Thursday 30 October 2014

Modifying labels in ITIM UI

For Account/Service field labels, modify the $ITIM_HOME/data/CustomLabels.properties file. Find the attribute whose label needs to be modified or created.

    Example: To change the label for the erUid attribute, from 'User Id' to 'Account ID', change the following line from:

      erUid=User Id

      To:

      erUid=Account ID


For general UI labels, modify the $ITIM_HOME/data/Labels.properties file.
    Example: To change the wording "Create Password" (on the Password Management screen) to "Have ITIM Create a Random Password", modify the line:

      generatePassword=Create Password

      To:

      generatePassword=Have ITIM Create a Random Password

Checking for existing IDs via ITIM Identity Policies, and increasing Max Search Results beyond 1000 objects

In the Default Identity Policy, the following line checks for IDs on all services and in the Recycle Bin:

    IdentityPolicy.userIDExists(baseidentity, true, true);


The first boolean argument is CheckAllServices, the second is CheckRecycleBin.
Setting either of these values to false disables ID checking in that area. When CheckAllServices is set to true, a new ID is created for the user on a service only if no other user has that ID on any service.
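The effect of the two flags, as an added example that is not part of the original post and not ITIM product code: a JavaScript simulation of IdentityPolicy.userIDExists over constructed account data. The MockIdentityPolicy class, the sample services, the recycle bin contents and the person record are all assumptions made for the example. In the real product the IdentityPolicy host object is global and the target service is implicit; here both are passed in so the script runs outside ITIM.

```javascript
// Added example: simulate how the two boolean arguments of
// IdentityPolicy.userIDExists(baseidentity, checkAllServices, checkRecycleBin)
// change the generated user ID. MockIdentityPolicy is a stand-in for the
// ITIM host object, not the product API.

// Constructed sample data: IDs already provisioned per service, plus IDs
// that are still sitting in the recycle bin (assumption, not real data).
const SAMPLE_ACCOUNTS = {
  "LDAP Service": ["jsmith", "jsmith1"],
  "AD Service": ["jdoe"],
};
const SAMPLE_RECYCLE_BIN = ["jsmith2"];

class MockIdentityPolicy {
  // targetService is the service the policy is evaluated for; ITIM knows it
  // implicitly, the mock needs it passed in to scope the per-service check.
  constructor(accounts, recycleBin, targetService) {
    this.accounts = accounts;
    this.recycleBin = new Set(recycleBin);
    this.targetService = targetService;
  }

  // Mirrors the semantics described in the post: with checkAllServices the ID
  // must be unused on every service, otherwise only on the target service;
  // with checkRecycleBin, IDs awaiting purge also count as taken.
  userIDExists(id, checkAllServices, checkRecycleBin) {
    const servicesToCheck = checkAllServices
      ? Object.keys(this.accounts)
      : [this.targetService];
    for (const svc of servicesToCheck) {
      if ((this.accounts[svc] || []).includes(id)) return true;
    }
    return checkRecycleBin && this.recycleBin.has(id);
  }
}

// The policy body: first initial + surname, lower-cased, then a numeric
// suffix appended until the candidate ID is free. Same shape as a typical
// ITIM identity policy script, with the host object injected.
function generateUserId(person, identityPolicy, checkAllServices, checkRecycleBin) {
  const base = (person.givenName.charAt(0) + person.sn).toLowerCase();
  let candidate = base;
  let suffix = 0;
  while (identityPolicy.userIDExists(candidate, checkAllServices, checkRecycleBin)) {
    suffix += 1;
    candidate = base + suffix;
  }
  return candidate;
}

// Run the same person through the three flag combinations for "AD Service".
function demo() {
  const policy = new MockIdentityPolicy(SAMPLE_ACCOUNTS, SAMPLE_RECYCLE_BIN, "AD Service");
  const person = { givenName: "John", sn: "Smith" }; // constructed
  return {
    strict: generateUserId(person, policy, true, true),           // jsmith3
    thisServiceOnly: generateUserId(person, policy, false, true), // jsmith
    ignoreRecycleBin: generateUserId(person, policy, true, false), // jsmith2
  };
}

console.log(demo());
```

With both flags true the policy skips jsmith and jsmith1 (taken on the other service) and jsmith2 (in the recycle bin) and lands on jsmith3. Turning CheckAllServices off hands out jsmith even though it is in use on the LDAP service, and turning CheckRecycleBin off reuses jsmith2 before that account has been purged, which is exactly the collision the defaults are there to prevent.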


To increase the Max Search Results, modify the "enrole.ui.maxSearchResults" line in the $ITIM_HOME/data/ui.properties file (shown below):
enrole.ui.maxSearchResults=1000

Unable to access IMS Configuration Utility after IMS server machine IP address is changed

Steps to resolve this issue:

1. Go to the network connection on the PC, and change the network setting of
Environment: TAM ESSO IMS
Solution:
If the IP address has changed, you will need to modify a Tomcat configuration file as follows:
1. Go to [IMS Server installation folder]\conf
2. Open server.xml
3. Search for "WebConfigurator-Service"; this should be the value of the "name" attribute of the "Service" element
4. Within that "Service" element, edit the second IP address in the "allow" attribute of the "Valve" element
5. Save the XML file
6. Restart the IMS Server

Wednesday 22 October 2014

Hooked Reports/Custom Reports in IBM Security Identity Manager

One of the most important and popular concepts in every Identity Management product is reporting.

And yes, IBM Identity Manager also provides reporting.

The report system in ISIM provides a set of default reports that show historical activity in Tivoli
Identity Manager, current entities, and data elements present in the Tivoli Identity Manager
LDAP directory. You can also create custom reports using the report tools.
One of the most interesting concepts in ISIM is the creation of Custom Reports, also called Hooked Reports in most countries.
You can refer to this example to create more customized Hooked Reports.

Steps to create a Hooked Report:

1. Develop a servlet or a JSP page that takes the user's input as the report criteria.

2. If a servlet is developed, then place the servlet mapping entries in the web.xml file of enRole application present in
   <WAS_HOME>\profiles\<profile-name>\config\cells\<node-name>\applications\ITIM.ear\deployments\ITIM\itim_console.war\WEB-INF
   and
   <WAS_HOME>\profiles\<profile-name>\installedApps\<node-name>\ITIM.ear\itim_console.war\WEB-INF directory.

3. Write Java code, in the servlet itself or in a separate Java file, to query the database according to the user input.

4. Also write code to present the results to the user in CSV or PDF form.

5. Add the report entry into the report.xml present under <ITIM-HOME>\data

6. If custom Java or a servlet is developed, put the class files (or the archived jar file) on the class path.
   To place a custom jar file on the Application Server classpath, add its name to the MANIFEST file present under the <WAS_HOME>\profiles\<profile-name>\installedApps\<node-name>\ITIM.ear\itim_console.war\META-INF\ directory.

7. Restart the Application Server.

8. The report name "Hooked Report" defined in the report.xml file above will appear on the Run Report tab of the Report component of the ITIM GUI, under the section "Custom Reports".

9. Run the report as any other ITIM report.

Please note: the ITIM Administrator can define an ACI on the Hooked Report. However, no other ACI enforcement in ITIM applies to the data displayed on the Hooked Report. Therefore be cautious when granting non-admin users an ACI to run the Hooked Report, as those users can see any data the Hooked Report displays.
To work with the example Hooked Report:
1. Copy HookedReport.jsp into <WAS_HOME>\profiles\<profile-name>\installedApps\<node-name>\ITIM.ear\itim_console.war\report (create a new folder named report)
2. Edit HookedReport.jsp and replace the values of the variables (jdbcdriver, jdbcurl, dbuser and dbpassword) with the correct values
3. Copy HookedReport.jar into <WAS_HOME>\profiles\<profile-name>\installedApps\<node-name>\ITIM.ear
4. Add the entry HookedReport.jar to the <WAS_HOME>\profiles\<profile-name>\installedApps\<node-name>\ITIM.ear\itim_console.war\META-INF\MANIFEST.MF file
5. Place the servlet URL mapping in the web.xml present under the folders
<WAS_HOME>\profiles\<profile-name>\config\cells\<node-name>\applications\ITIM.ear\deployments\ITIM\itim_console.war\WEB-INF
and
<WAS_HOME>\profiles\<profile-name>\installedApps\<node-name>\ITIM.ear\itim_console.war\WEB-INF

    <servlet>
        <servlet-name>HookedReportGeneratorServlet</servlet-name>
        <description>HookedReportGeneratorServlet</description>
        <servlet-class>com.ibm.itim.hookedreport.HookedReportGeneratorServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HookedReportGeneratorServlet</servlet-name>
        <url-pattern>HookedReport_Generator_Servlet</url-pattern>
    </servlet-mapping>

6. Edit the report.xml present under <ITIM-HOME>\data and add the following entry:
    <report name="Hooked Report" action="popup">
        <url>./HookedReport.jsp</url>
    </report>
7. Copy the HookedReport.jar file into the ITIM lib folder
8. Add the entry ${ITIM_HOME}/lib/HookedReport.jar to the shared library (ITIM-LIB) in the WebSphere console
9. Restart the Application Server and go to Report -> Run Report. Make sure that "Hooked Report" is present under the "Custom Report" section.

Note: For Cluster setup, repeat steps 1 to 6 mentioned above for each node in the cluster, then restart the cluster.



By Nandavaram Pavan Kumar

Tuesday 21 October 2014

Forgot the password and cannot access WebSphere Application Server administrative console.


There are two possible methods for disabling security:

By way of wsadmin command:
  1. <WAS_INSTALL_DIR>/bin/> wsadmin -conntype NONE
  2. wsadmin> securityoff
  3. wsadmin> exit
  4. Restart the servers.
  5. Enable the security from administrative console.
  6. Restart the servers.


By way of a manual edit of the security.xml file, which is typically located in <WAS_PROFILE_HOME>/config/cells/<CELL_NAME>/:
  1. Create a copy of the security.xml file, in case you need to roll back.
  2. Disable security in the security.xml file (change the very first occurrence of enabled="true" to enabled="false").
  3. Restart the servers.
  4. Enable the security from administrative console.
  5. Restart the servers.
If WebSphere is installed in a cluster environment, you will need to change the security.xml file present in the
DMGR  ----  <WAS_HOME>/Dmgr/config/cells/<CELL_NAME>/
and on all application servers ---- <WAS_HOME>/Appsrv01/config/cells/<CELL_NAME>/

WARNING: Please use this as the last resort and make sure the server is not in the middle of processing any transactions.

Monday 20 October 2014

Red Hat Linux 6.4 prerequisites for installing any IBM product (IBM DB2, TDS, ISIM, ISAM-eb, ISAM ESSO, TFIM, TSPM, WebSphere)

For Red Hat Linux 6.4, as a first task make sure the 32-bit and 64-bit packages below are installed. This is irrespective of the product you are installing.
 
64 bit:
yum install compat-libstdc++-33-3.2.3-69.el6.x86_64
yum install compat-db-4.6.21-15.el6.x86_64
yum install libXp-1.0.0-15.1.el6.x86_64
yum install libXmu-1.1.1-2.el6.x86_64
yum install libXtst-1.2.1-2.el6.x86_64
yum install pam-1.1.1-13.el6.x86_64
yum install libXft-2.3.1-2.el6.x86_64
yum install gtk2-2.18.9-12.el6.x86_64
yum install gtk2-engines-2.18.4-5.el6.x86_64
 
32 bit:
yum install compat-libstdc++-33-3.2.3-69.el6.i686
yum install compat-db-4.6.21-15.el6.i686
yum install libXp-1.0.0-15.1.el6.i686
yum install libXmu-1.1.1-2.el6.i686
yum install libXtst-1.2.1-2.el6.i686
yum install pam-1.1.1-13.el6.i686
yum install libXft-2.3.1-2.el6.i686
yum install gtk2-2.18.9-12.el6.i686
yum install gtk2-engines-2.18.4-5.el6.i686

ADT Issue - Save Failed org/apache/xml/serialize/OutputFormat

This is one of the most common issues faced after installing the ADT (Adapter Development Tool).

Why the issue occurs:
A mismatch in the version of IBM Java.
ADT uses 32-bit IBM Java, whereas the installed TDI is 64-bit and uses 64-bit IBM Java.

Steps to fix:
The best way is to copy the JRE folder from TDI into the ADT install folder. That way ADT works even if the TDI on your ADT dev machine is 64-bit (though this means you have to get the 32-bit Java from another TDI installation).
Place the jre folder in the ADT home directory.

Friday 17 October 2014

User cannot log into Websphere console due to SRVE0260E error


When an administrative user tries to log into a newly configured Network Deployment console for WebSphere Process Server, the browser shows an error and does not proceed to the console. A page refresh and a dmgr restart do not resolve the issue.
Error Page Exception
SRVE0260E: The server cannot use the error page specified for your application to handle the Original Exception printed below.

Original Exception:
Error Message: java.lang.NullPointerException
Error Code: 500
Target Servlet:
Error Stack:
java.lang.NullPointerException
     at com.ibm.isclite.container.provider.PortletContainerContextProvider.addContainerService(PortletContainerContextProvider.java:101)

This happens because the open files limit is set too low.

Steps to resolve this:
Raise the open files OS limit on Linux systems to 8192:
$> ulimit -n 8192

and restart the deployment manager server afterwards.

Tuesday 14 October 2014

Configuring a websphere cluster to run as a service (Windows)



Steps to be executed:

1. Configure your node agent or node agents to run as a service by using the WASService command line tool.
The following example uses the Local System account, SYSTEM, as the default user ID. If you want to use a different account, you can specify your own user ID by using the -userid option.
C:\IBM\WebSphereND855\AppServer\bin>WASService
-add "myNode01" -servername nodeagent
-profilePath C:\IBM\WebSphereND855\AppServer\profiles\Custom01
-wasHome C:\IBM\WebsphereND855\Appserver
-logFile C:\IBM\WebSphereND855\AppServer\profiles\Custom01\logs\nodeagent\startNode.log
-logRoot C:\IBM\WebSphereND855\AppServer\profiles\Custom01\logs\nodeagent
-restart true -startType automatic

Adding Service: ImyNode01
        Config Root: C:\IBM\WebSphereND855\AppServer\profiles\Custom01\config
        Server Name: nodeagent
        Profile Path: C:\IBM\WebSphereND855\AppServer\profiles\Custom01
        Was Home: C:\IBM\WebsphereND855\Appserver\
        Start Args:
        Restart: 1
IBM WebSphere Application Server V8.5.5 - myNode01 service successfully added.

2. Configure your cluster members to restart automatically:
    1. Log in to the WebSphere administrative console.
    2. Click Servers > Application Servers > server_name.
    3. Expand Java and Process Management and select Monitoring Policy.
    4. Change the node restart state to RUNNING.
    5. Click OK and Save.
Repeat this step for each server in the cluster.

3. Shut down your node agents by using the stopNode command.
4. Shut down your cluster by using the WebSphere administrative console.
5. Start your node agents by using the Windows Services Console. Your cluster will automatically restart.

Note: Your node agents and cluster members now run in the context of the Local System account instead of your own user account, unless you specified a different account when you ran the WASService command in step 1.
You can now safely log out of your Windows user account and your cluster will continue to run.

How to customize the login page of WebSEAL to render the images properly

Customizing the login.html pages:
1. Open the WebSEAL configuration file, search for the [content-mime-types] stanza, and add the line shown below:
css = text/css
2. Go to the WebSEAL docs directory (e.g. /opt/pdweb/www-webseald/docs/) and place all the CSS and image files or folders there.
3. Change the permissions of the folder to 750 (e.g. chmod 750 icons)
4. Change the permissions of the image and CSS files to 440 (e.g. chmod -R 440 *, or chmod 440 *, or chmod 440 icon-phone-red.png)
5. Change the owner of all the image and CSS folders to ivmgr (e.g. chown ivmgr:ivmgr *)
6. Customize the page as required
7. Log in to pdadmin
8. Attach the unauth ACL to the folders or images (e.g. acl attach /WebSEAL/myssoenv-webseald/_CSS unauth)
Note: Steps 3, 4 and 5 are required only if WebSEAL is installed on Linux or AIX servers.

By
Nandavaram Pavan Kumar

How to Configure extended attributes in WebSEAL

Steps to configure extended attributes:

1. Log in to the WebSEAL server.
2. Open the WebSEAL instance configuration file.
Location: /web/pdweb/etc/webseald-<instance-name>.conf
3. In the [aznapi-entitlement-services] stanza, add the property
ISAM_CRED_ATTRS_IDS = azn_ent_cred_attrs
4. In the [aznapi-configuration] stanza, add the property
cred-attribute-entitlement-services = ISAM_CRED_ATTRS_IDS
5. At the end of the file, add the following stanzas and properties:

[ISAM_CRED_ATTRS_IDS]
user = azn_cred_registry_id
[ISAM_CRED_ATTRS_IDS:user]
tagvalue_credattrs_givenname = givenname
tagvalue_credattrs_sn = sn
tagvalue_credattrs_uid = uid


Run the commands below to set the extended attributes at the junction level:

pdadmin sec_master> object list /WebSEAL
pdadmin sec_master> object modify /WebSEAL/myssoenv-mywebinst1/MyJct set attribute HTTP-Tag-Value credattrs_uid=SM_USER
or
pdadmin sec_master> object modify /WebSEAL/myssoenv-mywebinst1/MyJct set attribute HTTP-Tag-Value credattrs_uid=uid
pdadmin sec_master> object modify /WebSEAL/myssoenv-mywebinst1/MyJct set attribute HTTP-Tag-Value credattrs_sn=sn
pdadmin sec_master> object show /WebSEAL/myssoenv-mywebinst1/MyJct
where MyJct is the junction name.

By
Nandavaram Pavan Kumar

Monday 13 October 2014

How to call ISIM API from ITDI


To call the ISIM APIs from within an ITDI Assembly Line, the following jar files must be placed on the ITDI classpath (e.g. $ITDI_HOME/jars/3rdparty/IBM/isim):
    • <ISIM_HOME>/lib/api_ejb.jar
    • <ISIM_HOME>/lib/itim_api.jar
    • <ISIM_HOME>/lib/itim_common.jar
    • <ISIM_HOME>/lib/itim_server.jar
    • <ISIM_HOME>/lib/itim_server_api.jar
    • <ISIM_HOME>/lib/jlog.jar
    • <ISIM_HOME>/lib/com.ibm.cv.kmip.ext.jar
    • <WAS_HOME>/plugins/com.ibm.ws.ejbportable.jar
    • <WAS_HOME>/plugins/com.ibm.ws.emf.jar
    • <WAS_HOME>/plugins/com.ibm.ws.runtime.jar
    • <WAS_HOME>/runtimes/com.ibm.ws.admin.client_7.0.0.jar
    • <WAS_HOME>/runtimes/com.ibm.ws.webservices.thinclient_7.0.0.jar
The "jaas_login_was.conf" file can be found in $ISIM_HOME/extensions/6.0/examples/apps/bin, and has the contents:

WSLogin {
com.ibm.ws.security.common.auth.module.proxy.WSLoginModuleProxy required delegate=com.ibm.ws.security.common.auth.module.WSLoginModuleImpl;
};

The "sas.client.props" and "ssl.client.props" files can be found in $WAS_HOME/AppServer/profiles/<your_profile>/properties. If ITDI is on a separate machine from WebSphere, those files will need to be copied to the ITDI machine. "sas.client.props" should have the following settings:

com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.authenticationTarget=BasicAuth
com.ibm.CORBA.authenticationRetryEnabled=true
com.ibm.CORBA.authenticationRetryCount=3
com.ibm.CORBA.validateBasicAuth=true
com.ibm.CORBA.securityServerHost=isimsvr
com.ibm.CORBA.securityServerPort=2809
com.ibm.CORBA.loginTimeout=300
com.ibm.CORBA.loginSource=prompt

# RMI/IIOP user identity
com.ibm.CORBA.loginUserid=
com.ibm.CORBA.loginPassword=

"com.ibm.CORBA.securityServerHost" should be the hostname of your WebSphere server. It must be resolvable from the ITDI machine. You can use "ping hostname" to check if the machine can be found on the network with that name. "com.ibm.CORBA.securityServerPort" should be set to the port number listed for BOOTSTRAP_ADDRESS in the WebSphere Admin console under: Servers -> Server types -> WebSphere application servers -> <your_appserver> -> Ports.

If ITDI is on a separate machine from WebSphere, you will need to edit the "ssl.client.props" file to refer to local copies of the key and truststores.

The "appServerURL" used in the example code should match this line from your enRole.properties file:
enrole.appServer.url=corbaloc:iiop:isimsvr:2809

When defining the CORBA and SSL ConfigURL settings in the example code, it is VERY important that the values be prefixed with "file:". The WebSphere client code expects a correctly formatted URL string, and leaving out the "file:" protocol prefix will cause it to fail.

If you are experiencing errors when setting this up, please enable client tracing for the WebSphere jar files used by ITDI. Edit %ITDI_HOME%\ibmdisrv.bat [Windows] or $ITDI_HOME/ibmdisrv [UNIX] to add the following JVM flags:

-Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log -DtraceSettingsFile=/path/to/TraceSettings.properties

The original JVM string from ibmdisrv.bat:
"%TDI_JAVA_PROGRAM%" -classpath "%TDI_HOME_DIR%\IDILoader.jar" %ENV_VARIABLES% com.ibm.di.loader.ServerLauncher %*

The DEBUG JVM string from ibmdisrv.bat:
"%TDI_JAVA_PROGRAM%" -classpath "%TDI_HOME_DIR%\IDILoader.jar" %ENV_VARIABLES% -Dcom.ibm.CORBA.Debug=true -Dcom.ibm.CORBA.CommTrace=true -Dcom.ibm.CORBA.Debug.Output=client.log -DtraceSettingsFile=c:/IBM/Solutions/TraceSettings.properties com.ibm.di.loader.ServerLauncher %*

An example "TraceSettings.properties" file can be found in $WAS_HOME/AppServer/properties. For this case, it should have the following contents:

traceFileName=MyTraceFile.log
com.ibm.ws.security.*=all=enabled
com.ibm.websphere.security.*=all=enabled

Unless a full path is specified, "MyTraceFile.log" and "client.log" will be written to whatever directory was chosen as the $SOLUTION_DIR when starting ITDI.

Configuring ISAM ESSO with ISIM.

1) As ISAM ESSO is a TDI-based adapter, make sure only one instance of TDI is running on the box where you are configuring ISAM ESSO. In my case there were two instances, which resulted in a communication error.
2) Also, the ISAM ESSO Adapter document describes configuring SSL between the Dispatcher and the IMS Server as an optional step. But without the SSL configuration, you cannot integrate ISAM ESSO with ISIM.
The following are the steps to be followed while configuring ISAM ESSO with ISIM.
1) Copy the SAMESSOConnector.jar file from the installation package to the Tivoli Directory Integrator directory. The location depends on your operating system. For Windows: ITDI_HOME\jars\connectors
2) Configure the IBM Security Access Manager Enterprise Single Sign-On IMS Server.
a) Start the IMS Configuration Utility.
b) Click IMS Bridges on the left side under Advanced settings.
c) Select IMS Bridge from the Add configuration group drop-down box and Click Configure.
d) Define a name and an IMS Bridge password (a shared secret) in the available text input boxes.
e) Enter an IMS Bridge IP address value. This address is the IP address of the systems on which Tivoli Directory Integrator is installed.
f) Click Add. Set the value for IMS Bridge Type to Provisioning.
g) Click Add. Log on to IBM Security Access Manager Enterprise Single Sign-On AccessAdmin.
h) Navigate to System Policies > Sign up Policies > Option for specifying secret. Choose Secret not required.
i) Click Update.
j) At the WebSphere console, restart the IMS Server application for the changes to take effect.
3) Configure the SSL connection between Dispatcher and the IMS Server
a) Go to https://SAM_ESSO_server/. The SAM_ESSO_server is the IMS Server hostname.
b) View the certificate. Click SSL lock. If your browser reports that revocation information is not available, click View Certificate. Click Certification Path. Select the CA Root certificate. Export the certificate into a file encoded in the Base64 format.
c) If the Dispatcher already has a configured keystore, use the keytool program to import the IMS Server certificate. If the keystore is not configured, create it by running the following command from a command prompt. Type the command on a single line.
keytool -import -alias ims -file c:\TAMESSO.cer -keystore c:\truststore.jks -storepass passw0rd
d) Edit the ITDI_HOME/timsol/solution.properties file to specify the truststore and keystore information:
javax.net.ssl.trustStore=truststore.jks
javax.net.ssl.trustStorePassword=passw0rd
javax.net.ssl.trustStoreType=jks
e) After modifying the solution.properties file, restart the RMI Dispatcher. Then import the adapter profile into the IBM Security Identity Manager server.