ISAM Adapter ForISIM IGI Slides
Antti Merihaara, Darren Pond, David Lounton, Gianluca Gargaro
Europe & MEA Technical Support for Security Identity and Access Management products
Goal of Session
Share information on how to use and troubleshoot IBM Security Access Manager Adapter (also
known as the ISAM Combo Adapter) with the latest level of the ISAM, ISIG and ISIM
GIANLUCA GARGARO
• Adapter Architecture
• History of ISAM API
• ISAM Java Admin and Authzn API – Traditional
• ISAM Java Admin and Authzn and Registry Direct API – Combined
• ISAM Registry Direct API – Stand-alone
• Integration Architecture
[Adapter Architecture diagram: the ISIM Appliance and the ISIG Appliance reach the Adapter running in the Dispatcher Service over RMI; the Adapter uses the ISAM API toward the ISAM Appliance and the LDAP Server]
History of ISAM Java API
• The Java Admin and Authzn APIs were introduced first, replicating the C API.
• The Registry Direct API was introduced later, in Tivoli Access Manager version 6.1.1, along with User Self Care.
• One benefit of the Registry Direct API compared to the traditional Access Manager API was improved
performance when handling Access Manager user LDAP objects.
• Another benefit of the Registry Direct API was the removal of a single point of failure at the Policy Server.
ISAM Java Admin and Authzn API – Traditional
[Diagram: a Java application on an ISAM node uses the ISAM Java Runtime (ISAM Admin API classes, ISAM Authzn API classes and an LDAP client) to reach the ISAM Authzn Server with its Policy DB replica, the ISAM Runtime, the LDAP servers and the ISAM Appliance holding the Policy DB]
ISAM Java Registry Direct API – Docker
[Diagram: a Java application with the ISAM Java Runtime in a Docker deployment. Containers and ports shown: Config container with full LMI (9443), Runtime container (443+444), Proxy/WRP container (443), AAC container and DSC container, each with a Server Connection to the LDAP servers. The Registry Direct API is used in the AAC runtime for USC: OTP services, Email services, SCIM configuration services and the INFOMAP authentication mechanism]
Integration Architecture
[Diagram: ISIM Appliance (ISIM Runtime, ITDI running the ISAM Adapter) and ISIG Appliance (ISIG Runtime, ITDI running the ISAM Adapter) connect to the ISAM appliance (ISAM Runtime, ISAM WRP), to the LDAP servers and to the Federated Registry]
ANTTI MERIHAARA
• Requirements
• Preparation
• Configuration
• Properties file
• Currently supported user registries are listed under the subject "Supported registries" of the IBM Security
Access Manager documentation:
https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/config_web/concept/con_sup_reg.html
• Novell eDirectory
Requirements
• Supported Java runtimes are documented in "Setting up an Access Manager Runtime for Java system":
https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/config_web/concept/con_sup_reg.html
1. Set up an Access Manager environment and, at minimum, configure the Access Manager runtime, i.e. the
Policy Server.
2. Review the latest instructions under "Installing IBM Security Access Manager Runtime for Java" in
the ISAM documentation:
https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/adk/task/tsk_jrtepgk_install.html
3. Get the file pdjrte-9.x.x.x.zip (Access Manager Runtime for Java files) from the Access Manager
appliance at https://<isam appliance>/isam/downloads.
4. Copy the ISAM Runtime for Java files to the server where Registry Direct API access is required and
extract the package.
Pdjrte download from ISAM Appliance
Preparation
Environment preparation prior to configuring the Registry Direct API:
2. Get the signer certificate from the user registry when planning to use a secure connection between the
Registry Direct API and the user registry.
3. Set up a key store for the Registry Direct API to connect to the user registry over the secure connection.
Configuration
Configuration can be achieved with either the SvrSslCfg or the RgyConfig Java tool.
...
// Build a file: URL for the Registry Direct API properties file; configFile holds the
// path to the properties file written by SvrSslCfg or RgyConfig.
// Requires java.net.URL and java.net.MalformedURLException.
URL propertiesUrl = null;
try {
    propertiesUrl = new URL("file", "", configFile);
}
catch (MalformedURLException e2) {
    // The path could not be turned into a URL, so nothing else can proceed.
    e2.printStackTrace();
    System.exit(1);
}
DAVID LOUNTON
• IBM Tivoli Directory Integrator 7.1.1 + FP8 + 7.1.1-TDI-TDI-LA0040 (JRE Level: JRE 7.0 SR10 FP40)
• IBM Security Directory Integrator 7.2 + FP5 + 7.1.1-TDI-TDI-LA0040 (JRE Level: JRE 7.0 SR10 FP40)
Copy the com.tivoli.pd.rgy.jar file from the IBM Security Access Manager installation directory to the IBM Tivoli Directory Integrator JRE installation directory.
Configure Java Runtime Environment
Configure the Adapter into your IBM Security Access Manager secure domain.
Copy TAMComboUtils.jar to Directory Integrator
Copy TAMComboUtils.jar from the installation package to an appropriate IBM Tivoli Directory Integrator
location and restart the dispatcher.
ISAM ldap.conf
Commands to run
DARREN POND
• Common Issues
Caused by incorrect Java Home environment parameters or an incorrect version of Java being used.
# java.util.logging properties that trace the Registry Direct API LDAP layer to a file
handlers = java.util.logging.FileHandler
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
com.tivoli.pd.rgy.ldap.level = FINEST
java.util.logging.FileHandler.pattern = /root/Desktop/ISAM9050_dev/java%
ISIM
ISIM support file:
https://www.ibm.com/support/knowledgecenter/en/SSRMWJ_7.0.1.7/com.ibm.isim.doc/admin/tsk/t_managing_support_files.htm
ISIG
ISIG support file:
https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/installing/tsk/t_managing_support_files.html
Appendix – Getting signer cert from embedded user registry
Select the embedded_ldap_keys database and go to Manage > Edit SSL Certificates Database.
Appendix – Getting signer cert from embedded user registry cont.
Select one of the existing key databases (or create a new one) and go to Manage > Edit SSL Certificates Database.
On the "Edit SSL Certificate Database" window select the "Signer Certificates" tab and browse to Manage > Load.
On the "Load Signer Certificate" window fill in the details for connecting to the external user registry and click Load.
On a successful connection the signer certificate is pulled from the external user registry and placed in the key database.
Back on the "Edit SSL Certificate Database" window select the newly loaded signer certificate and browse to Manage > Export.
Save the signer certificate to disk for the next step.
Notice! In addition to the above steps, intermediate certificates may also need to be fetched from the user registry.
Appendix – Setup Java Key Store
The following are example steps to create a Java Key Store (JKS) and add the signer
certificate of a user registry to the key store. The certificate in the created Java Key Store is used
by the Registry Direct API to connect to the user registry over the secure connection.
2. Click "Add...".
5. Click "Open".
Appendix – Prepare Java Key Store continues
The signer certificate is now added to the key store file and the ikeyman tool can be closed.
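Before configuring the Registry Direct API, it is worth confirming that the key store built in this appendix (Preparation steps 2 and 3) actually lets a Java client open a TLS session to the user registry. The check below is an added example, not IBM code or part of the adapter; the key store path, password and LDAPS URL are assumed placeholders, and the bind is anonymous, so a registry that refuses anonymous binds needs credentials added to the environment.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added check (not part of the ISAM adapter or IBM tooling): verify that the JKS
// holding the registry signer certificate lets a Java client, like the Registry
// Direct API, open an LDAPS session. All three constants are assumed placeholders.
public class RegistryTrustStoreCheck {
    static final String TRUST_STORE = "/opt/pdjrte/ldap-signers.jks"; // assumed path
    static final String TRUST_STORE_PW = "changeit";                   // assumed password
    static final String LDAPS_URL = "ldaps://ldap.example.com:636";    // assumed registry

    public static void main(String[] args) throws Exception {
        // 1. List the signer entries so a missing intermediate certificate (the
        //    "Notice!" in the appendix) is visible before any connection attempt.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ks.load(in, TRUST_STORE_PW.toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println("entry: " + alias + " (trusted cert: " + ks.isCertificateEntry(alias) + ")");
        }

        // 2. Point the JSSE trust store at the JKS, as the JVM running the Registry
        //    Direct API would be configured, and open an LDAPS connection via JNDI.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PW);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "none");

        try {
            DirContext ctx = new InitialDirContext(env);
            System.out.println("TLS handshake and anonymous bind OK");
            ctx.close();
        } catch (NamingException ex) {
            // A "PKIX path building failed" root cause means the signer or an
            // intermediate is missing from the JKS; that is not an adapter problem.
            Throwable root = ex;
            while (root.getCause() != null) root = root.getCause();
            System.err.println("LDAPS connection failed: " + ex + " / root cause: " + root);
        }
    }
}
```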
© Copyright IBM Corporation 2019. All rights reserved.