IBM Security Identity Manager How To

How to clean up the ISIM recycle bin

Take a backup of the LDAP first (add -I <instance> if the server hosts more than one directory instance):

db2ldif -o /opt/backups/ldapdump-backup.ldif

Run the subtree removal command. The control OID 1.2.840.113556.1.4.805 is the LDAP subtree delete control; without it the server refuses to delete an entry that still has children. The <(...) process substitution requires Bash. Note that -w $CN_ROOT_PWD exposes the password in the process list for the duration of the command; the IBM tools accept -w ? to prompt for it instead.

ldapmodify -D cn=root -w $CN_ROOT_PWD -f <(echo -e "dn: ou=recycleBin,ou=company,dc=com\ncontrol: 1.2.840.113556.1.4.805 true\nchangetype: delete\n")

This command takes a while. You can monitor progress from another console with

idsldapsearch -D cn=root -w $CN_ROOT_PWD -s base -b ou=recycleBin,ou=company,dc=com objectclass=* numSubordinates

numSubordinates is the number of entries still left in the recycle bin; the search returns nothing once the container itself is gone.
After the subtree removal is done you need to recreate the OU entry, since the subtree delete removes the container as well. Run this:

idsldapadd -D cn=root -w $CN_ROOT_PWD -f <(echo -e "dn: ou=recycleBin,ou=company,dc=com\nou: recycleBin\nobjectclass: organizationalUnit\n")
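The whole procedure as one script, added here as an example and not code from the original page. It assumes the suffix ou=company,dc=com, the IBM idsldap* tools in $PATH and the cn=root password in CN_ROOT_PWD; parse_numsubordinates understands both the attr=value output the IBM tools print by default and LDIF (-L) output, and the container is only recreated once the count has reached zero.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: the recycle-bin purge as one script.
# Assumptions (not in the original): suffix ou=company,dc=com, IBM idsldap* tools in
# $PATH, the cn=root password in CN_ROOT_PWD, a 30 second poll interval.

RB_DN="${RB_DN:-ou=recycleBin,ou=company,dc=com}"
SUBTREE_DELETE_OID="1.2.840.113556.1.4.805"   # LDAP subtree delete control

# LDIF that removes the container and everything below it in a single operation.
recyclebin_delete_ldif() {
  printf 'dn: %s\ncontrol: %s true\nchangetype: delete\n' "$RB_DN" "$SUBTREE_DELETE_OID"
}

# LDIF that puts the (now missing) container back so ISIM can use it again.
recyclebin_recreate_ldif() {
  local rdn="${RB_DN%%,*}"                       # ou=recycleBin
  printf 'dn: %s\nou: %s\nobjectclass: organizationalUnit\n' "$RB_DN" "${rdn#*=}"
}

# Read idsldapsearch output on stdin and print the numSubordinates value, or 0 when the
# attribute is absent (the container is gone). Accepts both the "attr=value" lines the
# IBM tools print by default and the "attr: value" LDIF form (-L).
parse_numsubordinates() {
  awk -F'[=:][ ]*' '
    tolower($1) == "numsubordinates" { print $2 + 0; found = 1 }
    END { if (!found) print 0 }'
}

# Poll the container until nothing is left underneath it.
wait_for_empty() {
  local left
  while :; do
    left=$(idsldapsearch -D cn=root -w "$CN_ROOT_PWD" -s base -b "$RB_DN" \
             'objectclass=*' numSubordinates 2>/dev/null | parse_numsubordinates)
    printf '%s entries left in %s\n' "$left" "$RB_DN"
    [ "$left" -eq 0 ] && return 0
    sleep 30
  done
}

purge_recycle_bin() {
  : "${CN_ROOT_PWD:?set CN_ROOT_PWD to the cn=root password}"
  local tmp; tmp=$(mktemp)
  db2ldif -o /opt/backups/ldapdump-backup.ldif              # backup first
  recyclebin_delete_ldif > "$tmp"
  ldapmodify -D cn=root -w "$CN_ROOT_PWD" -f "$tmp"         # subtree delete, blocks a while
  wait_for_empty
  recyclebin_recreate_ldif > "$tmp"
  idsldapadd -D cn=root -w "$CN_ROOT_PWD" -f "$tmp"         # recreate the OU
  rm -f "$tmp"
}

# The live procedure only runs when explicitly requested: RUN_PURGE=1 ./purge-recyclebin.sh
if [ "${RUN_PURGE:-0}" = 1 ]; then purge_recycle_bin; fi
```

Run it as RUN_PURGE=1 with CN_ROOT_PWD exported; without RUN_PURGE it only defines the functions, which is what the monitoring loop from a second console would source.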

How to update or apply a fixpack to ISIM 7 VA

You cannot install a fix pack through the local management interface (LMI): the package is too large for a browser upload. IBM ships an upload tool instead. It drives the REST API /upload command, sends the file as chunked multipart data with upload_file_type set to "fixpack", and is fairly slow.
The virtual appliance has two partitions, each with its own copy of the firmware. An update is applied to the inactive partition and the partitions are then swapped, which is what makes a rollback possible when required. Either partition can be the active one.
The maintenance must be applied to every primary and member node individually.

java -jar FileUpload.jar isimva.ibm.com admin [password] temptrust.jks WebAS 7.0.1-ISS-SIM-FP0007.pkg

  • When the upload finishes the server replies with the SHA-256 of the file it received. Comparing it with sha256sum of your local copy is optional, but it is the only check that the transfer did not corrupt the package.
  • Once the .pkg file is on the appliance, install the firmware from the appliance CLI and reboot:

isim upgrade install
reboot

Official IBM upgrade instructions are here.

How to get root on the ISIM 7 virtual appliance

Use this responsibly and think about the consequences before changing the appliance internals. IBM closed root off in the first place to stop people from breaking the application beyond its intended function and introducing customizations that cannot be carried across upgrades.

Shell injection method

Note: this method worked before 7.0.1.7.1.
All you need is admin access to the appliance command line (the LMI CLI, mesa_cli) over SSH or on the console.
Run

isim utilities sap set_cron

When asked for the version, enter

'\\; /bin/bash #

Choose option 6. Enjoy your root shell. The payload works because the entered version evidently ends up on a shell command line: the leading quote closes the argument, \\; terminates the command, /bin/bash then runs with the CLI's root privileges and # comments out whatever follows.
At this point you may want to unlock the root login by removing the leading !! from root's hash in /etc/shadow, so that you can log in as root directly and have SFTP/SCP working.
The root password is identical to the admin password. You might also want to put something into /userdata to retain access in case a future fixpack removes the shell injection.

Note: before FP 7 the same worked on isim utilities db_purge: select option 1, enter the same bash injection string, then option 7.

Disk mount method

This method works only if the VM has no active snapshots, and it requires access to the appliance's virtual disk image. Snapshot delta files are not mountable on their own. Consolidate the snapshots (delete all except the last) to get a single flat disk, or use the side boot method below. Do not mount the base disk directly while snapshots exist: your edits would go behind the snapshots' write logs and will most likely corrupt the disk.
Mount disk partition 5 (root) and, if needed, 6 (recovery):

vmware-mount BLAH.vmdk 5 /media/temp

or

modprobe nbd
qemu-nbd -c /dev/nbd0 <vdi-file>
mount /dev/nbd0p5 /media/temp

Edit /etc/shadow on the mounted partition: remove the "!!" in front of root's password hash to unlock root. The root password is the same as the admin password. This way you get a root shell when logging in as root and the mesa shell when logging in as admin.
Alternatively, edit /etc/passwd to change admin's default shell to /bin/sh; the mesa shell can then be started by hand with /usr/sbin/mesa_cli.
You can also mount boot partition #1 and edit boot/grub/menu.lst to remove the 'quiet' option (not very exciting, though).
To see the GRUB menu on the terminal, swap the order of serial and console on the terminal --timeout line in /boot/grub/menu.lst.
You could also set sys.cli.testmode = 1 in /etc/settings.sys to get the mesa CLI test mode. It is unclear what it actually does, but the prompt changes to TEST.
Unmount the disk before starting the VM again; an image that is still attached to another system while the appliance boots will get corrupted:

vmware-mount -x

or

umount /media/temp
qemu-nbd -d /dev/nbd0
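The shadow edit with the checks a practitioner wants around it, added here as an example and not code from the original page. It works on an offline copy mounted at a directory you pass in, refuses to touch a file where root is not in the expected locked state, keeps a backup, and the nbd wrapper always detaches the image again (the device name /dev/nbd0 is the page's and is assumed free).

```bash
#!/usr/bin/env bash
# Added example, not from the original page: unlock root in an offline copy of the
# appliance's /etc/shadow, with the checks you want before touching a system file.
# Assumes the root partition is mounted at the directory passed as $1; the nbd wrapper
# at the end uses the page's qemu-nbd commands and assumes /dev/nbd0 is free.

# Print root's shadow line (empty if there is none).
root_shadow_line() {
  grep '^root:' "$1" || true
}

# True only if root is locked with the "!!" prefix the page describes.
root_is_locked() {
  root_shadow_line "$1" | grep -q '^root:!!'
}

# Strip the leading "!!" from root's hash so the (admin-equal) password works again.
# Keeps a .bak copy; refuses (returns 1) unless the file exists and root is in the
# expected locked state, so re-running it cannot damage an already edited file.
unlock_root_in_shadow() {
  local shadow="$1/etc/shadow"
  [ -f "$shadow" ] || { echo "no $shadow" >&2; return 1; }
  root_is_locked "$shadow" || { echo "root is not locked with '!!' in $shadow" >&2; return 1; }
  sed -i.bak 's/^root:!!/root:/' "$shadow"
  ! root_is_locked "$shadow"
}

# Attach the image, mount the root partition, do the edit and always detach again,
# even if something fails: an image left attached while the appliance boots is what
# corrupts the disk.
edit_image_offline() {   # usage: edit_image_offline <vdi-file>
  local mnt; mnt=$(mktemp -d)
  modprobe nbd
  qemu-nbd -c /dev/nbd0 "$1"
  trap 'umount "$mnt" 2>/dev/null; qemu-nbd -d /dev/nbd0; rmdir "$mnt"' EXIT
  mount /dev/nbd0p5 "$mnt"          # partition 5 is the root filesystem (see above)
  unlock_root_in_shadow "$mnt"
}
```

Run edit_image_offline isim.vdi as root on the host with the VM powered off; the EXIT trap is what guarantees the umount and qemu-nbd -d from the page happen even when the edit fails halfway.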

Side boot method

This method works even with active snapshots, but requires the ability to attach an ISO to the appliance VM and boot from it.
Boot the VA into gparted-live or Parted Magic, mount the partitions from inside the running VM, and then follow the disk mount method above.

Other methods

mesa_cli is a compiled binary with hardcoded entries for running shell scripts and external code. It does little input sanitizing and is potentially exploitable, for example through a buffer overflow in the argument of the help command.

How to run the ISIM virtual appliance on VirtualBox

Fake VMware, which the appliance checks for at boot:
VBoxManage setextradata "<vm name>" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "VMware Virtual Platform"
FYI, the VMware check is in /etc/hwdetect.d/vmware.hwdetect

How to decrypt ISIM passwords

See https://github.com/alexivkin/ISIM-Crypto-Seer
For bulk decryption use reencrypter.py from https://github.com/alexivkin/ISIM-LDAP-Sifter


How to analyze and split out ISIM LDAP data

Look here: https://github.com/alexivkin/ISIM-LDAP-Sifter

How to configure ISIM to start and stop via systemctl

Create a startup script, /opt/start-isim. Each WebSphere start script blocks until its JVM reports "open for e-business", so the commands can simply run in order; no sleeps are needed:

#!/bin/bash
set -e
WAS=/opt/IBM/WebSphere/AppServer/bin
$WAS/startManager.sh
$WAS/startNode.sh -profileName AppSrv01
$WAS/startServer.sh isimServer1 -profileName AppSrv01
$WAS/startServer.sh isimMsgServer1 -profileName AppSrv01

and a shutdown script, /opt/stop-isim, which takes the wasadmin password as its first argument or from the WASADMIN_PWD environment variable:

#!/bin/bash
WASPWD="${1:-$WASADMIN_PWD}"
if [[ -z "$WASPWD" ]]; then
   echo "Need the wasadmin password (argument or WASADMIN_PWD)" >&2
   exit 1
fi
WAS=/opt/IBM/WebSphere/AppServer/bin
$WAS/stopServer.sh isimServer1 -profileName AppSrv01 -username wasadmin -password "$WASPWD"
$WAS/stopServer.sh isimMsgServer1 -profileName AppSrv01 -username wasadmin -password "$WASPWD"
$WAS/stopNode.sh -profileName AppSrv01 -username wasadmin -password "$WASPWD"
$WAS/stopManager.sh -username wasadmin -password "$WASPWD"

Then create the systemd unit. The password does not go into the unit file (which is world-readable) but into a root-only environment file that systemd loads for both ExecStart and ExecStop:

# Start of service file
[Unit]
Description=IBM Security Identity Manager Server 1
After=network.target

[Service]
# The WAS scripts exit once the JVMs are up and detached, hence oneshot + RemainAfterExit
Type=oneshot
RemainAfterExit=yes
# Contains one line: WASADMIN_PWD=<password>; owned by root, mode 0600
EnvironmentFile=/etc/isim/wasadmin.env
ExecStart=/opt/start-isim
ExecStop=/opt/stop-isim
TimeoutStartSec=600
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
# End of service file

Copy it to /etc/systemd/system/isim1.service (unit files are not executable; the two scripts are), create the environment file, and enable the unit:

chmod u+x /opt/start-isim /opt/stop-isim
mkdir -p /etc/isim
(umask 077; echo 'WASADMIN_PWD=<password>' > /etc/isim/wasadmin.env)
systemctl daemon-reload
systemctl enable isim1.service

Note: WebSphere requires the wasadmin password to stop. It is read from /etc/isim/wasadmin.env every time the unit starts or stops, so if you ever change the password, update that file (daemon-reload is only needed after editing the unit itself). The -password argument still shows briefly in the process list while each stop command runs; to avoid that, put com.ibm.SOAP.loginUserid and com.ibm.SOAP.loginPassword into the profile's properties/soap.client.props (with com.ibm.SOAP.securityEnabled=true) and drop the -username/-password arguments from the stop commands.

How to start ISIM on the main node

As root, run the following:

/opt/IBM/WebSphere/AppServer/bin/startManager.sh
/opt/IBM/WebSphere/AppServer/bin/startNode.sh -profileName AppSrv01
/opt/IBM/WebSphere/AppServer/bin/startServer.sh isimServer1 -profileName AppSrv01
/opt/IBM/WebSphere/AppServer/bin/startServer.sh isimMsgServer1 -profileName AppSrv01

Which is equivalent to
sudo systemctl start isim1.service

How to start ISIM on the secondary node

/opt/IBM/WebSphere/AppServer/bin/startNode.sh
/opt/IBM/WebSphere/AppServer/bin/startServer.sh isimServer2
/opt/IBM/WebSphere/AppServer/bin/startServer.sh isimMsgServer2

Which is equivalent to
sudo systemctl start isim2.service

How to stop ISIM on the main node

With the wasadmin password in $WASADMIN_PWD:

/opt/IBM/WebSphere/AppServer/bin/stopServer.sh isimServer1 -profileName AppSrv01 -username wasadmin -password "$WASADMIN_PWD"
/opt/IBM/WebSphere/AppServer/bin/stopServer.sh isimMsgServer1 -profileName AppSrv01 -username wasadmin -password "$WASADMIN_PWD"
/opt/IBM/WebSphere/AppServer/bin/stopNode.sh -profileName AppSrv01 -username wasadmin -password "$WASADMIN_PWD"
/opt/IBM/WebSphere/AppServer/bin/stopManager.sh -username wasadmin -password "$WASADMIN_PWD"

Which is equivalent to
sudo systemctl stop isim1.service

How to stop ISIM on the secondary node

/opt/IBM/WebSphere/AppServer/bin/stopServer.sh isimServer2 -username wasadmin -password "$WASADMIN_PWD"
/opt/IBM/WebSphere/AppServer/bin/stopServer.sh isimMsgServer2 -username wasadmin -password "$WASADMIN_PWD"
/opt/IBM/WebSphere/AppServer/bin/stopNode.sh -username wasadmin -password "$WASADMIN_PWD"

Which is equivalent to
sudo systemctl stop isim2.service


How to install the ISIM Web app (WAR) manually

To redeploy the ISIM WAR do the following. Note that it does not perform all the installation steps that runConfigFirstTime does on WAS.
PATH=/opt/IBM/isim/jre/jre/bin/:$PATH
/opt/IBM/isim/bin/SetupEnrole install user:wasadmin password:Passw0rd ejbuser:wasadmin ejbpassword:Passw0rd
Then check /opt/IBM/isim/install_logs/setupEnrole.stdout for errors.
https://www.ibm.com/support/knowledgecenter/en/SSRMWJ_6.0.0.13/com.ibm.isim.doc/installing/tsk/tsk_ic_ins_itim_cluster_deploy.htm

Enable XA for the itimdb user

On Oracle

sudo su - oracle
export ORACLE_SID=itimdb
sqlplus -S "/ as sysdba" @/install/oracle-isim-setup/enable_xa_for_itim.sql

How to synchronize ISIM cryptography between nodes

  1. Stop the second node
  2. Back up the files in /opt/IBM/isim/data/keytabs/ on node 2, then copy node 1's files over them
  3. Also copy the following from node 1:
    • enRole.properties (edit it afterwards to correct enrole.appServer.name for this node)
    • enRoleLDAPConnection.properties
    • enRoleDatabase.properties

How to quickly restart the ISIM application

  1. Log in to the WAS administrative console (ISC, the Integrated Solutions Console):

https://istim:9044/ibm/console

  2. Restart the ITIM application: go to Applications -> Enterprise Applications, select ITIM, click Stop, then Start.

How to remove ISIM with data without uninstalling middleware or the middleware fixpacks

Official approach


/opt/IBM/isim/itimUninstallerData/Uninstall_ITIM
but you will also need to clean up WAS a bit: the security domain and the security authentication realm.

Brute force



ISIM1

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -delete -profileName AppSrv01
/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -delete -profileName Dmgr01
rm -rf /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
rm -rf /opt/IBM/WebSphere/AppServer/profiles/Dmgr01
rm -rf /opt/IBM/isim
rm -rf /opt/IBM/tivoli

or
mv /opt/IBM/isim/ /opt/IBM/isim.bak
mv /opt/IBM/tivoli/ /opt/IBM/tivoli.bak

ISIM2

/opt/IBM/WebSphere/AppServer/bin/manageprofiles.sh -delete -profileName AppSrv01
rm -rf /opt/IBM/WebSphere/AppServer/profiles/AppSrv01
rm -rf /opt/IBM/isim
rm -rf /opt/IBM/tivoli

or
mv /opt/IBM/isim/ /opt/IBM/isim.bak
mv /opt/IBM/tivoli/ /opt/IBM/tivoli.bak

LDAP

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k
/opt/ibm/ldap/V6.4/sbin/64/idsidrop -n -I isimldap
pkill -9 -u isimldap
userdel -r isimldap
groupdel isimldap
rm /var/db2/global.reg

Oracle DB

echo -e "shutdown immediate;\nstartup mount exclusive restrict;\ndrop database;\n" | sqlplus "/ as sysdba"


How to configure an email drop-box

If you want a folder that catches and stores all received emails as flat files, you can set one up on a Windows server like this:

  1. Install the SMTP server on a Windows server using Server Manager (Add Features / Add Required Role Services)
  2. In the website/virtual directory, double-click "SMTP E-mail" and click "Deliver e-mail to SMTP server"
  3. Make sure that SMTP Virtual Server / Default SMTP Server is running
  4. The default folder for incoming emails is C:\Inetpub\Mailroot
  5. Configure ISIM to use the target IIS host as the SMTP server. The default SMTP port is 25.

How to examine and clean MQ queues

  1. On the ITIM server, run ibm\WebSphere MQ\bin\runmqsc.exe WAS_isim_server1
  2. You will not see a prompt; continue to the next step.
  3. Type

dis ql('W*') CURDEPTH

  4. Make sure all depths are 0.
  5. If not, issue the clear queue command:

clear ql(queue)

  6. If the queue refuses to clear, stop the ITIM enRole application (not the WAS server) before issuing the clear command.
  7. Exit from MQ by typing

end
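The depth check done by script, added here as an example and not code from the original page: it parses the runmqsc display output into the queues that still hold messages and produces the matching clear commands for review. SAMPLE_RUNMQSC is a constructed excerpt in the AMQ8409 display format with made-up queue names; the queue manager name is the page's.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: turn runmqsc's "dis ql('W*') CURDEPTH"
# output into the list of queues that still hold messages, and into the matching clear
# commands for review. SAMPLE_RUNMQSC is a constructed excerpt in the AMQ8409 display
# format; the queue names in it are made up, the queue manager name is the page's.

SAMPLE_RUNMQSC='AMQ8409: Display Queue details.
   QUEUE(WAS_isim_server1_ITIM_WF)         TYPE(QLOCAL)
   CURDEPTH(0)
AMQ8409: Display Queue details.
   QUEUE(WAS_isim_server1_ITIM_MS)         TYPE(QLOCAL)
   CURDEPTH(12)'

# stdin: runmqsc output. stdout: "<queue> <depth>" for every queue with depth > 0.
# runmqsc prints QUEUE(...) on one line and CURDEPTH(...) on a later one, so remember
# the last queue name seen and report it when a non-zero depth follows.
nonempty_queues() {
  awk '
    match($0, /QUEUE\([^)]*\)/)     { q = substr($0, RSTART + 6, RLENGTH - 7) }
    match($0, /CURDEPTH\([0-9]+\)/) { d = substr($0, RSTART + 9, RLENGTH - 10) + 0
                                      if (d > 0) print q, d }'
}

# stdin: the lines from nonempty_queues. stdout: MQSC clear commands, one per queue.
clear_commands() {
  awk '{ printf "clear ql(%s)\n", $1 }'
}

demo() { printf '%s\n' "$SAMPLE_RUNMQSC" | nonempty_queues; }

# Live use (needs the MQ tools; stop the enRole application first if a clear is refused):
#   echo "dis ql('W*') CURDEPTH" | runmqsc WAS_isim_server1 | nonempty_queues
#   echo "dis ql('W*') CURDEPTH" | runmqsc WAS_isim_server1 | nonempty_queues \
#     | clear_commands | runmqsc WAS_isim_server1
```

Keep the two pipelines separate in practice: look at what nonempty_queues reports before piping the clear commands back into runmqsc.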

How to set the session expiration time on ITIM

  1. In the WAS admin console
  2. go to Application servers > server1 > Session management for a server-wide setting, or to
  3. Applications -> Enterprise Applications -> itim -> Session management for ITIM only (make sure to select the check box at the top to override the server settings)

How to refresh QA and Dev data from Prod

Extract the config data and create the delete LDIF scripts:
$DISTRO_DIR/install-scripts/code/dataextractor.py -d itimexport.ldif
On LDAP1, take a backup of the current LDAP:

/opt/IBM/ldap/V6.4/sbin/db2ldif -o /tmp/ldapdump.ldif

Remove the old entries. Before you can use ldif2db to load the other entries you need to stop the LDAP instance:

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -k

Run ldif2db (-I selects the instance, -i the LDIF file to load):

/opt/IBM/ldap/V6.4/sbin/ldif2db -I isimldap -i <ldif file>

Start the LDAP instance back up:

/opt/IBM/ldap/V6.4/sbin/ibmslapd -I isimldap -n -t

Optional: make sure cluster replication is pushing the changes to the peer LDAP. Run the following and check that the pending replication count is decreasing:

/opt/IBM/ldap/V6.4/bin/idsldapsearch -D cn=root -w $CN_ROOT_PWD -s sub -b dc=com objectclass=ibm-replicationagreement ibm-replicationPendingChangeCount

How to enable TLSv1.2 on ISIM

Stop the ISIM server. Expand the list of protocols WAS offers by changing the sslProtocol attribute of the SSL configuration from SSL_TLS to SSL_TLSv2, which covers SSLv3 through TLSv1.2. Anchor the pattern on the attribute: a bare s/SSL_TLS/SSL_TLSv2/ also matches the new value and doubles the suffix if the command is ever run twice.

sed -i.bak 's/sslProtocol="SSL_TLS"/sslProtocol="SSL_TLSv2"/' /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/isimCell01/security.xml

Start the ISIM server.
Test:

openssl s_client -connect server:port -tls1_2

It should come back with a server certificate and a negotiated cipher.
Do not set it to "TLSv1.2" alone: other components (the MQ server) still connect over TLSv1, and isimServer1 will fail.


How to configure Eclipse to compile ITIM Java Extensions (IBMJS)

  • First, get and install IBM Java 1.6
    • You could also just copy the JDK contents if you do not want to install it and potentially mess up your Java browser plugins:

xcopy /E /Y /I x:\folder\Tools\Java\ibm_sdk60 C:\Program Files\ibm_sdk60

  • Configure the new JDK as an alternative Java build path:
    • Go into the properties of your project -> Java Build Path -> Libraries -> Add Library
    • Pick Alternative JRE, click Installed JREs, on the new window click Add and define the new JRE by pointing to the directory where IBM Java 1.6 is installed.
  • Add the ITIM API libraries and the WAS libraries to your build path by copying them from the working ITIM system
    • The easies way to pull them off is to use the ITIM Remote API scripts.
    • Then add user libraries of F:\Program Files\IBM\itim\lib and "F:\Program Files\IBM\WebSphere\AppServer\runtimes"
  • If you are using ANT to build your Java Extensions add the following to the <javac ...> item

fork="yes" executable="C:\IBM\ibm_sdk60\bin\javac.exe"

How to limit a user to have no more than one account on a service?

I.e. if a user already has an account, there should not be an option available for to request it for them (I know we can terminate the add workflow once it was requested, I am looking for a UI option, prevent from even requesting it)

The ISIM Identity Service Center will warn user if an account is already present on a service, but will let them proceed with the account request. You can enforce one account state by UID collision. Define an identity policy on the service to only generate a single ID per user (default identity policy in ISIM generates sequential IDs). This will cause the adapter to fail if request is submitted even after the warning was presented.

As far as hiding an ability to request access, ISC only prevents from requesting if a user is not entitled. But if they have an account they are entitled. So there is no way to resolve this contradiction without modifying the ISC itself.

How to hide certain accesses from a user in the Identity Service Center UI?

I.e. certain users should only be able to see and request only certain accesses based on some role/group/person attribute.

If there are no provisioning policies that allow a user to have an account on a system, then access associated with that account will not show up in the Identity Service Center. The same [probably] applies to a group access request in ISC. For a role request you would have to use ACIs.

How to detect that there is another request already in progress for that person, when a person is being suspended?

And how to react in some way (notify, suspend or cancel request)?

You need a workflow extension to sift through the requests and find pending request for the person. Add the custom extension to the suspend workflow.

How to to request same access for multiple people at the same time?

I.e the opposite of "multiple accesses for a single person".
Create a role that gives people appropriate access. You can then add multiple people to that role.

How to provide a "like-mike" functionality with ISIM?

I.e. copy access pattern from one person to another, through the UI, without extensive customizations?
Use IGI or develop a custom app. It's possible to add custom tasks via "create custom task" on the Manage View that will forward to IGI or a custom app for cloning access.

How to implicitly exclude values in ITIM Provisioning Policies?

Explicit Exclude:
To the "General" policy, add the attribute "Group" with the value "Administrators", and set this to Excluded.
NOTE: this will exclude only the value "Administrators"....and would require any other values that need to be excluded to be added in this fashion.

Implicit Exclude:
To the "General" policy, add the attribute "Group" with the value: .* (that is a dot star)
Set this as Regular Expression and Excluded.
This will tell ITIM to exclude any values that are not explicitly defined as Default/Allowed/Mandatory.
This would NOT require any other excluded values to be maintained in this list.
End result of either method would be that the User would gain the Administrator group membership when they are added to the AD Administrator Org Role...and would lose the Administrator group membership when they are no longer in the AD Administrator Org Role.

How to display manager name in Reports

In order to configure ISIM to display the Supervisor's user-friendly name (cn) in the Reports, ISIM can make use of a DB2 User Defined Function to convert the DN value to the Supervisor's CN (common name) value.

  1. Create a User Defined Function in DB2, that will use the Supervisor DN value to lookup and return the Supervisor's CN value:
db2 create function mgrcn(mgrdn varchar(255))
returns varchar(255)
language SQL
return
select cn
from itimuser .person_cn
where dn = mgrcn.mgrdn
NOTE: replace itimuser with your ITIM db user name.
  1. Register your new function with ISIM
    1. Add the name of your new function to $ISIM_HOME/data/DatabaseFunctions.conf
Example: user:mgrcn - 1
NOTE: in ISIM 7 the DatabaseFunctions.conf file can be modified through the ISIM 7 Virtual Appliance console:
Navigate to: Configure > Advanced Configuration > Custom File Management
Expand Directories and select the "data" folder
Select DatabaseFunctions.conf
click the Download button
edit the file as per step 2a (above)
save the file
upload the file back to the data folder, using the Upload button
  1. Use your new function in an ISIM report:
    1. Navigate to Reports > Design Reports.
    2. Create a new report or open an existing one.
    3. Click on the Contents tab.
    4. Add or select Person (Entity) and Supervisor (Attribute).
    5. Select the function (example: mgrcn) from the "Apply Case" dropdown list.
    6. Finish designing the report.

NOTE: once the User Function has been created, full data synchronizations in may fail. This is due to the fact that full synchronizations drop the related tables and recreate with new data. DB2 will not allow the drop of a table that is referenced by user functions.
In order to synchronize data for ISIM reports you must do one of the following:

- Use the ISIM incremental synchronizer, as this does not drop the tables.
- Remove the User Function, run the full synch, then redefine the user function.

How to check what files are updated by a FixPack

Review the .pak file contents, it is a zip file. Look in the path of "repository\itim.home\data\". This is the list of files that will be updated during installation of the noted Fix Pack.

How to set an ITIM session timeout (expiration)

  1. In the WebSphere console
  2. Click on Servers->Server Types->Application Servers->server1->Session Management->Set Timeout to 480
  3. Click Ok, and then Save.

How to get a list of all manual changes to workflows in TIM

Connect to the ITIMDB and run
select * from enrole.audit_event where itim_event_category='entityoperationmanagement' and timestamp > '20100409' order by timestamp
There is much more interesting stuff in that table that is not [easily] accessible in the UI

How to build an automatic to-do approver

You need to start by creating a HumanResourceMO object. If you use the constructor that takes an AccountMO as a third argument, and pass an AccountMO that represents an ITIM account, then you can then use the getAssignments method to get the to-do list for that ITIM account. Note that to-do lists are associated with ITIM accounts -- not the persons who own the accounts.

The getAssignments method will give you a collection of WorkflowAssignmentMO objects. Each of these represents one item in the ITIM account's to-do list. Most information about the to-do list item is available on the Assignment object returned by the WorkflowAssignmentMO's getData method. Either the Assignment's getActivityType or getActivitySubtype methods will tell you what type of to-do list item it is. I can't remember off the top of my head which of these will tell you whether you are dealing with an approval, RFI, work order, or compliance alert.

You can approve or reject approvals by calling the WorkflowAssignmentMO's complete method with an ActivityResult argument that tells it what the activity's result should be. You can create ActivityResult's for approval and rejection. The ActivityResult class has static fields that define the different result types. Work orders can be completed in the same way, but with an ActivityResult having a status of success, warning or failure. I've never been able to figure out how to complete an RFI or compliance alert through the APIs.

Setting a user's forgotten password information is not done through the to-do list assignments. This must be done using the ChallengeResponseManager class. It has been a while since I've worked with this, so I'm not certain how it responds when you have authenticated as a user who has not setup their challenge responses. I don't know if it returns null when you ask for the user's challenges, or if it returns a ChallengesAndResponses object that is empty. If you determine that a newly authenticated user has no challenge responses defined then you should then force them to do so. You load their challenges and responses into a ChallengesAndResponses object. This should be the same object returned by the getChallengesAndResponses method, if it returned one to you. You can then pass this object to one of ChallengeResponseManager's setChallengesAndResponses methods.

How to configure field population for TAM GSO provisioning policy

Edit the PP with the following

User Id *
Description
Distinguished Name *
Full Name *
Last Name *
{subject.getProperty("uid")[0];}
{subject.getProperty("uid")[0];}
{subject.getProperty("displayName")[0];}
{subject.getProperty("sn")[0];}
{subject.getProperty("x500uniqueidentifier")[0]}
{"cn=" + subject.getProperty("givenname")[0] + "." + subject.getProperty("sn")[0] +",c=us";}
{subject.getProperty("givenname")[0] + " " + subject.getProperty("sn")[0];}
{subject.getProperty("sn")[0];}


How to create a forgot your password link from TAM login page to TIMs challenge response interface

Make sure that the user name is sent correctly via POST to the forgot password servlet.
This is the javascript I used on the login page to have a "forgot your password" forward from TAM to TIM:

function forgotPassword() {
 if ( document.loginForm.username != null && document.loginForm.username.value.length > 0 ) {
  document.loginForm.logonID.value = document.loginForm.username.value;
  document.loginForm.action = document.location.protocol + "//" + document.location.host + "/enrole/question";
  document.loginForm.submit();
 } else {
  alert( "Please enter your username and press the \"Forgot your password?\" link" );
 }
}

This is the form used for POST-ing. Notice the hidden variable.

<FORM name="loginForm" METHOD=POST ACTION="/pkmslogin.form">
<table align="center" border="0" cellpadding="5" cellspacing="0" >
  <tr><td colspan=3 height=5></td></tr>
  <tr>
    <td> User Name:</td>
    <td> Password:</td>
    <td></td>
  </tr>
  <tr>
    <td><INPUT NAME="username" SIZE="15"></td>
    <td><INPUT TYPE="PASSWORD" NAME="password" SIZE="15"></td>
    <td><INPUT TYPE="image" VALUE="Login" src="/images/submit.png"></td>
  </tr>
    <td colspan=3><a href="Javascript:forgotPassword();">Forgot Your Password?</a>
    </td>
  <tr>
  </tr>
</table>
<INPUT TYPE="hidden" NAME="logonID"><INPUT TYPE="HIDDEN" NAME="login-form-type" VALUE="pwd">
</FORM>

Also make sure your TIM ChallengeResponse interface is exposed correctly via TAM's ACL's since anybody clicking on the "forgot your password" link is NOT authenticated. Attach ACL's like this:


Group iv-admin Tcmdbsvarxl
Group webseal-servers Tgmdbsrxl
User sec_master Tcmdbsvarxl
Any-other Trx
Unauthenticated Trx

If exposing the TIM's interface run the following:


object create /WebSEAL/WebSEALCluster/enrole/question Desc 8
object create /WebSEAL/WebSEALCluster/enrole/login_scripts.js Desc 8
object create /WebSEAL/WebSEALCluster/enrole/en/images Desc 8
object create /WebSEAL/WebSEALCluster/enrole/change_password Desc 8
object create /WebSEAL/WebSEALCluster/enrole/images Desc 8
object create /WebSEAL/WebSEALCluster/enrole/script_library.js Desc 8
object create /WebSEAL/WebSEALCluster/enrole/help.js Desc 8
object create /WebSEAL/WebSEALCluster/enrole/image_cache.js Desc 8
object create /WebSEAL/WebSEALCluster/enrole/adhoc.js Desc 8
acl attach /WebSEAL/WebSEALCluster/enrole/question ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/login_scripts.js ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/en/images ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/change_password ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/images ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/script_library.js ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/help.js ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/image_cache.js ACL-all
acl attach /WebSEAL/WebSEALCluster/enrole/adhoc.js ACL-all


How to determine the ITIM version if UI is not available

Look for ui.properties and search for the enrole.build.version string. It will contain the ITIM version and build information.

Alternative Method:
Use included utility to display jar manifest contents containing build date.

Command:

java -cp itim_server.jar com.ibm.itim.serviceability.ManifestReader itim*jar

<small>

  • **** [/opt/IBM/itim/lib]root@spar$ java -cp itim_server.jar com.ibm.itim.serviceability.ManifestReader itim*jarFile Name: itim_api.jarEntries: 483IdentityManagerServiceabilityBuild-Date=February 11 2010Build-Time=08:43:41 ESTBuild-Jar=itim_api.jarBuild-Product-Version=5.0.0.8Build-Maintenance-Level=IF0099Build-User=bpevansBuild-Number=201002110843Build-Server=spar

</small>

How to enable TIM agent tracing

use agentCfg -agent AGENTNAME and look for a Activity Logging - enable everything Now the importan part - RESTART the agent by doing StopAgent, StartAgent


How to fix TIM case insensitivity of value change

Changing the case in TIM Identity data fields doesn't not work. To reproduce: Open an existing user, change a case of one or more letters in the name (cn), surname (sn), mail or postOfficeBox. Click submit. After the request is completed check the values. They have not changed. Issues it is causing: If HR changes case in these values for an existing user, the HR feed tries to update these values every night and never suceeds.

  • Can you check in the TDS web admin tool to see if these attribute values are set to case insensitive? If they are, please try changing them to 'case sensitive' and test again.
  • Equality is currently set to caseIgnoreMatch. So is ordering and the substring. Shall we set all to caseExact or only the equality? What side effects does this introduce?

How safe is the change since it is a schema change? Is there another way to instruct Tim to treat the case properly?

  • This is the only way I know of that would change the behavior. If LDAP doesn't care about case sensitivity, when we compare the entries, the entry won't be updated because the only difference is the case of the entry. Otherwise you would have to do a two step change. e.g. change entry "jon doe" to 'jon doe1', then to 'Jon Doe'.
  • Setting caseExact would have an effect on searches, when you search a person, this is now a case-insensitive search. This would become a case-sensitive search
  • I'm not aware of any other way to achieve your desired behavior other than the two step change 'jon doe' change to 'jon doe1', then change to 'Jon Doe'. This was suggested by development, and they were not aware of any dangers of making this change.

How to find ITIM accounts for people who have answered challenge response

So, follow this workaround to get ITIM accounts who have defined Password Challenge-Response questions:

ldapsearch -D cn=<user> -w <password> -p <port> -h <hostname> -b dc=com -s sub "erlostpasswordanswer=*" eruid

For instance,

ldapsearch -D cn=root -w ******** -p 389 -h <hostname> -b "ou=systemUser,ou=itim,ou=std,dc=com" -s sub "erlostpasswordanswer=*" eruid

How to get account entry and service entry templates from LDAP

Form templates - search for

erformname=er"serivcename"*

then select either AccountTemplate or ServiceTemplate. They are in

ou=formTemplates,ou=itim,ou=company,dc=com

How to get provisioning policy and javascript for entitlements from LDAP

objectclass=erProvisioningPolicy

or search by the erPolicyItemName. They are located in

ou=policies,erglobalid=00000000000000000000,ou=company,dc=com
entitlements are in an xml file in the erEntitlements attribute

How to get service profile from LDAP

search for

erobjectprofilename=servicename*

they are in

ou=serviceProfile,ou=itim,ou=company,dc=com

How to import service profiles from command line

/opt/IBM/isim/bin/unix/config_remote_services.sh -profile ADprofile -jar ADprofile-6.1.23.jar

How to prevent deletion of certain accounts

If service accounts like 'root' are owned within ITIM and "Correct non-compliance" is specified for the related services, there is a possibility that they may be altered or deleted due to changes to related provisioning policies Solution

  1. Identify service accounts for all end-points.
  2. Do not adopt service accounts. Auto-provisioning actions will never apply to orphan accounts.
  3. If you do allow service accounts to be adopted, ensure that the provisioning policy allowing the entitlement remain tightly managed.
  4. Be wary of enabling "Correct non-compliance" for a service if you haven't addressed service accounts.
  5. Configure ITIM to exclude reconciliation of service accounts from the end-point(s). Review the topic "Excluding accounts from reconciliations" in ITIM's documentation. This procedure will allow specification of accounts by service type that are to be excluded from reconciliations. This is the safest technique to protect these accounts.

For example, here are sample ldif statements will exclude a series of TAM service accounts from being reconciled:


dn: ou=excludeAccounts, ou=itim, ou=IBM, dc=com
ou: excludeAccounts
objectClass: top
objectClass: organizationalUnit

dn: cn=TAM4Profile, ou=excludeAccounts, ou=ITIM, ou=IBM, dc=com
erObjectProfileName: TAM4Profile
objectClass: top
objectClass: erIdentityExclusion
cn: TAM4Profile
erAccountID: sec_master
erAccountID: ivmgrd/master
erAccountID: ivmgrd/master
erAccountID: default-webseald/xxx
erAccountID: default-webseald/xxx
erAccountID: amwpm/xxxx
erAccountID: amwpm/xxx
erAccountID: default-webseald/xxx
erAccountID: default-webseald/xxx

http://www-1.ibm.com/support/docview.wss?rs=644&context=SSTFWV&q1=exclude+accounts&uid=swg21214530&loc=en_US&cs=utf-8&lang=en

How to unlock/restore accounts on a password reset

By default, ITIM doesn't allow users to unlock their accounts, they can only reset passwords - admins must do the unlocking. Currently, the Netware adapter is the only known adapter that allows you to configure an unlock on password reset.

You can allow users to self-service unlock accounts as part of challenge/response solution by adding an extension to the operational workflow for changepassword, using the built-in extension for restoreAccount. It is possible to always process a RESUME after a password reset.


@HowTo @ITIM




Backlinks: idmdepot.com:How To:Running ISIM or ISIG VA on VirtualBox