Tuesday, 27 October 2015

Cannot Access WebSEAL after applying the ISAM Fix Pack or Updates in Virtual Appliance

This issue is common when upgrading the ISAM virtual appliance (VA).

After the upgrade, some or all of the appliance interfaces stop responding.
There are also cases where ISAM users are deleted after the fix pack is applied, but that is a separate issue.

Back up the LDAP and DB2 data before applying an update or a fix pack.
For the appliance itself, take a VM-level snapshot.
The ISAM VA console can take a snapshot, but it only captures the ISAM configuration; if your users are deleted, that snapshot will not bring them back.

When configuring interfaces on an ISAM 8.0.0.x appliance, do not configure IP addresses from the same subnet on multiple interfaces.

Request packets might arrive over one interface/IP address but be returned over a different interface/IP address. In some environments this is a problem, because switches (and stateful firewalls) can drop response packets that come back from a different IP address than the one the request was sent to.

Configuring the same subnet on multiple interfaces results in the routing table containing duplicate connected routes, one per interface, and the appliance may pick either of them for a reply.

Suspect this if some interfaces seem to become unresponsive, or if a packet trace captures traffic in only one direction.

There are a couple of ways to address this problem:

Recommended method:

The recommended fix is to put each interface in a different subnet. For example, moving the P.1 interface to a different subnet, such as 192.168.20.250/24, gives distinct routing table entries:

192.168.20.170 - 0.0.0.0 - 255.255.255.0 - P1
192.168.30.170 - 0.0.0.0 - 255.255.255.0 - M1
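As an added example (not from the original post or from IBM), the check below takes an interface-to-address map of the kind shown above and reports subnets that appear on more than one interface, which is exactly the configuration that produces the duplicate connected routes. The interface names and addresses are constructed sample data; it also flags partially overlapping prefixes, which the text does not discuss but which cause the same asymmetric-return problem.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: interface -> address/prefix assignments on an appliance.
# M.1 and P.1 share 192.168.20.0/24, the case the text warns about.
SAMPLE_INTERFACES = {
    "M.1": "192.168.20.10/24",
    "P.1": "192.168.20.250/24",
    "P.2": "192.168.30.170/24",
}


def routes_from_interfaces(interfaces):
    """Derive the connected routes the appliance would install: one (network, interface) per address."""
    return [(ipaddress.ip_interface(addr).network, name) for name, addr in interfaces.items()]


def duplicate_subnets(interfaces):
    """Return {subnet: [interfaces]} for every subnet configured on more than one interface."""
    seen = defaultdict(list)
    for net, name in routes_from_interfaces(interfaces):
        seen[net].append(name)
    return {str(net): sorted(names) for net, names in seen.items() if len(names) > 1}


def overlapping_subnets(interfaces):
    """Return (net_a, if_a, net_b, if_b) for prefixes that differ but still overlap,
    e.g. a /23 on one interface that contains a /24 on another."""
    routes = routes_from_interfaces(interfaces)
    hits = []
    for i, (net_a, if_a) in enumerate(routes):
        for net_b, if_b in routes[i + 1:]:
            if net_a != net_b and net_a.overlaps(net_b):
                hits.append((str(net_a), if_a, str(net_b), if_b))
    return hits


if __name__ == "__main__":
    for net, names in duplicate_subnets(SAMPLE_INTERFACES).items():
        print(f"duplicate connected route {net} on {', '.join(names)}: replies may leave via either interface")
    for net_a, if_a, net_b, if_b in overlapping_subnets(SAMPLE_INTERFACES):
        print(f"{net_a} on {if_a} overlaps {net_b} on {if_b}")
```

Run it against the interface list from the LMI before and after moving P.1; an empty result from both functions means every interface has its own distinct route.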


Alternate method:

Starting with ISAM 8.0.0.5, reverse proxy instances can listen on all interfaces and need not be tied to a specific application interface, so configuring application interfaces on the appliance is no longer mandatory.

Note:

This approach is not advisable if the ISAM appliance is deployed in a DMZ. Because the management interface and the reverse proxy instances would share the same IP address, the management services (LMI) could end up exposed to the public.

a. During configuration of a new reverse proxy instance, specifying 0.0.0.0 for
the IP address of the primary interface ensures that the new instance listens
on all the interfaces including the management interface M.1



b. For existing reverse proxy instances, the primary interface can be changed by
selecting the instance -> Edit and modifying the values on the first tab
'Server'.



Note:

When changing the network interface on which an existing reverse proxy instance is listening, ensure that no other service is listening on the ports specified under 'HTTPS Port' and 'HTTP Port'; otherwise the reverse proxy instance will fail to start.

By default, ports 80 and 443 on the management interface are used by the LMI. If a reverse proxy instance needs to listen on those ports, you can change the default port values used by the LMI using these advanced tuning parameters:


For Reference:
http://www-01.ibm.com/support/docview.wss?uid=swg21691208

Disabling Password Encryption on ISIM (DB,LDAP,WebSphere)

I have been really busy and have not been able to post anything on this blog for a while. I am back now and will be posting at least once a month.

I have recently been working on password-related issues and found a few good ones on how to decode or disable password encryption on ISIM.

These are the steps to do it:

To disable encryption and configure DB, LDAP and Application Server user passwords in ISIM 6.x as plaintext, make the following modifications:

For DB user:
- to disable password encryption, set enrole.password.database.encrypted= to false in enRole.properties
- to set plaintext password for Database user (database.db.user), type plaintext password for database.db.password= value in enRoleDatabase.properties

For LDAP user:
- to disable password encryption, set enrole.password.ldap.encrypted= to false in enRole.properties
- to set plaintext password for ldap Principal (java.naming.security.principal), type password for java.naming.security.credentials= value in enRoleLDAPConnection.properties

For Application Server users:
- to disable password encryption, set enrole.password.appServer.encrypted= to false in enRole.properties
- to set plaintext password for WebSphere administrator (enrole.appServer.systemUser), type password for enrole.appServer.systemUser.credentials= value in enRole.properties
- to set plaintext password for ISIM system user (enrole.appServer.ejbuser.principal), type password for enrole.appServer.ejbuser.credentials= value in enRole.properties

Once those changes are made, runConfig will work, and you can re-enable encryption on the Security tab of the System Configuration panel. While the files hold plaintext credentials, keep their file permissions restricted to the ISIM service account, and re-enable encryption as soon as runConfig completes.

Monday, 27 July 2015

4 Simple Steps to Configure Pass-through Authentication in TDS and Configure the Same in ISAM.

Firstly, thank you all for the great response and the awesome support shown to this blog.
If you have any doubts or issues about the posts, please comment and we will get back to you at the earliest.
Thanks, and keep supporting.

Now Lets get to the Matter in hand.

Everyone in the corporate world is looking for an extra layer of security to safeguard corporate information.

To satisfy strict security requirements while keeping access easy, an IDM component is designed to provide a lot of extra functionality, and IBM's products are no exception.

One of those functions is support for pass-through authentication.
Pass-through authentication is a mechanism that allows a client to bind to a directory server even if the user's credential is not available locally. The server verifies the credentials against another external directory server (the pass-through server) on behalf of the client.

In simpler terms:
you use TDS as the user registry for an application like ISAM (or any other product), but your users and their passwords live in AD (or another directory server), and you want to leverage that.

In this case I am configuring pass-through from TDS to AD.
When a system tries to validate a user ID and password against TDS, TDS receives the bind request, sees that pass-through is configured for that subtree, and forwards the supplied credentials to the AD server, which performs the actual verification. TDS never stores or retrieves the password; it stays entirely in the pass-through server (here, AD).

If you are reading this page you have probably already done your research and do not want to hear all this again,
so without further ado, the steps to configure pass-through authentication from TDS/SDS to AD:

There are several ways to configure pass-through; the steps below are one of the easy ones:

Enabling Pass through authentication from WebAdmin(IDSWebApp)

Step 1: Enable the pass-through authentication option on your TDS/SDS.
In the WebAdmin console, log in, expand Server administration, click Manage security properties, open the Pass-through authentication tab and select the Pass-through authentication checkbox.

Step 2: Add the details of the pass-through server (AD).
Click Add and enter the pass-through server's host name and port. In the DN field, enter the suffix in TDS for which you want pass-through enabled.

Step 3: Click Next and, on the next screen, check Enable attribute mapping.
Enter the bind credentials for the pass-through (AD) server, click Search base and select the OU in the pass-through server you want to map to.
For "Attribute for this directory server", pick an attribute that exists and is unique in TDS, such as uid (cn or sn only work if they are unique in your tree).
For "Attribute from the pass-through server", pick the matching attribute in AD, such as sAMAccountName or userPrincipalName.
The attributes may not show up in the drop-down, so type them in manually if needed.
Click Finish.

Step 4: Restart the TDS instance. A server restart is enough.


Enabling pass-through authentication from the command line:

This is my favourite, as it is quick and clean.
Step 1: Go to the bin folder of your TDS installation and create an LDIF file with the entries below.
In my case I created a file called PTA.ldif


dn: cn=Configuration
changetype: modify
replace: ibm-slapdPtaEnabled
ibm-slapdPtaEnabled: true

dn: cn=Passthrough Server1, cn=Passthrough Authentication, cn=Configuration
changetype: add
cn: Passthrough Server1
ibm-slapdPtaURL: ldap://<PTA hostname>:<port>
ibm-slapdPtaSubtree: o=sample1
ibm-slapdPtaAttrMapping: uid $ userPrincipalName
ibm-slapdPtaSearchBase: c=in,dc=com
ibm-slapdPtaBindDN: <bind DN>
ibm-slapdPtaBindPW: <bind password>
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdPta
objectclass: ibm-slapdPtaExt



o=sample1 -- the suffix in the TDS instance on which you want pass-through authentication enabled.
ibm-slapdPtaAttrMapping -- "uid" is the attribute in TDS and "userPrincipalName" is the matching attribute in the pass-through server (AD); the values must be identical for the mapping to find the user.
c=in,dc=com -- the search base in AD under which the mapped user entry is looked up.

Step 2: Execute the command below with your TDS instance details.
ldapmodify -h <hostname> -p <port> -D <adminDN> -w <adminPWD> -f <location of the PTA.ldif file>

Step 3: Restart the TDS instance.

Step 4: Have a cup of coffee or a bottle of beer, or both, as you have successfully configured pass-through authentication.


Note: Leave userPassword unset on the TDS entries covered by the pass-through subtree. The bind is only passed through when no password is stored locally; an entry that still carries a userPassword is authenticated against that local value instead of AD.

Special Note: Make sure the required ports (the pass-through server port you configured, typically 389 or 636 for AD) are open in the firewall between TDS and AD, or else your coffee/beer can turn into a nightmare at the office.
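The following is an added example, not part of the original post and not IBM's implementation: a small model of the pass-through decision described above, used to show why the mapping attribute must be unique on both sides and why a locally stored userPassword short-circuits pass-through. The TDS and AD entries are constructed sample data; a real TDS verifies the credential by binding to AD as the resolved entry, which this model only represents by returning the target DN.

```python
# Constructed sample directories (not real data). Keys are DNs, values are attribute maps.
TDS_ENTRIES = {
    "uid=alice,o=sample1": {"uid": "alice@in.com"},                       # maps cleanly to one AD entry
    "uid=bob,o=sample1":   {"uid": "bob@in.com", "userPassword": "{SSHA}x"},  # local password present
    "uid=carol,o=sample1": {"uid": "carol@in.com"},                        # ambiguous: two AD hits
    "uid=dave,o=sample1":  {"uid": "dave"},                                # value is a sAMAccountName, not a UPN
}
AD_ENTRIES = {
    "CN=Alice,OU=Users,DC=in,DC=com":   {"userPrincipalName": "alice@in.com", "sAMAccountName": "alice"},
    "CN=Bob,OU=Users,DC=in,DC=com":     {"userPrincipalName": "bob@in.com",   "sAMAccountName": "bob"},
    "CN=Carol A,OU=Users,DC=in,DC=com": {"userPrincipalName": "carol@in.com", "sAMAccountName": "carola"},
    "CN=Carol B,OU=Users,DC=in,DC=com": {"userPrincipalName": "carol@in.com", "sAMAccountName": "carolb"},
    "CN=Dave,OU=Users,DC=in,DC=com":    {"userPrincipalName": "dave@in.com",  "sAMAccountName": "dave"},
}


def resolve_pta_target(tds_entry, ad_entries, mapping=("uid", "userPrincipalName")):
    """Return the single AD DN whose mapped attribute equals the TDS attribute value.
    Zero or several hits return None: an ambiguous mapping must never be resolved by
    taking the first hit, or a bind could be verified against the wrong account."""
    local_attr, remote_attr = mapping
    value = tds_entry.get(local_attr)
    if value is None:
        return None
    hits = [dn for dn, attrs in ad_entries.items()
            if attrs.get(remote_attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None


def bind_decision(tds_dn, tds_entries, ad_entries, mapping=("uid", "userPrincipalName")):
    """How a simple bind to tds_dn is handled in this model:
    ("local", None)          -> entry has userPassword, verified locally, no pass-through
    ("passthrough", ad_dn)   -> credentials would be verified by binding to ad_dn
    ("reject", None)         -> unknown entry, no mapping hit, or ambiguous mapping"""
    entry = tds_entries.get(tds_dn)
    if entry is None:
        return ("reject", None)
    if "userPassword" in entry:
        return ("local", None)
    target = resolve_pta_target(entry, ad_entries, mapping)
    return ("passthrough", target) if target else ("reject", None)


if __name__ == "__main__":
    for dn in TDS_ENTRIES:
        print(dn, "->", bind_decision(dn, TDS_ENTRIES, AD_ENTRIES))
    # dave only works once the mapping uses the attribute his uid actually holds
    print("dave with sAMAccountName mapping ->",
          bind_decision("uid=dave,o=sample1", TDS_ENTRIES, AD_ENTRIES, ("uid", "sAMAccountName")))
```

The two failures worth noticing are carol (duplicate userPrincipalName values in AD, so no safe target) and dave (the TDS uid holds a short name while the mapping compares it to a UPN); both look like "wrong password" to the end user, so check the mapping and uniqueness first when pass-through binds fail.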


Now for configuring the same on ISAM.
While configuring the policy server, make sure the LDAP suffix is set to the suffix on which pass-through is enabled.

After configuring the policy server and the WebSEAL instance, set auth-using-compare = no in the [ldap] stanza of ivmgrd.conf and webseald.conf. With the default value of yes, ISAM verifies a password with an LDAP compare against the entry's userPassword attribute, which cannot succeed when the password lives only in AD; with no, ISAM performs an LDAP bind as the user, and that bind is what TDS passes through.

Restart the policy server and WebSEAL for the changes to take effect.

Tuesday, 30 June 2015

Decrypting the Password from the ITIM property files in JAVA


Yes, you can decrypt an encrypted password from the ISIM property files, such as enRoleLDAPConnection.properties and enRoleDatabase.properties.
This is useful when you need to connect to the ISIM LDAP or database from Java code in workflows, through a FESI extension or a custom extension, or in ISIM hooked reports.

The com.ibm.itim.common.properties package shipped with ISIM in the WebSphere libraries contains a class called PropertiesManager.

Obtain its instance and look at the methods it provides.
The method getEncryptedProperty returns the decrypted value of an encrypted property.

Confused, and wondering why you need all of the above? The sample code below should make it clearer.


Sample code for reference

// add the import along with your other import statements
import com.ibm.itim.common.properties.PropertiesManager;

public class MyLdapConnection {

    public MyLdapConnection() {
        // PropertiesManager is a singleton; gInstance() returns the shared object
        PropertiesManager pm = PropertiesManager.gInstance();
        // first argument: the property-file alias defined in properties.properties
        // second argument: the encrypted property whose decrypted value is wanted
        String ldapServerPwd = pm.getEncryptedProperty("enrole.ldap.connection",
                                                       "java.naming.security.credentials");
    }
}


In the code above, enrole.ldap.connection is a key in the properties.properties file in the <ISIM installed location>/data/ folder.
PropertiesManager looks that key up in properties.properties to find which property file (here enRoleLDAPConnection.properties) to read the encrypted value from.

Monday, 8 June 2015

java.io.FileNotFoundException in the TDI while using JNDI Connector as a feed to ISIM

Feeding ITIM from TDI using the JNDI connector results in java.io.FileNotFoundException.

Even though the file is present, in the correct format and in the correct location, TDI throws a file-not-found exception. The cause is usually not that TDI cannot find the file; other factors produce the same exception.

There are typically two reasons for this error:
1. The port number in the Provider URL is incorrect.
2. The name parameter on the TDI connection form is incorrect. (This actually produces a different error, which was seen while evaluating this issue.)

If a certificate is deployed, or a VIP is defined for an Identity Manager WAS cluster, the URL used to reach Identity Manager may look like this:

https://<ITIM VIP Hostname>/itim/console/main

But the actual port on which the enrole application listens is not the standard 9080 or 80.

The Provider URL on the JNDI connector's Connection tab must match the port the enrole application listens on.

To determine the correct URL/port:

Review SystemOut.log of the WAS server running the ITIM application.
Search for the startup details. For example:

WSVR0221I: Application started: ITIM
TCPC0001I: TCP Channel TCP_2 is listening on host * (IPv4) port 9082.


Therefore, on the TDI JNDI Connection tab, the ITIM URL must contain the correct (IPv4) port. For example,

http://<ITIM VIP Hostname>:9082/enrole/dsml2_event_handler
which matches the TCP listening port of the WAS/Enrole.ear.

Finally, verify that $dn is correctly formed from the naming context/search base. For example:

ret.value="uid="+work.getString("UID")+","+<ConnectorName>.getConnectorParam("jndiSearchBase");
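As an added example (not from the original post), the script below does the port lookup described above over SystemOut.log lines and builds the Provider URL from it, refusing to fall back to a default port when the expected channel is not found. The log lines are constructed in the shape of the TCPC0001I / WSVR0221I messages quoted above, and the choice of TCP_2 as the channel that serves the enrole application is an assumption taken from the quoted log; check your own log for the channel name.

```python
import re

# Constructed sample in the shape of WebSphere SystemOut.log entries (not a real capture).
SAMPLE_LOG = """\
[6/8/15 10:01:12:345 IST] 0000000a ApplicationMg A   WSVR0221I: Application started: ITIM
[6/8/15 10:01:13:001 IST] 0000000a TCPChannel    A   TCPC0001I: TCP Channel TCP_2 is listening on host *  (IPv4) port 9082.
[6/8/15 10:01:13:002 IST] 0000000a TCPChannel    A   TCPC0001I: TCP Channel TCP_4 is listening on host *  (IPv4) port 9445.
[6/8/15 10:01:13:003 IST] 0000000a TCPChannel    A   TCPC0001I: TCP Channel TCP_3 is listening on host *  (IPv6) port 9082.
"""

# Matches the TCPC0001I listener message and captures channel, host, address family and port.
TCP_LISTEN = re.compile(
    r"TCPC0001I: TCP Channel (?P<channel>\S+) is listening on host (?P<host>\S+)\s+"
    r"\((?P<family>IPv4|IPv6)\) port (?P<port>\d+)\."
)


def listening_ports(log_text, family="IPv4"):
    """Return {channel: port} for every TCPC0001I line of the given address family."""
    ports = {}
    for line in log_text.splitlines():
        m = TCP_LISTEN.search(line)
        if m and m.group("family") == family:
            ports[m.group("channel")] = int(m.group("port"))
    return ports


def provider_url(host, log_text, channel="TCP_2", scheme="http"):
    """Build the JNDI Provider URL for the dsml2 event handler from the port WAS reports
    for `channel`. Raises LookupError instead of guessing 80/9080 when the channel is absent,
    because a wrong port is exactly what produces the misleading FileNotFoundException."""
    ports = listening_ports(log_text)
    if channel not in ports:
        raise LookupError(f"no IPv4 listener for {channel} in log; check the TCP channel name")
    return f"{scheme}://{host}:{ports[channel]}/enrole/dsml2_event_handler"


if __name__ == "__main__":
    print(listening_ports(SAMPLE_LOG))
    print(provider_url("itim-vip.example.com", SAMPLE_LOG))
```

Paste the value printed by provider_url into the Provider URL field of the connector; if your ITIM application is bound to a different channel, pass that channel name instead of TCP_2.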

Thursday, 7 May 2015

Design Forms and Workflows in ISIM being blocked by the JAVA security Settings

Everyone hits this issue the first time they open the workflows or design forms on a new machine, and the error comes up every time.
The easy solution is a simple configuration change on your machine.

There are a few things you need to do to fix this.

1. Go to Control Panel and click Java. Make sure Java is installed first.
For ISIM I recommend a 1.6 JDK or JRE.

2. Add the ITIM URL to the trusted URLs in the Java configuration, OR (less secure):

3. Lower the security level to Medium, so that all Java applets are allowed after the security warning prompt (as always, change this setting at your own risk). Adding only the ITIM URL in step 2 is the preferred option, since it does not weaken the check for every other site.

4. Restart the browser and try again.

Monday, 4 May 2015

ITIM WorkFlow: Steps to be followed in order to change a serial approval to work as parallel

Here are the steps to follow to change a serial approval so that it works in parallel.


  1. Log in to IDSWebApp and connect to the ISIM LDAP. Do not use any tool other than IDSWebApp.
  2. Search for the workflow that needs the change (it will be under the operations OU in LDAP).
  3. Go to the attribute that stores the XML and export that binary value.
  4. Open the XML in an editor and search for the loop name (workflow node). There will be a SYNC attribute in the tag; change it to ASYNC.
  5. Save the XML file.
  6. From IDSWebApp, delete the existing binary value (assuming a backup has been taken) and import the edited file.
  7. Save the changes and restart the ISIM application.
  8. Test the workflow to confirm the approvals now run in parallel.

Thursday, 19 March 2015

Configuring SSL between IBM Security Identity Manager and IBM TDS


There are 4 main parts to this configuration.
Before starting, have SSL configured on the IBM TDS LDAP instance; my previous post on enabling SSL on an IBM TDS LDAP instance covers that.

First …..
Add the TDS certificate to Websphere CA Certs:
  1. Start the ikeyman utility. The utility (ikeyman.bat or ikeyman.sh) is in the WAS_HOME\bin.
  2. From the Key Database File menu, select Open.
  3. In the key database type, select JKS.
  4. In the File Name field, type cacerts.
  5. In the Location field, type WAS_HOME\java\jre\lib\security\.
  6. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password window. The default password is changeit.
  7. Click OK.
  8. Add the certificate you created for the LDAP server into this certificate store.
    1. In the main window, in the Key database content area, select Signer Certificates from the list.
    2. Click Add.
    3. In the Certificate file name field, browse to the server certificate file that was created for the LDAP server (binary DER format). Verify that the appropriate directory is displayed in the Location field.
    4. Click OK.
    5. In the prompt, type a label for this certificate. For example, type LDAPCA.
    6. Click OK.

Secondly…..
Enabling ISIM to Communicate with LDAP using SSL Communication..
  1. Edit the enRoleLDAPConnection.properties file. This file is in the ISIM_HOME\data directory.
    1. Set the port in the java.naming.provider.url property to the SSL port configured on the directory server. For example,
java.naming.provider.url=ldaps://localhost:636
    2. Set java.naming.security.protocol to ssl. This directs the IBM Security Identity Manager server to use SSL to communicate with LDAP. Alternatively, change the scheme in java.naming.provider.url from ldap to ldaps, as above. For example,
java.naming.security.protocol=ssl
  2. Save the changes.
Thirdly……
Defining custom JVM properties in WebSphere
  1. Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
  2. Define the javax.net.ssl properties that point to the truststore you updated with ikeyman. If you created your own certificate store in a different location, point these properties at it instead:
javax.net.ssl.trustStore – WebSphere jre_install_dir\lib\security\cacerts
eg: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts
javax.net.ssl.trustStorePassword – changeit
javax.net.ssl.trustStoreType -- jks

Fourthly …..
Running ldapUpgrade….
  1. Before running the ldapUpgrade utility, verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
  2. Edit the ISIM_HOME\bin\ldapUpgrade.lax file.
Add this property, which is one line:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=/opt/IBM/WebSphere/AppServer/java/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=/opt/IBM/WebSphere/AppServer/java/jre/lib/ext:/opt/IBM/WebSphere/AppServer/plugins:/opt/IBM/WebSphere/AppServer/lib:/opt/IBM/WebSphere/AppServer/lib/ext
For example, on the Windows operating system:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs= C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext; C:\Progra~1\IBM\WebSphere\AppServer\plugins;
C:\Progra~1\IBM\WebSphere\AppServer\lib;
C:\Progra~1\IBM\WebSphere\AppServer\lib\ext
Note: On the UNIX systems, the delimiter for the list of directories in java.ext.dirs must be a colon. On the Windows systems, the delimiter for these directories must be a semi-colon. Also, on Windows systems, use 8.3 notation for the directory names as there can be no spaces in the list.
  3. Test that this property is set correctly.
    1. Copy the property into the ISIM_HOME\bin\ldapConfig.lax file.
    2. Click Test on the ldapConfig screen. If the test returns a success message, the property is set correctly.
Note: Do not click Continue on the ldapConfig screen. Click Cancel to exit.

Now restart WebSphere completely, including the nodes, clusters and the DMGR.
With this, your configuration is complete.


Wednesday, 18 March 2015

SSL Configuration on IBM TDS LDAP server



Can SSL be configured for an IBM TDS instance? Yes, and below are the steps to do it.

Steps to enable SSL communication using a self-signed certificate.

  1. Log in to the LDAP server.
  2. Take a backup of the ibmslapd.conf file.
  3. Run the command below to create a key database (CMS) to hold the server certificate and the server's private and public keys:
gsk8capicmd_64.exe -keydb -create -db E:\serverkey -pw password -type cms -stash
  4. On successful completion, four files are created: serverkey.kdb, serverkey.rdb, serverkey.crl and serverkey.sth (the stash file holding the key database password).
  5. Create a self-signed certificate with the command below:
gsk8capicmd_64.exe -cert -create -db E:\serverkey.kdb -pw password -label label_name -dn "cn=ldapcert,dc=com" -default_cert yes -expire 999
  6. Create an LDIF file to configure the TDS server to use this certificate.
   dn: cn=SSL,cn=Configuration
   changetype: modify
   replace: ibm-slapdSslAuth
   ibm-slapdSslAuth: serverAuth
   -
   replace: ibm-slapdSecurity
   ibm-slapdSecurity: SSL

   dn: cn=SSL,cn=Configuration
   changetype: modify
   replace: ibm-slapdSSLKeyDatabase
   ibm-slapdSSLKeyDatabase: E:\serverkey.kdb
   -
   replace: ibm-slapdSslCertificate
   ibm-slapdSslCertificate: label_name
   -
   replace: ibm-slapdSSLKeyDatabasePW
   ibm-slapdSSLKeyDatabasePW: password
  7. Run ldapmodify to update the TDS server with the SSL configuration:
ldapmodify -D cn=root -w bind_pwd -p port -i "ldif_file"

Because the key database was created with -stash, the server can read the key database password from serverkey.sth, so the ibm-slapdSSLKeyDatabasePW entry can be omitted rather than keeping the password in clear text in ibmslapd.conf. Make sure the key database and stash files are readable only by the LDAP instance owner.

  8. Restart the LDAP instance and the admin server.

Monday, 23 February 2015

Migrating the ISAMESSO IMS Server DB

Yes, you heard it right: the database of the ISAM ESSO IMS server can be copied/migrated/moved to a different DB server.

How to do it:

Follow the steps below.


1. Have your DB Administrator move the IMS DB to the new server. Make sure that the entire DB, all tables, data, views, users and schema are copied over.
2. Make sure usernames, passwords and database schema are exactly the same on the new database.
3. In your IMS Server Configuration Utility open up the Data source
4. Your IMS Data source will show your old IMS DB info, change your IMS DB URI to point to your new DB server and click update.
5. Perform the same steps for the Log data source and update.
6. Let’s move over to the WebSphere Integrated Solutions Console.
7. Under Applications > Application Types > Websphere enterprise applications stop your TAM E-SSO IMS Server
8. Update the DB server information under Resources > JDBC > Data Sources > TAM E-SSO IMS Server Data Source; change the server name under "Common and required data source properties".
9. Select OK
10. Save your changes
11. Restart Websphere 
12. Start your IMS Server


Tuesday, 10 February 2015

Script to Delete a file using ITDI

Yes, you can delete a file from the system using TDI.

It takes just two lines of code, but make sure the account TDI runs as has the permissions needed to delete the file.


Script to delete a file from the system

var dirObj = new java.io.File("c:\\temp\\mydir");
// 'delete' is a reserved word in JavaScript, so dirObj.delete() does not parse;
// bracket notation calls the Java method by name instead.
var removed = dirObj["delete"]();
task.logmsg("delete of " + dirObj.getPath() + " returned " + removed);



Note: The delete method has to be called with bracket notation because delete is a reserved word in JavaScript; writing dirObj.delete() gives a parser exception. java.io.File.delete() returns false rather than throwing when it fails, and it only removes a directory if the directory is empty, so check the return value.

Friday, 6 February 2015

Changing TIM's Case insensitivity to Case Sensitivity

By default, all attributes of the Person object class in TIM are set up as case-insensitive.
Changing only the case of a TIM identity data field does not work. To reproduce: open an existing user, change the case of one or more letters in the name (cn), surname (sn), mail or postOfficeBox, and click Submit.
After the request completes, check the values: they have not changed. The problem this causes: if HR changes the case of these values for an existing user, the HR feed tries to update them every night and never succeeds.

Check in the TDS web admin tool whether these attributes are defined as case-insensitive. If they are, try changing them to case-sensitive and test again.
Equality is set to caseIgnoreMatch, and so are ordering and substring. Should all three be set to caseExact, or only equality? What side effects does this introduce?
To be frank, I am not sure.
I have made this change, and the only difference I see is that my searches have also become case-sensitive.

If you do not want that change, the alternative is to first change the value to something completely different and then change it back to the original value in the desired case.
Confused? Don't be; see the example below.

Example:
I have a cn called dummies and I want it changed to DummieS:
change dummies to dummies1, then change dummies1 to DummieS.

Wednesday, 4 February 2015

Getting a list of registered users in ISAM ESSO using DB.


Yes, this is possible, but to get the list of registered users you need to connect to the ESSO database and run a query.

The information about registered IMS users is held in the table IMSIDENTITYUNIQUEATTRIBUTE.
Each registered user has 4 rows in this table, linked by the unique IMS ID assigned at registration.

You can look at the information in this table with some simple SQL queries.
Connect to your IMSDB using the tools appropriate to your database type, e.g. DB2 or MS SQL.

1) To see just the users EnterpriseUserName:-

SELECT * FROM <SCHEMA>.IMSIDENTITYUNIQUEATTRIBUTE AS I WHERE I.ATTRNAME = 'Enterprise Login'

2) To see just the user's userPrincipalName, use 'EnterpriseUpn' for the ATTRNAME filter in the above SQL:-

SELECT * FROM <SCHEMA>.IMSIDENTITYUNIQUEATTRIBUTE AS I WHERE I.ATTRNAME = 'EnterpriseUpn'

3) To see both of these value per user, the following type of SQL can be used:-

SELECT T1.imsID, T1.Ent, T2.Upn FROM
(SELECT imsID, Attrvalue as Ent FROM <SCHEMA>.IMSIDENTITYUNIQUEATTRIBUTE
WHERE ATTRNAME = 'Enterprise Login') AS T1
JOIN
(SELECT imsID, Attrvalue as Upn FROM <SCHEMA>.IMSIDENTITYUNIQUEATTRIBUTE
WHERE ATTRNAME = 'EnterpriseUpn') AS T2
ON (T1.imsID = T2.imsID)


<SCHEMA> value will depend on your installation, eg IMSDB, DB2ADMIN, etc.
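The join in query 3 is an inner join, so a registered user who has an 'Enterprise Login' row but no 'EnterpriseUpn' row disappears from the result. The added example below (not from the original post) loads a constructed copy of IMSIDENTITYUNIQUEATTRIBUTE into an in-memory SQLite database, runs the post's query and a LEFT JOIN variant side by side, and lists the users the inner join drops. SQLite has no schema prefix, so the <SCHEMA>. qualifier is omitted here; put it back on DB2 or MS SQL.

```python
import sqlite3

# Constructed sample rows for IMSIDENTITYUNIQUEATTRIBUTE (not real IMS data).
# imsID 3 is registered but has no EnterpriseUpn row, the case an inner join silently drops.
SAMPLE_ROWS = [
    (1, "Enterprise Login", "alice"),
    (1, "EnterpriseUpn", "alice@example.com"),
    (2, "Enterprise Login", "bob"),
    (2, "EnterpriseUpn", "bob@example.com"),
    (3, "Enterprise Login", "carol"),
]

# The post's query 3, with an ORDER BY so results are deterministic.
INNER_JOIN_SQL = """
SELECT T1.imsID, T1.Ent, T2.Upn FROM
(SELECT imsID, ATTRVALUE AS Ent FROM IMSIDENTITYUNIQUEATTRIBUTE WHERE ATTRNAME = 'Enterprise Login') AS T1
JOIN
(SELECT imsID, ATTRVALUE AS Upn FROM IMSIDENTITYUNIQUEATTRIBUTE WHERE ATTRNAME = 'EnterpriseUpn') AS T2
ON (T1.imsID = T2.imsID)
ORDER BY T1.imsID
"""
# Same query, but keep every user with an Enterprise Login even when the UPN row is missing.
LEFT_JOIN_SQL = INNER_JOIN_SQL.replace("\nJOIN\n", "\nLEFT JOIN\n")


def open_sample_db():
    """In-memory copy of the table, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IMSIDENTITYUNIQUEATTRIBUTE (imsID INTEGER, ATTRNAME TEXT, ATTRVALUE TEXT)")
    conn.executemany("INSERT INTO IMSIDENTITYUNIQUEATTRIBUTE VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def registered_users(conn, sql=LEFT_JOIN_SQL):
    """(imsID, enterprise login, upn-or-None) per registered user."""
    return conn.execute(sql).fetchall()


def users_missing_upn(conn):
    """imsIDs that have an Enterprise Login but no EnterpriseUpn row."""
    return [ims_id for ims_id, _, upn in registered_users(conn) if upn is None]


if __name__ == "__main__":
    conn = open_sample_db()
    print("inner join:", registered_users(conn, INNER_JOIN_SQL))
    print("left join: ", registered_users(conn))
    print("missing UPN:", users_missing_upn(conn))
```

Use the LEFT JOIN form when the goal is an inventory of every registered user; use the inner join only when you specifically want users that have both attributes populated.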




Tuesday, 6 January 2015

How to modify the ISIM Person Form using LDIF File


Steps to modify ISIM Person attributes, such as adding a new custom attribute, using LDIF rather than IDSWebApp:

1) Identify the type of attribute you want to add: string, date or integer.

2) Next, create an LDIF file in the format below (replace customattribute with a name of your choice) and save it as myschema.ldif
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( customattribute-oid NAME ( 'customattribute' ) DESC 'An attribute I defined for my LDAP application' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{200} USAGE userApplications )
-
add: ibmattributetypes
ibmattributetypes: ( customattribute-oid DBNAME ( 'customattribute' 'customattribute' ) ACCESS-CLASS normal LENGTH 200 )

3) Now open the command prompt and browse to {LDAP installed location}\bin folder.
Eg: C:\IBM\ldap\V6.3\bin

4) Run the command with the appropriate parameters.
ldapmodify -D <admindn> -w <adminpw> -p <Port of the tds instance> -i myschema.ldif

5) Now your Attribute has been successfully added to IBM TDS.

6) Connect to your TDS instance with any third-party LDAP browser, such as LDAP Browser or Softerra, and open the cn=schema entry as cn=root.

7) Look at your person object class and its MAY attribute list, whose values are separated by "$". If you are using inetOrgPerson, the example below applies.

This example LDIF is for the default object class inetOrgPerson.
If you are using your own object class, use the attributes specific to it. Because this is a replace, copy the current definition exactly as it appears in cn=schema and only add your attribute; any attribute left out of the list is removed from the object class.

dn: cn=schema
changetype: modify
replace: objectclasses
objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Defines entries representing people in an organizations enterprise network.' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ customattribute $ atsgroups $ o $ pager $ photo $ preferredLanguage $ roomNumber $ secretary $ uid $ userCertificate $ userPKCS12 $ userSMIMECertificate $ x500UniqueIdentifier ) )

8) Save your LDIF file as person.ldif. 

9) Use the below ldapmodify command.
ldapmodify -D <admindn> -w <adminpw> -p <Port of the tds instance> -i person.ldif

10) Now restart your instance, and that's it: your attribute is successfully added to your ISIM Person object class.
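Hand-editing the objectclasses value for step 7 is where attributes get lost. As an added example (not from the original post), the helper below takes the object class definition exactly as read from cn=schema, appends the new attribute to the MAY list only if it is not already there, and writes the person.ldif content; the definition used here is a constructed, shortened inetOrgPerson for readability, and the attribute name customattribute is the one the post uses.

```python
import re

# Constructed: an inetOrgPerson definition as read from cn=schema, with a shortened MAY list.
CURRENT_DEF = ("( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Defines entries representing people.' "
               "SUP organizationalPerson STRUCTURAL MAY ( audio $ displayName $ mail $ uid ) )")

# Captures the parenthesised MAY list of an object class definition.
MAY_RE = re.compile(r"MAY\s*\(\s*(?P<list>[^)]*)\)")


def may_attributes(objectclass_def):
    """Return the MAY attributes of the definition as a list, in schema order."""
    m = MAY_RE.search(objectclass_def)
    if not m:
        raise ValueError("object class has no parenthesised MAY clause; do not guess one")
    return [a.strip() for a in m.group("list").split("$") if a.strip()]


def add_may_attribute(objectclass_def, attr):
    """Return the definition with attr appended to MAY, unchanged if it is already present.
    Everything outside the MAY list is copied verbatim, so no existing attribute is dropped."""
    m = MAY_RE.search(objectclass_def)
    attrs = may_attributes(objectclass_def)
    if attr.lower() in (a.lower() for a in attrs):      # LDAP attribute names are case-insensitive
        return objectclass_def
    new_list = " $ ".join(attrs + [attr])
    return objectclass_def[:m.start()] + f"MAY ( {new_list} )" + objectclass_def[m.end():]


def objectclass_ldif(objectclass_def, attr):
    """The person.ldif content of step 7 for the given definition and attribute."""
    lines = [
        "dn: cn=schema",
        "changetype: modify",
        "replace: objectclasses",
        f"objectclasses: {add_may_attribute(objectclass_def, attr)}",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(objectclass_ldif(CURRENT_DEF, "customattribute"))
```

Feed the real definition from cn=schema into objectclass_ldif (it is one long line), redirect the output to person.ldif and run the ldapmodify command from step 9; running the helper twice produces the same LDIF, so it is safe to re-apply.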