Tivoli Identity Manager

Transcription

1 Tivoli Identity Manager Version 4.6 Lotus QuickPlace Adapter Installation and Configuration Guide SC

2

3 Tivoli Identity Manager Version 4.6 Lotus QuickPlace Adapter Installation and Configuration Guide SC

4 Note: Before using this information and the product it supports, read the information in Appendix D, Notices, on page 71. First Edition (April 2006) This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions. This edition replaces all previous editions. Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface v Who should read this book v Publications and related information......v Tivoli Identity Manager library v Prerequisite Product Publications vii Related Publications viii Accessing publications online viii Accessibility viii Support information viii Conventions used in this book ix Typeface conventions ix Operating system differences ix Definitions for HOME and other directory variables x Chapter 1. Overview of the Lotus QuickPlace Adapter Features of the adapter Software and operating system requirements...1 Supported configurations Scenario 1: Single instance of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration Scenario 2: Multiple instances of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration Scenario 3: Single instance of Tivoli Identity Manager Serverand Lotus QuickPlace Adapter single server configuration communicating with LDAP Server Scenario 4: Multiple instances of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration communicating with LDAP Server Chapter 2. Adapter interactions with the Tivoli Identity Manager Server Data Transfer from the Tivoli Identity Manager Server to the adapter Basic configuration for server-to-adapter SSL communication Chapter 3. Installing and configuring the Lotus QuickPlace Adapter System Requirements Installation worksheets Configuring the Lotus Domino Server Configuring the Windows server Installing the adapter Importing the adapter profile into the Tivoli Identity Manager Server Creating a Lotus QuickPlace service Configuring the adapter Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager Starting the adapter configuration tool Viewing configuration settings Changing protocol configuration settings Configuring event notification Setting event notification triggers Modifying an event notification context Changing the configuration key Changing activity logging settings Changing registry settings Modifying non-encrypted registry settings...27 Modifying encrypted registry settings Changing advanced settings Viewing statistics Changing code page settings Accessing help and additional options Chapter 5. Configuring SSL authentication for the Lotus QuickPlace Adapter Overview of SSL and digital certificates Private keys, public keys, and digital certificates 36 Self-signed certificates Certificate and key formats The use of SSL authentication Configuring certificates for SSL authentication...38 Configuring certificates for one-way SSL authentication Configuring certificates for two-way SSL authentication Configuring certificates when the adapter operates as an SSL client Managing SSL certificates using CertTool Starting CertTool Generating a private key and certificate request 43 Installing the certificate Installing the certificate and key from a PKCS12 file Viewing the installed certificate Installing a CA certificate Viewing CA certificates Deleting a CA certificate Viewing registered certificates Registering a certificate Unregistering a certificate Exporting a certificate and key to PKCS12 file..47 Chapter 6. Customizing the Lotus QuickPlace adapter Copy the QuickPlaceProfile.jar file and extract the files Copyright IBM Corp iii

6 Create a new JAR file and install the new attributes on the Tivoli Identity Manager Server Managing passwords when restoring accounts...50 Chapter 7. Verification of the Lotus QuickPlace Adapter installation Chapter 8. Troubleshooting the Lotus QuickPlace adapter installation Chapter 9. Upgrading the Lotus QuickPlace Adapter or the ADK Upgrading the Lotus QuickPlace adapter Upgrading the ADK Log files Chapter 10. Uninstalling the Lotus QuickPlace Adapter Appendix A. Files Appendix B. Adapter attributes Attribute descriptions Lotus QuickPlace Adapter attributes by action...64 System Login Add System Login Change System Login Delete System Login Suspend System Login Restore Reconciliation Appendix C. Support information Searching knowledge bases Search the information center on your local system or network Search the Internet Contacting IBM Software Support Determine the business impact of your problem 68 Describe your problem and gather background information Submit your problem to IBM Software Support 69 Appendix D. Notices Trademarks Index iv IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

7 Preface Who should read this book The IBM Tivoli Identity Manager Lotus QuickPlace Adapter (Lotus QuickPlace Adapter) enables connectivity between the IBM Tivoli Identity Manager Server and a system running the Domino QuickPlace Server. The Lotus QuickPlace Adapter must be installed on a machine where the Domino QuickPlace Server is running. Once the adapter is installed and configured, Tivoli Identity Manager manages access to Lotus Domino Server resources, using the Lotus Domino Server s ID. This book describes how to install and configure the Lotus QuickPlace Adapter. Note: The program that is used to connect the managed resource to the Tivoli Identity Manager Server is now called an adapter. The term adapter replaces the previously used term agent. The user interface used to configure the adapter still refers to an adapter as an agent. This book is intended for Lotus QuickPlace system and security administrators responsible for installing software on their site s computer systems. Readers are expected to understand Lotus QuickPlace concepts. The person completing the installation procedure must also be familiar with their site s system standards and needs to have appropriate Lotus QuickPlace experience and knowledge. Readers must be able to perform routine Lotus QuickPlace system and security administration tasks. Publications and related information Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite Product Publications on page vii and the Related Publications on page viii. After you determine the publications you need, refer to the instructions in Accessing publications online on page viii. Tivoli Identity Manager library The publications in the technical documentation library for your product are organized into the following categories: v Release information v Online user assistance v Server installation and configuration v Problem determination v Technical supplements v Adapter installation and configuration Release Information: v Release Notes Provides software and hardware requirements for the product, and additional fix, patch, and other support information. v Read This First Card Lists the publications for the product. Copyright IBM Corp v

8 Online user assistance: Provides online help topics and an information center for administrative tasks. Server installation and configuration: Provides installation and configuration information for the product server. Problem determination: Provides problem determination, logging, and message information for the product. Technical supplements: The following technical supplements are provided by developers or by other groups who are interested in this product: v Performance and tuning information Provides information needed to tune your production environment, available on the Web at: Click the I character in the A-Z product list to locate Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section. v Redbooks and white papers are available on the Web at: IBMTivoliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link. v Technotes are available on the Web at: v Field guides are available on the Web at: v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerworks Web address: Adapter installation and configuration: The technical documentation library also includes a set of platform-specific installation documents for the adapter components of the product. Adapter information is available on the Web at: Passport_Advantage_Home Click Support & downloads. Browse to the Downloads and drivers. Click the link for the adapter. Skills and training: The following additional skills and technical training information were available at the time that this manual was published: vi IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

9 v Virtual Skills Center for Tivoli Software on the Web at: v Tivoli Education Software Training Roadmaps on the Web at: v Tivoli Technical Exchange on the Web at: supp_tech_exch.html Prerequisite Product Publications To use the information in this book effectively, you must have knowledge of the products that are prerequisites for your product. Publications are available from the following locations: v Lotus Domino Server v Operating systems IBM AIX Solaris Red Hat Linux Microsoft Windows Server v Database servers IBM DB2 Universal Database - Support: - Information center: index.jsp - Documentation: winos2unix/support/v8pubs.d2w/en_main - DB2 product family: - Fix packs: downloadv8.html - System requirements: sysreqs.html Oracle Microsoft SQL Server v Directory server applications IBM Directory Server en_us/html/ldapinst.htm Preface vii

10 Related Accessibility Sun ONE Directory Server v WebSphere Application Server Additional information is available in the product directory or Web sites. v WebSphere embedded messaging v IBM HTTP Server Publications Information that is related to your product is available in the following publications: v The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: v The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: Accessing publications online IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: Click the I character in the A-Z list, and then click the link for your product to access the product library. Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your paper. The product documentation includes the following features to aid accessibility: v Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software. v All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images. Support information If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need: viii IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

11 v Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information. v Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support. For more information about these ways to resolve problems, see Appendix C, Support information, on page 67. Conventions used in this book Typeface This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths. conventions This guide uses the following typeface conventions: Bold Italic v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) v Keywords and parameters in text v Words defined in text v Emphasis of words (words as words) v New terms in text (except in a definition list) v Variables and values you must provide Monospace v Examples and code examples v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text v Message text and prompts addressed to the user v Text that the user must type v Values for arguments or command options Operating system differences This guide uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system. Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions. Preface ix

12 Definitions for HOME and other directory variables The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table. The value of path varies for these operating systems: v Windows: drive:\program Files v AIX: /usr v Other UNIX: /opt Path Variable Default Definition Description DB_INSTANCE_HOME Windows: path\ibm\sqllib UNIX: v AIX, Linux: /home/dbinstancename v Solaris: /export/home/dbinstancename LDAP_HOME v For IBM Directory Server Version 5.2 Windows: path\ibm\ldap UNIX: path/ibm/ldap AIX, Linux: path/ldap Solaris: path/ibmldaps v For IBM Directory Server Version 6.0 Windows: path\ibm\ldap UNIX: /opt/ibm/ldap/ AIX, Solaris: /opt/ibm/ldap/ Linux: /opt/ibm/ldap/ v For Sun ONE Directory Server Windows: path\sun\mps UNIX: /var/sun/mps The directory that contains the database for your Tivoli Identity Manager product. The directory that contains the directory server code. x IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

13 Path Variable Default Definition Description IDS_instance_HOME For IBM Directory Server Version 6.0 Windows: drive\ idsslapd-instance_owner_name The value of drive might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ ibmslapd.log. UNIX: INSTANCE_HOME/idsslapd-instance_name The directory that contains the IBM Directory Server Version 6.0 instance. HTTP_HOME ITIM_HOME WAS_HOME WAS_MQ_HOME WAS_NDM_HOME Tivoli_Common_Directory On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapdinstance_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapdldapdb2. directory. Windows: path\ibmhttpserver UNIX: path/ibmhttpserver Windows: path\ibm\itim UNIX: path/ibm/itim Windows: path\websphere\appserver UNIX: path/websphere/appserver Windows: path\ibm\websphere MQ UNIX: path/mqm Windows: path\websphere\deploymentmanager UNIX: path/websphere/deploymentmanager Windows: path\ibm\tivoli\common\ UNIX: path/ibm/tivoli/common/ The directory that contains the IBM HTTP Server code. The base directory that contains the Tivoli Identity Manager code, configuration, and documentation. The WebSphere Application Server home directory The directory that contains the WebSphere MQ code. The home directory on the deployment manager The central location for all serviceability-related files, such as logs and first-failure data capture Preface xi

14 xii IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

15 Chapter 1. Overview of the Lotus QuickPlace Adapter Features of the adapter An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Adapters might or might not reside on the managed resource and the Tivoli Identity Manager Server manages access to the resource by using your security system. Adapters function as trusted virtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually. The adapter runs as a service, independent of whether or not a user is logged on to the Tivoli Identity Manager Server. The Lotus QuickPlace Adapter enables connectivity between the Tivoli Identity Manager Server and a system running the Lotus QuickPlace Server. The following sections provide information about the Lotus QuickPlace Adapter: v Features of the adapter v Software and operating system requirements v Supported configurations on page 2 You can use the Lotus QuickPlace Adapter to automate the following administrative tasks: v Adding local users to single or multiple existing places v Adding local users to single or multiple new places v Adding external users to single or multiple existing places v Adding external users to single or multiple new places v Changing local user attributes v Changing editable external user attributes v Changing local or external users ACLs in place v Removing local or external users from a place v Changing the Lotus QuickPlace local user account password v Suspending, restoring, and deleting Lotus QuickPlace local or external user accounts v Searching for local or external user operations for Lotus QuickPlace user accounts v Reconciling Lotus QuickPlace local or external user accounts Software and operating system requirements The following table lists the software and operating system requirements that are required to run the Lotus QuickPlace Adapter. Table 1. Requirements to install the adapter Requirements Version Copyright IBM Corp

16 Table 1. Requirements to install the adapter (continued) Lotus QuickPlace Server on Lotus Domino Server One of the following versions of the Lotus QuickPlace Server software: v 3.01 v 6.5 v 7.0 One of the following versions of the Lotus Domino Server software: v 5 v 6.5 v 7.0 Operating System v Windows 2000 v Windows 2003 Tivoli Identity Manager Server v 4.5 and above Supported configurations You can install the Lotus QuickPlace Adapter on the same system where the Lotus QuickPlace Server is installed. The Lotus QuickPlace Adapter supports four configurations. In each configuration, the Lotus QuickPlace Adapter uses the server ID to communicate with the Lotus Domino Server. Scenario 1: Single instance of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration The first supported configuration includes a single Tivoli Identity Manager Server, a single system running the Lotus QuickPlace Server, one instance of the Lotus QuickPlace Adapter, and a single Lotus Domino Server. } } Lotus Domino Server (External Directory), Lotus QuickPlace Server and Lotus QuickPlace Adapter Tivoli Identity Manager Server Figure 1. Single Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration Note: The dotted line in the figure indicates the interaction between the adapter and the Lotus Domino Server. Scenario 2: Multiple instances of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration The second supported configuration includes multiple Tivoli Identity Manager Servers and a single system running the Lotus QuickPlace Server, which is 2 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

17 installed on a Lotus Domino Server running one instance of the Lotus QuickPlace Adapter. } Tivoli Identity Manager Server } Tivoli Identity Manager Server } Tivoli Identity Manager Server } Lotus Domino Server (External Directory), Lotus QuickPlace Server and Lotus QuickPlace Adapter Figure 2. Multiple instances of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration Note: The dotted line in the figure indicates the interaction between the adapter and the Lotus Domino Server. Scenario 3: Single instance of Tivoli Identity Manager Serverand Lotus QuickPlace Adapter single server configuration communicating with LDAP Server The third supported configuration includes a single Tivoli Identity Manager Server and a single system running the Lotus QuickPlace Server, which is installed on a Lotus Domino Server running one instance of the Lotus QuickPlace Adapter. Lotus Domino Server, } } } LDAP Server Lotus QuickPlace Server and Lotus QuickPlace Adapter Tivoli Identity Manager Server (External Directory) Figure 3. Single instance of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration communicating with LDAP Server Scenario 4: Multiple instances of Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration communicating with LDAP Server The fourth supported configuration includes multiple Tivoli Identity Manager Servers and a single system running the Lotus QuickPlace Server, which is Chapter 1. Overview of the Lotus QuickPlace Adapter 3

18 installed on a Lotus Domino Server running one instance of the Lotus QuickPlace Adapter. } Tivoli Identity Manager Server } Tivoli Identity Manager Server } Tivoli Identity Manager Server } Lotus Domino Server, Lotus QuickPlace Server and Lotus QuickPlace Adapter LDAP Server }(External Directory) Figure 4. Multiple instances of the Tivoli Identity Manager Server and Lotus QuickPlace Adapter single server configuration communicating with an LDAP Server Note: The dotted line in the figure indicates the interaction between the adapter and the LDAP Server. 4 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

19 Chapter 2. Adapter interactions with the Tivoli Identity Manager Server Data Transfer from the Tivoli Identity Manager Server to the adapter The Lotus QuickPlace Adapter is a software program that must reside on the system where the Lotus Domino Server is installed. Data is transferred between the Lotus QuickPlace Adapter and the Tivoli Identity Manager Server using the Directory Access Markup Language (DAML) protocol. DAML uses Secure Sockets Layer (SSL) to send XML-formatted messages between the adapter and the server. Tivoli Identity Manager communicates with the Lotus QuickPlace Adapter in order to administer user accounts. When the Tivoli Identity Manager Server issues a request to the Lotus QuickPlace Adapter, the server opens a TCP/IP connection. This connection stays open until the adapter completes the request and responds back to the server with an acknowledgement message. After the Tivoli Identity Manager Server receives the response, it drops the connection to the adapter. Basic configuration for server-to-adapter SSL communication The following information pertains to a Tivoli Identity Manager deployment on either the WebSphere or the WebLogic application server. In this scenario, the Tivoli Identity Manager Server initiates communication with the adapter (server-to-adapter) using either RSA SSL-C or Open SSL. For additional information about SSL, refer to Chapter 5, Configuring SSL authentication for the Lotus QuickPlace Adapter, on page 35. Copyright IBM Corp

20 6 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

21 Chapter 3. Installing and configuring the Lotus QuickPlace Adapter Installing and configuring the Lotus QuickPlace Adapter involves several steps that you must complete in the appropriate sequence. Review the prerequisites before you begin the installation process. You can also create an account on the managed resource for the adapter to use. System Requirements Table 2 identifies the system requirements to install the Lotus QuickPlace Adapter. Verify that all of the requirements have been met before installing the Lotus QuickPlace Adapter. Also, complete the installation worksheet before installing the adapter. Table 2. Requirements to install the Lotus QuickPlace Adapter System, memory, and disk space Operating System v Windows 2000 v A 32-bit x86-based microprocessor. v A minimum of 256 MB of memory. v At least 300 MB of free disk space. Lotus QuickPlace Server on Lotus Domino Server v Windows 2003 One of the following versions of the Lotus QuickPlace Server software: v 3.01 v 6.5 v 7.0 One of the following versions of the Lotus Domino Server software: v 5 v 6.5 v 7.0 Java Developer's Kit (JDK) One of the following versions of the JDK: Network Connectivity v TCP/IP network v for version 3.01 of the Lotus QuickPlace Server v for version 6.5 of the Lotus QuickPlace Server v for version 7.0 of the Lotus QuickPlace Server v SSL enabled Tivoli Identity Manager Server Version 4.5 or later v For security purposes, the adapter should be installed on a Windows NT File System (NTFS). Copyright IBM Corp

22 Installation worksheets Use one of the following worksheets to document information required to install and configure the Lotus QuickPlace Adapter. Complete the applicable worksheet before starting the installation procedure. The worksheet identifies the information you need to modify during the installation process. Make a copy of the worksheet for each server where you are installing the Lotus QuickPlace Adapter. For example, if you have five Windows servers where you are installing the Lotus QuickPlace Adapter, you need five copies of the worksheet. Table 3. Installation worksheet when external directory is not used Option Description User directory Specifies the name of the external directory to which the Lotus QuickPlace Server is configured as the user directory. Domino Directory location Specifies the path for the Lotus Domino Server. Lotus QuickPlace Server name Specifies the name of the system on which the Lotus QuickPlace Server is installed. Server ID file location Specifies the location of the server ID file. The adapter uses this file to access the Lotus QuickPlace Server. Server ID password Specifies the password for the server ID used by the Lotus QuickPlace Adapter to connect to the Lotus QuickPlace Server. Table 4. Installation worksheet when the external directory is LDAP Option Description User directory Specifies the name of the external directory to which the Lotus QuickPlace Server is configured as the user directory. Domino Directory location Specifies the path for the Lotus Domino Server. Lotus QuickPlace Server name Specifies the name of the server on which the Lotus QuickPlace Server is installed. Server ID file location Specifies the location of the server ID file. The adapter uses this file to access the Lotus QuickPlace Server. Server ID password Specifies the password for the server ID used by the Lotus QuickPlace Adapter to connect to the Lotus QuickPlace Server. LDAP Server Specifies the name of the LDAP Server configured to use the Lotus QuickPlace Adapter. LDAP port Specifies the port for the LDAP Server. User ID Specifies the user ID when anonymous bind does not have access to the search function. User password Specifies the password for the user ID. 8 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

23 Table 5. Installation worksheet when external directory is Lotus Domino Server Option Description User directory Specifies the name of the external directory to which the Lotus QuickPlace Server is configured as the user directory. Domino Directory location Specifies the path for the Lotus Domino Server. Lotus QuickPlace Server name Specifies the name of the system on which the Lotus QuickPlace Server is installed. Server ID file location Specifies the location of the server ID file. The adapter uses this file to access the Lotus QuickPlace Server. Server ID password Specifies the password for the server ID used by the Lotus QuickPlace Adapter to connect to the Lotus QuickPlace Server. Domino Address Book Specifies the name of the Lotus Domino Server address book used by the adapter if the name is not NAMES.NSF. Configuring the Lotus Domino Server You must configure the Lotus Domino Server to ensure that the Lotus QuickPlace Adapter functions correctly. Complete these steps to access the Lotus QuickPlace Java APIs: 1. Install the adapter on the same system where the Lotus QuickPlace Server is installed. 2. Install the supported Java Developer's Kit (JDK). Refer to Table 2 on page 7 for information about the supported JDK. 3. Add the following path environment variables: Configuring the Windows server v The Lotus Domino Server program, for example, C:\Lotus\Domino v The Java JDK bin directory, for example, C:\Program Files\Java\jre1.5.0_01\ bin You must configure the Windows server to ensure that the Lotus QuickPlace Adapter functions correctly. To configure the Windows server, you must add the directory path for the nnotes.dll file to the path environment variables. To do this, complete these steps: 1. From the Windows desktop, right-click on the My Computer icon, and then select the Properties menu. 2. From the System Properties window, click the Advanced tab. 3. From the Advanced window, click Environment variables. 4. Under System variables, select Path and click Edit. 5. In the Variable Value field, type the path for the Lotus Domino Server, for example, C:\Lotus\Domino 6. In the Variable Value field, type the Java JDK bin directory, for example,c:\program Files\Java\jre1.5.0_01\bin 7. From the Environment variables window, click OK. 8. From the System Properties window, click Apply, and then click OK. Chapter 3. Installing and configuring the Lotus QuickPlace Adapter 9

24 Installing the adapter 9. If the Lotus QuickPlace Adapter is running, stop and restart the adapter. If the Lotus QuickPlace Adapter is not automatically installed with your Tivoli Identity Manager product, use the adapter installer to manually install the adapter. The Tivoli Identity Manager Lotus QuickPlace Adapter installation program is available for download from the IBM Web site. Contact your IBM account representative for the Web address and download instructions. Before you install the Lotus QuickPlace Adapter, verify that the following conditions are met: v Ensure that you have configured the Lotus Domino Server. Refer to Configuring the Lotus Domino Server on page 9 for information about how to configure the Lotus Domino Server. v Ensure that you have configured the Windows server. Refer to Configuring the Windows server on page 9 for information about how to configure the Windows server. The Lotus QuickPlace Adapter installer provides the following options for managing users: Manage local users on the Lotus QuickPlace resource Select this option to manage only local users. You cannot manage external users if you select this option. Manage external users on the Lotus QuickPlace resource using an external Lotus Domino Server Select this option to manage these users on a Lotus QuickPlace resource. v Local users v External users with the Lotus Domino Server Manage external users on the Lotus QuickPlace resource using an external LDAP Server Select this option to manage these users on a Lotus QuickPlace resource. v Local users v External users with the LDAP Server To manually install the adapter, complete these steps. Note: All directory paths apply to Windows operating systems. Change the directory paths as needed for UNIX operating systems. 1. Download the Lotus QuickPlace Adapter compressed file from the IBM Web site. 2. Extract the contents of the compressed file into a temporary directory and navigate to that directory. 3. Start the installation program using the setup.exe file in the temporary directory. For example, select Run from the Start menu, and type C:\TEMP\setup.exe in the Open field. 4. On the Welcome window, click Next. 5. On the License Agreement window, review the license agreement and decide if you accept the terms of the license. If you do, select Accept and then click Next. 10 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

25 6. On the Select Destination Directory window, specify where you want to install the adapter in the Directory Name field. You can accept the default location, or click Browse to specify a different directory. Then, click Next. Figure 5. Select Destination Directory window 7. On the Lotus QuickPlace Server Information window, specify the required information about your Lotus QuickPlace Server in the following fields: External Directory Specify the user directory used as the external directory for adding existing users to the Lotus QuickPlace Server. v Select None if no external directory is used v Select Domino Directory if the external directory is the Lotus Domino Server v Select LDAP Directory if the external directory is the LDAP Server Lotus QuickPlace Server Type the Lotus QuickPlace Server name in the following format: CN=<Server Name>/O=<Organization Name> For example, CN=Condor/O=IBM Domino Directory Path Type the path of the directory where the Lotus Domino Server is installed, for example, C:\Lotus\Domino Then, click Next. 8. On the Server ID Information window, specify the required information about your server ID in the following fields: Chapter 3. Installing and configuring the Lotus QuickPlace Adapter 11

26 Server ID location Type the path of the server ID file that the adapter will use for authentication, for example, C:\Lotus\Domino\data\server.id Server password Type the password for the server ID. Passwords are case-sensitive. Then, click Next. 9. On the Synchronization Information window, specify whether or not you want to refresh data after each reconciliation operation. Click Yes to synchronize the external directory and the Lotus QuickPlace Server after each reconciliation. Otherwise, click No. Then, click Next. If you selected LDAP as your external directory, proceed to the next step. If you chose Domino as your external directory, skip the next step. 10. If the external directory is the LDAP, specify information in the following fields for the LDAP Server: LDAP Server name Type the name of the LDAP Server that is configured for the Lotus QuickPlace Server. For example, ps2125.peristent.co.in. LDAP Port Number Type the port number for the LDAP Server. For example, cn=root. User User ID Type the user ID used for authentication if anonymous bind is denied access for a search operation. For example, cn=root. ID Type the password for the user ID. Then, click Next. 11. If the external directory is DOMINO, from the External Domino Directory window, specify information in the Notes Address Book field. In the Notes Address Book field, type the name of the Lotus Domino Server address book used by the adapter, if the address book is different from the default address book. Then, click Next. The default address book is NAMES.NSF. 12. On the Installation Summary window, review the installation settings. Click Back to change any of these settings. Otherwise, click Next to begin the installation. 13. On the Installation Completed window, click Finish to exit the program. Importing the adapter profile into the Tivoli Identity Manager Server An adapter profile defines the types of resources that the Tivoli Identity Manager Server can manage. The profile is used to create a service on the Tivoli Identity Manager Server and to communicate with the adapter. You must import the adapter profile into the Tivoli Identity Manager Server before using the Lotus QuickPlace Adapter. Before you import the adapter profile, verify that the following conditions are met: v The Tivoli Identity Manager Server must be installed and running. v You must have root or Administrator authority on the Tivoli Identity Manager Server. 12 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

27 The adapter profile is included in the JAR file for the adapter, QuickPlaceProfile.jar. To import the adapter profile, complete these steps: 1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks. 2. Import the adapter profile using the import feature for your Tivoli Identity Manager product. Refer to the information center or the online help for specific instructions about importing the adapter profile. When you import the adapter profile, if you receive an error related to the schema, refer to the trace.log file for information about the error. The trace.log file location is specified using the handler.file.filedir property defined in the Tivoli Identity Manager enrolelogging.properties file. The enrolelogging.properties file is installed in the Tivoli Identity Manager \data directory. Creating a Lotus QuickPlace service You must create a service for the Lotus QuickPlace Adapter before the Tivoli Identity Manager Server can use the adapter to communicate with the managed resource. To create a service, complete these steps: 1. Log in to the Tivoli Identity Manager Server using an account that has the authority to perform administrative tasks. 2. Create the service using the information for your Tivoli Identity Manager product. Refer to the information center or the online help for specific instructions about creating a service. To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter. The Lotus QuickPlace Adapter service form contains the following fields: Service Name Specify a name that defines this Lotus QuickPlace service on the Tivoli Identity Manager Server. Service Name is a required field. Description Specify an optional description for this service. URL Specify the location and port number of the Lotus QuickPlace Adapter. The port number is defined in the protocol configuration using the agentcfg program. For additional information about protocol configuration settings, see Changing protocol configuration settings on page 16. URL is a required field. User If https is specified as part of the URL, the adapter must be configured to use SSL authentication. If the adapter is not configured to use SSL authentication, specify http for the URL. For additional information about configuring the adapter to use SSL authentication, see Chapter 5, Configuring SSL authentication for the Lotus QuickPlace Adapter, on page 35. Id Specify the DAML protocol user name. The user name is defined in the protocol configuration using the agentcfg program. For additional information about the protocol configuration settings, see Changing protocol configuration settings on page 16. User Id is a required field. Password Specify the password for the DAML protocol user name. This password is defined in the protocol configuration using the agentcfg program. For Chapter 3. Installing and configuring the Lotus QuickPlace Adapter 13

28 additional information about the protocol configuration settings, see Changing protocol configuration settings on page 16. Password is a required field. Owner Specify the service owner, if any. Owner is an optional field. Service Configuring the adapter Prerequisite Specify an existing Tivoli Identity Manager service that is a prerequisite for the Lotus QuickPlace service. Service Prerequisite is an optional field. Once you have installed the Tivoli Identity Manager Lotus QuickPlace Adapter, configuration is required to ensure that it functions correctly. Before you begin to configure the Lotus QuickPlace Adapter, you must obtain a production certificate from a well-known Certificate Authority or create your own certificate using your own Certificate Authority. The Lotus QuickPlace Adapter does not come prepackaged with a certificate. In order to configure the Lotus QuickPlace Adapter, complete these steps: 1. Start the Lotus QuickPlace Adapter service using the Windows Services Tool. 2. Configure Directory Access Markup Language (DAML) to ensure communication with the Tivoli Identity Manager Server. For more information on configuring DAML, see Changing protocol configuration settings on page Configure the Lotus QuickPlace Adapter to communicate with the Tivoli Identity Manager Server by configuring the adapter for event notification. For more information on configuring event notification, see Configuring event notification on page For secure communication, install a certificate on the system where the adapter resides and on the Tivoli Identity Manager Server. For more information on installing certificates, see Chapter 5, Configuring SSL authentication for the Lotus QuickPlace Adapter, on page Install the adapter profile on the Tivoli Identity Manager Server. For more information on installing the adapter profile, see Importing the adapter profile into the Tivoli Identity Manager Server on page Configure the adapter service form. For more information on configuring the service form, see Creating a Lotus QuickPlace service on page Use the agentcfg utility to modify the adapter parameters. For more information on parameter configuration, see Chapter 4, Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager, on page Configure the adapter account form. For more information on configuring the account form, refer to the IBM Tivoli Identity Manager Information Center. 9. Verify that you have correctly installed and configured the Lotus QuickPlace Adapter. See Chapter 7, Verification of the Lotus QuickPlace Adapter installation, on page 53 for more information on verifying the installation and configuration of the adapter. 14 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

29 Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager Use the adapter configuration program, agentcfg, to view or modify the Lotus QuickPlace Adapter parameters. All changes that you make to parameters with this tool take effect immediately. Starting the adapter configuration tool In order to start the adapter configuration tool, agentcfg, for Lotus QuickPlace Adapter parameters, complete these steps: 1. From the Start Menu, select Programs Accessories Command Prompt. 2. At the command prompt, change to the \bin directory for the adapter. For example, type the following command, if the Lotus QuickPlace Adapter is in the default location: cd C:\Tivoli\Agents\QuickPlaceAgent\bin\ 3. Type the following command: agentcfg -agent QuickPlaceAgent You can also use agentcfg to view or change configuration settings from a remote computer. See the table in Accessing help and additional options on page 32 for procedures on using additional arguments. 4. At the Enter configuration key for Agent QuickPlaceAgent prompt, type the configuration key for the Lotus QuickPlace Adapter. The default configuration key is agent. You must change the configuration key once installation completes, to prevent unauthorized access to the configuration of the adapter. See Changing protocol configuration settings on page 16 for procedures to change the configuration key. The Main Configuration Menu is displayed. QuickPlaceAgent Agent Main Configuration Menu A. Configuration Settings. B. Protocol Configuration. C. Event Notification. D. Change Configuration Key. E. Activity Logging. F. Registry Settings. G. Advanced Settings. H. Statistics. I. Codepage Support. X. Done. Select menu option: From the Main Menu, you can configure the protocol, view statistics, and modify settings, including configuration, registry, and advanced settings. Table 6. Options for the main configuration menu Option Configuration task For more information A Viewing protocol configuration settings See page 16. Copyright IBM Corp

30 Table 6. Options for the main configuration menu (continued) Option Configuration task For more information B Changing protocol configuration settings See page 16. C Configuring event notification See page 19. D Changing the configuration key See page 25. E Changing activity logging settings See page 25. F Changing registry settings See page 27. G Changing advanced settings See page 30. H Viewing statistics See page 31. I Changing code page settings See page 31. Viewing configuration settings The following procedure describes how to view the Lotus QuickPlace Adapter configuration settings. 1. At the Agent Main Configuration Menu, type A. The configuration settings for the Lotus QuickPlace Adapter are displayed. The following screen is an example of the Lotus QuickPlace Adapter configuration settings. Configuration Settings Name : QuickPlaceAgent Version : ADK Version : 4.67 ERM Version : 4.67 enrole Version : 4.0 License : NONE Asynchronous ADD Requests : FALSE (Max.Threads:3) Asynchronous MOD Requests : FALSE (Max.Threads:3) Asynchronous DEL Requests : FALSE (Max.Threads:3) Asynchronous SEA Requests : FALSE (Max.Threads:3) Available Protocols : DAML Configured Protocols : DAML Logging Enabled : TRUE Logging Directory : C:\Tivoli\Agents\QuickPlaceAgent\Log Log File Name : QuickPlaceAgent.log Max. log files : 3 Max.log file size (Mbytes) : 1 Debug Logging Enabled : TRUE Detail Logging Enabled : FALSE Thread Logging Enabled : FALSE Press any key to continue 2. Press any key to return to the Main Menu. Changing protocol configuration settings The Lotus QuickPlace Adapter uses the DAML protocol to communicate with the Tivoli Identity Manager Server. By default, when the adapter is installed, the DAML protocol is configured to be used in nonsecure mode. In order to configure a secure environment, you must configure the DAML protocol to use SSL and install a certificate. Refer to Installing the certificate on page 44 for more information about installing certificates. 16 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

31 In previous versions of this adapter, you could add and remove protocols. However, in the latest version of this adapter, the DAML protocol is the only supported protocol that you can use. Therefore, you will not need to add or remove a protocol. In order to configure the DAML protocol for the Lotus QuickPlace Adapter, complete the following steps: 1. At the Agent Main Configuration Menu, type B. The DAML protocol is configured and available by default for the Lotus QuickPlace Adapter. Agent Protocol Configuration Menu Available Protocols: DAML Configured Protocols: DAML A. Add Protocol. B. Remove Protocol. C. Configure Protocol. X. Done Select menu option 2. At the Agent Protocol Configuration Menu, type C. The DAML Protocol Properties Menu is displayed. 3. At the DAML Protocol Properties Menu, type C. The protocol properties for the configured protocol is displayed. The properties on your menu might be different from the ones shown in the examples. The following screen is an example of the DAML protocol properties: DAML Protocol Properties A. USERNAME ****** ;Authorized user name. B. PASSWORD ****** ;Authorized user password. C. MAX_CONNECTIONS 100 ;Max Connections. D. PORTNUMBER ;Protocol Server port number. E. USE_SSL FALSE ;Use SSL secure connection. F. SRV_NODENAME ;Event Notif. Server name. G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number. H. HOSTADDR ANY ;Listen on address < or "ANY" > I. VALIDATE_CLIENT_CE FALSE ;Require client certificate. J. REQUIRE_CERT_REG FALSE ;Require registered certificate. X. Done Select menu option: 4. Type the letter of the menu option for the protocol property that you want to configure. See Table 7 below for additional information about the properties that you can configure for the DAML protocol. Table 7. Options for the DAML protocol menu Option Configuration task A The following prompt is displayed: Modify Property USERNAME : Type a user ID. This value is the user ID that the Tivoli Identity Manager Server uses to connect to the adapter. The default user ID is agent. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 17

32 Table 7. Options for the DAML protocol menu (continued) Option Configuration task B The following prompt is displayed: Modify Property PASSWORD : Type a password. This value is the password for the user ID that the Tivoli Identity Manager Server uses to connect to the adapter. The default password is agent. C The following prompt is displayed: Modify Property MAX_CONNECTIONS : Enter the maximum number of concurrent open connections that the adapter supports. The default number is 100. D The following prompt is displayed: Modify Property PORTNUMBER : Type a different port number. This value is the port number that the Tivoli Identity Manager Server uses to connect to the adapter. The default port number is E The following prompt is displayed: Modify Property USE_SSL : Enter TRUE or FALSE to specify whether a secure SSL connection will be used to connect to or from the adapter. The default value is FALSE. You must install a certificate when USE_SSL is set to TRUE. For more information on certificate installation, see Installing the certificate on page 44. F The following prompt is displayed: Modify Property SRV_NODENAME : Type a server name or an IP address, for example, This value is the DNS name or IP address of the Tivoli Identity Manager Server that is used for event notification and asynchronous request processing. Note: If your platform supports Internet Protocol version 6 (IPv6) connections, you can specify an IPv6 server. G The following prompt is displayed: Modify Property SRV_PORTNUMBER : Type a different port number to access the Tivoli Identity Manager Server. This value is the port number that the adapter uses to connect to the Tivoli Identity Manager Server. The default port number for WebLogic is The default port number for WebSphere Application Server (WAS) is IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

33 Table 7. Options for the DAML protocol menu (continued) Option Configuration task H The HOSTADDR option is useful when the system where the adapter is running has more than one network adapter. The user can select which IP Address the adapter will listen to. The default value is ANY. I The following prompt is displayed: Modify Property VALIDATE_CLIENT_CE : Type TRUE to require the Tivoli Identity Manager Server to send a certificate when it communicates with the adapter. Type FALSE to allow the Tivoli Identity Manager Server to communicate with the adapter without a certificate. The default value is FALSE. Notes: 1. If you set this option to TRUE, you must configure options D through I. 2. The property name is actually VALIDATE_CLIENT_CERT. It is truncated by agentcfg to fit onto the screen. 3. You must use CertTool to install the appropriate CA certificates and optionally register the Tivoli Identity Manager Server certificate. For more information on using CertTool, see Managing SSL certificates using CertTool on page 41. J The following prompt is displayed: Modify Property REQUIRE_CERT_REG : This value only applies when option I is set to TRUE. Type TRUE to require the client certificate from the Tivoli Identity Manager Server to be registered with the adapter before it will accept an SSL connection. Type FALSE to require the client certificate only be verified against the list of CA certificates. The default value is FALSE. For more information on certificates, see Chapter 5, Configuring SSL authentication for the Lotus QuickPlace Adapter, on page 35. Configuring event notification 5. At the prompt, change the value, and press Enter. The Protocol Properties Menu is displayed with your new settings. If you do not want to change the value, just press Enter to return to the Protocol Properties Menu. 6. Repeat steps 4 and 5 to configure as many protocol properties as you need to. 7. At the Protocol Properties Menu, type X to exit the menu. Event notification is a feature of the Lotus QuickPlace Adapter that updates the Tivoli Identity Manager Server at set intervals. Event notification detects changes that are made on the managed resource and updates the Tivoli Identity Manager Server with the changes. You can enable event notification if you want to have updated information from the managed resource sent back to the Tivoli Identity Manager Server between full reconciliations. Event notification is not intended to replace reconciliations on the Tivoli Identity Manager Server. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 19

34 When event notification is enabled, a database of the reconciliation data is kept on the machine where the adapter is installed. The database is updated with the changes that are requested by the Tivoli Identity Manager Server and will remain synchronized with the server. You can specify an interval for the event notification process to compare the database to data that currently exists on the managed resource. When the interval has elapsed, any differences between the managed resource and the database are forwarded to the Tivoli Identity Manager Server and updated in the local snapshot database. There are several steps to enabling event notification. These steps assume that the adapter is communicating successfully with the managed resource and the Tivoli Identity Manager Server. First, you must configure the host name, port number, and login information for the Tivoli Identity Manager Server. In order to identify the server for the DAML protocol to use, complete the following steps: 1. At the Agent Protocol Configuration Menu, select Configure Protocol. For more information on configuring a protocol, see Changing protocol configuration settings on page Type the letter of the menu option for the SRV_NODENAME property. 3. Specify the IP address or server name that identifies the Tivoli Identity Manager Server, and press Enter. The Protocol Properties Menu is displayed with your new settings. 4. Type the letter of the menu option for the SRV_PORTNUMBER property. 5. Specify the port number that the adapter uses to connect to the Tivoli Identity Manager Server for event notification and press Enter. The Protocol Properties Menu is displayed with your new settings. The example menu shows all of the options displayed when Event Notification is enabled. If Event Notification is disabled, not all of the options are displayed. In order to set Event Notification for the Tivoli Identity Manager Server, complete the following steps: 1. At the Agent Main Configuration Menu, type C. The Event Notification Menu is displayed. Event Notification Menu * Reconciliation interval : 1 day(s) * Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s). * Configured Contexts : Jupiter, dd309 A. Enabled B. Time interval between reconciliations. C. Set Processing cache size. (currently: 50 Mbytes) D. Start event notification now. E. Set attributes to be reconciled. F. Reconciliation process priority. (current: 1) G. Add Event Notification Context. H. Modify Event Notification Context. I. Remove Event Notification Context. J. List Event Notification Contexts. X. Done Select menu option: Note: This menu shows all of the options that are displayed when Event Notification is enabled. If Event Notification is disabled, all of the options will not be displayed. 20 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

35 2. Type the letter of the menu option that you want to change. Option A must be enabled in order for the values of the other options to take effect. Press Enter to return to the Agent Event Notification Menu without changing the value. Table 8. Options for the event notification menu Option Configuration task A If this option is enabled, the adapter updates the Tivoli Identity Manager Server with changes to the adapter at regular intervals. When the option is set to: v Disabled, pressing the A key changes to enabled v Enabled, pressing the A key changes to disabled Type A to toggle between the options. B The following prompt is displayed: Enter new interval ([ww:dd:hh:mm:ss]) Type a different reconciliation interval. For example, [00:01:00:00:00] Note: This value is the interval to wait once event notification completes before it is run again. The event notification process is resource intensive, therefore this value must not be set to run too frequently. C The following prompt is displayed: Enter new cache size[50]: Type a different value to change the processing cache size. D If this option is selected, event notification is started. E The Event Notification Entry Types Menu is displayed. See Setting event notification triggers on page 22 for more information. F The following prompt is displayed: Enter new thread priority [1-10]: Type a different thread value to change the event notification process priority. Note: Setting the thread priority to a lower value reduces the impact that the event notification process has on the performance of the adapter. A lower value might also cause event notification to take longer. G The following prompt is displayed: Enter new context name: Type the new context name, and press Enter. The new context is added. H A menu listing the available contexts is displayed. See Modifying an event notification context on page 23 for more information. I The Remove Context Menu is displayed. Select the context to remove. The following prompt is then displayed: Delete context context1? [no]: Press Enter to exit without deleting the context, or type Yes and press Enter to delete the context. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 21

36 Table 8. Options for the event notification menu (continued) Option Configuration task J The Event Notification Contexts are displayed in the following format: Context Name : Context1 Target DN : erservicename=context1,o=ibm, ou=ibm,dc=com --- Attributes for search request --- {search attributes listed} If you changed the value for options B, C, E, or F, press Enter. The other options are automatically changed when you type the corresponding letter of the menu option. The Event Notification Menu is displayed with your new settings. Setting event notification triggers By default, all attributes are queried for value changes. Certain attributes that change frequently (for example, password age or last successful logon) must be omitted. 1. At the Event Notification Menu, type E. The Event Notification Entry Types Menu is displayed. Event Notification Entry Types A. USER B. GROUP X. Done Select menu option: The USER and GROUP types will not appear in the above menu until the following conditions have been met: a. Event notification has been enabled b. A context has been created and configured c. A full reconciliation has been run 2. Type A for a list of the attributes returned during a user reconciliation, or type B for attributes returned during a group reconciliation. The Event Notification Attribute Listing for the selected reconciliation type is displayed. The default setting lists all attributes that the adapter supports. The example below lists example attributes, and might differ from the list that is displayed on your machine. Event Notification Attribute Listing (A) **eraccountstatus (B) **erqpaccessibilitymod (C) **erqp address (D) **erqpfirstname (E) **erqplastname (F) **erqpotherinfo (G) **erqpphonenumber (H) **erqpplaceaccess (I) **erqpreceivenewssumma (J) **erqpsubscribetocalen (K) **erqpusertype (L) **eruid (p)rev page 1 of 1 (n)ext X. Done 3. Type the letter of the menu option for the attribute to exclude from an event notification. 22 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

37 Attributes that are marked with two asterisks (**) are returned during the event notification. Attributes that are not marked with asterisks are not returned during the event notification. Modifying an event notification context An event notification context corresponds to a service on the Tivoli Identity Manager Server. Some adapters support multiple services. One Lotus QuickPlace Adapter can have several Tivoli Identity Manager services, by specifying a different base point for each service. The base point for the Lotus QuickPlace Adapter is the point in the directory server that is used as the root for the adapter. This point can be an organizational unit (OU) or domain container (DC) base point. Because the base point is an optional value, if a value is not specified, the adapter uses the default domain of the machine on which it is installed. You can have multiple event notification contexts, but you must have at least one adapter. In the example screen below, note that Context1, Context2, and Context3 are three different contexts, all having a different base point. In order to modify an event notification context, complete the following steps: 1. At the Event Notification Menu, type H. The Modify Context Menu is displayed. Modify Context Menu A. Context1 B. Context2 C. Context3 X. Done Select menu option: 2. Type the letter of the menu option that you want to modify. The Modify Context Menu for the selected context is displayed. A. Set attributes for search B. Target DN: C. Delete Baseline Database X. Done Select menu option: Table 9. Options for the modify context menu Option Configuration task For more information A Adding search attributes for event notification See page 23. B Configuring the target DN for event notification contexts C Removing the baseline database for event notification contexts See page 24. See page 25. Adding search attributes for event notification For some adapters, you might need to specify an attribute-value pair for one or more contexts. These attribute-value pairs, which are defined by completing the steps below, serve multiple purposes: v When multiple services are supported by a single adapter, each service needs to specify one or more attributes to differentiate it from the other services. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 23

38 v The search attributes are passed to the event notification process, once the event notification interval has occurred or is started manually. For each context, a full search request is sent to the adapter. Additionally, the attributes specified for that context are passed to the adapter. v When the Tivoli Identity Manager Server initiates a reconciliation process, the adapter replaces the local database that represents this service with the new database. In order to add search attributes, complete the following steps: 1. At the Modify Context Menu for the context, type A. The Reconciliation Attribute Passed to Agent Menu is displayed. Reconciliation Attributes Passed to Agent for Context: Context A. Add new attribute B. Modify attribute value C. Remove attribute X. Done Select menu option: The Lotus QuickPlace Adapter does not have any attributes that need to be specified for Event Notification. 2. Type the letter of the menu option that you want to change. The supported attribute names will be displayed with two asterisks (**) in front of each name. When you type the letter of an attribute, it will toggle the asterisks on and off. Attributes without asterisks will not be updated during an event notification. The Reconciliation Attributes Passed to Agent Menu is displayed with the changes displayed. Configuring the target DN for event notification contexts The target DN field holds the unique name of the service that receives event notification updates. In order to configure the target DN, complete the following steps: 1. At the Modify Context Menu for the context, type B. 2. At the Enter Target DN prompt, type the target DN for the context, and press Enter. The target DN for the event notification context must be in the following format: erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix Each element of the DN is defined as follows: Table 10. DN elements and definitions Element Definition erservicename Specifies the name of the target service o Specifies the name of the organization ou Specifies the name of the tenant in which the organization is in rootsuffix Specifies the root of the directory tree The Modify Context Menu is displayed with the new target DN listed. 24 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

39 Removing the baseline database for event notification contexts This option is only available once a context is created and a reconciliation is run on the context to create a Baseline Database file. At the Modify Context Menu for the context, type C. The Modify Context Menu is displayed with the Delete Baseline Database option removed. Changing the configuration key You use the configuration key as a password to access the configuration tool for the adapter. In order to change the Lotus QuickPlace Adapter configuration key, complete the following steps: 1. At the Main Menu prompt, type D. 2. Change the value of the configuration key, and press Enter. Press Enter to return to the Main Configuration Menu without changing the configuration key. The default configuration key is agent. Make sure that you choose passwords that cannot be easily guessed. The following message is displayed: Configuration key successfully changed. Changing activity logging settings The configuration program exits, and the Main Menu prompt is displayed. When you enable logging, Lotus QuickPlace Adapter maintains a dated log file of all transactions, QuickPlaceAgent.log. By default, the log file is in the \log directory. In order to change the Lotus QuickPlace Adapter activity logging settings, complete the following steps: 1. At the Main Menu prompt, type E. The Agent Activity Logging Menu is displayed. The following example shows the default activity logging settings. Agent Activity Logging Menu A. Activity Logging (Enabled). B. Logging Directory (current: C:\Tivoli\Agents\QuickPlaceAgent\Log). C. Activity Log File Name (current: QuickPlaceAgent.log). D. Activity Logging Max. File Size ( 1 mbytes) E. Activity Logging Max. Files ( 3 ) F. Debug Logging (Enabled). G. Detail Logging (Disabled). H. Base Logging (Disabled). I. Thread Logging (Disabled). X. Done Select menu option: 2. Type the letter of the Activity Logging Menu option that you want to change. Option A must be enabled in order for the values of the other options to take effect. Press Enter to return to the Agent Activity Logging Menu without changing the value. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 25

40 Table 11. Options for the activity logging menu Option Configuration task A Set this option to enabled to have the adapter maintain a dated log file of all transactions. When the option is set to: v Disabled, pressing the A key changes to enabled v Enabled, pressing the A key changes to disabled Type A to toggle between the options. B The following prompt is displayed: Enter log file directory: Type a different value for the logging directory, for example, C:\Log. When the logging option is enabled, details about each access request are stored in the logging file that is in this directory. C The following prompt is displayed: Enter log file name: Type a different value for the log file name. When the logging option is enabled, details about each access request are stored in the logging file. D The following prompt is displayed: Enter maximum size of log files (mbytes): Type a new value, for example, 10. The oldest data is archived when the log file reaches the maximum file size. File size is measured in megabytes. It is possible for the activity log file size to exceed disk capacity. E The following prompt is displayed: Enter maximum number of log files to retain: Type a new value up to 100, for example, 5. The adapter automatically deletes the oldest activity logs beyond the specified limit. F If this option is set to enabled, the adapter includes the debug statements in the log file of all transactions. When the option is set to: v Disabled, pressing the F key changes the value to enabled v Enabled, pressing the F key changes the value to disabled Type F to toggle between the options. G If this option is set to enabled, the adapter maintains a detailed log file of all transactions. The detail logging option must be used for diagnostic purposes only. Detailed logging enables more messages from the adapter and might increase the size of the logs. When the option is set to: v Disabled, pressing the G key changes the value to enabled v Enabled, pressing the G key changes the value to disabled Type G to toggle between the options. 26 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

41 Table 11. Options for the activity logging menu (continued) Option Configuration task H If this option is set to enabled, the adapter maintains a log file of all transactions in the Adapter Development Kit (ADK) and library files. Base logging will substantially increase the size of the logs. When the option is set to: v Disabled, pressing the H key changes the value to enabled v Enabled, pressing the H key changes the value to disabled Type H to toggle between the options. I If this option is enabled, the log file will contain thread IDs, in addition to a date and timestamp on every line of the file. When the option is set to: v Disabled, pressing the I key changes the value to enabled v Enabled, pressing the I key changes the value to disabled Type I to toggle between the options. Changing registry settings 3. Press Enter if you changed the value for option B, C, D, or E. The other options are changed automatically when you type the corresponding letter of the menu option. The Agent Activity Logging Menu is displayed with your new settings. In order to change the Lotus QuickPlace Adapter registry settings, complete the following steps: 1. At the Main Menu prompt, type F. The Registry Menu is displayed. QuickPlaceAgent Agent Registry Menu A. Modify Non-encrypted registry settings. B. Modify encrypted registry settings. C. Multi-instance settings. X. Done Select menu option: 2. See the following procedures on modifying registry settings. Modifying non-encrypted registry settings In order to modify the non-encrypted registry settings, complete the following steps: 1. At the Agent Registry Menu, type A. The Non-encrypted Registry settings menu is displayed. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 27

42 Agent Registry Items Domino Directory C: \Lotus\Domino 02. ENROLE_VERSION External Directory NONE 04. QuickPlace Server '' 05. Server ID Location C: \Lotus\Domino\data\server.id' Page 1 of 1 A. Add new attribute B. Modify attribute value C. Remove attribute 2. Type the letter of the menu option for the action that you want to perform on an attribute. Table 12. Attribute configuration option descriptions Option Configuration task A Add new attribute B Modify attribute value C Remove attribute 3. Type the registry item name, and press Enter. See Table 13 for a description of each registry key. 4. If you selected option A or B, type the registry item value and press Enter. The Non-encrypted Registry Settings Menu displays your new setting(s). Table 13 describes the registry keys and their available settings: Table 13. Registry key descriptions Key Description ENROLE_VERSION Specifies the version of the adapter. External directory Specifies the name of the external directory to which the QuickPlace Server is configured as the user directory. The possible values are NONE, DOMINO, and LDAP. Domino directory Specifies the path for the Lotus Domino Server. For example, C:\Lotus\Domino QuickPlace Server Specifies the name of the server on which the QuickPlace Server is installed. For example, CN=arni/O=IBM Server ID location Specifies the location of the server ID file. The adapter uses this file to access the QuickPlace Server. For example, C:\Lotus\Domino\data\server.id Server ID Password Specifies the password for the server ID used by the Lotus QuickPlace Adapter to connect to the QuickPlace Server. This is an encrypted password, therefore the value of the password is in ADK encrypted format. 28 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

43 Table 13. Registry key descriptions (continued) Key Description Domino Address Book Specifies the name of the Lotus Domino Server address book used by the adapter if the name used is not names.nsf. The default value for the address book is names.nsf. LDAP Server Specifies the name of the LDAP Server configured to use the Lotus QuickPlace Adapter. For example, hostname LDAP Port Specifies the port for the LDAP Server. For example, 389 LDAP User ID Specifies the user ID when anonymous bind does not have access to the search function. For example, cn=directory manager LDAP Password Specifies the password for the user ID. This is an encrypted password, therefore the value of the password is in ADK encrypted format. Optional update upon reconciliation Specifies whether or not to synchronize user information from the external directory with the user information on the QuickPlace Server. If this value is set to TRUE, the adapter synchronizes the user information. If the value is set to FALSE, the user information is not synchronized. Modifying encrypted registry settings In order to modify the encrypted registry settings, complete the following steps: 1. At the Agent Registry Menu, type B. The Encrypted Registry Settings Menu is displayed. Agent Encrypted Registry Items Server ID Password ***** Page 1 of 1 A. Add new attribute B. Modify attribute value C. Remove attribute X. Done Select menu option: 2. Type the letter of the menu option for the action that you want to perform on an attribute. Table 14. Attribute configuration option descriptions Option Configuration task A Add new attribute B Modify attribute value C Remove attribute 3. Type the registry item name, and press Enter. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 29

44 Changing advanced settings 4. If you selected option A or B, type the registry item value and press Enter. The Encrypted Registry Settings Menu displays your new settings. You can change the Lotus QuickPlace Adapter thread count settings for the following types of requests: v System Login Add v System Login Change v System Login Delete v Reconciliation These settings determine the maximum number of requests that the Lotus QuickPlace Adapter processes concurrently. In order to change these settings, complete the following steps: 1. At the Main Menu prompt, type G. The Advanced Settings Menu is displayed. The following example shows the default thread count settings. QuickPlaceAgent Advanced Settings Menu A. Single Thread Agent (current:true) B. ADD max. thread count. (current:3) C. MODIFY max. thread count. (current:3) D. DELETE max. thread count. (current:3) E. SEARCH max. thread count. (current:3) F. Allow User EXEC procedures (current:false) G. Archive Request Packets (current:false) H. UTF8 Conversion support (current:true) I. Pass search filter to agent (current:false) J. Thread Priority Level (1-10) (current:4) X. Done Select menu option: 2. Type the letter of the menu option of the advanced setting that you want to change. For a description of each option, see Table 15. Table 15. Options for the advanced settings menu Option Description A Forces the adapter to allow only one request at a time. The default value is TRUE. B Controls how many simultaneous ADD requests can run at one time. The default value is 3. C Controls how many simultaneous MODIFY requests can run at one time. The default value is 3. D Controls how many simultaneous DELETE requests can run at one time. The default value is 3. E Controls how many simultaneous SEARCH requests can run at one time. The default value is 3. F Determines whether the adapter allows pre- and post-exec functions. Enabling this option is a potential security risk. The default value is FALSE. 30 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

45 Table 15. Options for the advanced settings menu (continued) Option Description G This option is no longer supported. H This option is no longer supported. I Currently, this adapter does not support processing filters directly. This option must always be FALSE. J Sets the thread priority level for the adapter. The default value is Change the value, and press Enter. The Advanced Settings Menu is displayed with your new settings. Viewing statistics In order to view an event log for the Lotus QuickPlace Adapter, complete the following steps: 1. At the Main Menu prompt, type H. The activity history for the adapter is displayed. QuickPlaceAgent Agent Request Statistics Date Add Mod Del Ssp Res Rec /15/ X. Done Changing code page settings 2. Type X to return to the Main Configuration Menu. In order to list the supported code page information for the Lotus QuickPlace Adapter, the adapter must be running. Run the following command to view the code page information: agentcfg -agent [adapter_name] -codepages In order to change the code page settings for the Lotus QuickPlace Adapter, complete the following steps: 1. At the Main Menu prompt, type I. The Code Page Support Menu for the adapter is displayed. Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 31

46 QuickPlaceAgent Codepage Support Menu * Configured codepage: US-ASCII * ******************************************* * Restart Agent After Configuring Codepages ******************************************* A. Codepage Configure. X. Done Select menu option: 2. Type A to configure a code page. Note: The QuickPlaceAgent code page uses unicode, therefore this option is not applicable. 3. Type X to return to the Main Configuration Menu. Accessing help and additional options In order to access the agentcfg help menu and use the help arguments, complete the following steps: 1. At the Main Menu prompt, type X. The command prompt is displayed, and you are in the \bin directory. 2. Type agentcfg -help at the prompt to view the help menu. The following list of possible commands is displayed: -version ; Show version -hostname < value> ; Target nodename to connect to (Default:Local host IP address) -findall ; Find all agents on target node -list ; List available agents on target node -agent <value> ; Name of agent -tail ; Display agent s activity log -schema ; Display agent s attribute schema -portnumber <value>; Specified agent s TCP/IP port number -netsearch <value> ; Lookup agents hosted on specified subnet -confidencetest ; Confidence test -setup ; Confidence test setup -help ; Display this help screen Table 16 describes each argument. Table 16. Arguments and descriptions for the agentcfg help command Argument Description -version Use this argument to display the version of the agentcfg tool. -hostname <value> Use the -hostname argument with any of the following arguments to specify a different host: v v v v -findall -list -tail -agent Enter a host name or IP address as the value. 32 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

47 Table 16. Arguments and descriptions for the agentcfg help command (continued) Argument Description -findall Use this argument to search and display all port addresses between and and their assigned adapter names. This option will timeout on unused port numbers, so it might take several minutes to complete. Add the -hostname argument to search a remote host. -list Use this argument to display the adapters that are installed on the local host of the Lotus QuickPlace Adapter. By default, the first time you install an adapter, it is either assigned to port address or to the next available port number. All subsequently installed adapters are then assigned to the next available port address. Once an unused port is found, the listing stops. Use the -hostname argument to search a remote host. -agent <value> Use this argument to specify the adapter that you want to configure. Enter an adapter name as the value. Use this argument with the -hostname argument to modify the configuration setting from a remote host. You can also use this argument with the -tail argument. -tail Use this argument with the -agent argument to display the activity log for an adapter. Add the -hostname argument to display the log file for an adapter on a different host. -schema This option is no longer supported. -portnumber <value> Use this argument with the -agent argument to specify the port number that is used for connections for the agentcfg tool. -netsearch <value> Use this argument with the -findall argument to display all active adapters on the system. You must specify a subnet address as the value. -confidencetest Use this argument to run a test to add, modify, search, and delete a request to the adapter. The confidence test allows you to test the connection between the adapter and the Lotus Domino Server. This allows you to verify that the adapter can connect to Lotus Domino Server without the Tivoli Identity Manager Server. -setup Use this argument, along with the confidence argument, to configure the confidence test. -help Use this argument to display the Help information for the agentcfg command. -codepages Use this argument to display a list of available codepages. 3. Type agentcfg and one or more of the supported arguments at the prompt. You must type agentcfg before every argument to run the adapter configuration tool. Type agentcfg -list to list all of the adapters on the local host IP address. Note that the port address for the Tivoli Identity Manager Server is The output is similar to the following output: Agent(s) installed on node QuickPlaceAgent (44970) Chapter 4. Configuring the Lotus QuickPlace Adapter for IBM Tivoli Identity Manager 33

48 Type agentcfg -agent QuickPlaceAgent to display the Main Menu of the agentcfg tool, which is used to view or modify the Lotus QuickPlace Adapter parameters. Type agentcfg -list -hostname to list the adapters on a host whose IP address is The output is similar to the following output: Agent(s) installed on node QuickPlaceAgent (44970) Type agentcfg -agent QuickPlaceAgent -hostname to display the Main Menu of the agentcfg tool for a host whose IP address is Use the menu options to view or modify the Lotus QuickPlace Adapter parameters. 34 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

49 Chapter 5. Configuring SSL authentication for the Lotus QuickPlace Adapter In order to establish a secure connection between a Tivoli Identity Manager adapter and the Tivoli Identity Manager Server, you must configure the adapter and the server to use the Secure Sockets Layer (SSL) authentication with the default communication protocol, DAML. By configuring the adapter for SSL, you ensure that the Tivoli Identity Manager Server verifies the identity of the adapter before a secure connection is established. You can configure SSL authentication for connections that originate from the Tivoli Identity Manager Server or from the adapter. Typically, the Tivoli Identity Manager Server initiates a connection to the adapter in order to set or retrieve the value of a managed attribute on the adapter. However, depending on the security requirements of your environment, you might need to configure SSL authentication for connections that originate from the adapter. For example, if the adapter uses events to notify the Tivoli Identity Manager Server of changes to attributes on the adapter, you can configure SSL authentication for Web connections that originate from the adapter to the Web server used by the Tivoli Identity Manager Server. In a production environment, you need to enable SSL security; however, for testing purposes you might want to disable SSL. If an external application that communicates with the adapter (such as the Tivoli Identity Manager Server) is set to use server authentication, you must enable SSL on the adapter to verify the certificate that the application presents. This chapter presents an overview of SSL authentication, certificates, and how to enable SSL authentication using the CertTool utility. Overview of SSL and digital certificates When you deploy Tivoli Identity Manager in an enterprise network, you must secure communication between the Tivoli Identity Manager Server and the software products and components with which the server communicates. The industry-standard SSL protocol, which uses signed digital certificates from a certificate authority (CA) for authentication, is used to secure communication in a Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the data exchanged between the applications. Encryption makes data transmitted over the network intelligible only to the intended recipient. Signed digital certificates enable two applications connecting in a network to authenticate each other s identity. An application acting as an SSL server presents its credentials in a signed digital certificate to verify to an SSL client that it is the entity it claims to be. An application acting as an SSL server can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as those provided by OpenSSL, can also issue signed certificates. A certificate-authority certificate (CA certificate) must be installed to verify the origin of a signed digital certificate. When an application receives another application s signed certificate, it uses a CA certificate to verify the originator of Copyright IBM Corp

50 the certificate. A certificate authority can be well-known and widely used by other organizations, or it can be local to a specific region or company. Many applications, such as Web browsers, are configured with the CA certificates of well known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network. Private keys, public keys, and digital certificates Keys, digital certificates, and trusted certificate authorities are used to establish and verify the identities of applications. SSL uses public key encryption technology for authentication. In public key encryption, a public key and a private key are generated for an application. Data encrypted with the public key can only be decrypted using the corresponding private key. Similarly, the data encrypted with the private key can only be decrypted using the corresponding public key. The private key is password-protected in a key database file so that only the owner can access the private key to decrypt messages that are encrypted using the corresponding public key. A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. In order to ensure maximum security, a certificate is issued by a third-party certificate authority. A certificate contains the following information to verify the identity of an entity: Organizational information Public This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility. key The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text. Certificate authority s distinguished name The issuer of the certificate identifies itself with this information. Digital Self-signed signature The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding CA certificate to verify that the certificate originated from a trusted certificate authority. Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the CA certificate used to verify it has expired, or because the distinguished name in the digital certificate of the server does not match the distinguished name specified by the client. certificates You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner s signature. It has an associated private key, but it does not verify the origin of the certificate through a third-party certificate authority. Once you 36 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide

51 generate a self-signed certificate on an SSL server application, you must extract it and add it to the certificate registry of the SSL client application. This procedure is the equivalent of installing a CA certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a CA certificate. Use a key management utility to generate a self-signed certificate and a private key, to extract a self-signed certificate, and to add a self-signed certificate. Where and how you choose to use self-signed certificates depends on your security requirements. In order to achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively. For example, you can choose to authenticate applications that protect server data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or Tivoli Identity Manager adapters. If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and CA certificate pair. Certificate and key formats Certificates and keys are stored in files with the following formats:.pem format A privacy-enhanced mail (.pem ) format file begins and ends with the following lines:.arm.der -----BEGIN CERTIFICATE END CERTIFICATE----- The use of SSL authentication A.pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates. format An.arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An.arm file format is generated and used by the IBM Key Management utility. format A.der file contains binary data. A.der file can only be used for a single certificate, unlike a.pem file, which can contain multiple certificates..pfx format (PKCS12) A PKCS12 file is a portable file that contains a certificate and a corresponding private key. This format is useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file to another machine using the CertTool utility. When you start the adapter, the available connection protocols are loaded. The DAML protocol is the only available protocol that supports the use of SSL authentication. You can specify to use the DAML SSL implementation. The DAML SSL implementation uses a certificate registry to store private keys and certificates. The location of the certificate registry is managed internally by the Chapter 5. Configuring SSL authentication for the Lotus QuickPlace Adapter 37

52 CertTool key and certificate management tool; therefore, you do not specify the location of the registry when you perform certificate management tasks. For more information on the DAML protocol, see Changing protocol configuration settings on page 16. Configuring certificates for SSL authentication Use the following procedures to configure the adapter for one-way or two-way SSL authentication using signed certificates. In order to perform these procedures, use the CertTool utility. Configuring certificates for one-way SSL authentication In this scenario, the Tivoli Identity Manager Server and the Tivoli Identity Manager adapter are set to use SSL. Client authentication is not set on either application. The Tivoli Identity Manager Server operates as the SSL client and initiates the connection. The adapter operates as the SSL server and responds by sending its signed certificate to the Tivoli Identity Manager Server. The Tivoli Identity Manager Server uses the CA certificate that is installed to validate the certificate sent by the adapter. In Figure 6, Application A operates as the Tivoli Identity Manager Server, and Application B operates as the Tivoli Identity Manager adapter. Tivoli Identity Manager Server (SSL client) 1 Hello Tivoli Identity Manager adapter (SSL server) C Keystore CA Certificate A Verify Send Certificate B Certificate A Figure 6. One-way SSL authentication (server authentication) In order to configure one-way SSL, perform the following tasks for each application: 1. On the adapter, complete these steps: a. Start the CertTool utility. b. In order to configure the SSL-server application with a signed certificate issued by a certificate authority: 1) Create a certificate signing request (CSR) and private key. This step creates the certificate with an embedded public key and a separate private key and places the private key in the PENDING_KEY registry value. 2) Submit the CSR to the certificate authority using the instructions supplied by the CA. When you submit the CSR, specify that you want the root CA certificate returned with the server certificate. 2. On the Tivoli Identity Manager Server, complete one of these steps: 38 IBM Tivoli Identity Manager: Lotus QuickPlace Adapter Installation and Configuration Guide