database servers
– IBM DB2 Universal Database
- Support: http://www.ibm.com/software/data/db2/udb/support.html
- Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
- Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
- DB2® product family: http://www.ibm.com/software/data/db2
- Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
- System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
– Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
– Microsoft SQL Server
http://www.msdn.com/library/
http://www.microsoft.com/sql/
v Directory server applications
– IBM Directory Server
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
http://www.ibm.com/software/network/directory
– Sun ONE Directory Server
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
v WebSphere Application Server
Additional information is available in the product directory or Web sites.
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
http://www.redbooks.ibm.com/
v WebSphere embedded messaging
http://www.ibm.com/software/integration/wmq/
v IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
Related publications
Information that is related to your product is available in the following
publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the link for your product to
access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your paper.
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
v Searching knowledge bases: You can search across a large collection of known
problems and workarounds, Technotes, and other information.
v Contacting IBM Software Support: If you still cannot solve your problem, and
you need to work with someone from IBM, you can use a variety of ways to
contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix A,
“Support information,” on page 11.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This guide uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text
Italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system differences
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path varies for these operating systems:
v Windows: drive:\Program Files
v AIX®: /usr
v Other UNIX: /opt

Path variables, their default definitions, and what each directory contains:

DB_INSTANCE_HOME
The directory that contains the database for your Tivoli Identity Manager product.
Windows: path\IBM\SQLLIB
UNIX:
v AIX, Linux®: /home/dbinstancename
v Solaris: /export/home/dbinstancename

LDAP_HOME
The directory that contains the directory server code.
v For IBM Directory Server Version 5.2
Windows: path\IBM\LDAP
UNIX: path/IBM/LDAP
– AIX, Linux: path/ldap
– Solaris: path/IBMldaps
v For IBM Directory Server Version 6.0
Windows: path\IBM\LDAP
UNIX: /opt/IBM/ldap/
– AIX, Solaris: /opt/IBM/ldap/
– Linux: /opt/ibm/ldap/
v For Sun ONE Directory Server
Windows: path\Sun\MPS
UNIX: /var/Sun/mps

IDS_instance_HOME
The directory that contains the IBM Directory Server Version 6.0 instance.
Windows: drive\idsslapd-instance_owner_name
The value of drive might be C:\. An example of instance_owner_name might be
ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
UNIX: INSTANCE_HOME/idsslapd-instance_name
On Linux and AIX systems, the default home directory is the
/home/instance_name/idsslapd-instance_name directory. On Solaris systems, for
example, the directory is /export/home/ldapdb2/idsslapd-ldapdb2.

HTTP_HOME
The directory that contains the IBM HTTP Server code.
Windows: path\IBMHttpServer
UNIX: path/IBMHttpServer

ITIM_HOME
The base directory that contains the Tivoli Identity Manager code, configuration,
and documentation.
Windows: path\IBM\itim
UNIX: path/IBM/itim

WAS_HOME
The WebSphere Application Server home directory.
Windows: path\WebSphere\AppServer
UNIX: path/WebSphere/AppServer

WAS_MQ_HOME
The directory that contains the WebSphere MQ code.
Windows: path\ibm\WebSphere MQ
UNIX: path/mqm

WAS_NDM_HOME
The home directory on the Deployment Manager.
Windows: path\WebSphere\DeploymentManager
UNIX: path/WebSphere/DeploymentManager

Tivoli_Common_Directory
The central location for all serviceability-related files, such as logs and
first-failure data capture.
Windows: path\ibm\tivoli\common\
UNIX: path/ibm/tivoli/common/
Chapter 1. Overview of the Password Synchronization for
OS/400 plug-in
The Tivoli Identity Manager OS/400 Password Synchronization plug-in is a component
that must be installed on the iSeries server before the Tivoli Identity Manager
server will accept password changes from the iSeries password change user
interface. The iSeries FTP agent must also be installed on the same server as the
OS/400 Password Synchronization plug-in. In addition, you must install a
certificate for the client, because Tivoli Identity Manager relies on certificates
to establish secure SSL communication with the OS/400 Password Synchronization
plug-in.
This installation and configuration guide provides the basic information that you
need to install and configure the OS/400 Password Synchronization plug-in. This
chapter provides an overview of the plug-in and the features of the plug-in.
Features of the plug-in
The OS/400 Password Synchronization plug-in intercepts iSeries user password
changes and communicates with Tivoli Identity Manager for password rule
verification and synchronization. If password synchronization is enabled in Tivoli
Identity Manager, the new password is synchronized to the user's other accounts
that are managed by Tivoli Identity Manager.
Chapter 2. Installing and configuring the Password
Synchronization for OS/400 plug-in
Password Synchronization has a client-side plug-in, installed on the iSeries server,
that must be installed before the Tivoli Identity Manager server will accept
password changes from the OS/400 Password Change user interface. The OS/400
FTP adapter must also be installed on the same server as the OS/400 Password
Synchronization plug-in.
In addition, you will have to install a certificate for the client. The Tivoli Identity
Manager server relies on certificates to establish secure SSL communication
between itself and the plug-in.
Prerequisites
Table 1 identifies hardware, software, and authorization prerequisites to install the
OS/400 Password Synchronization plug-in. Verify that all of the prerequisites have
been met before installing the OS/400 Password Synchronization plug-in.

Table 1. Prerequisites to install the plug-in

System
v An OS/400-supported hardware system.
v A minimum of 16 MB of memory.
v A minimum of 20 MB of free disk space.

Adapter compatibility
IBM Tivoli Identity Manager OS/400 adapter 4.6

Network connectivity
TCP/IP network

System administrator authority
The person completing the OS/400 Password Synchronization plug-in installation
procedure must have OS/400 security officer (QSECOFR) authority to complete the
steps in this chapter.

IBM Tivoli Identity Manager server
Version 4.6
Installing the plug-in
The IBM Tivoli Identity Manager OS/400 Password Synchronization plug-in
installation program is available for download from the IBM Web site. Contact
your IBM account representative for the Web address and download instructions.
In order to install the plug-in, complete the following steps:
1. Download the OS/400 Password Synchronization plug-in compressed file from
the IBM Web site.
2. Extract the contents of the OS/400 Password Synchronization plug-in
compressed file into a temporary directory.
3. To create the QITIM library as type *PROD (objects in a production library
cannot be changed while in debug mode), type CRTLIB LIB(QITIM) TYPE(*PROD), and
press Enter.
4. To restore the plug-in objects from the save file, type RSTLIB SAVLIB(QITIM)
DEV(*SAVF) SAVF(SaveFileName), where SaveFileName is the qualified name
(library/file) of the save file extracted in step 2, which must already be on the
iSeries system, and press Enter.
5. To add the QITIM library to the user portion of the library list, type ADDLIBLE
QITIM, and press Enter.
6. To display the library list, type DSPLIBL, and press Enter. Verify that the QITIM
library is displayed.
7. To display the objects, type WRKOBJPDM LIB(QITIM), and press Enter; use Option
5 to display an individual object. The following four objects should exist in the
QITIM library:
v QITIMPWSYN (*PGM)
v QITIMMSG (*MSGF)
v QITIMCFG (*VLDL)
v CHGITIMCFG (*CMD)
The QITIMCFG object might not be present if the QITIM/CHGITIMCFG command has not
yet been run.
Configuring the plug-in
To configure the OS/400 Password Synchronization plug-in, complete the
following steps:
1. Set the system value QRETSVRSEC = 1.
This system value is used to determine whether to store the encrypted data
from the Tivoli Identity Manager server in the Validation List Entry. If the
system value is set to 1 (Retain data), the encrypted data will be stored when
the Validation List Entry is added or changed, using the
QsyAddValidationLstEntry() and QsyChangeValidationLstEntry() APIs.
2. Set the system value QPWDVLDPGM = *REGFAC.
This system value provides the ability for a user-written program
(QITIMPWSYN in our case) to do additional validation on passwords. If the
value of QPWDVLDPGM is set to any other value, the validate password exit
programs will not be called.
3. Add the QITIMPWSYN program to the OS/400 registration facility so that it
becomes the exit program for password validation. To add this program, run the
ADDEXITPGM command and specify the following values:
v Exit point = QIBM_QSY_VLD_PASSWRD
v Exit point format = VLDP0100
v Exit program = QITIMPWSYN in library QITIM
Verify that the QITIMPWSYN program is now registered by running the
WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD) command. Because every program
registered at this exit point is called with the password being validated, the
list that WRKREGINF displays should contain only the programs you expect.
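The installation steps (CRTLIB, RSTLIB, ADDLIBLE, object check) and the three configuration steps above, gathered into one CL program as an added example. This is not IBM's code and is not shipped with the plug-in. It assumes the plug-in save file has already been transferred in binary mode to QGPL/QITIMSAVF (a name chosen here for illustration) and that the program runs under a profile with *SECOFR authority. Each system value is read back with RTVSYSVAL before it is changed, and the objects the guide lists are checked with CHKOBJ, so a failed restore stops the program before the exit program is registered.

```cl
/* ITIMPWSYN setup: install and configure steps of this chapter as   */
/* one CL program.  Added example; not IBM code and not shipped with */
/* the plug-in.  Assumes the save file was already transferred       */
/* (binary) to QGPL/QITIMSAVF (name chosen for this example) and     */
/* that the caller has *SECOFR authority.                            */
             PGM
             DCL        VAR(&RETSVRSEC) TYPE(*CHAR) LEN(1)
             DCL        VAR(&PWDVLDPGM) TYPE(*CHAR) LEN(20)

/* Install step 3: production library; CPF2111 = already exists      */
             CRTLIB     LIB(QITIM) TYPE(*PROD)
             MONMSG     MSGID(CPF2111)

/* Install step 4: restore the plug-in objects from the save file    */
             RSTLIB     SAVLIB(QITIM) DEV(*SAVF) SAVF(QGPL/QITIMSAVF)

/* Install step 5: add QITIM to the library list; CPF2103 = present  */
             ADDLIBLE   LIB(QITIM)
             MONMSG     MSGID(CPF2103)

/* Install step 7: the objects the guide lists must exist.  QITIMCFG */
/* is created only when CHGITIMCFG runs, so it is not checked here.  */
/* An unmonitored CHKOBJ failure ends the program with its escape    */
/* message, before anything is registered at the exit point.         */
             CHKOBJ     OBJ(QITIM/QITIMPWSYN) OBJTYPE(*PGM)
             CHKOBJ     OBJ(QITIM/QITIMMSG)   OBJTYPE(*MSGF)
             CHKOBJ     OBJ(QITIM/CHGITIMCFG) OBJTYPE(*CMD)

/* Configure step 1: QRETSVRSEC = 1, changed only if not already set */
             RTVSYSVAL  SYSVAL(QRETSVRSEC) RTNVAR(&RETSVRSEC)
             IF         COND(&RETSVRSEC *NE '1') THEN(DO)
                CHGSYSVAL  SYSVAL(QRETSVRSEC) VALUE('1')
             ENDDO

/* Configure step 2: route password validation through the          */
/* registration facility; with any other value the exit program is  */
/* never called                                                      */
             RTVSYSVAL  SYSVAL(QPWDVLDPGM) RTNVAR(&PWDVLDPGM)
             IF         COND(&PWDVLDPGM *NE '*REGFAC') THEN(DO)
                CHGSYSVAL  SYSVAL(QPWDVLDPGM) VALUE('*REGFAC')
             ENDDO

/* Configure step 3: register QITIMPWSYN at the password validation  */
/* exit point.  Every program registered here is called with the     */
/* password being validated, so only expected programs should appear */
/* in WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD).                       */
             ADDEXITPGM EXITPNT(QIBM_QSY_VLD_PASSWRD) FORMAT(VLDP0100) +
                          PGMNBR(*LOW) PGM(QITIM/QITIMPWSYN)

             ENDPGM
```

Compile it with CRTBNDCL (or CRTCLPGM) and call it once. RSTLIB, CHKOBJ and ADDEXITPGM are deliberately not monitored, so a bad save file, a missing object or a registration failure ends the program with the escape message instead of continuing. Before running it a second time, check WRKREGINF EXITPNT(QIBM_QSY_VLD_PASSWRD) so that QITIMPWSYN is not registered twice, and treat that display as a security control: it lists every program that sees a password at validation time.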
Configuring the IBM Tivoli Identity Manager server
On the IBM Tivoli Identity Manager server, complete the following steps to enable
the password synchronization option:
1. On the IBM Tivoli Identity Manager main menu, select Configuration.
2. Select the Properties tab.
3. Select the Enable password synchronization check box.
4. Click Apply changes.
Chapter 3. Configuring SSL authentication for the plug-in
In order to establish a secure connection between a Tivoli Identity Manager plug-in
and the Tivoli Identity Manager server, you must configure the plug-in and the
server to use Secure Sockets Layer (SSL) authentication, as provided by the GSKit
SSL implementation.
The plug-in notifies the Tivoli Identity Manager server of changes made to user
passwords on the managed resource. You can configure SSL authentication for Web
connections that originate from the plug-in to the Web server that is used by the
Tivoli Identity Manager server.
In a production environment you need to enable SSL security, but for testing
purposes you might want to disable SSL. However, if an external application that
communicates with the plug-in (such as the Tivoli Identity Manager server) is set
to use server authentication, you must enable SSL on the plug-in to verify the
certificate that the application presents.
This section presents an overview of SSL authentication and certificates, and
describes how to enable SSL authentication between the Tivoli Identity Manager
server and the OS/400 Password Synchronization plug-in using the OS/400 Digital
Certificate Manager.
Overview of SSL and digital certificates
When you deploy IBM Tivoli Identity Manager into an enterprise network, you
must secure communication between the IBM Tivoli Identity Manager server and
the software products and components with which the server communicates. The
industry-standard SSL protocol, which uses signed digital certificates from a
certificate authority (CA) for authentication, is used to secure communication in
an IBM Tivoli Identity Manager deployment. Additionally, SSL encrypts the data
exchanged between the applications, so that data transmitted over the network is
intelligible only to the intended recipient.
Signed digital certificates enable two applications connecting in a network to
authenticate each other’s identity. An application acting as an SSL server presents
its credentials in a signed digital certificate to verify to an SSL client that it is the
entity it claims to be. An application acting as an SSL server can also be configured
to require the application acting as an SSL client to present its credentials in a
certificate, thereby completing a two-way exchange of certificates. Signed
certificates are issued by a third-party certificate authority for a fee. Some utilities,
such as those provided by OpenSSL, can also issue signed certificates.
A certificate-authority certificate (CA certificate) must be installed to verify the
origin of a signed digital certificate. When an application receives another
application’s signed certificate, it uses a CA certificate to verify the originator of
the certificate. A certificate authority can be well-known and widely used by other
organizations, or it can be local to a specific region or company. Many applications,
such as Web browsers, are configured with the CA certificates of well known
certificate authorities to eliminate or reduce the task of distributing CA certificates
throughout the security zones in a network.
Private keys, public keys, and digital certificates
Keys, digital certificates, and trusted certificate authorities are used to establish and
verify the identities of applications.
SSL uses public key cryptography for authentication. In public key
cryptography, a public key and a private key are generated for an application.
Data encrypted with the public key can be decrypted only with the corresponding
private key, and a signature produced with the private key can be verified only
with the corresponding public key. The private key is password-protected in a
key database file so that only the owner can use it to decrypt messages that
were encrypted with the public key or to sign data on the owner's behalf.
A signed digital certificate is an industry-standard method of verifying the
authenticity of an entity, such as a server, client, or application. In order to ensure
maximum security, a certificate is issued by a third-party certificate authority. A
certificate contains the following information to verify the identity of an entity:
Organizational information
This section of the certificate contains information that uniquely identifies
the owner of the certificate, such as organizational name and address. You
supply this information when you generate a certificate using a certificate
management utility.
Public key
The receiver of the certificate uses the public key to decipher encrypted
text sent by the certificate owner to verify its identity. A public key has a
corresponding private key that encrypts the text.
Certificate authority’s distinguished name
The issuer of the certificate identifies itself with this information.
Digital signature
The issuer of the certificate signs it with a digital signature to verify its
authenticity. This signature is compared to the signature on the
corresponding CA certificate to verify that the certificate originated from a
trusted certificate authority.
Web browsers, servers, and other SSL-enabled applications generally accept as
genuine any digital certificate that is signed by a trusted certificate authority and is
otherwise valid. For example, a digital certificate can be invalidated because it has
expired or the CA certificate used to verify it has expired, or because the
distinguished name in the digital certificate of the server does not match the
distinguished name specified by the client.
Self-signed certificates
You can use self-signed certificates to test an SSL configuration before you create
and install a signed certificate issued by a certificate authority. A self-signed
certificate contains a public key, information about the owner of the certificate, and
the owner’s signature. It has an associated private key, but it does not verify the
origin of the certificate through a third-party certificate authority. Once you
generate a self-signed certificate on an SSL server application, you must extract it
and add it to the certificate registry of the SSL client application.
This procedure is the equivalent of installing a CA certificate that corresponds to a
server certificate. However, you do not include the private key in the file when
you extract a self-signed certificate to use as the equivalent of a CA certificate.
Use a key management utility to generate a self-signed certificate and private key,
extract a self-signed certificate, and add a self-signed certificate.
Where and how you choose to use self-signed certificates depends on your security
requirements. In order to achieve the highest level of authentication between
critical software components, do not use self-signed certificates, or use them
selectively. For example, you can choose to authenticate applications that protect
server data with signed digital certificates, and use self-signed certificates to
authenticate Web browsers or IBM Tivoli Identity Manager plug-ins.
If you are using self-signed certificates, in the following procedures you can
substitute a self-signed certificate for a certificate and CA certificate pair.
Certificate and key formats
Certificates and keys are stored in files with the following formats:
.pem format
A privacy-enhanced mail (.pem ) format file begins and ends with the
following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A .pem file format supports multiple digital certificates, including a
certificate chain. If your organization uses certificate chaining, use this
format to create CA certificates.
.arm format
An .arm file contains a base-64 encoded ASCII representation of a
certificate, including its public key, but not its private key. An .arm file
format is generated and used by the IBM Key Management utility.
.der format
A .der file contains binary data. A .der file can only be used for a single
certificate, unlike a .pem file, which can contain multiple certificates.
.pfx format (PKCS12)
A PKCS12 file is a portable file that contains a certificate and a
corresponding private key. This format is useful for converting from one
type of SSL implementation to a different implementation.
Configuring certificates when the plug-in operates as an SSL client
In this scenario, the plug-in operates as an SSL client. The plug-in initiates the
connection and the Web server responds by presenting its certificate to the plug-in.
Figure 1 on page 8 illustrates how a Tivoli Identity Manager plug-in operates as
both an SSL server and an SSL client. When communicating with the Tivoli Identity
Manager server, the plug-in sends its certificate for authentication. When
communicating with the Web server, the plug-in receives the certificate of the Web
server.
If the Web server is configured for two-way SSL authentication, it also verifies the identity of the plug-in, which sends its signed certificate to the Web server (not shown in the illustration). To enable two-way SSL authentication between the plug-in and the Web server, use the following procedure:
1. Configure the Web server to require client authentication.
2. Follow the procedure for creating and installing a signed certificate on the Web server.
3. Install the CA certificate for the Web server's certificate on the plug-in, using a certificate installation tool, so that the plug-in can validate the Web server.
4. Add the CA certificate corresponding to the signed certificate of the plug-in to the Web server's trust list, so that the Web server can validate the plug-in.
Each side therefore needs two things: its own signed certificate with private key, and the CA certificate that signed the other side's certificate.
For more information on configuring certificates when the plug-in initiates a connection to the Web server (used by the Tivoli Identity Manager server) to send an event notification, see the Tivoli Identity Manager Information Center.
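The trust relationships in the client scenario and the two-way procedure above (the plug-in validating the Web server's certificate against a CA it trusts and, for two-way SSL, presenting its own certificate) are easier to see in a small client-side illustration. The following Python is an added example written for this page using only the standard ssl module; it is not code from the plug-in or from Tivoli Identity Manager, and the ca_file, client_cert and client_key paths, like the function names, are placeholders that the caller supplies. The first function shows the weak setting, which is what accepting an untrusted certificate amounts to; the second shows what a client should actually enforce.

```python
"""Client-side TLS trust configuration, one-way and two-way.

Added illustration for this page using Python's standard ssl module; it is
not code from the plug-in or from Tivoli Identity Manager. The path arguments
are placeholders supplied by the caller.
"""
import ssl


def insecure_client_context():
    """The programmatic equivalent of clicking through an "untrusted
    certificate" warning: no CA check and no hostname check, so any server,
    including one sitting in the middle of the connection, is accepted.
    Shown only as the setting to avoid; a client configured this way cannot
    tell the real Web server from an impostor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context(ca_file=None, client_cert=None, client_key=None):
    """Hardened client context.

    ca_file      PEM (.arm) file with the CA certificate(s) that signed the
                 Web server's certificate, i.e. the client's CA trust list;
                 None falls back to the platform trust store.
    client_cert  PEM certificate the client presents when the Web server is
                 configured for client authentication (two-way SSL). None
                 gives a one-way configuration.
    client_key   PEM private key matching client_cert. Keep it readable only
                 by the service account: whoever holds it can impersonate
                 the client.
    """
    # create_default_context sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def trust_summary(ctx):
    """What a context will enforce, for checking a deployment's settings
    without opening a connection."""
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
        "trusted_cas_loaded": len(ctx.get_ca_certs()),
    }


if __name__ == "__main__":
    print("insecure:", trust_summary(insecure_client_context()))
    print("one-way :", trust_summary(client_context()))
```

For two-way SSL, pass client_cert and client_key; that is the client half of steps 1 and 4 above, and it only works once the Web server holds the CA certificate that signed the client certificate. Passing ca_file is the client half of step 3.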
Installing CA certificates
Installing the self-signed CA certificate from the IBM Tivoli Identity Manager
server to each target iSeries server consists of transferring the certificate from the
IBM Tivoli Identity Manager server to the iSeries server, starting the certificate
installation tool, exporting the certificate, defining a CA trust list, and assigning the
certificate.
Extracting and transferring the self-signed CA certificate from
the Tivoli Identity Manager server
To extract and transfer the CA certificate used by Tivoli Identity Manager for
authentication with the iSeries server:
1. Use a Web browser, for example Internet Explorer, to connect to Tivoli Identity Manager over SSL (https://hostname:9443/enrole). A dialog box is displayed asking you to accept an untrusted certificate.
Note: This dialog box is not displayed if the SSL certificate is signed by a well-known CA. In that case you must use a certificate tool such as ikeyman to extract the certificate. You only need to view and export the certificate here; you do not have to accept it permanently in the browser.
2. Click View Certificate.
Figure 1. IBM Tivoli Identity Manager plug-in operating as an SSL server and as an SSL client. (Diagram not reproduced. It shows the Tivoli Identity Manager server, the plug-in and the Web server, labelled A, B and C; a Hello followed by Certificate A is exchanged on the connection with the Tivoli Identity Manager server, a Hello followed by Certificate C on the connection with the Web server, and the plug-in holds CA certificate A, certificate A and CA certificate C.)
8 IBM Tivoli Identity Manager: Password Synchronization for OS/400 Plug-in Installation and Configuration Guide
3. On the Details tab, click Copy to File.
4. Click Next.
5. Select DER encoded binary X.509, type a file name in the field, and click Finish.
6. FTP this file to the iSeries server:
a. Type ftp targetmachinename and press Enter.
b. Type your user name and press Enter.
c. Type the password associated with your user name and press Enter.
d. Type bin and press Enter. Binary mode is required; an ASCII-mode transfer alters the DER file and the import fails.
e. Type cd /tmp and press Enter.
f. Type put filename, where filename is the certificate file that you extracted and copied in the previous steps, and press Enter.
g. Type quit and press Enter.
After the transfer, compare the fingerprint of the file on the iSeries server with the thumbprint shown in the browser's certificate details before you import it. FTP provides no integrity protection, and this file defines which server the iSeries system will trust.
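The format descriptions earlier in this chapter (.arm/.pem versus .der) and the extract-and-transfer procedure above both come down to handling the certificate bytes correctly and making sure that what arrives on the iSeries server is what left the Tivoli Identity Manager server. The following Python is an added example for this page, using only the standard library; it is not part of the product, and the function names are the author's. It converts between PEM (.arm) and DER, splits a PEM bundle into its certificates, checks that a .der file is exactly one complete ASN.1 SEQUENCE (which catches a PEM file saved under a .der name and binary data mangled by an ASCII-mode FTP), and computes the fingerprint to compare on both sides before the import. The certificate bytes are a constructed placeholder, not a real certificate.

```python
"""PEM/DER handling and transfer integrity checks for a CA certificate file.

Added example for this page, standard library only. SAMPLE_DER is a
constructed placeholder (a DER SEQUENCE of two INTEGERs), not a real
certificate; the functions work the same way on a real one.
"""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder. The byte 0x0A inside it makes ASCII-mode damage visible.
SAMPLE_DER = bytes([0x30, 0x08, 0x02, 0x02, 0x0A, 0x0A, 0x02, 0x02, 0x01, 0x02])
SAMPLE_DER_2 = bytes([0x30, 0x03, 0x02, 0x01, 0x05])


def split_pem(text):
    """Return the DER bytes of every certificate in a PEM/.arm file.
    A .pem may hold several certificates; a .der holds exactly one."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]


def der_to_pem(der):
    """Wrap DER bytes as a PEM (.arm) block, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Two certificates in one .arm file: legal for PEM, impossible for .der.
SAMPLE_PEM_BUNDLE = der_to_pem(SAMPLE_DER) + der_to_pem(SAMPLE_DER_2)


def der_object_length(data):
    """Parse the outer ASN.1 tag and length of a DER encoding and return the
    total number of bytes the object occupies, or None if the header is not
    a well-formed SEQUENCE (an X.509 certificate is a SEQUENCE, tag 0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                     # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:   # 0x80 (indefinite) is not DER
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def check_der_file(data):
    """True only if data is exactly one complete DER SEQUENCE. Catches the two
    common transfer accidents: a PEM file saved with a .der name, and a binary
    file padded or truncated by an ASCII-mode FTP."""
    total = der_object_length(data)
    return total is not None and total == len(data)


def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER bytes, in the form certificate
    tools display; note it before the transfer and compare after."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ascii_mode_damage(der):
    """Constructed simulation of an ASCII-mode FTP to a CRLF platform:
    every 0x0A byte becomes 0x0D 0x0A."""
    return der.replace(b"\n", b"\r\n")


def verify_received(received, expected_fp):
    """The check to run on the receiving side before importing into DCM:
    one complete DER object, and a fingerprint equal to the one noted on the
    sending side. Returns (ok, reason)."""
    if not check_der_file(received):
        return False, "not a single complete DER object (wrong format or damaged transfer)"
    if fingerprint(received) != expected_fp:
        return False, "fingerprint mismatch"
    return True, "ok"


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER)
    print("fingerprint to note before the FTP:", fp)
    print("binary-mode transfer:", verify_received(SAMPLE_DER, fp))
    print("ascii-mode transfer :", verify_received(ascii_mode_damage(SAMPLE_DER), fp))
    print("certificates in bundle:", len(split_pem(SAMPLE_PEM_BUNDLE)))
```

The single-object check is deliberately strict: DCM expects one certificate in a .der file, and the length field in the DER header is the cheapest way to notice that bytes were added or lost in transit. The fingerprint comparison is what actually proves the iSeries system is about to trust the certificate you extracted and not something substituted along the way.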
Installing the CA certificate on an iSeries system
From an Internet browser, complete the following steps:
1. Open the Web browser to http://iSerieshostname:2001, where iSerieshostname
is the host name of the iSeries server.
2. Enter your iSeries server user name and password, and click OK.
3. On the iSeries Tasks window, select Digital Certificate Manager.
4. On the Digital Certificate Manager window, select Create a Certificate
Authority (CA) in the left pane.
5. Type the information in the required fields.
Note: The Certificate Authority (CA) name describes the name of the iSeries
system.
6. Click Continue.
7. On the Install Local CA Certificate pane, click Continue. The certificate does
not need to be installed.
8. On the Certificate Authority (CA) Policy Data pane, accept the default settings
and click Continue.
9. On the Policy Data Accepted pane, the message The policy data for the Certificate Authority (CA) was accepted. is displayed. Click Continue to create the default server certificate store (*SYSTEM, if it was not created before) and a server certificate signed by your CA.
10. On the next Digital Certificate Manager window, type the information for the required fields.
Note: Specify a different name in the Certificate label field for the certificate store (*SYSTEM database). The fields in the Subject Alternative Name section can be left blank. Click Continue.
11. On the next Digital Certificate Manager window, a list of applications and
certificates is displayed. Click Select All then click Continue.
12. On the Application Status pane, a message The applications you selected
will use this certificate. is displayed. Click Cancel. The creation of a
signing certificate is optional.
13. On the Select a Certificate Store pane, select *SYSTEM and click Continue.
14. On the Certificate Store and Password pane, type the password for the
*SYSTEM Certificate Store database and click Continue.
15. Extract the CA certificate from the Tivoli Identity Manager system and copy
the file to the iSeries system. See “Extracting and transferring the self-signed
CA certificate from the Tivoli Identity Manager server” on page 8.
16. On the next Digital Certificate Manager window, in the Fast Path menu, click Work with CA Certificates.
17. A list of certificates is displayed. Click Import.
18. On the Import Certificate Authority (CA) Certificate pane, in the Import file: field, type the IFS path of the file you transferred, for example:
/qibm/userdata/psdserver.der
(where psdserver.der is the name of the certificate file that you extracted from the Tivoli Identity Manager system; if you followed the FTP procedure above without changing the directory, the file is in /tmp) and click Continue.
19. On the Import Certificate Authority (CA) Certificate pane, type a label name
in the CA certificate label: field, for example: Tivoli Identity Manager
server, and click Continue.
20. In the Fast Path menu, select Work with Client applications and click
Continue.
21. On the Applications registered to use certificates: pane, click Add Application.
22. On the next Digital Certificate Manager window, in the Application ID field, type TIVOLI_PWD_SYNCH. Select Application description: and type a description, for example, Password Sync Exit Handler. Click Add.
23. On the Work with Client Applications pane, the message The application has been added. is displayed. Select Password Sync Exit Handler (the description you gave the application) and click Work with application.
24. On the next Digital Certificate Manager window, click Update Certificate
Assignment.
25. On the next Digital Certificate Manager window, select the certificate you just
created from the list and click Assign New Certificate.
26. In the Update Certificate Assignment pane, the message The certificate was
assigned to the application. is displayed.
27. In the Fast Path pane, click Work with CA certificates. Verify that Tivoli
Identity Manager server is listed as enabled in the Certificate Authority (CA)
list.
Appendix A. Support information
This section describes the following options for obtaining support for IBM
products:
v “Searching knowledge bases”
v “Contacting IBM Software Support”
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or
network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v Performance and tuning information
Provides information needed to tune your production environment, available on
the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list to locate IBM Tivoli Identity
Manager products. Click the link for your product, and then browse the
information center for the Technical Supplements section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
© Copyright IBM Corp. 2004, 2006 11
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus®, and Rational® products, as well as DB2 and WebSphere® products that
run on Windows or UNIX operating systems), enroll in Passport Advantage® in
one of the following ways:
– Online: Go to the Passport Advantage Web page (http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home) and click How to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your geographic region.
v For IBM eServer™ software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries®, pSeries®, and iSeries™ environments),
you can purchase a software maintenance agreement by working directly with
an IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
v Online: Go to the "Submit and track problems" page on the IBM Software Support site (http://www.ibm.com/software/support/probsub.html). Enter your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web (http://techsupport.services.ibm.com/guides/contacts.html) and click the name of your
geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see Searching knowledge bases.
Appendix B. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
ibm.com
AIX
AS/400
DB2
Domino
i5/OS
Informix
iSeries
Linux
Lotus
Lotus Notes
MQSeries
Notes
OS/400
Power PC
Tivoli
Tivoli logo
Universal Database
WebSphere
Microsoft, Windows, Windows NT®, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel®, Intel Inside® (logos), MMX and Pentium® are trademarks of Intel
Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java™ and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Index

A
accessibility
  pdf format, for screen-reader software viii
  statement for documentation viii
  text, alternative for document images viii
adapter
  configuration 4
  features 1
administrator authority prerequisites 3

B
books
  see publications viii

C
certificate authority
  definition 5
certificates
  definition 5
  key formats 7
  overview 5
  private keys and digital certificates 6
  self-signed 6
client validation, SSL 7
configuration
  adapter 4
  plug-in 4
conventions
  HOME directory
    Tivoli_Common_Directory xi
    DB_INSTANCE_HOME x
    HTTP_HOME xi
    ITIM_HOME xi
    LDAP_HOME x
    WAS_HOME xi
    WAS_MQ_HOME xi
    WAS_NDM_HOME xi
  typeface ix
  UNIX variable, directory notation ix
  used in this document ix
customer support
  see Software Support 11

D
DB_INSTANCE_HOME
  DB2 UDB installation directory x
  definition x
directory
  DB_INSTANCE_HOME x
  HTTP_HOME xi
  installation
    DB2 UDB x
    IBM Directory Server x
    IBM HTTP Server xi
    WebSphere Application Server base product xi
    WebSphere Application Server Network Deployment product xi
    WebSphere MQ xi
  installation for Sun ONE Directory Server x
  ITIM_HOME xi
  LDAP_HOME x
  names, UNIX notation ix
  WAS_HOME xi
  WAS_MQ_HOME xi
  WAS_NDM_HOME xi
disabilities, using documentation viii
documents
  IBM Tivoli Identity Manager library v
  related viii

E
encryption
  SSL 5, 6
environment variable
  UNIX notation ix

H
home directories
  DB_INSTANCE_HOME x
  HTTP_HOME xi
  ITIM_HOME xi
  LDAP_HOME x
  WAS_HOME xi
  WAS_MQ_HOME xi
  WAS_NDM_HOME xi
HTTP_HOME
  definition xi
  IBM HTTP Server installation directory xi

I
import
  PKCS12 file 7
information centers, searching to find software problem resolution 11
installation
  directory
    DB2 UDB x
    IBM Directory Server x
    IBM HTTP Server xi
    Sun ONE Directory Server x
    WebSphere Application Server base product xi
    WebSphere Application Server Network Deployment product xi
    WebSphere MQ xi
  plug-in 3
installation prerequisites
  administrator authority 3
  network connectivity 3
  software 3
  system 3
  Tivoli Identity Manager server communication 3
Internet, searching to find software problem resolution 11
ITIM_HOME
  definition xi
  directory xi

K
knowledge bases, searching to find software problem resolution 11

L
LDAP_HOME
  definition x
  IBM Directory Server installation directory x
  Sun ONE Directory Server installation directory x

M
manuals
  see publications viii

N
network connectivity prerequisites 3

O
online publications
  accessing viii

P
path names, notation ix
pdf format, for screen-reader software viii
plug-in
  configuration 4
  installation 3
  installation overview 1
  plug-in overview 1
private key
  definition 5
problem determination
  describing problem for IBM Software Support 13
  determining business impact for IBM Software Support 12
  submitting problem to IBM Software Support 13
protocol
  SSL
    overview 5
    two-way configuration 7
public key 6
publications
  accessing online viii
  IBM Tivoli Identity Manager library v
  related viii

S
self-signed certificate 6
server communication prerequisites 3
software prerequisites 3
Software Support
  contacting 11
  describing problem for IBM Software Support 13
  determining business impact for IBM Software Support 12
  submitting problem to IBM Software Support 13
SSL
  certificate installation 5
  encryption 5
  key formats 7
  overview 5
  private keys and digital certificates 6
  self-signed certificates 6
  two-way configuration 7
system prerequisites 3

T
text, alternative for document images viii
Tivoli Identity Manager plug-in
  communication with the server 7
  SSL communication 7
Tivoli Identity Manager server communication prerequisites
  server 3
Tivoli software information center viii
Tivoli_Common_Directory
  definition xi
two-way configuration
  SSL
    client and server 7
typeface conventions ix

W
WAS_HOME
  definition xi
  WebSphere Application Server base installation directory xi
WAS_MQ_HOME
  definition xi
  WebSphere MQ installation directory xi
WAS_NDM_HOME
  definition xi
  WebSphere Application Server Network Deployment installation directory xi
Printed in USA
SC23-5269-01