IBM Security Identity Manager Version 6.0 RSA Authentication Manager Adapter User Guide SC27-4409-04


Note: Before using this information and the product it supports, read the information in “Notices” on page 35.

Edition notice

Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2012, 2014. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Figures

Tables

Preface
  About this publication
  Access to publications and terminology
  Accessibility
  Technical training
  Support information
  Statement of Good Security Practices

Chapter 1. Introduction to the RSA Authentication Manager Adapter
  Adapter features

Chapter 2. Checklist for configuring IBM Security Identity Manager to run the adapter

Chapter 3. User account management tasks
  Adapter operations prerequisites
  User account reconciliation
    Reconciling a single user account
    Reconciling support data
    Service form parameter for reconciling user accounts and support data
  User accounts
    Attributes for adding user accounts
    Force Password Change and Certificate DN attribute specification
    User account life span determination
    Support data attributes specification
    User token assignment
    User administrative role assignment
    User group assignment
  User account modifications
    Token attribute modification
    Token unassignment
    Administrative role unassignment
    User group unassignment
    User account password modification
  User account suspension
  User account restoration
  User account deletion

Chapter 4. RSA Authentication Manager Adapter error troubleshooting
  Techniques for troubleshooting problems
  RSA Authentication Manager Adapter errors

Appendix A. RSA Authentication Manager Adapter attributes
  RSA Authentication Manager account form attributes
  RSA Authentication Manager hidden attributes

Appendix B. Definitions for ITDI_HOME and ISIM_HOME directories

Appendix C. Support information
  Searching knowledge bases
  Obtaining a product fix
  Contacting IBM Support

Appendix D. Accessibility features for IBM Security Identity Manager

Notices

Index


Tables

1. Required attributes for adding user accounts
2. Optional attributes for adding user accounts
3. Token attributes for adding user accounts
4. Adapter error messages, warnings, and corrective actions
5. Attributes on the RSA Authentication Manager account form on IBM Security Identity Manager, their corresponding names on the Tivoli Directory Server, and the RSA Authentication Manager
6. Hidden attributes on the RSA Authentication Manager account form on IBM Security Identity Manager, their corresponding names on the Tivoli Directory Server, and the RSA Authentication Manager server


Preface

About this publication

The RSA Authentication Manager Adapter User Guide provides information that you can use to manage user accounts on the RSA Authentication Manager server with the IBM® Security Identity Manager.

IBM Security Identity Manager was previously known as Tivoli® Identity Manager.

The information describes user account management tasks, such as reconciliation, add, modify, suspend, restore, delete, and password change.

Access to publications and terminology

This section provides:
- A list of publications in the “IBM Security Identity Manager library.”
- Links to “Online publications.”
- A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the online library (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager library
The product documentation site (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays the welcome page and navigation for the library.

IBM Security Systems Documentation Central
IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.

IBM Publications Center
The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.


Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

Appendix C, “Support information,” on page 29 provides details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Statement of Good Security Practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.


Chapter 1. Introduction to the RSA Authentication Manager Adapter

The RSA Authentication Manager Adapter provides connectivity between IBM Security Identity Manager and the RSA Authentication Manager.

The adapter runs as a service, independently of whether you are logged on to IBM Security Identity Manager.

The RSA Authentication Manager Adapter automates the following user account management tasks:
- Adding RSA Authentication Manager user accounts
- Modifying attributes of RSA Authentication Manager server user accounts
- Changing passwords of RSA Authentication Manager server user accounts
- Suspending and restoring RSA Authentication Manager server user accounts
- Retrieving user accounts from the RSA Authentication Manager server
- Deleting user accounts from the RSA Authentication Manager server

The RSA Authentication Manager Adapter contains Tivoli Directory Integrator assembly lines that serve one or more user account operations. When the first request is sent from IBM Security Identity Manager, the required assembly line is loaded into Tivoli Directory Integrator. The same assembly line is then cached to serve subsequent operations of the same type.

Note: The reconciliation and test assembly lines are not cached.

Adapter features

The adapter helps automate the user account reconciliation, support data reconciliation, token assignment, and token enablement tasks.
- Reconciling user accounts and other support data from the RSA Authentication Manager server to the directory server of IBM Security Identity Manager. For example:
   - Security domains
   - Identity sources
   - User groups
   - Administrative role
   - Tokens of the specified realm
- Reconciling a single user account
- Managing accounts on the RSA Authentication Manager server through IBM Security Identity Manager. These tasks include:
   - Add
   - Modify
   - Change password
   - Suspend
   - Restore
   - Delete
- Assigning tokens, roles, and groups to users on the RSA Authentication Manager server by using IBM Security Identity Manager
- Enabling and disabling tokens that are assigned to users on the RSA Authentication Manager server by using IBM Security Identity Manager
- Clearing SecurID PINs of tokens that are assigned to user accounts


Chapter 2. Checklist for configuring IBM Security Identity Manager to run the adapter

Use this checklist to configure IBM Security Identity Manager to run the adapter.

The following table provides an overview of the process for configuring IBM Security Identity Manager.

Task | For information, see the section in the following documentation:
Install the RSA Authentication Manager Adapter | Installing the RSA Authentication Manager Adapter in the RSA Authentication Manager Adapter Installation and Configuration Guide
Import the adapter profile into IBM Security Identity Manager | Importing the adapter profile into the IBM Security Identity Manager Server in the RSA Authentication Manager Adapter Installation and Configuration Guide
Create a service for the RSA Authentication Manager Adapter | Creating the service in the RSA Authentication Manager Adapter Installation and Configuration Guide. Note: After you create an RSA Authentication Manager Adapter service, the IBM Security Identity Manager server creates a default provisioning policy for the adapter service. You can customize a provisioning policy for the RSA Authentication Manager Adapter service according to your organizational requirements. For more information, see the section about customizing a provisioning policy in the IBM Security Identity Manager product documentation.
Configure the RSA Authentication Manager Adapter | Configuring the RSA Authentication Manager Adapter in the RSA Authentication Manager Adapter Installation and Configuration Guide
Perform a reconciliation operation to retrieve user accounts and store them in the IBM Security Identity Manager server | Managing reconciliation schedules in the IBM Security Identity Manager product documentation
Adopt orphan accounts on IBM Security Identity Manager | Assigning an orphan account to a user in the IBM Security Identity Manager product documentation


Chapter 3. User account management tasks

IBM Security Identity Manager uses the RSA Authentication Manager Adapter to manage user accounts that are stored on the RSA Authentication Manager server.

You can perform tasks such as reconciliation, add, modify, change passwords, suspend, restore, and delete to manage your accounts. You can manage:
- Accounts for a specific person
- Accounts for a service instance
- Specific accounts by using the search function of IBM Security Identity Manager.

Adapter operations prerequisites

Before using the adapter to perform any operations, ensure that you complete the configuration tasks to run the adapter, then run the Remote Method Invocation (RMI) Dispatcher.

1. Perform the steps in Chapter 2, “Checklist for configuring IBM Security Identity Manager to run the adapter,” on page 3.
2. Use one of the following methods to run the Remote Method Invocation (RMI) Dispatcher:
   - Windows services in service mode
      a. In the Windows control panel, double-click Administrative Tools.
      b. Double-click Services.
      c. Right-click the IBM Tivoli Directory Integrator, and click Start.
   - Windows command prompt in console mode
      a. Go to the ITDI_HOME directory and set the TDI_SOLDIR environment variable to the Tivoli Directory Integrator adapter solution directory. For example:
         set TDI_SOLDIR="c:\Program Files\IBM\TDI\V7.0\timsol"
      b. Run the following command from the ITDI_HOME directory:
         ibmdisrv.bat -s timsol -c ITIM_RMI.xml -d
   - UNIX command prompt in console mode
      a. Log on to the UNIX command prompt.
      b. Run the following command:
         /etc/init.d/ITIMAd start

User account reconciliation

The reconciliation operation retrieves the user account information from the RSA Authentication Manager server and stores it in the directory server of IBM Security Identity Manager.

You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its scheduled time does not cancel the scheduled reconciliation. For more information about scheduling reconciliation and running a scheduled reconciliation, see the IBM Security Identity Manager product documentation.


You can also perform the following reconciliation tasks at any time from IBM Security Identity Manager:
- Reconciling support data
- Reconciling a single user account

Reconciling a single user account

Reconciling a single user account means performing a filter reconciliation for a specific user account by using IBM Security Identity Manager.

About this task

For example, you can choose to reconcile a single user account from the RSA Authentication Manager server.

For more information about each of these attributes, see the RSA Authentication Manager documentation.

To reconcile a single user account from the RSA Authentication Manager server without reconciling all the user accounts:

Procedure

1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services. The Manage Services page is displayed.
3. Select the type of service from the Service type list and click Search.
4. Select the name of the service that you created for the RSA Authentication Manager Adapter.
5. Click the arrow icon to view the View popup menu and select Reconcile Now. The Reconcile Now page is displayed.
6. Click Define query.
7. In the Reconcile accounts that match this filter field type:
   (eruid=UserID)
   where UserID is the name of the user account that you want to reconcile.
8. Click Submit.
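The filter typed in step 7 is an LDAP search filter, so characters such as * and ( in a user ID act as filter syntax unless they are escaped. The following is an added example, not code from this guide or from IBM: it builds the (eruid=UserID) filter with RFC 4515 escaping and checks that a filter stays scoped to exactly one account. The function names are hypothetical, and it assumes the filter field accepts RFC 4515 escapes.

```python
import re

MAX_USER_ID_LEN = 240  # User ID character limit stated in this guide

# RFC 4515: inside a filter value these characters must be written as a
# backslash plus two hex digits, otherwise they are read as filter syntax.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# One equality test on eruid whose value holds only literals or \XX escapes.
SINGLE_ACCOUNT = re.compile(r"\(eruid=(?:[^\\*()\x00]|\\[0-9a-fA-F]{2})+\)")


def escape_filter_value(value):
    """Escape a raw user ID so that every character is matched literally."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def single_account_filter(user_id):
    """Build the (eruid=UserID) filter for one account (hypothetical helper)."""
    if not user_id or len(user_id) > MAX_USER_ID_LEN:
        raise ValueError("user ID must be 1 to 240 characters")
    return "(eruid=" + escape_filter_value(user_id) + ")"


def targets_one_account(filter_text):
    """True only if the filter is a single exact-match test on eruid.

    Wildcards, boolean operators and extra clauses all return False, so the
    check can gate a change ticket or a scripted reconciliation request.
    """
    return SINGLE_ACCOUNT.fullmatch(filter_text.strip()) is not None


if __name__ == "__main__":
    # Constructed sample user IDs, not taken from any real system.
    for uid in ["jdoe", "j*", "a)(eruid=*"]:
        built = single_account_filter(uid)
        print(uid, "->", built, targets_one_account(built))
    # Filters as an operator might type them by hand.
    for typed in ["(eruid=jdoe)", "(eruid=j*)", "(|(eruid=a)(eruid=b))"]:
        print(typed, targets_one_account(typed))
```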

Reconciling support data

In addition to reconciling user accounts, the RSA Authentication Manager Adapter also reconciles support data to IBM Security Identity Manager.

About this task

Support data for an RSA Authentication Manager server user account includes the following information:
- Security domains
- Identity sources
- User groups
- Admin roles
- Tokens

For more information about each of these attributes, see the RSA Authentication Manager documentation.

To reconcile only the support data, without reconciling the user accounts:

Procedure

1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services. The Manage Services page is displayed.
3. Select the type of service from the Service type list and click Search.
4. Select the name of the service that you created for the RSA Authentication Manager Adapter.
5. Click the arrow icon to view the pop-up menu and select Reconcile Now. The Reconcile Now page is displayed.
6. Click Define query.
7. Select the Reconcile supporting data only check box and click Submit.

Service form parameter for reconciling user accounts and support data

You can specify the Recon limit attribute on the service form. This parameter limits the number of user accounts and support data that you want to reconcile from the RSA Authentication Manager server. This value is used for only RSA Authentication Manager v7.1 SP2 and earlier versions.

Later versions of the server ignore this value and return all user accounts, groups, and roles for each identity source.

User accounts

You can add user accounts at any time for either an existing person, or a new person in the organization.

This section describes the adapter attributes that define the accounts on the account form. For specific procedures, see the IBM Security Identity Manager product documentation.

Appendix A, “RSA Authentication Manager Adapter attributes,” on page 23 maps the attributes on the account form to the attributes in the RSA Authentication Manager server. For more detailed information about any of the attributes, see the RSA Authentication Manager documentation.

Attributes for adding user accounts

To add user accounts to the RSA Authentication Manager server, specify the user ID, last name, security domain, and Identity Source attributes on the RSA Authentication Manager account form.

Table 1. Required attributes for adding user accounts

Attribute | Description
User ID | User ID of the account. The permissible character limit for this attribute is 240.
Last Name | Surname of the account holder
Security Domain | Security domain name to which the user belongs
Identity Source | Directory server name that stores the user account data

Note: When you add a user from IBM Security Identity Manager, the adapter creates a Global Unique Identifier (GUID) for the user on the RSA Authentication Manager server.

In addition to the required attributes, you can also specify the other optional attributes on the RSA Authentication Manager account form. If you specify group or role attributes, you must reconcile support data before you create the account.

Table 2. Optional attributes for adding user accounts

Attribute | Description
First Name | Given name of the account holder
Middle Name | Middle name of the account holder
Certificate DN | Distinguished name of the subject in a certificate that is issued to the user for authentication
Notes | Description of the user account
Email | Email address of the account holder
Account Start Date | Date and time at which the account becomes active or available on the RSA Authentication Manager server. If no start date is specified, the account start date is the current date and time.
Account Expire Date | Date and time at which the account becomes inactive or unavailable on the RSA Authentication Manager server. If no expire date is specified, the account is active indefinitely from the start date. The account is inactive if the start date is the same or later than the expire date.
Force Password Change | Forces the user to change the password at the next logon to the RSA Authentication Manager server. This attribute might be used when a default password that must be changed is assigned, when the user starts to use the RSA Authentication Manager account.
User Group | Groups of which the user is a member. Groups help define the RSA Authentication Manager resources that the user can access. Select zero or more groups.
Admin Roles | Administrative roles that are assigned to the user. Roles define the privileges for the user and the RSA Authentication Manager resources that the user can access. Select zero or more roles.


The following attributes can be specified on the Token tabs of the RSA Authentication Manager account form. If you are going to specify token attributes, you must reconcile the support data before you create the account.

Table 3. Token attributes for adding user accounts

Attribute | Description
Assign Token | Identifier for an authentication token to assign to the user. Select an unassigned token or clear the field to unassign an existing token before you reassign it.
Security Domain | The security domain to which the token is assigned
Token Notes | Description of the token
Enable Token | Enables the assigned token to be used for authentication
Require PIN during authentication | Requires the user to enter a PIN when this token is used for authentication
Force PIN change on next login | Forces the user to change the PIN the next time the user authenticates with this token
Clear Token PIN | Clears the PIN associated with this token. This attribute is ignored for account creation or when its value is false.
Replace With Next Available Token | Indicates that the RSA Authentication Manager server must replace this token with the next available token. Do not select this option if Replacement Token is specified. If you do, this attribute will fail and will cause a non-successful return status.
Replacement Token | Identifier for the token to replace this token. You must select an unassigned token when specifying a replacement.
Token PIN | The PIN for this token. The PIN must adhere to any applicable policies on the RSA Authentication Manager server.

Force Password Change and Certificate DN attribute specification

Force Password Change and Certificate Distinguished Name (DN) attributes are the optional attributes on the RSA Authentication Manager account form. You can specify these attributes in addition to the required attributes.

Specifying the Force Password Change attribute
Selecting the Force Password Change check box forces you to change your password the next time you log on to the RSA Authentication Manager server. For example, you might be assigned a standard password that you want to change when you start using the RSA Authentication Manager server.

Specifying the Certificate DN attribute
Certificate DN is the distinguished name of the certificate that is issued to the user for authentication. Ensure that the value of the Certificate DN attribute on the RSA Authentication Manager account form matches the subject line of that certificate.


User account life span determination

The life span of a user account is the duration for which the user account is active or available on the RSA Authentication Manager server. The value of the Account Expire Date attribute specifies the expiration date of a user account on the RSA Authentication Manager server.

If you do not specify a value for the Account Expire Date attribute, then the user account is valid indefinitely.

The following attributes determine the life span of a user account on the RSA Authentication Manager server:

Account Start Date
The date from when the user account is active. The default value of this attribute on the RSA Authentication Manager server account form is never. To specify a date, follow these steps:
1. Clear the Never check box.
2. Click the View Calendar icon and select the date.
3. Click OK.

Account Expire Date
The date on which the user account becomes inactive and is unavailable for use. The default value of this attribute on the RSA Authentication Manager account form is never. To specify a date, follow these steps:
1. Clear the Never check box.
2. Click the View Calendar icon and select the date.
3. Click OK.

Note: In the following situations, the status of a user account becomes inactive and is unavailable for use:
- When the value of the Account Start Date attribute is same as the value of the Account Expire Date attribute.
- When the value of the Account Start Date attribute is later than the value of the Account Expire Date attribute.
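The attribute rules in Tables 1 to 3 and the life span rules above can be checked before a request is submitted. The following is an added example, not code from this guide or from IBM: the AccountRequest record, its field names and the sample values are hypothetical, and the "review" finding for administrative roles on a never-expiring account is a local review heuristic rather than a rule from the guide.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

MAX_USER_ID_LEN = 240  # limit stated in Table 1
REQUIRED = ("user_id", "last_name", "security_domain", "identity_source")


@dataclass
class AccountRequest:
    """Hypothetical record of the values entered on the account form."""
    user_id: str = ""
    last_name: str = ""
    security_domain: str = ""
    identity_source: str = ""
    start: Optional[datetime] = None    # Account Start Date; None = not specified
    expire: Optional[datetime] = None   # Account Expire Date; None = never
    admin_roles: List[str] = field(default_factory=list)
    replace_with_next_available: bool = False
    replacement_token: Optional[str] = None
    clear_token_pin: bool = False


def lifespan_state(req, now):
    """Classify the account life span using the rules stated in the guide."""
    start = req.start if req.start is not None else now  # default: current time
    if req.expire is not None and start >= req.expire:
        return "inactive"               # start same as or later than expire
    if now < start:
        return "pending"                # start date not reached yet
    if req.expire is None:
        return "active-indefinitely"    # no expire date specified
    return "active" if now < req.expire else "expired"


def validate(req, now, is_new=True):
    """Return (severity, message) findings for one add or modify request."""
    findings = []
    for name in REQUIRED:
        if not getattr(req, name).strip():
            findings.append(("error", "missing required attribute: " + name))
    if len(req.user_id) > MAX_USER_ID_LEN:
        findings.append(("error", "User ID is longer than 240 characters"))
    if lifespan_state(req, now) == "inactive":
        findings.append(("error", "start date is not earlier than expire date"))
    if req.replace_with_next_available and req.replacement_token:
        findings.append(("error", "Replace With Next Available Token and "
                                  "Replacement Token are both set"))
    if is_new and req.clear_token_pin:
        findings.append(("warning", "Clear Token PIN is ignored on creation"))
    if req.admin_roles and req.expire is None:
        # Added heuristic, not from the guide: flag standing admin access.
        findings.append(("review", "administrative role on an account "
                                   "that never expires"))
    return findings


# Constructed sample data; names and token serial are placeholders.
NOW = datetime(2014, 6, 1, 9, 0)
SAMPLES = {
    "ok": AccountRequest("jdoe", "Doe", "ExampleDomain", "ExampleDirectory"),
    "dead_on_arrival": AccountRequest(
        "temp01", "Contractor", "ExampleDomain", "ExampleDirectory",
        start=datetime(2014, 7, 1), expire=datetime(2014, 7, 1)),
    "lapsed": AccountRequest(
        "temp02", "Contractor", "ExampleDomain", "ExampleDirectory",
        start=datetime(2014, 1, 1), expire=datetime(2014, 3, 1)),
    "token_conflict": AccountRequest(
        "asmith", "Smith", "ExampleDomain", "ExampleDirectory",
        replace_with_next_available=True, replacement_token="EXAMPLE-0001",
        clear_token_pin=True),
    "standing_admin": AccountRequest(
        "ops01", "", "ExampleDomain", "ExampleDirectory",
        admin_roles=["Super Admin Role"]),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, lifespan_state(req, NOW), validate(req, NOW))
```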

Support data attributes specification

You can specify support data attributes on the RSA Authentication Manager account form.

The following attributes are support attributes for the RSA Authentication Manager account form.

Security Domain

Associates a user to a particular security domain. Each security domain contains policies such as password policy, lockout policy, or SecurID Token policy.

Security domains are organized in a hierarchical tree on the RSA Authentication Manager server. You can create a lower-level security domain under a top-level security domain and move users between security domains.

When you associate a user to a particular security domain from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. It also assigns the account to the specified security domain. Security domains represent areas of administrative responsibility within the RSA Authentication Manager enterprise.

Identity Source

Directories that are integrated with RSA Authentication Manager are called identity sources. These directories store user data and group data. Information for other data, such as security domains, tokens, or roles, is stored in an internal database.

When you associate a user to a specific identity source from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. It uses the specified identity source as the user data store. The adapter sets the value of the Identity Source attribute on the RSA Authentication Manager server.

Note: The Identity Source attribute is non-modifiable.

User Group

User groups are collections of users, other user groups, or both. User group membership can be used to determine access permission in some applications.

User groups have the following characteristics:
- User groups can be made up of multiple users or user groups.
- User groups can occur across security domains. For example, users in security domain A and users in security domain B can both be members of the same user group. Both sets of users can access the same protected resources.
- A user or user group can be a member of multiple user groups.

Admin Roles

An administrative role defines the permissions to be granted to a user to accomplish administrative tasks. You can assign the following administrative roles to a user from IBM Security Identity Manager:
- Auth Mgr Agent Admin
- Auth Mgr Help Desk
- Auth Mgr Privileged Help Desk
- Auth Mgr Realm Admin
- Auth Mgr Security Domain Admin
- Auth Mgr Token Administrator
- Auth Mgr Trust Admin
- Auth Mgr User Admin
- Request Approver
- Super Admin Role
- Token Distributor
- Trusted Realm Admin Role

Note: You can also create custom administrative roles on the RSA Authentication Manager server as required by your organization. For more information about creating administrative roles, see RSA Authentication Manager 7.1 Administrator's Guide.

Tokens

You can use tokens to authenticate your identity and to access the network resources that are protected by the RSA Authentication Manager server. A token generates unique one-time codes called tokencodes. To gain access to protected resources, you must enter your personal identification number (SecurID PIN) and the number that is displayed on your assigned token (tokencode). The combination of the SecurID PIN and the tokencode from your token is called the RSA SecurID token (Passcode).

Two types of SecurID tokens exist:

Hardware token

This type is a small physical device, such as a key chain or card, that generates tokencodes.

Software token

This type is a software-based token with an RSA SecurID application that is on the computer, Personal Digital Assistant (PDA), or cell phone of the user. After you install the application, the software token generates tokencodes, which are displayed on the device screen.

Two types of hardware and software tokens exist:

Time-based tokens

Time-based tokens automatically generate new tokencodes at regular intervals, generally after every 60 seconds.

Event-based token

Event-based tokens change tokencodes when the user performs an action, such as pressing a button on the token.

You can assign the following optional token attributes on the RSA Authentication Manager account form:

Specifying the Security Domain attribute

Assigns the token to the selected security domain. Click Search and select a security domain from the list. The adapter assigns the token to the selected security domain on the RSA Authentication Manager server.

Specifying the Clear SecurID PIN attribute

Enables the creation of a new SecurID PIN on the RSA Authentication Manager server. You can create a SecurID PIN if you forget your existing PIN.

When you select the Clear SecurID PIN check box from IBM Security Identity Manager, the adapter modifies the user account on the RSA Authentication Manager server. The adapter sets the value of the Clear SecurID PIN attribute on the RSA Authentication Manager server.

Specifying the Clear Token PIN attribute

Instructs the RSA Authentication Manager to clear any existing PIN assigned to the token. Do not select this option if you are specifying the Token PIN field.

This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. Specifying this attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. You must complete a recon after changing any token attributes.

Specifying the Replace With Next Available Token attribute

Replaces the existing token with the next available token on the RSA Authentication Manager server. The server selects a suitable replacement based on expiration date and modifies both the assigned and replacement tokens’ status. Do not select this option if you are specifying a token in the Replacement Token field.

This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. This attribute can affect the value of the Replacement Token attribute. You must complete a recon after changing any token attributes.

Specifying the Require PIN during authentication attribute

Indicates that the user must enter a PIN as well as a tokencode to authenticate.

When you select the Require PIN during authentication check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the User Authentication Requirement attribute on the RSA Authentication Manager server.

Specifying the Force PIN change on next login attribute

Forces the user to change the token PIN the next time the token is used to log on to the RSA Authentication Manager server. This attribute must only be set for tokens that require a passcode for authentication.

When you select the Force PIN change on next login check box from IBM Security Identity Manager, the adapter modifies the user account. The adapter sets the value of the Force PIN change on next login attribute on the RSA Authentication Manager server.

Specifying the Token PIN attribute

Sets or clears the PIN for the token in the RSA Authentication Manager server.

This attribute is send-only. Its value is not directly stored in IBM Security Identity Manager. This attribute can affect the value of the Is token PIN set? and the Force PIN change on next login attributes. You must complete a recon after changing any token attributes.

User token assignment

To assign tokens to users, specify the Assign Token attribute on the RSA Authentication Manager account form.

Note: When you assign a token to a user, ensure that you also select the Enable Token check box on the RSA Authentication Manager account form. Selecting the check box enables the assigned token on the RSA Authentication Manager server. For more information about assigning tokens to users, see RSA Authentication Manager 7.1 Administrator's Guide.

User administrative role assignment

To assign administrative roles to any user, select the roles that are listed on the RSA Authentication Manager account form.

For example, you can select the Super Admin Role to grant a user full administrative permissions.

You can assign administrative roles to any user in your identity source. When you do so, you give the user the permissions to perform the administrative actions defined for that role. You can assign multiple administrative roles to a user. When you assign roles to a user, ensure that you assign roles that grant enough permissions to accomplish the user's tasks.

When you assign administrative roles to a user from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. The adapter sets the value of the Admin Roles attribute on the RSA Authentication Manager server.

User group assignment

To assign user groups to any user, select the groups that are listed on the RSA Authentication Manager account form.

For example, you can select the Internal Database: Group to assign a user to this group.

You can assign users to any user groups in your identity source. When you do so, the member users gain access to the network resources that are protected by the RSA Authentication Manager server.

When you associate a user or a group of users to a specific user group from IBM Security Identity Manager, the adapter creates the user account on the RSA Authentication Manager server. The adapter sets the value of the User Group attribute on the RSA Authentication Manager server.

User account modifications

You can modify the user account attributes at any time with IBM Security Identity Manager. Identity Source is the only attribute on the account form that you cannot modify.

For specific procedures, see the IBM Security Identity Manager product documentation.

Token attribute modification

You can modify token attributes after you assign them to users from IBM Security Identity Manager.

For information about assigning tokens and types of tokens, see “User accounts” on page 7.

Token unassignment

You can unassign an existing token by clearing it from IBM Security Identity Manager. The user can no longer use the token to authenticate and the token is disabled.

If you reassign the token to another user, it is disabled unless you select the Enable Token check box on the account form. For more information about unassigning tokens, see RSA Authentication Manager 7.1 Administrator's Guide.

Administrative role unassignment

You can use IBM Security Identity Manager to unassign administrative roles by removing the user from the role membership. The user can no longer perform the administrative tasks that are defined for that role.


When you use IBM Security Identity Manager to unassign a user from any administrative role, the adapter modifies the user account on the RSA Authentication Manager server. The adapter clears the value of the Admin Roles attribute on the RSA Authentication Manager server.

User group unassignment

You can use IBM Security Identity Manager to unassign a user from a group by removing the user from the group membership. The user can no longer access the network resources that are accessed by that user group.

When you use IBM Security Identity Manager to unassign a user from any user group, the adapter modifies the user account on the RSA Authentication Manager server. The adapter clears the value of the User Group attribute on the RSA Authentication Manager server.

User account password modification

You can change the password of any of the RSA Authentication Manager accounts that exist on IBM Security Identity Manager.

For information about changing passwords, see the IBM Security Identity Manager product documentation.

User account suspension

When you suspend a user account, the status of the user account on IBM Security Identity Manager becomes inactive, and the user account becomes unavailable for use.

Suspending a user account does not remove the user account from IBM Security Identity Manager. For more information about suspending user accounts, see the IBM Security Identity Manager product documentation.

When you suspend a user account from IBM Security Identity Manager, the adapter sets the value of the Account is disabled attribute on the RSA Authentication Manager server. The adapter sets the value to TRUE.

User account restoration

The restore operation reinstates the suspended user accounts to IBM Security Identity Manager.

After restoring a user account, the status of the user account on IBM Security Identity Manager becomes active. For more information about restoring user accounts, see the IBM Security Identity Manager product documentation.

When you restore a user account from IBM Security Identity Manager, the adapter sets the value of the following attributes on the RSA Authentication Manager server. The adapter sets the values to FALSE.
- Account is disabled
- Account is locked by lockout policy
- Account is locked out of emergency authentication


User account deletion

Use the deprovision feature of IBM Security Identity Manager to delete user accounts.

For more information about deleting user accounts, see the IBM Security Identity Manager product documentation.

When you delete a user account from IBM Security Identity Manager, the adapter removes the user data from the RSA Authentication Manager identity source. The account is no longer defined on the RSA Authentication Manager server and you can no longer manage the account.


Chapter 4. RSA Authentication Manager Adapter error troubleshooting

Troubleshooting can help you determine why a product does not function properly. This section provides information and techniques for identifying and resolving problems with the RSA Authentication Manager Adapter.

Techniques for troubleshooting problems

Troubleshooting is a systematic approach to solve a problem. The goal of troubleshooting is to determine why something does not work as expected, and how to resolve the problem. Certain common techniques can help with the task of troubleshooting.

The first step in the troubleshooting process is to describe the problem completely. Problem descriptions help you and the IBM technical-support representative know where to start to find the cause of the problem. This step includes asking yourself basic questions:
- What are the symptoms of the problem?
- Where does the problem occur?
- When does the problem occur?
- Under which conditions does the problem occur?
- Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem, which can then lead you to a problem resolution.

What are the symptoms of the problem?

When starting to describe a problem, the most obvious question is “What is the problem?” This question might seem straightforward; however, you can break it down into several more-focused questions that create a more descriptive picture of the problem. These questions can include:
- Who, or what, is reporting the problem?
- What are the error codes and messages?
- How does the system fail? For example, is it a loop, hang, crash, performance degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of the most important steps in resolving a problem. Many layers of technology can exist between the reporting and failing components. Networks, disks, and drivers are only a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolate the problem layer:
- Is the problem specific to one platform or operating system, or is it common across multiple platforms or operating systems?
- Is the current environment and configuration supported?
- Do all users have the problem?
- (For multi-site installations.) Do all sites have the problem?

If one layer reports the problem, the problem does not necessarily originate in that layer. Part of identifying where a problem originates is understanding the environment in which it exists. Take some time to completely describe the problem environment, including the operating system and version, all corresponding software and versions, and hardware information. Confirm that you are running within an environment that is a supported configuration; many problems can be traced back to incompatible levels of software that are not intended to run together or have not been fully tested together.

When does the problem occur?

Develop a detailed timeline of events leading up to a failure, especially for those cases that are one-time occurrences. You can most easily develop a timeline by working backward: Start at the time an error was reported (as precisely as possible, even down to the millisecond), and work backward through the available logs and information. Typically, you need to look only as far as the first suspicious event that you find in a diagnostic log.

To develop a detailed timeline of events, answer these questions:
- Does the problem happen only at a certain time of day or night?
- How often does the problem happen?
- What sequence of events leads up to the time that the problem is reported?
- Does the problem happen after an environment change, such as upgrading or installing software or hardware?

Responding to these types of questions can give you a frame of reference in which to investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problem occurs is an important part of troubleshooting. These questions about your environment can help you to identify the root cause of the problem:
- Does the problem always occur when the same task is being performed?
- Does a certain sequence of events need to happen for the problem to occur?
- Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment in which the problem occurs and correlate any dependencies. Remember that just because multiple problems might have occurred around the same time, the problems are not necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can be reproduced. Typically, when a problem can be reproduced you have a larger set of tools or procedures at your disposal to help you investigate. Consequently, problems that you can reproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If the problem is of significant business impact, you do not want it to recur. If possible, re-create the problem in a test or development environment, which typically offers you more flexibility and control during your investigation.
- Can the problem be re-created on a test system?
- Are multiple users or applications encountering the same type of problem?
- Can the problem be re-created by running a single command, a set of commands, or a particular application?

For information about obtaining support, see Appendix C, “Support information,” on page 29.

RSA Authentication Manager Adapter errors

You can refer to logs to identify the error messages that occur while running the RSA Authentication Manager Adapter. Whenever an operation fails, the corresponding error messages are logged in the ibmdi.log file. This file is in the adapter solution\logs directory.

You can display the logs in the user interface by running the Dispatcher from the command prompt. You can also configure logging information for the adapter. For more information, see the RSA Authentication Manager Adapter Installation and Configuration Guide. Search for the sections that explain how to display logs in the user interface and how to configure logging information for the adapter.

The following table lists the error messages and warnings that might occur while performing the RSA Authentication Manager 7.1 Adapter user tasks. The table also provides the actions to resolve those errors.

Table 4. Adapter error messages, warnings, and corrective actions

| Error message | Possible cause | Corrective action |
|---|---|---|
| Last Name is a required field. | The family name of the account holder was not specified. | Specify the family name of the account holder on the RSA Authentication Manager account form. For example, Smith. Note: The Last Name attribute is a required attribute. |
| User ID is a required field. | A User ID was not specified when creating an account. | Provide a User ID with an account. Note: The User ID attribute is a required attribute. |
| Identity Source is null. | The name of an identity source was not specified. | Specify the name of an identity source, such as Internal Database and other identity sources that are defined on the RSA Authentication Manager server for directory servers. For example, directory servers such as Sun Java™ Directory Server, Microsoft Active Directory, or others. Note: The Identity Source attribute is a required attribute. |
| Security Domain is null. | The name of a security domain was not specified. | Specify the name of the security domain to which you want the user account assigned. Note: The Security Domain attribute is a required attribute. |
| The value of Last Name contains invalid characters. | This error occurs when the value of the Last Name attribute contains non-permissible characters. | Specify a value for the Last Name attribute that excludes the non-permissible characters such as: % and &. |
| The value of User ID contains invalid characters. | This error occurs when the value of the User ID attribute contains non-permissible characters. | Specify a value for the User ID attribute that excludes the non-permissible characters such as: % and &. |
| User ID must not be greater than 255 characters long. | During the add or modify operation, the value of the User ID attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a User ID that does not exceed the permissible character limit, that is, 255. |
| Email must not be greater than 255 characters long. | During the add or modify operation, the value of the Email attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify an email that does not exceed the permissible character limit, that is, 255. |
| Middle Name must not be greater than 255 characters long. | During the add or modify operation, the value of the Middle Name attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a middle name that does not exceed the permissible character limit, that is, 255. |
| The value of Middle Name contains invalid characters. | This error occurs when the value of the Middle Name attribute contains non-permissible characters. | Specify a value for the Middle Name attribute that excludes the non-permissible characters such as: % and &. |
| The value of Description contains invalid characters. | This error occurs when the value of the Notes attribute contains non-permissible characters. | Specify a value for the Notes attribute that excludes the non-permissible characters such as: % and &. Note: The Description attribute is mapped to the Notes attribute on the RSA Authentication Manager account form. |
| Description must not be greater than 255 characters long. | During the add or modify operation, the value of the Notes attribute exceeded 255 characters. | Specify a description for the Notes attribute that contains less than 255 characters. Note: The Description attribute is mapped to the Notes attribute on the RSA Authentication Manager account form. |
| First Name must not be greater than 255 characters long. | During the add or modify operation, the value of the First Name attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a given name that does not exceed the permissible character limit, that is, 255. |
| The value of First Name contains invalid characters. | This error occurs when the value of the First Name attribute contains non-permissible characters. | Specify a value for the First Name attribute that excludes the non-permissible characters such as: % and &. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL"."CERT_DN" (actual: 256, maximum: 255) | During the add or modify operation, the value of the Certificate DN attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a Certificate DN that does not exceed the permissible character limit, that is, 255. |
| The value of Certificate DN contains invalid characters. | The value of the Certificate DN attribute contains non-permissible characters. | Specify a value for the Certificate DN attribute that excludes the non-permissible characters such as: % and &. |
| Token already assigned. | The token that was assigned to the account holder is already in use. | Use IBM Security Identity Manager to assign a different token to the account holder. |
| User does not exist. | A request was made to either modify, suspend, restore, or delete a user account that does not exist on the RSA Authentication Manager server. | Ensure that the user exists on the RSA Authentication Manager server. Reconcile the account data to get an updated list of users. |
| The value of Values contains invalid characters. | This error occurs when the values of either of the following attributes contain non-permissible characters: User ID, Last Name, First Name, Middle Name, Certificate DN. | Specify a value for the following attributes that exclude the non-permissible characters such as: % and &: User ID, Last Name, First Name, Middle Name, Certificate DN. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL_DATA"."LOGINUID" (actual: 256, maximum: 255) | During the add or modify operation, the value of the User ID attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a User ID that does not exceed the permissible character limit, that is, 255. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL"."LAST_NAME" (actual: 256, maximum: 255) | During the add or modify operation, the value of the Last Name attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a family name that does not exceed the permissible character limit, that is, 255. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL"."FIRST_NAME" (actual: 256, maximum: 255) | During the add or modify operation, the value of the First Name attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a given name that does not exceed the permissible character limit, that is, 255. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL"."FIRST_NAME" (actual: 256, maximum: 255) | During the add or modify operation, the value of the Middle Name attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a middle name that does not exceed the permissible character limit, that is, 255. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL"."EMAIL" (actual: 256, maximum: 255) | During the add or modify operation, the value of the Email attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify an email that does not exceed the permissible character limit, that is, 255. |
| ORA-12899: value too large for column "RSA_REP"."IMS_PRINCIPAL_DATA"."DESCRIPTION" (actual: 256, maximum: 255) | During the add or modify operation, the value of the Notes attribute exceeded 255 characters. | Specify a description for the Notes attribute that contains less than 255 characters. Note: The Description attribute is mapped to the Notes attribute on the RSA Authentication Manager account form. |
| Values for column notes may be no longer than 255 characters. | During the add or modify operation, the value of the Token Notes attribute exceeded 255 characters. | This error occurs when the value of the attribute exceeds the permissible character limit. Specify a description for the Token Notes attribute that does not exceed the permissible character limit, that is, 255. |
| No tokens available for security domain. | This error occurs when no tokens are available on the RSA Authentication Manager server to perform the Replace With Next Available Token operation. | Ensure that there is a minimum of one unassigned token on the RSA Authentication Manager server before you perform the Replace With Next Available Token operation. |
| The user cannot be assigned with more than three tokens. | A request was made to assign more than three tokens to the same user. | Assign no more than three tokens to the same user. |
| User does Not Exist (Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0 at com.ibm.itim.adapter.RSAAMTest.main(RSAAMTest.java:692) | A request was made to delete a user that does not exist on the RSA Authentication Manager server. | Ensure that the user you want to delete exists on the RSA Authentication Manager server. Reconcile the account data to get an updated list of users. |
| Password policy not satisfied. | This error occurs when the value of the password does not adhere to the password policy that is described on the RSA Authentication Manager server. | Ensure that your password adheres to the password policy that is described on the RSA Authentication Manager server. |
| Principal with userid already exists in the realm: User ID | A request was made to add a user that exists on the RSA Authentication Manager server. | A user account with the specified user ID exists on the RSA Authentication Manager server. Create a user account with another user ID. |
| Required parameter missing during password authentication attempt. | A value for the Password attribute on the RSA Authentication Manager service form was not specified. | Specify a value for the Password attribute on the RSA Authentication Manager service form correctly. Note: The Password attribute is a required attribute on the RSA Authentication Manager service form. |
| Access Denied. | This error occurs when the attribute values on the RSA Authentication Manager service form are incorrect. | Specify the values of the following attributes on the RSA Authentication Manager service form correctly: Administrator name, Password. |
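The triage described above (find the logged error, match it to Table 4, and work backward from the reported time to the first suspicious event), as an added Python example that is not part of the IBM guide. The ibmdi.log line layout, the AssemblyLine names and the sample lines are constructed assumptions; only the message texts come from Table 4.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed line layout: "<date> <time>,<ms> LEVEL [source] - message".
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+\[([^\]]*)\]\s+-\s+(.*)$"
)

# Message texts from Table 4, grouped by the kind of corrective action they call for.
CATEGORIES = [
    ("required-attribute",
     re.compile(r"is a required field\.|(?:Identity Source|Security Domain) is null\.")),
    ("invalid-characters",
     re.compile(r"The value of .+ contains invalid characters\.")),
    ("length-limit",
     re.compile(r"must not be greater than 255 characters long\."
                r"|ORA-12899: value too large for column"
                r"|may be no longer than 255 characters\.")),
    ("token-assignment",
     re.compile(r"Token already assigned\.|No tokens available for security domain\."
                r"|cannot be assigned with more than three tokens\.")),
    ("unknown-user", re.compile(r"User does [Nn]ot [Ee]xist")),
    ("duplicate-user", re.compile(r"Principal with userid already exists in the realm")),
    ("password-policy", re.compile(r"Password policy not satisfied\.")),
    ("service-form-credentials",
     re.compile(r"Access Denied\."
                r"|Required parameter missing during password authentication attempt\.")),
]

# Constructed sample; the line after the ORA-12899 entry is a wrapped continuation.
SAMPLE_LOG = "\n".join([
    "2014-03-12 10:14:58,101 INFO  [AssemblyLine.example/add] - Add request received",
    "2014-03-12 10:14:58,377 ERROR [AssemblyLine.example/add] - Security Domain is null.",
    "2014-03-12 10:15:02,010 INFO  [AssemblyLine.example/modify] - Modify request received",
    "2014-03-12 10:15:02,455 ERROR [AssemblyLine.example/modify] - "
    "ORA-12899: value too large for column",
    '"RSA_REP"."IMS_PRINCIPAL"."EMAIL" (actual: 256, maximum: 255)',
    "2014-03-12 10:15:09,900 ERROR [AssemblyLine.example/add] - "
    "The user cannot be assigned with more than three tokens.",
    "2014-03-12 10:15:10,002 INFO  [AssemblyLine.example/add] - Request completed",
])


class Event:
    """One log entry, with any wrapped continuation lines folded into message."""

    def __init__(self, when, level, source, message):
        self.when, self.level, self.source = when, level, source
        self.message = message
        self.category = None


def classify(message):
    """Return the Table 4 category a message belongs to, or None."""
    for name, pattern in CATEGORIES:
        if pattern.search(message):
            return name
    return None


def parse_log(text):
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
            events.append(Event(when, m.group(2), m.group(3), m.group(4)))
        elif events and raw.strip():
            # Stack trace or wrapped text: it belongs to the preceding entry.
            events[-1].message += " " + raw.strip()
    for ev in events:
        ev.category = classify(ev.message)
    return events


def is_suspicious(ev):
    return ev.category is not None or ev.level in ("WARN", "ERROR", "FATAL")


def first_suspicious_before(events, reported_at, window=timedelta(minutes=5)):
    """Walk backward from the reported time; return the first suspicious event met."""
    for ev in sorted(events, key=lambda e: e.when, reverse=True):
        if ev.when > reported_at:
            continue
        if reported_at - ev.when > window:
            break
        if is_suspicious(ev):
            return ev
    return None


def summarize(events):
    """Count classified errors per category, to see which corrective action dominates."""
    return Counter(ev.category for ev in events if ev.category)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    hit = first_suspicious_before(parsed, datetime(2014, 3, 12, 10, 15, 5))
    print(hit.when, hit.category, hit.message)
    print(dict(summarize(parsed)))
```

An unclassified ERROR line is still returned by first_suspicious_before, so messages that Table 4 does not list are not silently skipped.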


Appendix A. RSA Authentication Manager Adapter attributes

IBM Security Identity Manager communicates with the RSA Authentication Manager using attributes included in transmission packets sent over a network.

The combination of attributes included in the packets depends on the type of action the RSA Authentication Manager requests from the RSA Authentication Manager Adapter.

RSA Authentication Manager account form attributes

The following table lists the mapping of the user account form attributes on IBM Security Identity Manager to the attributes on the RSA Authentication Manager.

The table lists:
- The attributes that are displayed on the RSA Authentication Manager account form on IBM Security Identity Manager
- The corresponding names on the Tivoli Directory Server
- The names by which the attributes are referred to on the RSA Authentication Manager server

Table 5. Attributes on the RSA Authentication Manager account form on IBM Security Identity Manager, their corresponding names on the Tivoli Directory Server, and the RSA Authentication Manager

| Attribute name on the RSA Authentication Manager account form on IBM Security Identity Manager | Attribute name on the Tivoli Directory Server | Attribute name on the RSA Authentication Manager server |
|---|---|---|
| User ID | eruid | User ID |
| First Name | erRsaAmFirstName | First Name |
| Last Name | erRsaAmLastName | Last Name |
| Middle Name | erRsaAmMiddleName | Middle Name |
| Security Domain | erRsaAmSecurityDomain | Security Domain |
| Identity Source | erRsaAmIdentitySource | Identity Source |
| Certificate DN | erRsaAmCertdn | Certificate DN |
| Notes | erRsaAmNotes | Notes |
| Email | erRsaAmEmail | Email |
| Account Start Date | erRsaAmStartDate | Account Starts |
| Account Expire Date | erRsaAmExpireDate | Account Expires |
| User Group | erRsaAmUserGroup | User Group Name |
| Admin Roles | erRsaAmAdminRole | Administrative Role |
| Assign Token | erRsaAmT1Assign | SecurID Tokens |
| Security Domain (Token #1) | erRsaAmT1SecurityDomain | Security Domain |
| Token Notes | erRsaAmT1TokenNotes | Notes |
| Last Login Date | erRsaAmT1LastLogonDate | Last Logon |
| Enable Token | erRsaAmT1Enable | Disabled |
| Require PIN during authentication | erRsaAmT1ReqAuthPasscode | User Authentication Requirement |
| Force PIN change on next login | erRsaAmT1ForcePINChange | Require SecureID PIN Change on Next Logon |
| SecurID PIN Set | erRsaAmT1SetSecurIDPIN | SecurID PIN Set |
| Clear SecurID PIN | erRsaAmT1ClearSecurIDPIN | Clear SecurID PIN |
| Replace With Next Available Token | erRsaAmT1RplNextToken | Replace with Next Available SecurID Token |
| Replacement Token | erRsaAmT1ReplacementToken | Replacement |
| Token PIN | None. This value is not stored. | None. This value is not displayed. |

Note: The attributes on the Token#1, Token#2, and Token#3 pages of the RSA Authentication Manager account form are the same.

RSA Authentication Manager hidden attributes

Hidden attributes are not automatically added to the account form. Use the IBM Security Identity Manager Form Customization feature to get these hidden attributes on the RSA Authentication Manager account form.

The following table lists:
- The attributes that are not the default attributes on the RSA Authentication Manager account form on IBM Security Identity Manager
- The corresponding names on the Tivoli Directory Server
- The names by which the attributes are referred to on the RSA Authentication Manager server

Table 6. Hidden attributes on the RSA Authentication Manager account form on IBM Security Identity Manager, their corresponding names on the Tivoli Directory Server, and the RSA Authentication Manager server

| Hidden attribute on the RSA Authentication Manager account form on IBM Security Identity Manager | Attribute name on the Tivoli Directory Server | Attribute name on the RSA Authentication Manager server |
|---|---|---|
| GUID | erRsaAmGUID | Guid |
| Is Admin | erRsaAmIsAdmin | Is Admin |
| Last Authentication Date | erRsaAmLastAuthenticationDate | Last Authentication |
| Last Modified Date | erRsaAmLastMdfDate | Last Modified |
| Last Modified By | erRsaAmLastModifiedBy | Last Modified |
| Date on Token Started | erRsaAmT1StartDate | Lifetime |
| Date on Token Imported | erRsaAmT1ImportDate | Imported |
| Token imported By | erRsaAmT1ImportedBy | Imported |
| Date on Token Assigned | erRsaAmT1AssignDate | Assigned |
| Token Assigned By | erRsaAmT1AssignedBy | Assigned |
| Date on Token Enabled | erRsaAmT1EnabledDate | Enabled |
| Date on Token Expired | erRsaAmT1ExpireDate | Lifetime |
| Last Login Date | erRsaAmT1LastLogonDate | Last Logon |


Appendix B. Definitions for ITDI_HOME and ISIM_HOME directories

ITDI_HOME is the directory where Tivoli Directory Integrator is installed. ISIM_HOME is the directory where IBM Security Identity Manager is installed.

ITDI_HOME
    This directory contains the jars/connectors subdirectory that contains files for the adapters.

    Windows
        drive\Program Files\IBM\TDI\ITDI_VERSION

        For example the path for version 7.1:
        C:\Program Files\IBM\TDI\V7.1

    UNIX
        /opt/IBM/TDI/ITDI_VERSION

        For example the path for version 7.1:
        /opt/IBM/TDI/V7.1

ISIM_HOME
    This directory is the base directory that contains the IBM Security Identity Manager code, configuration, and documentation.

    Windows
        path\IBM\isim

    UNIX
        path/IBM/isim


Appendix C. Support information

You have several options to obtain support for IBM products.
- “Searching knowledge bases”
- “Obtaining a product fix”
- “Contacting IBM Support”

Searching knowledge bases

You can often find solutions to problems by searching IBM knowledge bases. You can optimize your results by using available resources, support tools, and search methods.

About this task

You can find useful information by searching the product documentation for IBM Security Identity Manager. However, sometimes you must look beyond the product documentation to answer your questions or resolve problems.

Procedure

To search knowledge bases for information that you need, use one or more of the following approaches:

1. Search for content by using the IBM Support Assistant (ISA).
   ISA is a no-charge software serviceability workbench that helps you answer questions and resolve problems with IBM software products. You can find instructions for downloading and installing ISA on the ISA website.

2. Find the content that you need by using the IBM Support Portal.
   The IBM Support Portal is a unified, centralized view of all technical support tools and information for all IBM systems, software, and services. The IBM Support Portal lets you access the IBM electronic support portfolio from one place. You can tailor the pages to focus on the information and resources that you need for problem prevention and faster problem resolution. Familiarize yourself with the IBM Support Portal by viewing the demo videos (https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos) about this tool. These videos introduce you to the IBM Support Portal, explore troubleshooting and other resources, and demonstrate how you can tailor the page by moving, adding, and deleting portlets.

3. Search for content about IBM Security Identity Manager by using one of the following additional technical resources:
   - IBM Security Identity Manager version 6.0 technotes and APARs (problem reports).
   - IBM Security Identity Manager Support website.
   - IBM Redbooks®.
   - IBM support communities (forums and newsgroups).

4. Search for content by using the IBM masthead search. You can use the IBM masthead search by typing your search string into the Search field at the top of any ibm.com® page.

5. Search for content by using any external search engine, such as Google, Yahoo, or Bing. If you use an external search engine, your results are more likely to include information that is outside the ibm.com domain. However, sometimes you can find useful problem-solving information about IBM products in newsgroups, forums, and blogs that are not on ibm.com.

   Tip: Include “IBM” and the name of the product in your search if you are looking for information about an IBM product.

Obtaining a product fix

A product fix might be available to resolve your problem.

About this task

You can get fixes by following these steps:

Procedure

1. Obtain the tools that are required to get the fix. You can obtain product fixes from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the “Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section of the download document.

Contacting IBM Support

IBM Support assists you with product defects, answers FAQs, and helps users resolve problems with the product.

Before you begin

After trying to find your answer or solution by using other self-help options such as technotes, you can contact IBM Support. Before contacting IBM Support, your company or organization must have an active IBM software subscription and support contract, and you must be authorized to submit problems to IBM. For information about the types of available support, see the Support portfolio topic in the “Software Support Handbook”.

Procedure

To contact IBM Support about a problem:

1. Define the problem, gather background information, and determine the severity of the problem. For more information, see the Getting IBM support topic in the Software Support Handbook.

2. Gather diagnostic information.

3. Submit the problem to IBM Support in one of the following ways:
   - Using IBM Support Assistant (ISA):
     Any data that has been collected can be attached to the service request. Using ISA in this way can expedite the analysis and reduce the time to resolution.
     a. Download and install the ISA tool from the ISA website. See http://www.ibm.com/software/support/isa/.
     b. Open ISA.
     c. Click Collection and Send Data.
     d. Click the Service Requests tab.
     e. Click Open a New Service Request.
   - Online through the IBM Support Portal: You can open, update, and view all of your service requests from the Service Request portlet on the Service Request page.
   - By telephone for critical, system down, or severity 1 issues: For the telephone number to call in your region, see the Directory of worldwide contacts web page.

Results

If the problem that you submit is for a software defect or for missing or inaccurate documentation, IBM Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support website daily, so that other users who experience the same problem can benefit from the same resolution.


Appendix D. Accessibility features for IBM Security Identity Manager

Accessibility features help users who have a disability, such as restricted mobility or limited vision, to use information technology products successfully.

Accessibility features

The following list includes the major accessibility features in IBM Security Identity Manager.
- Support for the Freedom Scientific JAWS screen reader application
- Keyboard-only operation
- Interfaces that are commonly used by screen readers
- Keys that are discernible by touch but do not activate just by touching them
- Industry-standard devices for ports and connectors
- The attachment of alternative input and output devices

The IBM Security Identity Manager library, and its related publications, are accessible.

Keyboard navigation

This product uses standard Microsoft Windows navigation keys.

Related accessibility information

The following keyboard navigation and accessibility features are available in the form designer:
- You can use the tab keys and arrow keys to move between the user interface controls.
- You can use the Home, End, Page Up, and Page Down keys for more navigation.
- You can launch any applet, such as the form designer applet, in a separate window to enable the Alt+Tab keystroke to toggle between that applet and the web interface, and also to use more screen workspace. To launch the window, click Launch as a separate window.
- You can change the appearance of applets such as the form designer by using themes, which provide high contrast color schemes that help users with vision impairments to differentiate between controls.

IBM and accessibility

See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

If you are viewing this information softcopy, the photographs and color illustrations might not appear.

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.


Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Privacy Policy Considerations

IBM Software products, including software as a service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, and to tailor interactions with the end user or for other purposes. In many cases, no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en sections entitled "Cookies, Web Beacons and Other Technologies and Software Products and Software-as-a Service".




Printed in USA

SC27-4409-04