Tivoli Identity Manager

Transcription

1 Tioli Identity Manager Version 4.6 UNIX and Linux adapter Installation and Configuration Guide SC

2

3 Tioli Identity Manager Version 4.6 UNIX and Linux adapter Installation and Configuration Guide SC

4 Note: Before using this information and the product it supports, read the information in Appendix E, Notices, on page 51. Third Edition (Noember 2006) This edition applies to ersion 4.6 of this adapter and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation All rights resered. US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Contents Preface Who should read this book Publications and related information Tioli Identity Manager library Prerequisite product publications ii Related publications iii Accessing publications online iii Accessibility iii Support information iii Conentions used in this book ix Typeface conentions ix Operating system differences ix Definitions for HOME and other directory ariables ix Configuring certificates for SSL authentication...22 Configuring certificates for one-way SSL authentication Configuring certificates for two-way SSL authentication Chapter 5. Verifying the UNIX and Linux adapter profile installation Chapter 6. Troubleshooting the UNIX and Linux adapter Warning and error messages Logging information format Chapter 1. Oeriew of the UNIX and Linux adapter Features of the adapter Architecture of the adapter Supported configurations Chapter 2. Installing the UNIX and Linux adapter Prerequisites Installing the adapter Importing the adapter profile into the IBM Tioli Identity Manager serer Installing the Secure Shell protocol Creating an adapter user account Creating a serice Starting and stopping the adapter serice Chapter 3. Configuring the UNIX and Linux adapter Customizing the UNIX and Linux adapter profile.11 Adding support for preexec and postexec attributes Configuration properties of the adapter Changing the port number for the RMI Dispatcher 15 Configuring logging for the adapter Naming the log file Sizing the log file Configuring logging leels Displaying logs in the user interface Appending information to an existing log file..17 Managing passwords when restoring accounts...17 Chapter 4. Configuring SSL authentication for the UNIX and Linux adapter Oeriew of SSL and digital certificates Priate keys, public keys, and digital certificates 20 Self-signed certificates The use of SSL authentication Chapter 7. Uninstalling the UNIX and Linux adapter Appendix A. Adapter attributes Attribute descriptions Attributes by UNIX and Linux adapter actions..38 System Login Add System Login Change System Login Delete System Login Suspend System Login Restore Test Reconciliation Appendix B. Creating a super user on a supported operating system Creating a super user on an AIX operating system 41 Creating a super user on a Linux operating system 41 Creating a super user on a Solaris operating system 42 Creating a super user on an HP-UX NonTrusted operating system Creating a super user on an HP-UX Trusted operating system Appendix C. Key-based authentication for the UNIX and Linux adapter Enabling key-based authentication on Unix and Linux operating systems Appendix D. Support information Searching knowledge bases Search the information center on your local system or network Search the Internet Contacting IBM Software Support Determine the business impact of your problem 48 Describe your problem and gather background information Submit your problem to IBM Software Support 49 Copyright IBM Corp iii

6 Appendix E. Notices Trademarks Index i IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

7 Preface Who should read this book This installation guide proides the basic information that you need to install and configure the IBM Tioli Identity Manager UNIX and LinuxAdapter (UNIX and Linux adapter). The UNIX and Linux adapter enables connectiity between the IBM Tioli Identity Manager serer and a system running a UNIX or Linux operating system. The IBM Tioli Identity Manager serer is the serer for your Tioli Identity Manager product. This book is intended for UNIX and Linux operating system security administrators responsible for installing software on their site s computer systems. Readers are expected to understand operating system concepts. The person completing the UNIX and Linux adapter installation procedure must also be familiar with their site s system standards. Readers should be able to perform routine security administration tasks. Publications and related information Read the descriptions of the IBM Tioli Identity Manager library. To determine which additional publications you might find helpful, read the Prerequisite product publications on page ii and the Related publications on page iii. After you determine the publications you need, refer to the instructions in Accessing publications online on page iii. Tioli Identity Manager library The publications in the technical documentation library for your product are organized into the following categories: Release information Online user assistance Serer installation and configuration Problem determination Technical supplements Adapter installation and configuration Release Information: Release Notes Proides software and hardware requirements for the product, and additional fix, patch, and other support information. Read This First card Lists the publications for the product. Online user assistance: Proides online help topics and an information center for administratie tasks. Serer installation and configuration: Proides installation and configuration information for the product serer. Copyright IBM Corp. 2006

8 Problem determination: Proides problem determination, logging, and message information for the product. Technical supplements: The following technical supplements are proided by deelopers or by other groups who are interested in this product: Performance and tuning information Proides information needed to tune your production enironment, aailable on the Web at: Click the I character in the A-Z product list to locate IBM Tioli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section. Redbooks and white papers are aailable on the Web at: IBMTioliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link. Technotes are aailable on the Web at: Field guides are aailable on the Web at: For an extended list of other Tioli Identity Manager resources, search the following IBM deeloperworks Web address: Adapter installation and configuration: The technical documentation library also includes a set of platform-specific installation documents for the adapter components of the product. Adapter information is aailable on the Web at: Passport_Adantage_Home Click Support & downloads. Browse to the Downloads and driers. Click the link for the adapter. Skills and training: The following additional skills and technical training information were aailable at the time that this manual was published: Virtual Skills Center for Tioli Software on the Web at: Tioli Education Software Training Roadmaps on the Web at: Tioli Technical Exchange on the Web at: i IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

9 supp_tech_exch.html Prerequisite product publications To use the information in this book effectiely, you must hae knowledge of the products that are prerequisites for your product. Publications are aailable from the following locations: Operating systems IBM AIX Solaris Operating Enironment Red Hat Linux Microsoft Windows Serer Database serers IBM DB2 Uniersal Database - Support: - Information center: index.jsp - Documentation: winos2unix/support/8pubs.d2w/en_main - DB2 product family: - Fix packs: download8.html - System requirements: sysreqs.html Oracle Microsoft SQL Serer Directory serer applications IBM Directory Serer en_us/html/ldapinst.htm Sun ONE Directory Serer WebSphere Application Serer Additional information is aailable in the product directory or Web sites. WebSphere embedded messaging Preface ii

10 Related Accessibility IBM HTTP Serer publications Information that is related to your product is aailable in the following publications: The Tioli Software Library proides a ariety of Tioli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tioli Software Library is aailable on the Web at: The Tioli Software Glossary includes definitions for many of the technical terms related to Tioli software. The Tioli Software Glossary is aailable from the Glossary link of the Tioli Software Library Web page at: Accessing publications online IBM posts publications for this and all other Tioli products, as they become aailable and wheneer they are updated, to the Tioli software information center Web site. Access the Tioli software information center at the following Web address: Click the I character in the A-Z list, and then click the link for your product to access the product library. Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your paper. The product documentation includes the following features to aid accessibility: Documentation is aailable in conertible PDF format to gie the maximum opportunity for users to apply screen-reader software. All images in the documentation are proided with alternatie text so that users with ision impairments can understand the contents of the images. Support information If you hae a problem with your IBM software, you want to resole it quickly. IBM proides the following ways for you to obtain the support you need: Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information. Contacting IBM Software Support: If you still cannot sole your problem, and you need to work with someone from IBM, you can use a ariety of ways to contact IBM Software Support. For more information about these ways to resole problems, see Appendix D, Support information, on page 47. iii IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

11 Conentions used in this book Typeface This reference uses seeral conentions for special terms and actions and for operating system-dependent commands and paths. conentions This guide uses the following typeface conentions: Bold Italic Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) Keywords and parameters in text Words defined in text Emphasis of words (words as words) New terms in text (except in a definition list) Variables and alues you must proide Monospace Examples and code examples File names, programming keywords, and other elements that are difficult to distinguish from surrounding text Message text and prompts addressed to the user Text that the user must type Values for arguments or command options Operating system differences This guide uses the UNIX conention for specifying enironment ariables and for directory notation. When using the Windows command line, replace $ariable with %ariable% for enironment ariables and replace each forward slash (/) with a backslash (\) in directory paths. The names of enironment ariables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equialent to $tmp in a UNIX operating system. Note: If you are using the bash shell on a Windows system, you can use the UNIX conentions. Definitions for HOME and other directory ariables The following table contains the default definitions that are used in this guide to represent the HOME directory leel for arious product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each ariable represented in this table. The alue of path aries for these operating systems: Windows: drie:\program Files Preface ix

12 AIX : /usr Other UNIX: /opt Path Variable Default Definition Description DB_INSTANCE_HOME Windows: path\ibm\sqllib UNIX: The directory that contains the database for your Tioli Identity AIX, Linux: /home/dbinstancename Manager product. Solaris: /export/home/dbinstancename LDAP_HOME For IBM Directory Serer Version 5.2 The directory that contains the Windows: directory serer path\ibm\ldap code. UNIX: path/ibm/ldap AIX, Linux: path/ldap Solaris: path/ibmldaps For IBM Directory Serer Version 6.0 Windows: path\ibm\ldap UNIX: /opt/ibm/ldap/ AIX, Solaris: /opt/ibm/ldap/ Linux: /opt/ibm/ldap/ For Sun ONE Directory Serer Windows: path\sun\mps UNIX: /ar/sun/mps IDS_instance_HOME For IBM Directory Serer Version 6.0 Windows: drie\ idsslapd-instance_owner_name The directory that contains the IBM Directory Serer Version 6.0 instance. The alue of drie might be C:\. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ ibmslapd.log. UNIX: INSTANCE_HOME/idsslapd-instance_name On Linux and AIX systems, the default home directory is the /home/instance_name/idsslapdinstance_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapdldapdb2. directory. x IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

13 Path Variable Default Definition Description HTTP_HOME ITIM_HOME WAS_HOME WAS_MQ_HOME WAS_NDM_HOME Windows: path\ibmhttpserer UNIX: path/ibmhttpserer Windows: path\ibm\itim UNIX: path/ibm/itim Windows: path\websphere\appserer UNIX: path/websphere/appserer Windows: path\ibm\websphere MQ UNIX: path/mqm Windows: path\websphere\deploymentmanager UNIX: path/websphere/deploymentmanager The directory that contains the IBM HTTP Serer code. The base directory that contains the Tioli Identity Manager code, configuration, and documentation. The WebSphere Application Serer home directory The directory that contains the WebSphere MQ code. The home directory on the Deployment Manager Preface xi

14 Path Variable Default Definition Description ITDI_HOME Windows: The directory where For ersion 6.0: Tioli Directory Integrator is drie\program Files\IBM\ installed. IBMDirectoryIntegrator for ersion 6.1.0: drie\program Files\IBM\TDI\V6.1 for ersion 6.1.1: drie\program Files\IBM\TDI\V6.1.1 UNIX: For ersion 6.0: /opt/ibm/ibmdirectoryintegrator for ersion 6.1.0: /opt/ibm/tdi/v6.1 for ersion 6.1.1: /opt/ibm/tdi/v6.1.1 Tioli_Common_Directory The ITDI_HOME directory contains the jars/connectors subdirectory that contains files for the adapters. For example, the jars/connectors subdirectory contains the files for the UNIX adapter. Note: If Tioli Directory Integrator is not automatically installed with your Tioli Identity Manager product, the default directory path for Tioli Directory Integrator might be as follows: path/ibm/ibmdirectoryintegrator Windows: path\ibm\tioli\common\ UNIX: path/ibm/tioli/common/ The central location for all sericeability-related files, such as logs and first-failure data capture xii IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

15 Chapter 1. Oeriew of the UNIX and Linux adapter Features of the adapter An adapter is a program that proides an interface between a managed resource and the IBM Tioli Identity Manager serer. Adapters might or might not reside on the managed resource and the IBM Tioli Identity Manager serer manages access to the resource by using your security system. Adapters function as trusted irtual administrators on the target platform, performing such tasks as creating login IDs, suspending IDs, and performing other functions administrators normally run manually. The adapter runs as a serice, independent of whether or not a user is logged on to the IBM Tioli Identity Manager serer. The UNIX and Linux adapter enables communication between the IBM Tioli Identity Manager serer and any of the following operating systems: AIX, HPUX, Linux, and Solaris. The following sections proide information about the UNIX and Linux adapter: Features of the adapter Architecture of the adapter Architecture of the adapter Supported configurations on page 2 You can use the UNIX and Linux adapter to automate the following administratie tasks: Creating new users on a UNIX or Linux system Modifying user attributes on a UNIX or Linux system Changing user account passwords on a UNIX or Linux system Suspending, restoring, and deleting user accounts on a UNIX or Linux system Reconciling user and group accounts on a UNIX or Linux system IBM Tioli Identity Manager communicates with the UNIX and Linux adapter to administer user accounts. You can perform these actions on an account: Add, Delete, Modify, Restore, and Suspend. You can also search for account information and change an account password. The UNIX and Linux adapter consists of AssemblyLines. When the first request from the IBM Tioli Identity Manager serer is initiated to the UNIX and Linux adapter, the AssemblyLines are loaded into the Tioli Directory Integrator Serer. The AssemblyLines utilize the Tioli Directory Integrator UNIX and Linux adapter connector to remotely perform user management related tasks on a UNIX or Linux system, using the login user ID and password of a user that has administrator priileges. Figure 1 on page 2 shows the arious components that work together to complete user management tasks in a Tioli Directory Integrator enironment. Copyright IBM Corp

16 Figure 1. The architecture of the UNIX and Linux adapter For additional information about Tioli Directory Integrator, see the IBM Tioli Directory Integrator 6.0: Getting Started Guide. Supported configurations The UNIX and Linux adapter supports different configurations. The fundamental components in each enironment are a IBM Tioli Identity Manager serer, a Tioli Directory Integrator Serer, a UNIX or Linux system, and the UNIX and Linux adapter. In each configuration, the UNIX and Linux adapter must reside directly on the serer running the Tioli Directory Integrator Serer. For a single serer configuration, you must install the IBM Tioli Identity Manager serer, Tioli Directory Integrator Serer, and the UNIX and Linux adapter on one serer. The serer communicates with a UNIX or Linux operating system, which is installed on a different serer. Refer to Figure 2. Tioli Identity Manager Serer Tioli Directory Integrator Serer Managed resource Adapter Figure 2. Example of a single serer configuration 2 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

17 Chapter 2. Installing the UNIX and Linux adapter Prerequisites Some adapters might be installed automatically with your IBM Tioli Identity Manager product. If your adapter is automatically installed with the product, you do not need to install the adapter. The UNIX and Linux adapter is automatically installed with IBM Tioli Identity Manager Express. The following sections proide information for installing and configuring the adapter. Prerequisites Installing the adapter on page 4 Importing the adapter profile into the IBM Tioli Identity Manager serer on page 5 Installing the Secure Shell protocol on page 6 Creating an adapter user account on page 6 Creating a serice on page 7 Starting and stopping the adapter serice on page 9 Table 1 identifies the software and operating system prerequisites for the UNIX and Linux adapter. Verify that all of the prerequisites hae been met before installing the adapter. Table 1. Prerequisites to run the adapter Prerequisites Version Tioli Directory Integrator Serer 6.0 Fix Pack 2 Hot Fix 8 or later IBM Tioli Identity Manager serer Fix Pack 1 Hot Fix 2 or later Copyright IBM Corp

18 Table 1. Prerequisites to run the adapter (continued) Operating systems The UNIX and Linux adapter can be used for user proisioning on the following operating systems. AIX HP-UX Linux AIX 5.1 AIX 5.2 AIX 5.3 HP-UX 11i Trusted HP-UX 11i Non-Trusted RedHat Linux Enterprise Serer 3.0 RedHat Linux Enterprise Serer 4.0 RedHat Linux Adanced Serer 3.0 RedHat Linux Adanced Serer 4.0 SuSE SLES 8 SuSE SLES 9 Solaris Solaris 9 Installing the adapter The UNIX and Linux adapter must be installed on the same system as the Tioli Directory Integrator Serer. In addition, the Secure Shell (SSH) protocol must be installed and running on the managed resource, a UNIX or Linux system. For information on the prerequisites and supported operating systems for Tioli Directory Integrator, refer to the IBM Tioli Directory Integrator 6.0: Administrator Guide. For additional information about the SSH protocol, refer to Installing the Secure Shell protocol on page 6. If the UNIX and Linux adapter is not automatically installed with your IBM Tioli Identity Manager product, use the adapter installer to manually install the adapter. To manually install the adapter, first ensure that the installer is run on the same system as the Tioli Directory Integrator Serer. Then complete these steps. Note: All directory paths apply to Windows operating systems. Change the directory paths as needed for UNIX operating systems. 1. Download the UNIX and Linux adapter compressed file from the IBM Web site. Contact your IBM account representatie for the Web address and download instructions. 2. Extract the contents of the compressed file into a temporary directory and naigate to that directory. 3. Start the installation program using the POSIXADAPTERINSTALL file in the temporary directory. For example, select Run... from the Start menu and type C:\Temp\POSIXADAPTERINSTALL.exe in the Open field. 4 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

19 Note: If you are running the Tioli Directory Integrator on platforms other than Linux or Windows, please run the Jaa-based installer as directed. Run this installation program on the serer where the Tioli Directory Integrator is installed. The PosixAdapterInstall.jar file is a jaa-based installer. Ensure that Jaa is installed and configured for your system. Launch the install with the following command. jaa -jar PosixAdapterInstall.jar 4. On the Welcome window, click Next. 5. On the License Agreement window, reiew the license agreement and decide if you accept the terms of the license. If you do, click Accept, and then click Next. 6. On the Tioli Directory Integrator Based Adapter Installer window, specify the location where Tioli Directory Integrator is installed. You can accept the default location, C:\Program Files\IBM\IBMDirectoryIntegrator, or click Browse to specify a different directory. Then, click Next. 7. On the Adapter Solution Directory window, enter the Adapter Solution Directory. This is a separate solution directory for all Tioli Directory Integrator-based Tioli Identity Manager adapters. If the Adapter Solution Directory is already set, that is, the ADAPTER_SOLDIR entry is present in the global.properties file then the installer does not prompt for it. The folder that you enter for the Adapter Solution Directory needs to exist on the machine running the Tioli Directory Integrator. 8. On the Installation Summary window, reiew the installation settings. Click Back to change any of these settings. Otherwise, click Next. 9. On the confirmation window that displays the components to be installed and the upgrades to be completed, click Next to begin the installation. Otherwise, click Back to make changes. 10. On the Installation Completed window, click Finish to exit the program. Importing the adapter profile into the IBM Tioli Identity Manager serer An adapter profile defines the types of resources that the IBM Tioli Identity Manager serer can manage. The profile is used to create a serice on the IBM Tioli Identity Manager serer. You must import the adapter profile into the IBM Tioli Identity Manager serer before using the UNIX and Linux adapter. Before you import the adapter profile, erify that the following conditions are met: The IBM Tioli Identity Manager serer is installed and running. You hae root or Administrator authority on the IBM Tioli Identity Manager serer. The adapter profile is included in the JAR file for the adapter. To import the adapter profile, complete these steps: 1. Log in to the IBM Tioli Identity Manager serer using an account that has the authority to perform administratie tasks. 2. Import the adapter profile using the import feature for your IBM Tioli Identity Manager product. Refer to the information center or the online help for specific instructions about importing the adapter profile. Chapter 2. Installing the UNIX and Linux adapter 5

20 When you import the adapter profile, if you receie an error related to the schema, refer to the trace.log file for information about the error. The trace.log file location is specified using the handler.file.filedir property defined in the IBM Tioli Identity Manager enrolelogging.properties file. The enrolelogging.properties file is installed in the IBM Tioli Identity Manager \data directory. Installing the Secure Shell protocol The UNIX and Linux adapter uses the Secure Shell (SSH) protocol to communicate with a managed resource. SSH ersions 1.0 and ersion 1.5 are supported. Most implementations of SSH include ersions 1.0 and 1.5. If your system only supports ersion 2.0 for SSH, you must change the SSH configuration file or the adapter does not function correctly. To determine the ersion of SSH installed on your system, run this command:$ ssh V. The following sample output is displayed on a SuSE ELES 9.0 system: OpenSSH_3.8pl, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 For this example, no changes are needed to the configuration file because at least one of the supported ersions is installed on the system, ersion 1.5. If one of the supported ersions is not supported on your system, you must change the SSH configuration file. To change the SSH configuration file, complete these steps. These steps are required only if Password Based Authentication has been selected on the serice form. For details see Creating a serice on page From the directory where SSH is installed, open the sshd_config file. 2. Search for this line: PasswordAuthentication no 3. Comment out the line. For example, #PasswordAuthentication no The following list proides information to help you ensure that the UNIX-based managed resources in your network can operate with the UNIX and Linux adapter. HP-UX, Linux, and Solaris systems SSH is installed and enabled by default on these operating systems. Howeer, check to ensure that the SSH daemon is running before you attempt to connect a managed resource to the IBM Tioli Identity Manager serer. If SSH is not enabled, the connection fails. AIX systems SSH is not installed on AIX operating systems. If a supported ersion of SSH is not installed on your system, you might download and install SSH from an open source Web site. You must first install the OpenSSL product and then install the OpenSSH product because the OpenSSH product uses functionality proided by the OpenSSL product. After you install both products on the managed resource, check to ensure that the SSH daemon is running before you attempt to connect a managed resource to the IBM Tioli Identity Manager serer. If SSH is not enabled, the connection fails. Creating an adapter user account You must create a user account for the UNIX and Linux adapter on the managed resource. Account information is proided when you create a serice. The user account uses the administrator name and password proided on the serice form. Refer to Creating a serice on page 7 for information about creating a serice. 6 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

21 Creating a serice The adapter user account must be the root account, a super user account (SUDO user), or hae root UID permissions to remotely connect to the managed resource using SSH. See Installing the Secure Shell protocol on page 6 for information about SSH. The adapter user account must also hae permissions to perform user administration tasks, such as add accounts, delete accounts, change passwords for accounts, suspend accounts, restore accounts, and retriee account data. You must create a serice for the UNIX and Linux adapter before the IBM Tioli Identity Manager serer can use the adapter to communicate with the managed resource. You must use the serice profile for your operating system to create a serice for that operating system. The following serice profiles exist for each operating system: POSIX AIX Profile, POSIX HP-UX Profile, POSIX Solaris Profile, and POSIX Linux Profile. To create a serice, complete these steps: 1. Log in to the IBM Tioli Identity Manager serer using an account that has the authority to perform administratie tasks. 2. Create the serice using the information for your IBM Tioli Identity Manager product. Refer to the information center or the online help for specific instructions about creating a serice. To create or change a serice, you must use the serice form to proide information for the serice. Serice forms might ary depending on the adapter. The UNIX and Linux adapter serice form has two tabs with the following fields: On the General Information tab: Serice Name Specify a name that defines this serice on the IBM Tioli Identity Manager serer. Description Optional: Specify a description for this serice. Tioli Directory Integrator location Optional: Specify the URL for the Tioli Directory Integrator instance. Valid syntax is rmi://ip-address:port/itdidispatcher, where ip-address is the Tioli Directory Integrator host and port is the port number for the RMI Dispatcher. The default URL is rmi://localhost:16231/itdidispatcher. See Changing the port number for the RMI Dispatcher on page 15 for information about changing the port number. Managed resource location Specify the IP address or host name of the managed resource. This uses the default SSH port. If the SSH port is different, then ip/host:port can be used. User registry This input field is aailable only on serice forms for AIX profiles. This adapter supports user management and authentication using files or using LDAP. Note: This field is case sensitie. 1. If the users on the managed resource are to be managed only through the /etc/password file, leae the field blank. Chapter 2. Installing the UNIX and Linux adapter 7

22 2. If this is a mixed setup and the users are to be managed through the /etc/password file, type files. Note: A mixed setup means that some users on the managed resource are on LDAP and some users are on files. These users are mutually exclusie and cannot be managed by a single serice. If you want Tioli Identity Manager to manage users on LDAP as well, ensure that you also create a serice to manage users through LDAP. 3. If this is a mixed setup and the users are to be managed through LDAP, type LDAP. Note: A mixed setup means that some users on the managed resource are on files and some users are on LDAP. These users are mutually exclusie and cannot be managed by a single serice. If you want Tioli Identity Manager to manage users on files as well, ensure that you also create a serice to manage users through files. Use a shadow file? Check this box if shadow passwords are enabled on the managed resource. This field applies to serice forms only when using the Linux or HP-UX serice profiles. For Linux operating systems, shadow passwords are enabled by default. Delete home directory when the account is deleted? Check this box if you want the home directory of the user to be deleted when the user is deleted. Owner Optional: Specify a Tioli Identity Manager user as a serice owner. Serice Prerequisite Optional: Specify a Tioli Identity Manager serice that is prerequisite to this serice. On the Authentication tab: Administrator name Specify the user name for the administrator. If you are specifying a super user, instead of a root user, see Appendix B, Creating a super user on a supported operating system, on page 41 for more information. Is sudo user? Check this box if the administrator name is a super user. Authentication method From the drop down menu select the authentication method to be used by the adapter when communicating with the managed resource for user management. Select Password Based Authentication or Key Based Authentication. If you select key-based authentication, see Appendix C, Key-based authentication for the UNIX and Linux adapter, on page 45 for more information. Note: This authentication method is only for adapter communication and does not apply to users created on the managed resource using this adapter. 8 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

23 Password Required for password-based authentication: Specify the password for the administrator, if using password based authentication. Passphrase (Required for key based authentication) Specify the pass-phrase associated with priate key. See 1 on page 45 for more information. Priate key file (Required for key based authentication) Specify the full path and file name of the key store containing the priate key of the client. This key store must be on the machine running the Tioli Directory Integrator serer. See Appendix C, Key-based authentication for the UNIX and Linux adapter, on page 45 for more information. Starting and stopping the adapter serice After you edit the properties file for the adapter, you must stop and restart the adapter serice in order for the changes to take effect. The method used to stop and restart the adapter depends on the operating system. AIX The adapter installer creates a subsystem called ITIMAd when the adapter is first installed. ITIM_RMI.xml is the configuration file. Use these commands to start and stop the adapter serice. startsrc s ITIMAd stopsrc c s ITIMAd The adapter serice runs the ibmdisr.bat command. The bat file starts a Jaa process that does not stop when the adapter serice is stopped. To stop this process, obtain the process ID (PID) and then kill the process. To obtain the PID of the process, type this command: ps -ef grep <ITDI_HOME_DIR>/_jm/jre/bin/, where ITDI_HOME_DIR is the directory where Tioli Directory Integrator is installed. To kill the process, type this command: kill -9 <pid>. HP-UX The adapter installer copies the ITIMAd script file to the Adapter Solution Directory. This directory is a separate solution directory for all Tioli Directory Integrator-based Tioli Identity Manager adapters. From this directory, type these commands to start, stop, and restart the adapter serice. ITIMAd start ITIMAd stop ITIMAd restart Linux or Solaris The adapter installer automatically copies the ITIMAd script file to the /etc/init.d/ directory when the adapter is installed. From the /etc/init.d/ directory, type these commands to start, stop, and restart the adapter serice. ITIMAd start ITIMAd stop ITIMAd restart Windows From the Control Panel, select Administratie Tools > Serices. From the Chapter 2. Installing the UNIX and Linux adapter 9

24 Serices menu, you can start and stop the adapter serice. The serice name is IBM IBM Tioli Identity Manager Adapter. 10 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

25 Chapter 3. Configuring the UNIX and Linux adapter This chapter describes the configuration options for the UNIX and Linux adapter. The following sections proide information for configuring the adapter. Customizing the UNIX and Linux adapter profile Configuration properties of the adapter on page 14 Changing the port number for the RMI Dispatcher on page 15 Configuring logging for the adapter on page 16 Managing passwords when restoring accounts on page 17 Customizing the UNIX and Linux adapter profile To customize the UNIX and Linux adapter profile, you must make changes to the UNIX and Linux adapter JAR file. You might customize the adapter profile to make changes to the account form or the serice form. You can also change the labels on the forms using the Form Designer or CustomLabels.properties. Each adapter has a CustomLabels.properties file for that adapter. The JAR file is included in the UNIX and Linux adapter compressed file that you downloaded from the IBM Web site. The JAR file and the files contained in the JAR file ary depending on your operating system. Note: You cannot modify the schemas for this adapter. Attributes cannot be added to or deleted from the schema. AIX (PosixAixProfile.jar) The following files are included in the AIX JAR file: CustomLabels.properties erposixaixaccount.xml erposixaixrmiserice.xml serice.def schema.dsml posixal.xml posixadd.xml posixdelete.xml posixmodify.xml posixtest.xml posixsearch.xml HP-UX (PosixHpuxProfile.jar) The following files are included in the HP-UX JAR file: CustomLabels.properties erposixhpuxaccount.xml erposixhpuxrmiserice.xml serice.def schema.dsml posixal.xml posixadd.xml Copyright IBM Corp

26 posixdelete.xml posixmodify.xml posixtest.xml posixsearch.xml Solaris (PosixSolarisProfile.jar) The following files are included in the Solaris JAR file: CustomLabels.properties erposixsolarisaccount.xml erposixsolarisrmiserice.xml serice.def schema.dsml posixal.xml posixadd.xml posixdelete.xml posixmodify.xml posixtest.xml posixsearch.xml Linux (PosixLinuxProfile.jar) The following files are included in the Linux JAR file: CustomLabels.properties erposixlinuxaccount.xml erposixlinuxrmiserice.xml serice.def schema.dsml posixal.xml posixadd.xml posixdelete.xml posixmodify.xml posixtest.xml posixsearch.xml To edit the JAR file, complete these steps: 1. Log on to the system where the UNIX and Linux adapter is installed. 2. Copy the JAR file into a temporary directory. 3. Extract the contents of the JAR file into the temporary directory by running the following command. The following example applies to the Linux adapter profile. Type the name of the JAR file for your operating system. #cd /tmp #jar -xf PosixLinuxProfile.jar The jar command extracts the files into the PosixLinuxProfile directory. 4. Edit the file that you want to change. After you edit the file, you must import the file into the IBM Tioli Identity Manager serer for the changes to take effect. To import the file, complete these steps: 12 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

27 1. Create a new JAR file using the files in the /tmp directory by running the following commands: #cd /tmp #jar -cf PosixLinuxProfile.jar PosixLinuxProfile 2. Import the JAR file into the IBM Tioli Identity Manager Application Serer. For more information on importing the JAR file, refer to Importing the adapter profile into the IBM Tioli Identity Manager serer on page Stop and start the IBM Tioli Identity Manager serer. 4. Stop and start the UNIX and Linux adapter serice. Refer to Starting and stopping the adapter serice on page 9 for information about stopping and starting the UNIX and Linux adapter serice. Adding support for preexec and postexec attributes Use these attributes to perform commands on the resource before, after, or both on either the add or modify operation. To add these attributes to the schema: 1. Copy the following code to the schema.dsml file to add the schema definitions for preexec and postexec. <!-- ********************************************************* --> <!-- preexec --> <!-- ********************************************************** --> <attribute-type single-alue = "true"> <name>preexec</name> <description>comment</description> <object-identifier> </object-identifier> <syntax> </syntax> </attribute-type> <!-- ********************************************************** --> <!-- postexec --> <!-- ********************************************************** --> <attribute-type single-alue = "true"> <name>postexec</name> <description>comment</description> <object-identifier> </object-identifier> <syntax> </syntax> </attribute-type> Note: Ensure that the object-identifiers in these definitions are unique in the schema.dsml file. 2. Copy the following code to the schema.dsml file to add the two attributes to the Account Object Class. <attribute ref = "preexec" required = "false" /> <attribute ref = "postexec" required = "false" /> 3. Edit the account form definition xml file (for example erposixlinuxaccount.xml). Copy the following code to add the two form elements to tab 0. <formelement name="data.preexec" label="$preexec"> <input name="data.preexec" size="50" type="text"/> </formelement> <formelement name="data.postexec" label="$postexec"> <input name="data.postexec" size="50" type="text"/> </formelement> 4. To map the attributes, open PosixAL.xml in the Tioli Directory Integrator and perform the following for both the posixadd and the posixmodify assembly lines. a. In menu click the call/return tab. Chapter 3. Configuring the UNIX and Linux adapter 13

28 b. Add the preexec and postexec attributes to the Schema and Intial Work Entry attributes. c. Add the preexec and postexec attributes to the Output Map, in Schema and Connector attribute list. d. Sae the assembly line. 5. To split the assembly lines, in the ITDI_HOME directory issue the command: _jm\jre\bin\jaa.exe -classpath jars\itlmtoolkit.jar;jars\miconfig.jar;jars\ miserer.jar;jars\mmconfig.jar;jars\disererapi.jar;jars\log4j jar;jars\ itdiagents-common.jar com.ibm.di.utils.idiconfighelper "erposixlinuxaccount.xml" "PosixLinuxProfile" 6. To create the profile jar file, issue the command: jar cf PosixLinuxProfile.jar PosixLinuxProfile Note: The Linux profile is used in this example. If attribute support is required for other operating systems supported by the adapter, make the changes in the respectie profile. Use the correct paths for Tioli Directory Integrator jar files, if using a ersion other than Tioli Directory Integrator 6.0 Configuration properties of the adapter Table 2. Configuration properties for the adapter The global.properties and the itim_listener.properties files contain the configuration properties for the adapters. To configure the properties for an adapter, you must change one of these files. Table 2 lists the properties contained in the properties files. Property Properties File Description ALShutdownTimeout itim_listener.properties Specifies the amount of time, in milliseconds, before the RMI Dispatcher should shutdown when a shutdown request is sent to the dispatcher. All assembly lines that are being maintained are terminated when the dispatcher shuts down. The default alue 300,000 milliseconds, which is fie minutes. com.ibm.di.dispatcher.bindname global.properties Specifies the RMI bind name to be used. The default alue is ITDIDispatcher. com.ibm.di.dispatcher.disableconntectorcache global.properties Specifies whether or not the RMI Dispatcher should cache the connection to the managed resource so that no new connections are established upon subsequent calls. In this case, the same connection is used for all calls. The default alue is true. com.ibm.di.dispatcher.registryport global.properties Specifies the port on which the RMI Dispatcher listens for proisioning requests from IBM Tioli Identity Manager. The default alue is IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

29 Table 2. Configuration properties for the adapter (continued) Property Properties File Description ConnectorSleepTimeOut itim_listener.properties Specifies the amount of time, in milliseconds, to wait before deleting connectors that hae not been used. The default alue is 120,000 milliseconds, which is two minutes. MaximumConnectorsPerResource itim_listener.properties Specifies the maximum number of connectors that exist for a particular resource. The default alue is 10. ReaperThreadTimeOut itim_listener.properties Specifies the amount of time, in milliseconds, to wait between successie runs of the connector reaper thread. The default alue is 300,000 milliseconds, which is fie minutes. SearchALUnusedTimeout itim_listener.properties Specifies the amount of time, in milliseconds, to wait before deleting assembly lines that hae not been used. The default alue is 600,000 milliseconds, which is 10 minutes. SearchReaperThreadTimeOut itim_listener.properties Specifies the amount of time, in milliseconds, to release data from memory. This property is used during a reconciliation response. The default alue is 300,000 milliseconds, which is fie minutes. SearchResultSetSize itim_listener.properties Specifies the number of records, per response, returned during a reconciliation between IBM Tioli Identity Manager and the adapter. The default alue is 100. Changing the port number for the RMI Dispatcher If the Remote Method Inocation (RMI) Dispatcher is run as a serice, by default, the port number is The installer automatically sets this parameter in the global.properties file. If the Tioli Directory Integrator home directory is the same directory as the IBM Solutions directory, change the port number in the global.properties file. Otherwise, change the port number in the solutions.properties file in the IBM Solutions directory. To change the port number for the dispatcher, complete these steps. 1. Stop the serice that is used to run the adapter. Refer to Starting and stopping the adapter serice on page 9 for information about stopping and starting the UNIX and Linux adapter serice. 2. Change the global.properties file or the solutions.properties file to use the correct port number. com.ibm.di.dispatcher.registryport= Start the serice again. Chapter 3. Configuring the UNIX and Linux adapter 15

30 Configuring logging for the adapter Log files might proide information that is helpful for diagnosing and troubleshooting problems with the adapter. The type of information collected in your log file is determined by the settings in the log4j.properties file. To configure logging for the adapter, you must update this file. The file is located in the Adapter Solution Directory. To find the location of the Adapter Solution Directory, search for the ADAPTER_SOLDIR entry in the global.properties file in the ITDI_HOME directory. When multiple adapters are running on the same serer where Tioli Directory Integrator is installed, logging information for the adapters is stored in the same log file. The RMI Dispatcher logs are also stored in this log file. You cannot configure logging to store information about the different components in different log files. After you complete the changes to the log4j.properties file, you must stop and restart the serice for the adapter to iew the configuration changes. The following sections contain information about configuring logging for the adapter. Naming the log file The following entry in the log4j.properties file is used to configure the name of the log file: log4j.appender.default.file. To change the name of the log file, change the alue of the following entry in the log4j.properties file: log4j.appender.default.file. In the example below, the log file generated is ibmdi.log. log4j.appender.default.file=ibmdi.log Sizing the log file The following entry in the log4j.properties file is used to configure the maximum size of the log file: log4j.appender.default.maxfilesize. For example, log4j.appender.default.maxfilesize=8mb The number of log files generated is determined by the log4j.appender.default.maxbackupindex entry. In the example below, the number of log files generated is 10. log4j.appender.default.maxbackupindex=10 Configuring logging leels The logging leel is determined by the log4j.rootcategory attribute in the log file. The four leels for logging information are ERROR, WARN, INFO, and DEBUG. By default the logging leel is set to INFO. DEBUG The DEBUG leel logs all of the details related to a specific operation. This is the highest leel of logging. If logging is set to DEBUG, all other leels of logging information are displayed in the log file. ERROR The ERROR leel logs only error conditions. The ERROR leel proides the smallest amount of logging information. 16 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

31 INFO The INFO leel logs information about workflow. It generally explains how an operation occurs. WARN The WARNING leel logs information when an operation completes successfully but there are issues with the operation. Displaying logs in the user interface If the RMI Dispatcher is running from the command prompt by calling ibmdisr.bat (Windows only), the logs can be displayed in the user interface. To display the logs in the user interface, change the alue of the following entry in the log4j.properties file: log4j.appender.default. For example, log4j.appender.default=org.apache.log4j.consoleappender Appending information to an existing log file By default, log file information is deleted and created again each time the RMI Dispatcher starts. To append information to an existing log file before or after the dispatcher starts, change the alue of the following entry from false to true in the log4j.properties file: log4jappender.default.append. For example, log4j.appender.default.append=true Managing passwords when restoring accounts When an account is restored from being preiously suspended, you are prompted to supply a new password for the reinstated account. Howeer, in some cases you might not want to be prompted for a password. The password requirement to restore an account falls into two categories: allowed and required. How each restore action interacts with its corresponding managed resource depends on either the managed resource, or the business processes that you implement. Certain resources reject a password when a request is made to restore an account. In this case, you can configure IBM Tioli Identity Manager to forego the new password requirement. You can set the UNIX and Linux adapter to require a new password when the account is restored, if your company has a business process in place that dictates that the account restoration process must be accompanied by resetting the password. In the serice.def file, you can define whether or not a password is required as a new protocol option. When you import the adapter profile, if an option is not specified, the adapter profile importer determines the correct restoration password behaior from the schema.dsml and xforms.xml files. Adapter profile components also enable remote serices to find out if you discard a password that is entered by the user in a situation where multiple accounts on disparate resources are being restored. In this scenario, only some of the accounts being restored might require a password. Remote serices will discard the password from the restore action for those managed resources that do not require them. Edit the serice.def file to add the new protocol options, for example: <Property Name = "com.ibm.itim.remoteserices.resourceproperties. PASSWORD_NOT_REQUIRED_ON_RESTORE"<alue>true</alue> </property> <Property Name = "com.ibm.itim.remoteserices.resourceproperties. PASSWORD_NOT_ALLOWED_ON_RESTORE"<alue>false</alue> </property> Chapter 3. Configuring the UNIX and Linux adapter 17

32 By adding the two options in the example aboe, you are ensuring that you will not be prompted for a password when an account is restored. 18 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

33 Chapter 4. Configuring SSL authentication for the UNIX and Linux adapter In order to establish a secure connection between the adapter and the IBM Tioli Identity Manager serer, you must configure Tioli Directory Integrator and the IBM Tioli Identity Manager serer to use the Secure Sockets Layer (SSL) authentication. SSL authentication proides encryption of the data exchanged between two applications. Encryption makes data transmitted oer the network intelligible only to the intended recipient. Note: If you are using a single serer configuration, you do not need to use SSL authentication. For information about using a single serer configuration, refer to Supported configurations on page 2. By configuring Tioli Directory Integrator for SSL, you ensure that the IBM Tioli Identity Manager serer erifies the identity of the adapter before a secure connection is established. You can configure SSL authentication for connections that originate from the IBM Tioli Identity Manager serer. The IBM Tioli Identity Manager serer initiates a connection to the adapter in order to set or retriee the alue of a managed attribute on the adapter. In a production enironment, you must enable SSL security; howeer, for testing purposes you might want to disable SSL. If an external application that communicates with the adapter (such as the IBM Tioli Identity Manager serer) is set to use serer authentication, you must enable SSL for Tioli Directory Integrator to erify the certificate that the application presents. This chapter contains an oeriew of SSL authentication, certificates, and how to enable SSL authentication using the ikeyman command. Oeriew of SSL and digital certificates When you deploy IBM Tioli Identity Manager in an enterprise network, you must secure communication between the IBM Tioli Identity Manager serer and the software products and components with which the serer communicates. The industry-standard SSL protocol uses signed digital certificates from a certificate authority (CA) to secure communication in a IBM Tioli Identity Manager deployment. A signed digital certificate is an industry-standard method of erifying the authenticity of an entity, such as a serer, client, or application. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as the ikeyman utility, can also issue signed certificates. Signed digital certificates enable two applications connecting in a network to authenticate each other s identity. For example, an application acting as an SSL serer presents its credentials in a signed digital certificate to erify to an SSL client that it is the entity it claims to be. An application acting as an SSL serer can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates. Copyright IBM Corp

34 A CA certificate must be installed to erify the origin of a signed digital certificate. When an application receies another application s signed certificate, it uses a CA certificate to erify the originator of the certificate. Many applications, such as Web browsers, are configured with the CA certificates of well known certificate authorities to eliminate or reduce the task of distributing CA certificates throughout the security zones in a network. Priate keys, public keys, and digital certificates Keys, digital certificates, and trusted certificate authorities are used to establish and erify the identities of applications. SSL uses public key encryption technology for authentication. Public key encryption requires that a public key and a priate key be generated for an application. Data encrypted with the public key can only be decrypted using the corresponding priate key. Data encrypted with the priate key can only be decrypted using the corresponding public key. The priate key is stored in a key database file that is password-protected. Only the owner of the priate key can access the priate key to decrypt messages that are encrypted using the corresponding public key. In order to ensure maximum security, a certificate is issued by a third-party certificate authority. A certificate contains the following information to erify the identity of an entity: Organizational information Public This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility. key The receier of the certificate uses the public key to decipher encrypted text sent by the certificate owner to erify its identity. A public key has a corresponding priate key that encrypts the text. Certificate authority s distinguished name The issuer of the certificate identifies itself with this information. Digital Self-signed signature The issuer of the certificate signs it with a digital signature to erify its authenticity. This signature is compared to the signature on the corresponding CA certificate to erify that the certificate originated from a trusted certificate authority. Web browsers, serers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted certificate authority and is otherwise alid. For example, a digital certificate can be inalidated because it has expired or the CA certificate used to erify it has expired, or because the distinguished name in the digital certificate of the serer does not match the distinguished name specified by the client. certificates You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner s signature. It has an associated priate key, but it does not erify the origin of the certificate through a third-party certificate authority. Once you 20 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide

35 generate a self-signed certificate on an SSL serer application, you must extract it and add it to the certificate registry of the SSL client application. This procedure is the equialent of installing a CA certificate that corresponds to a serer certificate. Howeer, you do not include the priate key in the file when you extract a self-signed certificate to use as the equialent of a CA certificate. Use a key management utility, such as the ikeyman utility, to generate a self-signed certificate and a priate key, to extract a self-signed certificate, and to add a self-signed certificate. Where and how you choose to use self-signed certificates depends on your security requirements. In order to achiee the highest leel of authentication between critical software components, do not use self-signed certificates, or use them selectiely. For example, you can choose to authenticate applications that protect serer data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or IBM Tioli Identity Manager adapters. If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and CA certificate pair. The use of SSL authentication When a Tioli Directory Integrator component is used as a serer, SSL mandates that a keystore be defined for and used by Tioli Directory Integrator. When a Tioli Directory Integrator component is used as a client, SSL mandates that a truststore be defined for and used by Tioli Directory Integrator. A keystore is a database of priate keys and the associated certificates needed to authenticate the corresponding public keys. Digital certificates are stored in a keystore file. A keystore also manages certificates from trusted entities. A truststore is a database of public keys for target serers. A truststore file is a key database file that contains the public keys for target serers. The public key is stored as a signer certificate. If the target uses a self-signed certificate, you must extract the public certificate from the serer keystore file. The global.properties file or the solutions.properties file specifies the properties for the Tioli Directory Integrator Serer and the Tioli Directory Integrator components running on the Tioli Directory Integrator Serer. If the solutions directory does not exist, these properties are defined in the global.properties file. If the solutions directory exists, the properties are defined in the solutions.properties file in the ITDI Solutions Directory. To use SSL authentication for Tioli Directory Integrator, complete these steps: 1. From the <ITDI_HOME> directory, edit the global.properties file. The example below includes the alues that must be changed. Substitute the actual keystore for the keystore proided in the example. jaax.net.ssl.keystore= C:\itdicertkeys\idiserer.jks jaax.net.ssl.keystorepassword=secret jaax.net.ssl.keystoretype=jks jaax.net.ssl.truststore= C:\itdicertkeys\idiserer.jks jaax.net.ssl.truststorepassword=secret Chapter 4. Configuring SSL authentication for the UNIX and Linux adapter 21

36 jaax.net.ssl.truststoretype=jks api.remote.on=false jaax.net.debug=ssl com.ibm.di.dispatcher.ssl=true 2. From the <ITDI_HOME>\_jm\jre\lib\security\ directory (for example, C:\Program Files\IBM\itim\itdi\home\_jm\jre\lib\security\), make these changes to the jaa.security file: security.proider.1=com.ibm.jsse.ibmjsseproider security.proider.2=com.ibm.crypto.proider.ibmjce security.proider.3=com.ibm.security.jgss.ibmjgssproider security.proider.4=com.ibm.security.cert.ibmcertpath ## SSLSererSocketFactory Proider ssl.serersocketfactory.proider=com.ibm.jsse.jsseserersocketfactory 3. Restart the serice you created for the adapter. In the imdi.log file, ensure that the alue for ssl is true (for example, ssl=true), and the RMI Dispatcher is using the SecureRMISererFactory. Configuring certificates for SSL authentication Use the following procedures to configure Tioli Directory Integrator for one-way or two-way SSL authentication using signed certificates. In order to perform these procedures, use a key management tool. Configuring certificates for one-way SSL authentication In this scenario, the IBM Tioli Identity Manager serer and Tioli Directory Integrator are set to use SSL. Client authentication is not set on either application. The IBM Tioli Identity Manager serer operates as the SSL client and initiates the connection. Tioli Directory Integrator operates as the SSL serer and responds by sending its signed certificate to the IBM Tioli Identity Manager serer. The IBM Tioli Identity Manager serer uses the CA certificate that is installed to alidate the certificate sent by Tioli Directory Integrator. In Figure 3, Application A operates as the IBM Tioli Identity Manager serer, and Application B operates as Tioli Directory Integrator. Tioli Identity Manager Serer (SSL client) 1 Hello Tioli Directory Integrator (SSL serer) Keystore CA Certificate A Verify Send Certificate B Certificate A Figure 3. One-way SSL authentication (serer authentication) 22 IBM Tioli Identity Manager: UNIX and Linux adapter Installation and Configuration Guide