IBM Security Identity Manager Setup How To

How to enable TLS v1.2

https://developer.ibm.com/answers/questions/242997/how-to-configure-websphere-application-server-to-u.html
https://developer.ibm.com/answers/questions/206952/how-do-i-configure-websphere-application-server-ss/

To enable JDK 7.0 TLS V1.0, V1.1 and V1.2 support for the default JSSE provider, add the following property to system/SystemDefault.properties:
com.ibm.jsse2.overrideDefaultProtocol=<SSL or TLS Value>

Possible Values
SSLv3 : sets SSL V3.0
SSL_TLS : sets SSL V3.0 and TLS 1.0
SSL_TLSv2 : sets SSL V3.0, TLS 1.0, TLS 1.1, and TLS 1.2
TLS : sets TLS 1.0
TLSv1 : sets TLS 1.0
TLSv11 : sets TLS 1.1
TLSv12 : sets TLS 1.2

  1. If your application uses javax.net.ssl.HttpsURLConnection, set the https.protocols system property explicitly to disallow SSL V3.0, which otherwise defaults to allowing SSL V3.0. For example, use the following command line option:
For the initial release of Java 6.0.1 (J9 VM2.6), Java 6 service refresh 9 and Java 5.0:
For Java 6.0.1 service refresh 1 (J9 VM2.6), Java 6 service refresh 10, and all later releases:

Now you can edit the java.security file in C:\WebSphereV8.5\java_1.7.1_64\jre\lib\security or C:\WebSphereV8.5\java\jre\lib\security (depending on your WebSphere Java path).

Note: Take a backup before modifying the java.security file.

Add the following line at the end of java.security; this property disables TLS v1.0:

jdk.tls.disabledAlgorithms=TLSv1

For testing purposes, listed below are various SSL test servers:
https://www.ssllabs.com:10301/ TLS v1.0
https://www.ssllabs.com:10302/ TLS v1.1
https://www.ssllabs.com:10303/ TLS v1.2

Overriding the SSL protocol defined by the default SSL socket factory

If you have not explicitly configured an SSL socket factory, you can use a system property to override the SSL protocol that is specified by the default SSL socket factory.
To improve security, SSL socket factories should be explicitly configured instead of using the default SSL socket factory. The use of system properties to configure SSL socket factories is not recommended. However, the system property com.ibm.jsse2.overrideDefaultProtocol can be specified to set a different SSL protocol at run time.

com.ibm.jsse2.overrideDefaultProtocol=<option>

Possible values:
SSLv3: sets SSL V3.0 (See Note)
SSL_TLS: sets SSL V3.0 (See Note) and TLS 1.0
SSL_TLSv2: sets SSL V3.0 (See Note), TLS 1.0, TLS 1.1, and TLS 1.2
TLS: sets TLS 1.0
TLSv1: sets TLS 1.0
TLSv11: sets TLS 1.1

To apply it, add com.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2 as a JVM custom property.

If a value is not set, the system default SSL protocol is used.
IBM JDK Security Guide
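As an added check (not IBM's code and not part of these notes), the following Python helper maps the com.ibm.jsse2.overrideDefaultProtocol values from the tables above to the protocol set they enable, subtracts whatever the jdk.tls.disabledAlgorithms line in java.security removes, and reports whether SSL V3.0 or TLS 1.0 is still offered. The sample property contents are constructed; the property names and values are the ones documented above.

```python
"""Audit the IBM JSSE protocol settings from SystemDefault.properties and java.security."""

# Protocols enabled by each com.ibm.jsse2.overrideDefaultProtocol value, taken from
# the value table on this page and written as JSSE protocol names.
OVERRIDE_PROTOCOLS = {
    "SSLv3":     {"SSLv3"},
    "SSL_TLS":   {"SSLv3", "TLSv1"},
    "SSL_TLSv2": {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    "TLS":       {"TLSv1"},
    "TLSv1":     {"TLSv1"},
    "TLSv11":    {"TLSv1.1"},
    "TLSv12":    {"TLSv1.2"},
}
# Protocol versions the lockdown is meant to remove.
LEGACY = {"SSLv3", "TLSv1"}


def parse_properties(text):
    """Tiny key=value reader; lines commented out with # are ignored."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def enabled_protocols(system_default_text, java_security_text):
    """Protocols the JVM will offer, or None when the override is unset (the JDK default
    then applies and has to be looked up in the IBM JDK Security Guide)."""
    override = parse_properties(system_default_text).get("com.ibm.jsse2.overrideDefaultProtocol")
    if override is None:
        return None
    if override not in OVERRIDE_PROTOCOLS:
        raise ValueError(f"unknown com.ibm.jsse2.overrideDefaultProtocol value: {override!r}")
    # jdk.tls.disabledAlgorithms is a comma-separated list; protocol names are matched exactly.
    disabled_raw = parse_properties(java_security_text).get("jdk.tls.disabledAlgorithms", "")
    disabled = {item.strip() for item in disabled_raw.split(",") if item.strip()}
    return OVERRIDE_PROTOCOLS[override] - disabled


def legacy_still_enabled(system_default_text, java_security_text):
    """Sorted SSLv3/TLSv1 entries still offered ([] means the lockdown took effect),
    or None when the two files alone do not determine the protocol set."""
    enabled = enabled_protocols(system_default_text, java_security_text)
    return None if enabled is None else sorted(LEGACY & enabled)


# Constructed sample files: the SSL_TLSv2 override and the jdk.tls.disabledAlgorithms line above.
SAMPLE_SYSTEM_DEFAULT = "com.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2\n"
SAMPLE_JAVA_SECURITY = "# appended at the end of java.security\njdk.tls.disabledAlgorithms=TLSv1\n"

if __name__ == "__main__":
    print(sorted(enabled_protocols(SAMPLE_SYSTEM_DEFAULT, SAMPLE_JAVA_SECURITY)))
    print("legacy still enabled:", legacy_still_enabled(SAMPLE_SYSTEM_DEFAULT, SAMPLE_JAVA_SECURITY))
```

With the page's own combination (SSL_TLSv2 plus jdk.tls.disabledAlgorithms=TLSv1) the helper shows that SSL V3.0 remains enabled, which is why the TLSv12 value or a disabledAlgorithms entry for SSLv3 is the stricter choice.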

How to configure ldapConfig and ldapUpgrade to work with SSL on Windows

Your enRoleLDAPConnection.properties needs to have the following option set:
java.naming.security.protocol=ssl

Now edit "f:\Program Files\IBM\itim\bin\ldapConfig.lax" and "f:\Program Files\IBM\itim\bin\ldapUpgrade.lax" and change the lax.nl.java.option.additional line to read:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=F:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=F:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext;F:\Progra~1\IBM\WebSphere\AppServer\plugins;F:\Progra~1\IBM\WebSphere\AppServer\lib;F:\Progra~1\WebSphere\AppServer\lib\ext

The short DOS (8.3) file and folder names, as well as the semicolons in the directory list, are important. Make sure that the referenced cacerts file contains your signing CA (open it with iKeyman and verify).

changeit is the default password for the WAS cacerts keystore, as documented by IBM.

How to change the DB after ITIM has been configured

Run runconfig, then change the data source parameters in the WAS console:

Resources -> JDBC -> Data sources -> TIM Bus DataSource -> change the host
Resources -> JDBC -> Data sources -> ITIM Data Source -> change the host

How to configure ITIM to create SSL connections and accept certificates when actioning as an ssl client

Define javax trustStore custom properties on the JVM of the ITIM application server. Because the Tivoli Identity Manager Server runs as a Java application, and not as an embedded part of WebSphere Application Server, it does not use the WebSphere SSL Configuration Repertoires settings listed under the WebSphere Administrative Console Security -> SSL tab. Instead, you configure SSL settings using the following menus to specify javax properties.

In the admin console: Servers -> Application Servers -> server1 -> Process Definition -> Additional Properties -> Java Virtual Machine -> Custom Properties -> New

Define two new properties, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. The value of javax.net.ssl.trustStore is the path to the Java KeyStore file created in step 1. The value of javax.net.ssl.trustStorePassword is the password for this Java KeyStore from step 1.

Note: these same entries and Java KeyStore file can also be used for SSL setup between ITIM 4.6 and Adapters, and between ITIM 4.6 and Tivoli Directory Integrator.

How to check websphere users

wsadmin>AdminTask.getUserRegistryInfo()
'[[serverId ] [serverPassword ] [realm defaultWIMFileBasedRealm] [ignoreCase true] [useRegistryServerId false] [primaryAdminId wasadmin] [useRegistryRealm false] [registryClassName com.ibm.ws.wim.registry.WIMUserRegistry] [properties ] [_Websphere_Config_Data_Id cells/isimCell01|security.xml#WIMUserRegistry_1] [_Websphere_Config_Data_Type WIMUserRegistry] ]'
wsadmin>AdminTask.listRegistryUsers('-securityRealmName defaultWIMFileBasedRealm')
'wasadmin@defaultWIMFileBasedRealm'
wsadmin>AdminTask.listSecurityRealms()
'defaultWIMFileBasedRealm\nitimCustomRealm'
wsadmin>AdminTask.listRegistryUsers('-securityRealmName itimCustomRealm')
'isimsystem@itimCustomRealm\nITIM Manager@itimCustomRealm'
wsadmin>AdminTask.getUserRegistryInfo('-securityDomainName "ISIMSecurityDomain"')
'[[realm itimCustomRealm] [ignoreCase true] [useRegistryRealm false] [customRegistryClassName com.ibm.itim.authentication.registry.ItimUserRegistry] [properties ] [_Websphere_Config_Data_Id waspolicies/default/securitydomains/ISIMSecurityDomain|domain-security.xml#CustomUserRegistry_1487716352843] [_Websphere_Config_Data_Type CustomUserRegistry] ]'


https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.base.doc/ae/rxml_7securityrealm.html

How to configure TIM to talk secure LDAP

Update the ITIM enRoleLDAPConnection.properties file to use SSL. Edit the <itim home>\data\enRoleLDAPConnection.properties file: change the port number, change ldap to ldaps, and uncomment and set the protocol to ssl. Example original line in the file:

java.naming.provider.url=ldap://hostname:38900

Example new lines in my file:

java.naming.provider.url=ldaps://hostname:636
java.naming.security.protocol=ssl

Define the javax trustStore custom properties on the JVM of the ITIM application server. As explained in the section "How to configure ITIM to create SSL connections and accept certificates when actioning as an ssl client" above, the Tivoli Identity Manager Server runs as a Java application rather than as an embedded part of WebSphere Application Server, so it does not use the WebSphere SSL Configuration Repertoires; the javax properties are set instead at Servers -> Application Servers -> server1 -> Process Definition -> Additional Properties -> Java Virtual Machine -> Custom Properties -> New.

Define two new properties, javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword. The value of javax.net.ssl.trustStore is the path to the Java KeyStore file created in step 1; the value of javax.net.ssl.trustStorePassword is the password for this Java KeyStore from step 1. The same entries and Java KeyStore file can also be used for SSL setup between ITIM 4.6 and Adapters, and between ITIM 4.6 and Tivoli Directory Integrator.

Save the changes in the WebSphere Admin Console and restart WebSphere Application Server.

How to do an SSL lockdown for ITIM

Securing the ITIM-LDAP link

On the LDAP server:

  1. Create a self-signed certificate using the iKeyman utility that is included in the IBM Tivoli Directory Server, and then extract the certificate to make it available for secure communication.
    1. Start the iKeyman utility: F:\Program Files\IBM\GSK7\bin\gsk7ikm
           If it complains about java_home, set it in your personal or, preferably, the server environment variables to F:\Program Files\IBM\LDAP\V6.0\_jvm\jre\
    2. On the IBM® Key Management page, click Key Database File > New.
    3. Select a default database type of CMS.
    4. In the File Name field, type a name for the CMS key database file: timserverd-ldap.kdb, located in f:\
    5. On the Password menu that appears, type and then confirm a password. Select "Stash the password to a file" and no password expiration. Click OK.
    6. Click Create > New Self Signed Certificate and specify a label that matches the CMS key database file name, such as timserverD-LDAP.
    7. Pick the organization, change the expiration to 3650 days (approx. 10 years), accept the remaining field default values, and then click OK. A self-signed certificate now exists, including public and private keys.
    8. For subsequent use with clients, extract the certificate into a file: in iKeyman, select Extract Certificate (bottom right corner).
    9. Specify a data type of Binary DER Data.
    10. Specify the name of the certificate file, such as timserverd-ldap.der, and a location such as F:\, in which you previously stored the key database file. Click OK.
    11. Verify that the F:\ directory contains the following files:
           timserverd-ldap.crl  Certificate revocation list. Not used.
           timserverd-ldap.der  The certificate.
           timserverd-ldap.kdb  Key database file that has the certificate.
           timserverd-ldap.rdb  Not used in this example.
           timserverd-ldap.sth  Stash file that has the password.

On the TIM server:

  2. Set up the WebSphere Application Server to enable SSL communication between Tivoli Identity Manager and the directory server. Complete these steps:
    1. Manually copy all the files listed above from the F:\ directory on the directory server to the F:\ directory on the WebSphere Application Server.
    2. Start the iKeyman utility: F:\Program Files\IBM\GSK7\bin\gsk7ikm. If it complains about java_home, set it in your personal or, preferably, the server environment to F:\Program Files\ibm\WebSphere\AppServer\java\jre
    3. Click New Key Database File. In the New page, select JKS in the Key database type field. In the File Name field, browse for a file name such as timserver-was.jks. In the Location field, type f:\. Then, click OK. Type and confirm the password and then click OK.
    4. Click Add to add a certificate from a file. On the Add CA's Certificate from a File menu, complete these steps, and then click OK:
      1. Specify a data type of Binary DER Data.
      2. Browse for the certificate name, such as timserverd-ldap.der. Type a value for the location, such as f:\.
      3. Type a label for the certificate, such as ITIM2LDAP, which is a convenience in remembering the purpose of the certificate on the WebSphere Application Server. Then, click OK.
      4. Examine the list of signer certificates to ensure that it contains the ITIM2LDAP certificate.
    5. Exit the iKeyman utility.
  3. Start the WebSphere Application Server Administrative Console to enable SSL communication between Tivoli Identity Manager and the directory server.
    1. Open the WebSphere Application Server Administrative Console: https://timserver:9043/ibm/console/logon.jsp. Log on as the WebSphere Application Server administrator.
    2. Click Servers > Application servers > Server1 > Java and Process Management > Process Definition > Java Virtual Machine > Custom Properties. In the Application Servers page, select New to specify these custom properties:
                 javax.net.ssl.trustStore          f:\timserver-was.jks
                 javax.net.ssl.trustStorePassword  the password you specified when creating the key store
                 javax.net.ssl.trustStoreType      jks
    3. Click Save.
  4. Configure the Tivoli Identity Manager Server to communicate with the computer and port on which the directory server listens for secure communication. Complete these steps:
    1. On the computer that has the Tivoli Identity Manager Server, edit the enRoleLDAPConnection.properties file in the f:\program files\IBM\itim\data directory.
    2. Change the java.naming.provider.url property to specify the computer and port on which the directory server is listening for SSL, and set the security protocol:
           java.naming.provider.url=ldaps://timserverd.corp.dom:636
           java.naming.security.protocol=ssl
    3. Save and close the enRoleLDAPConnection.properties file.
    4. Restart the WebSphere Application Server.
  5. Finally, test the SSL communication between the Tivoli Identity Manager Server and the directory server. Complete these steps:
    1. Test that the directory server is listening. On AxTIMD run
           ldapsearch -p 636 -K f:\timserverd-ldap.kdb -s base objectclass=* -b dc=com
       The result has entries for the top-level schema similar to these:
           dc=com
           objectclass=top
           objectclass=domain
           dc=com
    2. Try to log in to ITIM.
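As an added consistency check (not ITIM's code and not part of the original notes) for the two files edited in this procedure and in the "How to configure TIM to talk secure LDAP" section above, this Python snippet verifies that enRoleLDAPConnection.properties uses an ldaps:// URL on the SSL port with java.naming.security.protocol=ssl, and that the three javax.net.ssl.trustStore* JVM custom properties are set with a JKS type. The sample file contents and the JVM property dict are constructed from values on this page; the URL regex and the 389 fallback port are assumptions of this example.

```python
"""Consistency check for the ITIM secure-LDAP settings described above."""
import re

URL_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<host>[^:/\s]+)(?::(?P<port>\d+))?/?$", re.I)
LDAPS_PORT = 636  # the directory's SSL port used throughout this page
TRUSTSTORE_PROPS = ("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword", "javax.net.ssl.trustStoreType")


def parse_properties(text):
    """Tiny key=value reader; lines commented out with # are ignored, as java.util.Properties does."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def check_ldap_connection(properties_text):
    """Findings for enRoleLDAPConnection.properties; an empty list means it is SSL-ready."""
    props = parse_properties(properties_text)
    findings = []
    url = props.get("java.naming.provider.url", "")
    m = URL_RE.match(url)
    if not m:
        findings.append(f"provider URL {url!r} has no scheme; expected ldaps://host:{LDAPS_PORT}")
    else:
        if m.group("scheme").lower() != "ldaps":
            findings.append(f"provider URL scheme is {m.group('scheme')!r}, expected ldaps")
        port = int(m.group("port") or 389)  # LDAP default when no port is given
        if port != LDAPS_PORT:
            findings.append(f"provider URL port is {port}, expected the directory's SSL port {LDAPS_PORT}")
    # The property ships commented out; it must be uncommented AND set to ssl.
    if props.get("java.naming.security.protocol", "").lower() != "ssl":
        findings.append("java.naming.security.protocol is missing or not 'ssl' (still commented out?)")
    return findings


def check_truststore_props(jvm_custom_props):
    """Findings for the WAS JVM custom properties (name -> value dict); [] means all present and JKS."""
    findings = [f"JVM custom property {name} is not set" for name in TRUSTSTORE_PROPS if not jvm_custom_props.get(name)]
    store_type = jvm_custom_props.get("javax.net.ssl.trustStoreType", "")
    if store_type and store_type.lower() != "jks":
        findings.append(f"trustStoreType is {store_type!r}; the store created with iKeyman above is JKS")
    return findings


# Constructed samples: the page's original provider URL, the secured pair, and the JVM properties.
ORIGINAL_PROPS = "java.naming.provider.url=ldap://hostname:38900\n#java.naming.security.protocol=ssl\n"
SECURED_PROPS = "java.naming.provider.url=ldaps://timserverd.corp.dom:636\njava.naming.security.protocol=ssl\n"
JVM_PROPS = {"javax.net.ssl.trustStore": r"f:\timserver-was.jks",
             "javax.net.ssl.trustStorePassword": "<password set when creating the JKS>",
             "javax.net.ssl.trustStoreType": "jks"}

if __name__ == "__main__":
    print(check_ldap_connection(ORIGINAL_PROPS), check_ldap_connection(SECURED_PROPS), check_truststore_props(JVM_PROPS))
```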

Securing the Browser-ITIM link:

  1. Request a web server certificate from the certificate signing authority.
    1. Generate a certificate request.
      1. On TIM, start iKeyman following the procedure in the ITIM-LDAP section. Create the timserver-ihs.kdb store.
      2. Select "Personal Certificate Requests" in the drop-down box and click New.
      3. Label it ITIM certificate and make sure the proper server name is in the CN field (timserver.corp.dom); this must match the name referenced in the e-mails sent to people. Use of any other name (http://timserver) will result in a browser warning once SSL is enabled. Enter the file name F:\certreq.arm and click OK.
    2. Request the certificate.
      1. Log in to https://ipvcert/certsrv/
      2. Click "advanced certificate request", then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."
      3. Open the F:\certreq.arm file in Notepad, then copy and paste its contents into the "Base-64-encoded certificate request" box in the browser.
      4. Click Submit.
    3. Call the person responsible for approving certificate requests to approve it (Megan?). Download the newly issued certificate with its chain, using both available formats.
    4. In iKeyman, open the timserver-ihs.kdb store and import the newly approved certificate. Approve all chained certificates.
    5. Exit iKeyman; the kdb is saved automatically.
  2. Enable the SSL directives in the httpd.conf configuration file of the IBM HTTP Server.
    1. On AxTIM, edit "F:\Program Files\ibm\HTTPServer\conf\httpd.conf".
    2. Uncomment the LoadModule ibm_ssl_module modules/mod_ibm_ssl.dll configuration directive.
    3. Create an SSL virtual host stanza in the httpd.conf file using the following example directives:
            <IfModule mod_ibm_ssl.c>
              Listen 0.0.0.0:443
              <VirtualHost *:443>
                SSLEnable
              </VirtualHost>
            </IfModule>
            SSLDisable
            KeyFile "f:\timserver-ihs.kdb"
    4. Restart the IBM HTTP Server.
  3. Test the configuration by using a browser in an HTTPS session to the IBM HTTP Server (https://timserver), then by going to ITIM over SSL (https://timserver/itim/console).
  4. Change "F:\Program Files\ibm\HTTPServer\conf\httpd.conf.down" similarly to display the downtime notice over SSL.
  5. Once the tests are successful, first make sure that the e-mails are updated to include only the SSL-enabled link, communicate the change to the users, and give a grace period for the old e-mails to be looked at, keeping both the SSL and the non-SSL access open. Then, eventually, disable non-SSL access by editing the httpd.conf file and removing SSLDisable and the port 80 bindings. Change "A:\Program Files\ibm\HTTPServer\conf\httpd.conf.down" accordingly.

Securing the ITIM-ITDI link

  1. On the TDI server, create a self-signed certificate.
    1. Start ITDI and click Tools > Keymanager to start iKeyman.
    2. Follow the steps outlined in the ITIM-LDAP section to create a self-signed certificate in a JKS store.
    3. Export the certificate as a DER file.
    4. Import the WAS certificate as a signer certificate.
  2. Change F:\ITDI_Config2\solution.properties (Adapters), I:\ITDI_Config2\Standalone\solution.properties (Standalones) and F:\ITDI_Config2\Feeds\solution.properties (Feeds) so that they all have the following lines:
     javax.net.ssl.trustStore=F:\timserverp-itdi.jks
     javax.net.ssl.trustStorePassword=password
     javax.net.ssl.trustStoreType=jks
     javax.net.ssl.keyStore=F:\timserverp-itdi.jks
     javax.net.ssl.keyStorePassword=secret
     javax.net.ssl.keyStoreType=jks
  3. Edit root_directory/jvm/lib/security/java.security for the security provider list:
     security.provider.1=com.ibm.jsse.IBMJSSEProvider
     security.provider.2=com.ibm.crypto.provider.IBMJCE
     security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
     security.provider.4=com.ibm.security.cert.IBMCertPath
  4. Restart all ITDI services.
  5. In ITIM:
    1. Reconfigure all ITDI services to use the HTTPS protocol.
    2. Test.

For more details see 2

One link that is still left unsecured is ITIM-SQL. This, however, requires that SSL be enabled on the MSSQL side first and needs to be worked out with the DB team. SSL is not required for the WAS-IHS plug-in link if both components are on the same server.

How to install a custom logo

The logo is copied to:
$WAS_HOME/installedApps/<machine_name>/enRole.ear/app_web.war/images

How to recreate TIM schema after TIM has been installed

On IDS you might get by just copying the v3.modifiedschema file from the system that has the TIM schema installed. Otherwise, run the following on the TIM system (for DSML schema mods only):
e:\program files\ibm\itim\bin\win\loadDSMLSchema.cmd ..\..\config\ldap\er-schema.dsml ldap://server.com "cn=root" password

@HowTo @ITIM