RSA Authentication Manager Adapter User Guide

Transcription

1 IBM Security Identity Manager Version 6.0 RSA Authentication Manager Adapter User Guide SC

2

3 IBM Security Identity Manager Version 6.0 RSA Authentication Manager Adapter User Guide SC

4 Note Before using this information and the product it supports, read the information in Notices on page 35. Edition notice Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright IBM Corporation 2012, US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Figures v Tables vii Preface ix About this publication ix Access to publications and terminology..... ix Accessibility x Technical training x Support information x Statement of Good Security Practices x Chapter 1. Introduction to the RSA Authentication Manager Adapter Adapter features Chapter 2. Checklist for configuring IBM Security Identity Manager to run the adapter Chapter 3. User account management tasks Adapter operations prerequisites User account reconciliation Reconciling a single user account Reconciling support data Service form parameter for reconciling user accounts and support data User accounts Attributes for adding user accounts Force Password Change and Certificate DN attribute specification User account life span determination Support data attributes specification User token assignment User administrative role assignment User group assignment User account modifications Token attribute modification Token unassignment Administrative role unassignment User group unassignment User account password modification User account suspension User account restoration User account deletion Chapter 4. RSA Authentication Manager Adapter error troubleshooting Techniques for troubleshooting problems RSA Authentication Manager Adapter errors Appendix A. RSA Authentication Manager Adapter attributes RSA Authentication Manager account form attributes RSA Authentication Manager hidden attributes.. 24 Appendix B. Definitions for ITDI_HOME and ISIM_HOME directories Appendix C. Support information Searching knowledge bases Obtaining a product fix Contacting IBM Support Appendix D. Accessibility features for IBM Security Identity Manager Notices Index Copyright IBM Corp. 2012, 2014 iii

6 iv IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

7 Figures Copyright IBM Corp. 2012, 2014 v

8 vi IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

9 Tables 1. Required attributes for adding user accounts 7 2. Optional attributes for adding user accounts 8 3. Token attributes for adding user accounts 9 4. Adapter error messages, warnings, and corrective actions Attributes on the RSA Authentication Manager account form on IBM Security Identity Manager, their corresponding names on the Tivoli Directory Server, and the RSA Authentication Manager Hidden attributes on the RSA Authentication Manager account form on IBM Security Identity Manager, their corresponding names on the Tivoli Directory Server, and the RSA Authentication Manager server Copyright IBM Corp. 2012, 2014 vii

10 viii IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

11 Preface About this publication The RSA Authentication Manager Adapter User Guide provides information that you can use to manage user accounts on the RSA Authentication Manager server with the IBM Security Identity Manager. IBM Security Identity Manager was previously known as Tivoli Identity Manager. The information describes user account management tasks, such as reconciliation, add, modify, suspend, restore, delete, and password change. Access to publications and terminology This section provides: v A list of publications in the IBM Security Identity Manager library. v Links to Online publications. v A link to the IBM Terminology website. IBM Security Identity Manager library For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library ( Online publications IBM posts product publications when the product is released and when the publications are updated at the following locations: IBM Security Identity Manager library The product documentation site ( knowledgecenter/ssrmwj/welcome) displays the welcome page and navigation for the library. IBM Security Systems Documentation Central IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product. IBM Publications Center The IBM Publications Center site ( linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need. IBM Terminology website The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at software/globalization/terminology. Copyright IBM Corp. 2012, 2014 ix

12 Accessibility Technical training Support information Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. For technical training information, see the following IBM Education website at IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at Appendix C, Support information, on page 29 provides details about: v What information to collect before contacting IBM Support. v The various methods for contacting IBM Support. v How to use IBM Support Assistant. v Instructions and problem-determination resources to isolate and fix the problem yourself. Note: The Community and Support tab on the product information center can provide additional support resources. Statement of Good Security Practices IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. x IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

13 Chapter 1. Introduction to the RSA Authentication Manager Adapter Adapter features The RSA Authentication Manager Adapter provides connectivity between IBM Security Identity Manager and the RSA Authentication Manager. The adapter runs as a service, independently of whether you are logged on to IBM Security Identity Manager. The RSA Authentication Manager Adapter automates the following user account management tasks: v Adding RSA Authentication Manager user accounts v Modifying attributes of RSA Authentication Manager server user accounts v Changing passwords of RSA Authentication Manager server user accounts v Suspending and restoring RSA Authentication Manager server user accounts v Retrieving user accounts from the RSA Authentication Manager server v Deleting user accounts from the RSA Authentication Manager server The RSA Authentication Manager Adapter contains Tivoli Directory Integrator assembly lines that serve one or more user account operations. When the first request is sent from IBM Security Identity Manager, the required assembly line is loaded into Tivoli Directory Integrator. The same assembly line is then cached to serve subsequent operations of the same type. Note: The reconciliation and test assembly lines are not cached. The adapter helps automate the user account reconciliation, support data reconciliation, token assignment, token enablement tasks. v Reconciling user accounts and other support data from the RSA Authentication Manager server to the directory server of IBM Security Identity Manager. For example: Security domains Identity sources User groups Administrative role Tokens of the specified realm v Reconciling of a single user account v Managing accounts on the RSA Authentication Manager server through IBM Security Identity Manager. These tasks include: Add Modify Change password Suspend Restore Delete Copyright IBM Corp. 2012,

14 v v v Assigning tokens, roles, and groups to users on the RSA Authentication Manager server by using IBM Security Identity Manager Enabling and disabling tokens that are assigned to users on the RSA Authentication Manager server by using IBM Security Identity Manager Clearing SecurID PINs of tokens that are assigned to user accounts 2 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

15 Chapter 2. Checklist for configuring IBM Security Identity Manager to run the adapter Use this checklist to configure IBM Security Identity Manager to run the adapter. The following table provides an overview of the process for configuring IBM Security Identity Manager. Task Install the RSA Authentication Manager Adapter Import the adapter profile into IBM Security Identity Manager Create a service for the RSA Authentication Manager Adapter Configure the RSA Authentication Manager Adapter Perform a reconciliation operation to retrieve user accounts and store them in the IBM Security Identity Manager server Adopt orphan accounts on IBM Security Identity Manager For information, see the section in the following documentation: Installing the RSA Authentication Manager Adapter in the RSA Authentication Manager Adapter Installation and Configuration Guide Importing the adapter profile into the IBM Security Identity Manager Server in the RSA Authentication Manager Adapter Installation and Configuration Guide Creating the service in the RSA Authentication Manager Adapter Installation and Configuration Guide Note: After you create a RSA Authentication Manager Adapter service, the IBM Security Identity Manager server creates a default provisioning policy for the adapter service. You can customize a provisioning policy for the RSA Authentication Manager Adapter service according to your organizational requirements. For more information, see the section about customizing a provisioning policy in the IBM Security Identity Manager product documentation. Configuring the RSA Authentication Manager Adapter in the RSA Authentication Manager Adapter Installation and Configuration Guide Managing reconciliation schedules in the IBM Security Identity Manager product documentation Assigning an orphan account to a user in the IBM Security Identity Manager product documentation Copyright IBM Corp. 2012,

16 4 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

17 Chapter 3. User account management tasks IBM Security Identity Manager uses the RSA Authentication Manager Adapter to manage user accounts that are stored on the RSA Authentication Manager server. You can do the following tasks, such as: reconciliation, add, modify, change passwords, suspend, restore, and delete to manage your accounts. You can manage: v Accounts for a specific person v Accounts for a service instance v Specific accounts by using the search function of IBM Security Identity Manager. Adapter operations prerequisites User account reconciliation Before using the adapter to perform any operations, ensure that you complete the configuration tasks to run the adapter, then run the Remote Method Invocation (RMI) Dispatcher. 1. Perform the steps in Chapter 2, Checklist for configuring IBM Security Identity Manager to run the adapter, on page Use one of the following methods to run the Remote Method Invocation (RMI) Dispatcher: v Windows services in service mode a. In the Windows control panel, double-click Administrative Tools. b. Double-click Services. c. Right-click the IBM Tivoli Directory Integrator, and click Start. v Windows command prompt in console mode a. Go to the ITDI_HOME directory and set the TDI_SOLDIR environment variable to the Tivoli Directory Integrator adapter solution directory. For example, set TDI_SOLDIR="c:\Program Files\IBM\TDI\V7.0\timsol" b. Run the following command from the ITDI_HOME directory: v ibmdisrv.bat -s timsol -c ITIM_RMI.xml -d UNIX command prompt in console mode a. Log on to the UNIX command prompt. b. Run the following command: /etc/init.d/itimad start The reconciliation operation retrieves the user account information from the RSA Authentication Manager server and stores it in the directory server of IBM Security Identity Manager. You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its schedule time does not cancel the scheduled reconciliation. For more information about scheduling reconciliation and running a scheduled reconciliation, see the IBM Security Identity Manager product documentation. Copyright IBM Corp. 2012,

18 You can also perform the following reconciliation tasks at any time from IBM Security Identity Manager: v Reconciling support data v Reconciling a single user account Reconciling a single user account Reconciling a single user account means performing a filter reconciliation for a specific user account by using IBM Security Identity Manager. About this task For example, you can choose to reconcile a single user account from the RSA Authentication Manager server. For more information about each of these attributes, see the RSA Authentication Manager documentation. To reconcile a single user account from the RSA Authentication Manager server without reconciling all the user accounts: Procedure 1. Log on to IBM Security Identity Manager as an administrator. 2. In the My Work pane, click Manage Services. The Manage Services page is displayed. 3. Select the type of service from the Service type list and click Search. 4. Select the name of the service that you created for the RSA Authentication Manager Adapter. 5. Click the arrow icon to view the View popup menu and select Reconcile Now. The Reconcile Now page is displayed. 6. Click Define query. 7. In the Reconcile accounts that match this filter field type: (eruid=userid) where, UserID is the name of the user account that you want to reconcile. 8. Click Submit. Reconciling support data In addition to reconciling user accounts, the RSA Authentication Manager Adapter also reconciles support data to IBM Security Identity Manager. About this task Support data for an RSA Authentication Manager server user account includes the following information: v Security domains v Identity sources v User groups v Admin roles v Tokens 6 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

19 User accounts For more information about each of these attributes, see the RSA Authentication Manager documentation. To reconcile only the support data, without reconciling the user accounts: Procedure 1. Log on to IBM Security Identity Manager as an administrator. 2. In the My Work pane, click Manage Services. The Manage Services page is displayed. 3. Select the type of service from the Service type list and click Search. 4. Select the name of the service that you created for the RSA Authentication Manager Adapter. 5. Click the arrow icon to view the pop-up menu and select Reconcile Now. The Reconcile Now page is displayed. 6. Click Define query. 7. Select the Reconcile supporting data only check box and click Submit. Service form parameter for reconciling user accounts and support data You can specify the Recon limit attribute on the service form. This parameter limits the number of user accounts and support data that you want to reconcile from the RSA Authentication Manager server. This value is used for only RSA Authentication Manager v7.1 SP2 and earlier versions. Later versions of the server ignore this value and return all user accounts, groups, and roles for each identity source. You can add user accounts at any time for either an existing person, or a new person in the organization. This section describes the adapter attributes that define the accounts on the account form. For specific procedures, see the IBM Security Identity Manager product documentation. Appendix A, RSA Authentication Manager Adapter attributes, on page 23 maps the attributes on the account form to the attributes in the RSA Authentication Manager server. For more detailed information about any of the attributes, see the RSA Authentication Manager documentation. Attributes for adding user accounts To add user accounts to the RSA Authentication Manager server, specify the user ID, last name, security domain, and Identity Source attributes on the RSA Authentication Manager account form. Table 1. Required attributes for adding user accounts Attribute User ID Last Name Description User ID of the account. The permissible character limit for this attribute is 240. Surname of the account holder Chapter 3. User account management tasks 7

20 Table 1. Required attributes for adding user accounts (continued) Attribute Description Security Domain Security domain name to which the user belongs Identity Source Directory server name that stores the user account data Note: When you add a user from IBM Security Identity Manager, the adapter creates a Global Unique Identifier (GUID) for the user on the RSA Authentication Manager server. In addition to the required attributes, you can also specify the other optional attributes on the RSA Authentication Manager account form. If you specify group or role attributes, you must reconcile support data before you create the account. Table 2. Optional attributes for adding user accounts Attribute Description First Name Given name of the account holder Middle Name Middle name of the account holder Certificate DN Distinguished name of the subject in a certificate that is issued to the user for authentication Notes Description of the user account address of the account holder Account Start Date Date and time at which the account becomes active or available on the RSA Authentication Manager server. If no start date is specified, the account start date is the current date and time. Account Expire Date Date and time at which the account becomes inactive or unavailable on the RSA Authentication Manager server. If no expire date is specified, the account is active indefinitely from the start date. The account is inactive if the start date is the same or later than the expire date. Force Password Change Forces the user to change the password at the next logon to the RSA Authentication Manager server. This attribute might be used when a default password that must be changed is assigned, when the user starts to use the RSA Authentication Manager account. User Group Groups of which the user is a member. Groups help define the RSA Authentication Manager resources that the user can access. Select zero or more groups. Admin Roles Administrative roles that are assigned to the user. Roles define the privileges for the user and thersa Authentication Manager resources that the user can access. Select zero or more roles. 8 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

21 The following attributes can be specified on the Token tabs of the RSA Authentication Manager account form. If you are going to specify token attributes, you must reconcile the support data before you create the account. Table 3. Token attributes for adding user accounts Attribute Description Assign Token Identifier for an authentication token to assign to the user. Select an unassigned token or clear the field to unassign an existing token before you reassign it. Security Domain The security domain to which the token is assigned Token Notes Description of the token Enable Token Enables the assigned token to be used for authentication Require PIN during authentication Requires that the user to enter a PIN when this token is used for authentication Force PIN change on next login Forces the user to change the PIN the next time the user authenticates with this token Clear Token PIN Clears the PIN associated with this token. This attribute is ignored for account creation or when its value is false. Replace With Next Available Token Indicates that the RSA Authentication Manager server must replace this token with the next available token. Do not select this option if Replacement Token is specified. If you do, this attribute will fail and will cause a non-successful return status. Replacement Token Identifier for the token to replace this token. You must select an unassigned token when specifying a replacement. Token PIN The PIN for this token. The PIN must adhere to any applicable policies on the RSA Authentication Manager server. Force Password Change and Certificate DN attribute specification Force Password Change and Certificate Distinguished Name (DN) attributes are the optional attributes on the RSA Authentication Manager account form. You can specify these attributes in addition to the required attributes. Specifying the Force Password Change attribute Selecting the Force Password Change check box forces you to change your password the next time you log on to the RSA Authentication Manager server. For example, you might be assigned a standard password that you want to change when you start using the RSA Authentication Manager server. Specifying the Certificate DN attribute Certificate DN is the distinguished name of the certificate that is issued to the user for authentication. Ensure that the value of the Certificate DN attribute on the RSA Authentication Manager account form matches the subject line of that certificate. Chapter 3. User account management tasks 9

22 User account life span determination The life span of a user account is the duration for which the user account is active or available on the RSA Authentication Manager server. The value of the Account Expire Date attribute specifies the expiration date of a user account on the RSA Authentication Manager server. If you do not specify a value for the Account Expire Date attribute, then the user account is valid indefinitely. The following attributes determine the life span of a user account on the RSA Authentication Manager server: Account Start Date The date from when the user account is active. The default value of this attribute on the RSA Authentication Manager server account form is never. To specify a date, follow these steps: 1. Clear the Never check box. 2. Click the View Calendar icon and select the date. 3. Click OK. Account Expire Date The date on which the user account becomes inactive and is unavailable for use. The default value of this attribute on the RSA Authentication Manager account form is never. To specify a date, follow these steps: 1. Clear the Never check box. 2. Click the View Calendar icon and select the date. 3. Click OK. Note: In the following situations, the status of a user account becomes inactive and is unavailable for use: v v When the value of the Account Start Date attribute is same as the value of the Account Expire Date attribute. When the value of the Account Start Date attribute is later than the value of the Account Expire Date attribute. Support data attributes specification You can specify support data attributes on the RSA Authentication Manager account form. The following attributes are support attributes for the RSA Authentication Manager account form. Security Domain Associates a user to a particular security domain. Each security domain contains policies such as password policy, lockout policy, or SecurID Token policy. Security domains are organized in a hierarchical tree on the RSA Authentication Manager server. You can create a lower-level security domain under a top-level security domain and move users between security domains. When you associate a user to a particular security domain from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. It also assigns the account to the specified 10 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

23 security domain. Security domains represent areas of administrative responsibility within the RSA Authentication Manager enterprise. Identity Source Directories that are integrated with RSA Authentication Manager are called identity sources. These directories store user data and group data. Information for other data, such as security domains, tokens, or roles, is stored in an internal database. When you associate a user to a specific identity source from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. It uses the specified identity source as the user data store. The adapter sets the value of the Identity Source attribute on the RSA Authentication Manager server. Note: The Identity Source attribute is non-modifiable. User Group User groups are collections of users, other user groups, or both. User group membership can be used to determine access permission in some applications. User groups have the following characteristics: v User groups can be made up of multiple users or user groups. v User groups can occur across security domains. For example, users in security domain A and users in security domain B can both be members of the same user group. Both sets of users can access the same protected resources. v A user or user group can be a member of multiple user groups. Admin Roles An administrative role defines the permissions to be granted to a user to accomplish administrative tasks. You can assign the following administrative roles to a user from IBM Security Identity Manager: v Auth Mgr Agent Admin v Auth Mgr Help Desk v Auth Mgr Privileged Help Desk v Auth Mgr Realm Admin v Auth Mgr Security Domain Admin v Auth Mgr Token Administrator v Auth Mgr Trust Admin v Auth Mgr User Admin v Request Approver v Super Admin Role v Token Distributor v Trusted Realm Admin Role Note: You can also create custom administrative roles on the RSA Authentication Manager server as required by your organization. For more information about creating administrative roles, see RSA Authentication Manager 7.1 Administrator's Guide Tokens You can use tokens to authenticate your identity and to access the network Chapter 3. User account management tasks 11

24 resources that are protected by the RSA Authentication Manager server. A token generates unique one-time codes called tokencodes. To gain access to protected resources, you must enter your personal identification number (SecurID PIN) and the number that is displayed on your assigned token (tokencode). The combination of the SecurID PIN and the tokencode from your token is called the RSA SecurID token (Passcode). Two types of SecurID tokens exist: Hardware token This type is a small physical device, such as a key chain or card, that generates tokencodes. Software token This type is a software-based token with an RSA SecurID application that is on the computer, Personal Digital Assistant (PDA), or cell phone of the user. After you install the application, the software token generates tokencodes, which are displayed on the device screen. Two types of hardware and software tokens exist: Time-based tokens Time-based tokens automatically generate new tokencodes at regular intervals, generally after every 60 seconds. Event-based token Event-based tokens change tokencodes when the user performs an action, such as pressing a button on the token. You can assign the following optional token attributes on the RSA Authentication Manager account form: Specifying the Security Domain attribute Assigns the token to the selected security domain. Click Search and select a security domain from the list. The adapter assigns the token to selected security domain on the RSA Authentication Manager server. Specifying the Clear SecurID PIN attribute Enables the creation of a new SecurID PIN on the RSA Authentication Manager server. You can create a SecurID PIN if you forget your existing PIN. When you select the Clear SecurID PIN check box from IBM Security Identity Manager, the adapter modifies the user account on the RSA Authentication Manager server. The adapter sets the value of the Clear SecurID PIN attribute on the RSA Authentication Manager server. Specifying the Clear Token PIN attribute Instructs the RSA Authentication Manager to clear any existing PIN assigned to the token. Do not select this option if you are specifying the Token PIN field. This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. Specifying this attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. You must complete a recon after changing any token attributes. Specifying the Replace With Next Available Token attribute Replaces the existing token with the next available token on the RSA Authentication Manager server. The server selects a suitable replacement 12 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

25 based on expiration date and modifies both the assigned and replacement tokens status. Do not select this option if you are specifying a token in the Replacement Token field. This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. This attribute can affect the value of the Replacement Token attribute. You must complete a recon after changing any token attributes. Specifying the Require PIN during authentication attribute Indicates that the user must enter a PIN as well as a tokencode to authenticate. When you select the Require PIN during authentication check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the User Authentication Requirement attribute on the RSA Authentication Manager server. Specifying the Force PIN change on next login attribute Forces the user to change the token PIN the next time the token is used to log on to the RSA Authentication Manager server. This attribute must only be set for tokens that require a passcode for authentication. When you select the Force PIN change on next login check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the Force PIN change on next login attribute on the RSA Authentication Manager server. Specifying the Token PIN attribute Sets or clears the PIN for the token in the RSA Authentication Manager server. This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. This attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. You must complete a recon after changing any token attributes. User token assignment To assign tokens to users, specify the Assign Token attribute on the RSA Authentication Manager account form. Note: When you assign a token to a user, ensure that you also select the Enable Token check box on the RSA Authentication Manager account form. Selecting the check box enables the assigned token on the RSA Authentication Manager server. For more information about assigning tokens to users, see RSA Authentication Manager 7.1 Administrator's Guide. User administrative role assignment To assign administrative roles to any user, select the roles that are listed on the RSA Authentication Manager account form. For example, you can select the Super Admin Role to grant a user full administrative permissions. You can assign administrative roles to any user in your identity source. When you do so, you give the user the permissions to perform the administrative actions Chapter 3. User account management tasks 13

26 defined for that role. You can assign multiple administrative roles to a user. When you assign roles to a user, ensure that you assign roles that grant enough permissions to accomplish user's tasks. When you assign administrative roles to a user from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. The adapter sets the value of the Admin Roles attribute on the RSA Authentication Manager server. User group assignment To assign user groups to any user, select the groups that are listed on the RSA Authentication Manager account form. User account modifications For example, you can select the Internal Database: Group to assign a user to this group. You can assign users to any user groups in your identity source. When you do so, the member users gain access to the network resources that are protected by the RSA Authentication Manager server. When you associate a user or a group of users to a specific user group from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. The adapter sets the value of the User Group attribute on the RSA Authentication Manager server. You can modify the user account attributes at any time with IBM Security Identity Manager. Identity Source is the only attribute on the account form that you cannot modify. For specific procedures, see the IBM Security Identity Manager product documentation. Token attribute modification You can modify token attributes after you assign them to users from IBM Security Identity Manager. For information about assigning tokens and types of tokens, see User accounts on page 7. Token unassignment You can unassign an existing token by clearing it from IBM Security Identity Manager. The user can no longer use the token to authenticate and the token is disabled. If you reassign the token to another user, it is disabled unless you select the Enable Token check box on the account form. For more information about unassigning tokens, see RSA Authentication Manager 7.1 Administrator's Guide. Administrative role unassignment You can use IBM Security Identity Manager to unassign administrative roles by removing the user from the role membership. The user can no longer perform the administrative tasks that are defined for that role. 14 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

27 When you use IBM Security Identity Manager to unassign a user from any administrative role, the adapter modifies the user account on the RSA Authentication Manager server. The adapter clears the value of the Admin Roles attribute on the RSA Authentication Manager server. User group unassignment You can use IBM Security Identity Manager to unassign a user from a group by removing the user from the group membership. The user can no longer access the network resources that are accessed by that user group. When you use IBM Security Identity Manager to unassign a user from any user group, the adapter modifies the user account on the RSA Authentication Manager server. The adapter clears the value of the User Group attribute on the RSA Authentication Manager server. User account password modification You can change the password of any of the RSA Authentication Manager accounts that exist on IBM Security Identity Manager. User account suspension User account restoration For information about changing passwords, see the IBM Security Identity Manager product documentation. When you suspend a user account, the status of the user account on IBM Security Identity Manager becomes inactive, and the user account becomes unavailable for use. Suspending a user account does not remove the user account from IBM Security Identity Manager. For more information about suspending user accounts, see the IBM Security Identity Manager product documentation. When you suspend a user account from IBM Security Identity Manager, the adapter sets value of the account is disabled attribute on the RSA Authentication Manager server. The adapter sets the value to TRUE. The restore operation reinstates the suspended user accounts to IBM Security Identity Manager. After restoring a user account, the status of the user account on IBM Security Identity Manager becomes active. For more information about restoring user accounts, see the IBM Security Identity Manager product documentation. When you restore a user account from IBM Security Identity Manager, the adapter sets the value of the following attributes on the RSA Authentication Manager server. The adapter sets the values to FALSE. v Account is disabled v Account is locked by lockout policy v Account is locked out of emergency authentication Chapter 3. User account management tasks 15

28 User account deletion Use the deprovision feature of IBM Security Identity Manager to delete user accounts. For more information about deleting user accounts, see the IBM Security Identity Manager product documentation. When you delete a user account from IBM Security Identity Manager, the adapter removes the user data from the RSA Authentication Manager identity source. The account is no longer defined on the RSA Authentication Manager server and you can no longer manage the account. 16 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

29 Chapter 4. RSA Authentication Manager Adapter error troubleshooting Troubleshooting can help you determine why a product does not function properly. This section provides information and techniques for identifying and resolving problems with the RSA Authentication Manager Adapter. Techniques for troubleshooting problems Troubleshooting is a systematic approach to solve a problem. The goal of troubleshooting is to determine why something does not work as expected, and how to resolve the problem. Certain common techniques can help with the task of troubleshooting. The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions: v What are the symptoms of the problem? v Where does the problem occur? v When does the problem occur? v Under which conditions does the problem occur? v Can the problem be reproduced? The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution. What are the symptoms of the problem? When starting to describe a problem, the most obvious question is What is the problem? This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include: v Who, or what, is reporting the problem? v What are the error codes and messages? v How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result? Where does the problem occur? Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems. The following questions help you to focus on where the problem occurs to isolate the problem layer: v v Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems? Is the current environment and configuration supported? Copyright IBM Corp. 2012,

30 v v Do all users have the problem? (For multi-site installations.) Do all sites have the problem? If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together. When does the problem occur? Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log. To develop a detailed timeline of events, answer these questions: v Does the problem happen only at a certain time of day or night? v How often does the problem happen? v What sequence of events leads up to the time that the problem is reported? v Does the problem happen after an environment change, such as upgrading or installing software or hardware? Responding to these types of questions can give you a frame of reference in which to investigate the problem. Under which conditions does the problem occur? Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem: v Does the problem always occur when the same task is being performed? v Does a certain sequence of events need to happen for the problem to occur? v Do any other applications fail at the same time? Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might have occurred around the same time, the problems are not necessarily related. Can the problem be reproduced? From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve. However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, 18 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide

31 re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation. v Can the problem be re-created on a test system? v Are multiple users or applications encountering the same type of problem? v Can the problem be re-created by running a single command, a set of commands, or a particular application? For information about obtaining support, see Appendix C, Support information, on page 29. RSA Authentication Manager Adapter errors You can refer to logs to identify the error messages that occur while running the RSA Authentication Manager Adapter. Whenever an operation fails, the corresponding error messages are logged in the ibmdi.log file. This file is in the adapter solution\logs directory. You can display the logs in the user interface by running the Dispatcher from the command prompt. You can also configure logging information for the adapter. For more information, see the RSA Authentication Manager Adapter Installation and Configuration Guide. Search for the sections that explain about displaying logs in the user interface and configuring logging information for the adapter. The following table lists the error messages and warnings that might occur while performing the RSA Authentication Manager 7.1 Adapter user tasks. The table also provides the actions to resolve those errors. Table 4. Adapter error messages, warnings, and corrective actions Error message Possible cause Corrective action Last Name is a required field. The family name of the account holder was not specified. Specify the family name of the account holder on the RSA Authentication Manager account form. For example, Smith. Note: The Last Name attribute is a required attribute. User ID is a required field. A User ID was not specified when Provide a User ID with an account. creating an account. Note: The User ID attribute is a required attribute. Identity Source is null. Security Domain is null. The value of Last Name contains invalid characters. The name of an identity source was not specified. The name of a security domain was not specified. This error occurs when the value of the Last Name attribute contains non-permissible characters. Specify the name of an identity source, such as Internal Database and other identity sources that are defined on the RSA Authentication Manager server for directory servers. For example directory servers such as, Sun Java Directory Server or Microsoft Active Directory, or others. Note: The Identity Source attribute is a required attribute. Specify the name of the security domain to which you want the user account assigned. Note: The Security Domain attribute is a required attribute. Specify a value for the Last Name attribute that excludes the non-permissible characters such as: % and &. Chapter 4. RSA Authentication Manager Adapter error troubleshooting 19

32 Table 4. Adapter error messages, warnings, and corrective actions (continued) Error message Possible cause Corrective action The value of User ID contains invalid characters. User ID must not be greater than 255 characters long. This error occurs when the value of the User ID attribute contains non-permissible characters. During the add or modify operation, the value of the User ID attribute exceeded 255 characters. Specify a value for the User ID attribute that excludes the non-permissible characters such as: % and &. This error occurs when the value of the attribute exceeds the permissible character limit. must not be greater than 255 characters long. During the add or modify operation, the value of the attribute exceeded 255 characters. Specify a User ID that does not exceed the permissible character limit, that is, 255. This error occurs when the value of the attribute exceeds the permissible character limit. Middle Name must not be greater than 255 characters long. The value of Middle Name contains invalid characters. The value of Description contains invalid characters. Description must not be greater than 255 characters long. First Name must not be greater than 255 characters long. The value of First Name contains invalid characters. ORA-12899: value too large for column "RSA_REP"."IMS_ PRINCIPAL"."CERT_DN" (actual: 256, maximum: 255) The value of Certificate DN contains invalid characters. During the add or modify operation, the value of the Middle Name attribute exceeded 255 characters. This error occurs when the value of the Middle Name attribute contains non-permissible characters. This error occurs when the value of the Notes attribute contains non-permissible characters. During the add or modify operation, the value of the Notes attribute exceeded 255 characters. During the add or modify operation, the value of the First Name attribute exceeded 255 characters. This error occurs when the value of the First Name attribute contains non-permissible characters. During the add or modify operation, the value of the Certificate DN attribute exceeded 255 characters. The value of the Certificate DN attribute contains non-permissible characters. Specify an that does not exceed the permissible character limit, that is, 255. This error occurs when the value of the attribute exceeds the permissible character limit. Specify a middle name that does not exceed the permissible character limit, that is, 255. Specify a value for the Middle Name attribute that excludes the non-permissible characters such as: % and &. Specify a value for the Notes attribute that excludes the non-permissible characters such as: % and &. Note: The Description attribute is mapped to the Notes attribute on the RSA Authentication Manager account form. Specify a description for the Notes attribute that contains less than 255 characters. Note: The Description attribute is mapped to the Notes attribute on the RSA Authentication Manager account form. This error occurs when the value of the attribute exceeds the permissible character limit. Specify a given name that does not exceed the permissible character limit, that is, 255. Specify a value for the First Name attribute that excludes the non-permissible characters such as: % and &. This error occurs when the value of the attribute exceeds the permissible character limit. Specify a Certificate DN that does not exceed the permissible character limit, that is, 255. Specify a value for the Certificate DN attribute that excludes the non-permissible characters such as: % and &. 20 IBM Security Identity Manager: RSA Authentication Manager Adapter User Guide