Password Synchronization for Active Directory Plug-in Installation and Configuration Guide

Transcription

1 Tioli Identity Manager Version 5.1 Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide SC

2

3 Tioli Identity Manager Version 5.1 Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide SC

4 Note: Before using this information and the product it supports, read the information in Appendix C, Notices, on page 35. This edition applies to ersion 5.1 of this plug-in and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright IBM Corporation US Goernment Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

5 Preface About this book IBM Tioli Identity Manager proides the Password Synchronization for Actie Directory plug-in (Password Synchronization plug-in) to process password change requests between an Actie Directory domain controller and the Tioli Identity Manager serer. This book describes how to install and configure the plug-in. Note: The program that is used to connect the managed resource to the Tioli Identity Manager serer is now called an adapter. The term adapter replaces the preiously used term agent. The user interface used to configure the adapter still uses the term agent. Intended audience for this book Publications This book is intended for domain controller security administrators responsible for installing software on their site's computer systems. Readers are expected to understand Windows and domain controller concepts. The person completing the Password Synchronization plug-in installation procedure must also be familiar with their site's system standards and needs to hae appropriate Windows knowledge. Readers should be able to perform routine Windows and security administration tasks. This section lists publications in the Tioli Identity Manager library and related documents. The section also describes how to access Tioli publications online and how to order Tioli publications. Tioli Identity Manager library The publications in the technical documentation library for your product are organized into the following categories: Release Information Release Notes proide software and hardware requirements for the product and information about fix packs and support. Read This First card lists the publications for the product. Online user assistance Proides online help topics and an information center for administratie tasks. Serer installation and configuration Proides installation and configuration information for the product serer. Problem determination Proides problem determination, logging, and message information for the product. Technical supplements The following technical supplements are proided by deelopers or by other groups who are interested in this product: Performance and tuning information Copyright IBM Corp iii

6 Proides information needed to tune your production enironment at: 1. Click the I character in the A-Z product list to locate IBM Tioli Identity Manager products. 2. Click the link for your product. 3. Browse the information center for the Technical Supplements section. Redbooks and white papers are aailable at: IBMTioliIdentityManager.html 1. Naigate to the Self Help section, in the Learn category. 2. Click the Redbooks link. Technotes are aailable at: Field guides are aailable at: Field_Guides.html For an extended list of other Tioli Identity Manager resources, search the following IBM deeloperworks at: Adapter documentation The technical documentation library also includes a set of platform-specific documents for the adapter components of the product. Adapter information is aailable at: 1. Click the I character in the A-Z product list to locate IBM Tioli Identity Manager products. 2. Click the link for your product. 3. Browse the information center for the adapter information that you want. Prerequisite publications To use the information in this book effectiely, you must hae knowledge of the prerequisite products. Publications are aailable from the following locations: domain controller Operating systems IBM AIX Solaris Operating Enironment Red Hat Linux Microsoft Windows Serer Database serers IBM DB2 Uniersal Database i IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

7 - Support: - Information center: index.jsp - Documentation: winos2unix/support/8pubs.d2w/en_main - DB2 product family: - Fix packs: download8.html - System requirements: sysreqs.html Oracle Microsoft SQL serer Directory serer applications IBM Directory Serer en_us/html/ldapinst.htm Sun ONE Directory Serer WebSphere Additional information is aailable in the product directory or Web sites. WebSphere embedded messaging IBM HTTP Serer Related publications The Tioli Software Library proides a ariety of product-related publications, such as white papers, datasheets, demonstrations, Redbooks, and announcement letters. The Tioli Software Library is aailable at tioli/literature/. Accessing terminology online The Tioli Software Glossary includes definitions for many of the technical terms related to Tioli software. The Tioli Software Glossary is aailable at the following Tioli software library Web site: Preface

8 Accessibility The IBM Terminology Web site consolidates the terminology from IBM product libraries in one conenient location. You can access the Terminology Web site at the following Web address: Accessing publications online The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation. The product CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. To access the publications using a Web browser, open the infocenter.html file. The file is in the appropriate publications directory on the product CD. IBM posts publications for this and all other Tioli products, as they become aailable and wheneer they are updated, to the Tioli Information Center Web site at Note: If you print PDF documents on other than letter-sized paper, set the option in the File Print window that allows Adobe Reader to print letter-sized pages on your local paper. Ordering publications You can order many Tioli publications online at Tioli technical training You can also order by telephone by calling one of these numbers: In the United States: In Canada: In other countries, contact your software account representatie to order Tioli publications. To locate the telephone number of your local representatie, perform the following steps: 1. Go to 2. Select your country from the list and click Go. 3. Click About this site in the main panel to see an information page that includes the telephone number of your local representatie. Accessibility features help users with a physical disability, such as restricted mobility or limited ision, to use software products successfully. With this product, you can use assistie technologies to hear and naigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface. For additional information, see Appendix B, Accessibility, on page 33. For Tioli technical training information, refer to the following IBM Tioli Education Web site at i IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

9 Tioli user groups Support information Tioli user groups are independent, user-run membership organizations that proide Tioli users with information to assist them in the implementation of Tioli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tioli users. Tioli user groups include the following members and groups: 23,000+ members 144+ groups Access the link for the Tioli Users Group at If you hae a problem with your IBM software, you want to resole it quickly. IBM proides the following ways for you to obtain the support you need: Online Go to the IBM Software Support site at software/support/probsub.html and follow the instructions. IBM Support Assistant The IBM Support Assistant is a free local software sericeability workbench that helps you resole questions and problems with IBM software products. The Support Assistant proides quick access to support-related information and sericeability tools for problem determination. To install the Support Assistant software, go to support/isa. Troubleshooting Guide For more information about resoling problems, see the problem determination information for this product. Conentions used in this book This publication uses seeral conentions for special terms and actions, operating system-dependent commands and paths. Typeface conentions This guide uses the following typeface conentions: Bold Italic Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:) Keywords and parameters in text Command names Words defined in text Emphasis of words (words as words) New terms in text (except in a definition list) Preface ii

10 Variables and alues you must proide Monospace Examples and code examples Programming keywords, and other elements that are difficult to distinguish from surrounding text File names Message text and prompts addressed to the user Text that the user must type Values for arguments or command options Names of object classes Operating system-dependent ariables and paths This guide uses the Windows conention for specifying enironment ariables and for directory notation. When using the Unix command line, replace %ariable% with $ariable for enironment ariables and replace each backslash (\) with a forward slash (/) in directory paths. The names of enironment ariables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equialent to $tmp in a UNIX operating system. Note: If you are using the bash shell on a Windows system, you can use the UNIX conentions. iii IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

11 Contents Preface iii About this book iii Intended audience for this book iii Publications iii Tioli Identity Manager library iii Prerequisite publications i Related publications Accessing terminology online Accessing publications online i Ordering publications i Accessibility i Tioli technical training i Tioli user groups ii Support information ii Conentions used in this book ii Typeface conentions ii Operating system-dependent ariables and paths iii Chapter 1. Oeriew of the plug-in... 1 Features of the plug-in Interaction among Actie Directory, the adapter, and the plug-in Configuration 1: Forward password change... 1 Configuration 2: Reerse password change... 2 Supported configurations Configuration 1: Password Synchronization and Actie Directory Adapter on same domain controller workstation Configuration 2: Password Synchronization and Actie Directory Adapter on different domain controller workstations Configuration 3: Password Synchronization on a domain controller workstation and Actie Directory Adapter on a non-domain controller workstation Configuration 4: Password Synchronization and Actie Directory Adapter in different domains.. 5 Setting up registry access Using the winreg key to grant access to the registry Bypassing the Access Restriction Chapter 2. Planning to install the plug-in 9 Preinstallation road map Installation road map Prerequisites Information worksheet Downloading the software Chapter 3. Installing the plug-in Before you begin About this task Procedure Installing CA certificates What to do next Verifying the installation Chapter 4. Installing and uninstalling the plug-in by using the silent mode.. 17 Installing the plug-in by using the silent mode.. 17 Uninstalling the plug-in by using the silent mode. 19 Chapter 5. Configuring SSL authentication for the plug-in Oeriew of SSL and digital certificates Priate keys, public keys, and digital certificates 22 Self-signed certificates Certificate and key formats Configuring certificates when the plug-in operates as an SSL client Chapter 6. Taking the first steps after installation Chapter 7. Uninstalling the plug-in Appendix A. Support information Searching knowledge bases Search the information center on your local system or network Search the Internet Contacting IBM Software Support Determine the business impact of your problem 30 Describe your problem and gather background information Submit your problem to IBM Software Support 31 Appendix B. Accessibility Naigating the interface using the keyboard Magnifying what is displayed on the screen Appendix C. Notices Trademarks Index Copyright IBM Corp ix

12 x IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

13 Chapter 1. Oeriew of the plug-in Features of the plug-in The IBM Tioli Identity Manager Password Synchronization plug-in enables connectiity between the Tioli Identity Manager serer and a system running the domain controller. This installation guide proides the basic information that you need to install and configure the Password Synchronization plug-in. This chapter proides an oeriew of the plug-in and the features of the plug-in. The Password Synchronization plug-in intercepts the domain user password changes and communicates with IBM Tioli Identity Manager for password rules erification and synchronization. The new password is synchronized with other accounts managed by IBM Tioli Identity Manager for the domain user. Interaction among Actie Directory, the adapter, and the plug-in The Actie Directory and Password Synchronization plug-in work together for password change requests originating from Tioli Identity Manager. The password changes are done directly on the resource. The two following configurations are for password changes. Configuration 1: Forward password change IBM Tioli Identity Manager serer WebSphere Application Serer or WebLogic serer Single or Cluster Agent Serer d Windows Domain Controller Serer 1 Password Synchronization plug-in a Password Change Request Registry Actie Directory Adapter b Password Change c Actie Directory In this configuration, the Actie Directory user password change is initiated from Tioli Identity Manager. The password change request is sent to the Actie Directory Adapter in DAML format. The following is sequence of operations. 1. The Actie Directory Adapter detects password change. It stores user ID and password in the registry in the key PasswordChanges. The user ID and password are stored in the encrypted format. See a in the illustration. 2. The Actie Directory Adapter then initiates a password change operation on Actie directory. See b in the illustration. 3. Before the password is actually changed on the resource, Password Synchronization plug-in is inoked. The user ID and password to be changed are passed to Password Synchronization by the Windows operating system. See c in the illustration. 4. When the Connect to Windows Actie Directory Adapter Registry is enabled, the Password Synchronization plug-in accesses Actie Directory Adapter registry to determine if the change is initiated from Tioli Identity Manager. For Copyright IBM Corp

14 this the password sync plug-in connects to Actie Directory Adapter registry and reads PasswordChanges key. It reads in all the user ID-password pairs from the key and compares them with the input user ID and password. If a match is found, Password Synchronization plug-in ignores the request because password from Tioli Identity Manager is already complying with the password rules. Also because the password change is initiated from Tioli Identity Manager, the password synchronization is performed by Tioli Identity Manager. See d in the illustration. 5. The Actie Directory Adapter deletes the expired user ID - password pair from the Actie Directory Adapter registry. This is done wheneer a password is specified in any of the Actie Directory Adapter supported operations, such as, Add, Modify, Password Change, or Restore. This flushes the registry and restricts it growth. This also ensures that any older user ID and password pair is not used during the comparison. Note: All user ID - password pair are treated as expired after 10 minutes of their creation. Configuration 2: Reerse password change a User changes windows password Windows Domain Controller Serer 1 Actie Directory b Password Synchronization plug-in d Password Synchronization with IBM Tioli Identity Manager IBM Tioli Identity Manager serer WebSphere Application Serer or WebLogic serer Single or Cluster Agent Serer c Registry Actie Directory Adapter In this configuration, the Actie Directory user password change is initiated from the resource. Following is the sequence of the operations. 1. The user changes account password by first selecting Ctrl + Alt + Delete and then clicking Change Password. The password change on the resource can also be initiated by a. On a domain controller workstation, select Start -> Programs -> Administratie Tools -> Actie Directory Users and Computers. b. Browse to the appropriate container or organization unit. Select the user whose password is to be changed. Right click on the user and click Reset password. 2 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

15 Supported configurations See a in the illustration. 2. The Windows operating system captures the password change eent. Before the password is actually changed on the resource, the Password Synchronization plug-in is inoked. The user ID and password are passed to the plug-in. See b in the illustration. 3. When the Connect to Windows Actie Directory Adapter Registry is enabled, the Password Synchronization plug-in accesses Actie Directory Adapter registry to determine if the password change is initiated from Tioli Identity Manager. In this case, because the password is directly changed on the resource, no matching user ID password pair is found in Actie Directory Adapter registry. The Password Synchronization plug-in determines that the password change is initiated by the user on the resource directly. See c in the illustration. 4. If Enable Password rules is enabled for Password Synchronization plug-in, the plug-in sends the password to Tioli Identity Manager for rules erification. If the password matches the rules defined in Tioli Identity Manager then Tioli Identity Manager sends success back to Password Synchronization plug-in. The plug-in notifies the Windows operating system that password complies to the password rules and can proceed. The password is then actually changed on the resource. After password change, the Windows operating system again inokes Password Synchronization to indicate that the password change operation is successful. Password Synchronization plug-in then sends SUCCESS to Tioli Identity Manager for password change operation. Upon receipt of success, Tioli Identity Manager then synchronizes the password with rest of the accounts of the user. See d in the illustration. Following are the configurations for Password Synchronization and Actie Directory Adapter. Password Synchronization is always deployed on a domain controller workstation. The adapter can be deployed on domain controller or non-domain controller workstation Configuration 1: Password Synchronization and Actie Directory Adapter on same domain controller workstation Domain 1 IBM Tioli Identity Manager serer WebSphere Application Serer or WebLogic serer Single or Cluster DAML Windows Actie Directory Domain Controller Password Synchronization plug-in Registry DAML Actie Directory Adapter Chapter 1. Oeriew of the plug-in 3

16 In this configuration, Actie Directory Adapter and Password Synchronization are installed on same domain controller. No specific registry permissions are required. Password Synchronization can directly access the Actie Directory Adapter registry. Configuration 2: Password Synchronization and Actie Directory Adapter on different domain controller workstations Domain 1 IBM Tioli Identity Manager serer WebSphere Application Serer or WebLogic serer Single or Cluster DAML Windows Actie Directory Domain Controller Password Synchronization plug-in Windows Actie Directory Domain Controller Registry DAML Actie Directory Adapter In this configuration Password Synchronization and Actie Directory Adapter are installed on different domain controller workstations in the same domain. Registry permissions need to be granted to allow Password Synchronization access to the Actie Directory Adapter registry. See Setting up registry access on page 5 to determine which permissions need to be set for this configuration. Configuration 3: Password Synchronization on a domain controller workstation and Actie Directory Adapter on a non-domain controller workstation Domain 1 IBM Tioli Identity Manager serer WebSphere Application Serer or WebLogic serer Single or Cluster DAML Windows Actie Directory Domain Controller Password Synchronization plug-in Any non Domain Controller machine Registry DAML Actie Directory Adapter In this configuration Password Synchronization is installed on a domain controller workstation. Actie Directory Adapter is installed on non-domain controller workstation. Password Synchronization and Actie Directory Adapter are in the same domain. Registry permissions need to be granted to allow Password Synchronization access to the Actie Directory Adapter registry. See Setting up registry access on page 5 to determine which permissions need to be set for this configuration. 4 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

17 Configuration 4: Password Synchronization and Actie Directory Adapter in different domains Domain 1 IBM Tioli Identity Manager serer WebSphere Application Serer or WebLogic serer Single or Cluster DAML Windows Actie Directory Domain Controller Password Synchronization plug-in Domain Controller or non Domain Controller machine Registry DAML Actie Directory Adapter Cross Domain Trust Setting up registry access In this configuration Password Synchronization is installed on a domain controller workstation. Actie Directory Adapter is installed on a domain controller or non-domain controller workstation. Password Synchronization and Actie Directory Adapter are in different domains. Cross domain trust is required to enable Password Synchronization access to the Actie Directory Adapter registry. See Setting up registry access to determine which permissions need to be set for this configuration. The to perform the forward and reerse password change operations, Password Synchronization needs to access to the Actie Directory Adapter registry to determine if the password change is initiated from Tioli Identity Manager. Password Synchronization requires read and write access for reading the alues and flushing the alues. The following steps explain how the permissions are set on Actie Directory Adapter registry key to enable registry access from same or different workstation. Table 1. Registry access permissions Step Description Configuration 1. Set up appropriate permissions on HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ SecurePipeSerers\ winreg key.see Using the winreg key to grant access to the registry on page 6 for more information. 2. Alternatie to step 1 is to bypass winreg key and use HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\SecurePipeSerers\winreg\AllowedPaths key. See Bypassing the Access Restriction on page 7 for more information. 3. Go to key HKEY_LOCAL_MACHINE\SOFTWARE\Access360. Go to Menu > Security > Permissions. Add the user or group to which access is to be granted. Grant full access to the user or group. Configuration 2 Configuration 3 Configuration 4 Configuration 2 Configuration 3 Configuration 4 Configuration 2 Configuration 3 Workstation that the step applies to Actie Directory Adapter workstation Actie Directory Adapter workstation Actie Directory Adapter workstation Chapter 1. Oeriew of the plug-in 5

18 Table 1. Registry access permissions (continued) Step Description Configuration 4. Ensure that the time on the workstation where Actie Directory Adapter is installed is synchronized to the domain controller. 5. Ensure that the domain administrators are members of the local Administrators group on the workstation where Actie Directory Adapter is installed. 6. Ensure that the Remote Registry Serice is started and running in Automatic mode. To check this serice, go to Control Panel > Serices > Remote Registry Serice. Configuration 2 Configuration 3 Configuration 4 Configuration 2 Configuration 3 Configuration 4 Configuration 2 Configuration 3 Configuration 4 Workstation that the step applies to Actie Directory Adapter workstation, Password Synchronization workstation Actie Directory Adapter workstation Actie Directory Adapter workstation If the Actie Directory Adapter serer and Password Synchronization are in different domains, following steps are required for registry access oer domains. 7. Ensure that domain functional leel and forest functional leel are setup correctly for two-way trust relationship. Mix-mode domain functional leel might hae errors while setting up trust relationship. 8. Ensure that domain trust relationship is two-way, transitie and of type Forest. 9. Ensure that all the domain controller workstations in the domains and the Actie Directory Adapter serer workstation are time synchronized. Configuration 4 Configuration 4 Configuration 4 All domain controller workstations All domain controller workstations All domain controller workstations, Actie Directory Adapter workstation If the Actie Directory Adapter is located on the domain controller, following additional steps needs to be done. 10. Go to Control Panel > Administratie Tools > Domain Security Policy. GotoSecurity Settings > Local Policies > Security Options. Add Software\Access360\ADAgent to option Network access: Remotely accessible registry paths and sub-paths 11. Under Security Settings > System Serices > Remote Registry, ensure that it is started automatically eery time. Gie permission to eeryone. 12. Go to Control Panel > Administratie Tools > Domain Controller Security Policy. Perform steps 3 to 6 for Domain Controller Security Policy. Configuration 2 Configuration 4 Configuration 2 Configuration 4 Configuration 2 Configuration 4 Actie Directory Adapter workstation Actie Directory Adapter workstation Actie Directory Adapter workstation Note: For modifying registry settings use regedt32.exe for Windows 2000 platform and regedit.exe for Windows 2003 platform. Using the winreg key to grant access to the registry In Windows 2000 and later, only Administrators and Backup Operators hae default network access to the registry. To restrict or grant network access for any particular group or user to the registry, follow the steps listed below to create the following Registry key: Table 2. Registry key Registry key HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ SecurePipeSerers\ winreg Type REG_SZ Value REG_SZ 6 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

19 The Security permissions set on this key define what users or groups can connect to the system for remote registry access. The default Windows installation defines this key and sets the access control list (ACL) to restrict remote registry access as follows: Administrators hae Full Control. The default configuration for Windows operating systems permits only administrators remote access to the Registry. Changes to this key to allow users remote registry access require a system restart before they take effect. To create the registry key to grant access to the registry: 1. Start Registry Editor (regedit.exe) and go to the following sub-key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control 2. On the Edit menu, click Add Key. 3. Enter the following alues: Key Name: SecurePipeSerers Class: REG_SZ. 4. Go to the following sub-key: HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\SecurePipeSerers 5. On the Edit menu, click Add Key. 6. Enter the following alues: Key Name: winreg Class: REG_SZ. 7. Go to the following sub-key: HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\SecurePipeSerers\winreg 8. On the Edit menu, click Add Value. 9. Enter the following alues: Value Name: Description Data Type: REG_SZ String: Registry Serer. 10. Go to the following sub-key HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\SecurePipeSerers\winreg 11. Select winreg. Click Security and then click Permissions. Add users or groups to which you want to grant access. 12. Exit Registry Editor and restart the Windows operating system. Note: If you later want to change the list of users that can access the registry, repeat steps Bypassing the Access Restriction You can either add the account name that the serice is running under to the access list of the winreg key, or you can configure Windows to bypass the access restriction to certain keys by listing them in the workstation alue under the AllowedPaths key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurePipeSerers\winreg\AllowedPaths. For remote access to Actie Directory Adapter registry, append alue SOFTWARE\Access360\ADAgent to this key. Chapter 1. Oeriew of the plug-in 7

20 8 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

21 Chapter 2. Planning to install the plug-in Preinstallation road map Installing and configuring the adapter inoles seeral steps that you must complete in an appropriate sequence. Reiew the road maps before you begin the installation process. You must prepare the enironment before you can install the plug-in. Table 3. Preinstallation road map Task Obtain the installation software Verify that the software and hardware requirements for the adapter that you want to install hae been met. Collect the necessary information for the installation and configuration. For more information Download the software from Passport Adantage. See Downloading the software on page 10. See Prerequisites on page 10. See Information worksheet on page 10. Installation road map You must complete the necessary steps to install the plug-in including completing post-installation configuration tasks and erifying the installation. Table 4. Installation road map Task For more information Install the plug-in. See Chapter 3, Installing the plug-in, on page 11. Verify the installation. See Verifying the installation on page 16. Configure SSL communications. See Chapter 5, Configuring SSL authentication for the plug-in, on page 21. Copyright IBM Corp

22 Prerequisites Table 5 identifies installation prerequisites for this plug-in. Verify that all of the prerequisites hae been met before installing the Password Synchronization plug-in. Table 5. Prerequisites to install the plug-in Prerequisite Description System A Windows Serer running Actie Directory on the following 32-bit or 64-bit operating systems: Windows 2003 Windows 2003 R2 Windows 2008 System Administrator Authority Adapter Compatibility Tioli Identity Manager serer Version 5.1 Note: The Password Synchronization supports only x64 architecture, howeer, the Password Synchronization does not hae Itanium support. The person completing the Password Synchronization installation procedure must hae system administrator authority to complete the steps in this chapter. IBM Tioli Identity Manager Actie Directory Adapter, ersion 5.1 Information worksheet The following worksheet lists information necessary to complete the installation of the plug-in. Gather this information prior to beginning the installation process. Table 6. Information worksheet Required information Installation directory Tioli Identity Manager Application serer Target DN for the serice IBM Tioli Identity Manager account IBM Tioli Identity Manager account password Description The location where the plug-in is installed. The default is C:\Tioli\PwdSync IP address and SSL port On the Tioli Identity Manager serer The account under which the requests are submitted. The password for the IBM Tioli Identity Manager account under which the requests are submitted. Downloading the software Download the adapter software from your account in IBM Passport Adantage Online at: 10 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

23 Chapter 3. Installing the plug-in Before you begin About this task The following sections contain the information that you will need to install the Password Synchronization. Make sure you do the following: Verify that your site meets all the prerequisite requirements. See Prerequisites on page 10. Obtain a copy of the installation software. See Downloading the software on page 10. Obtain system administrator authority. This task proides all the necessary steps for installing the Password Synchronization software. Procedure 1. If you downloaded the installation software from Passport Adantage, perform the following steps: a. Create a temporary directory on the computer on which you want to install the software. b. Extract the contents of the compressed file into the temporary directory. 2. Start the installation program with the SetupPwdSynch.exe file in the temporary directory. Note: When you install the Windows Password Sync plug-in by using Windows Remote Desktop, ensure that you open the remote desktop connection by using the command mstsc/console. If you do not do so, the following issue might occur: The Windows Password Sync plug-in is installed successfully, howeer, on restarting the domain controller the TioliPwdSync DLL is not loaded and the PwdSync.log file is not created under the plug-in's log directory. 3. Select a language and click OK. 4. On the Introduction window, click Next. 5. Specify where you want to install the adapter in the Directory Name field. Perform one of the following steps: Click Next for the default location. Click Choose and naigate to a different directory and click Next. 6. In the License Agreement window: a. Reiew the license agreement and select Accept. b. Click Next. Copyright IBM Corp

24 7. Choose the CA certificate file and click Next. For information about CA certificates installation after Password Synchronization adapter installation, see Installing CA certificates on page Reiew the installation settings in the Pre-Installation Summary window and do one of the following: Click Preious and return to a preious window to change any of these settings. Click Install when you are ready to begin the installation. 9. In the PFConfig window, complete all of the text fields in the window. The following information describes the fields: Installation Path Specifies the installation path for the Password Synchronization plug-in. The alue specified must match with the installation directory alue entered earlier in the installation process. ITIM Host Name or IP Specifies the IP address for the Tioli Identity Manager serer. SSL Port Number Specifies the SSL port for the Tioli Identity Manager serer. The default SSL port for WebSphere Application Serer is 9443 on a single serer setup. If you hae a WebShpere Application Serer cluster, the IBM HTTP Serer needs to be configured for SSL. The default port for HTTP SSL is 443. For example, shreth.tilab.austin.ibm.com:9443 Note: For more information about configuring certificate see Installing CA certificates on page 15. Serice DN Specifies the Target DN of the serice that is being monitored. At the Serice DN field, click Configure Target Serices. A list of configured target serices appears. Note: One copy of the Password Synchronization client can monitor multiple base points. Enter each of the points using the Target Serices window. To edit a target serice, click the serice and click Edit. The Base Point and Serice Target DN specifications appear. The base point in the Actie Directory must match the serice Target DN on the Tioli Identity Manager serer. Base Point The base points specified must be identical to the base points configured in your Actie Directory Adapter. The default base point is the root domain of the Actie Directory. Example 1 If the root of Actie Directory is Cascades.Irine.IBM.com, the Base Point must be specified as: dc=cascades,dc=irine,dc=ibm,dc=com Example 2 If you installed the Windows Actie Directory Adapter 12 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

25 in an OU (organizational short name) of your Actie Directory, Users, for example, the Base Point would be entered as: cn=users,dc=cascades,dc=irine,dc=ibm,dc=com Serice Target DN The format is: ersericename=nameofserice,o=organizationname ou=organizationshortname,dc=com Note: Although DN formatting is used for the Serice DN alue, this is not the DN of the serice being monitored. These are parameter alues to the Password Synchronization plug-in. ersericename Specifies the name of the target serice used by the Tioli Identity Manager serer o Specifies the name of the organization on the Tioli Identity Manager serer ou Specifies the short name defined for the organization during installation and configuration of the Tioli Identity Manager serer. If this alue is not known, it can be determined by opening the LDAP configuration tool for your product and locating the new root suffix created during the IBM Tioli Identity Manager installation. dc=com Specifies the root of the directory tree. For example, if you installed the Tioli Identity Manager serer in the root LDAP suffix called ITIM and your Windows Actie Directory serice is named WinAD Corp Serer and is installed in an organization named Finance Org, the IBM Tioli Identity Manager organization chart would look similar to the following diagram: + ITIM Home + Corporate Org + IT Org Unit + HR Org Unit + Finance Org + Accounts Payable Org Unit This Windows Actie Directory Adapter example has the following Serice DN alue: ersericename=winad Corp Serer,o=Finance Org, ou=itim,dc=com ITIM Principal Specifies the IBM Tioli Identity Manager account under which the password change requests are submitted. The account must hae the proper authority to submit password change requests for the desired people. This authority is granted when you create the access control information (ACI) for the Principal account by granting read and write permissions to all the attributes that were listed. Chapter 3. Installing the plug-in 13

26 At a minimum, the principal needs to be granted read and write permissions to perform the following tasks for password synchronization: a. Search for the account that triggered the password synchronization b. Search for that account s owner. c. Search for any accounts that should hae their passwords synchronized. d. Modify those same accounts, with write access to their password attributes. You need to create an account specifically for these types of requests. Refer to the IBM Tioli Identity Manager Information Center for more information on creating accounts and priileges. Password Specifies the password for the IBM Tioli Identity Manager account under which the password change requests are submitted Verify Password Specifies the erification field for the IBM Tioli Identity Manager account password Max Notify Thread Count Specifies the maximum number of Password Change requests which can be processed by the plug-in at any one time. The plug-in processes password synchronization requests in a multi-threaded manner. This alue limits the number of threads to be created, so that requests can be processed in parallel. For example, if this alue is specified as 15, then the password synchronization plug-in processes only 15 parallel password change requests at any one time. The next password change request after 15 fails. The default alue for this parameter is 10. Agent Host Machine Specifies the name of the computer where the Windows Actie Directory Adapter is installed and running. For example, \\mymachine Agent Name Specifies the adapter's registry key name. This alue is ADAgent. Enable Password Synchronization Specifies if password synchronization should be enabled or disabled. When password synchronization is enabled, all password change requests are sent to IBM Tioli Identity Manager in order to synchronize all passwords affected by the change request. When password synchronization is not enabled, the Password Synchronization plug-in ignores all password change requests on the managed resource. Enable Password Rules Verification Validates that the password complies with the password rules defined for the user. When this option is selected, the new password is checked against the password policy rules defined for each account type to be 14 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

27 Installing CA certificates synchronized. Unless the password is alid for all accounts, the password change fails with an error indicating that the new password does not meet specified password rules. Refer to the IBM Tioli Identity Manager Information Center for more information on setting IBM Tioli Identity Manager password policies. Require ITIM Response This option is enabled only if Enable Password Rules Verification is selected. When this option is selected, passwords cannot be changed on Actie Directory if Tioli Identity Manager is unaailable. Enable Logging Allows administrators to enable logging for password change requests sent to the Actie Directory Serer. Connect to the Windows Actie Directory Adapter Registry When you select this check box, Tioli Password Sync attempts to connect to Windows Actie Directory Adapter registry. Howeer, when you clear this heck box, Tioli Password Sync does not attempt to connect to Windows Actie Directory Adapter registry. An informatie message is logged in log file. You must use the serer side recursion control to aoid looping. Tioli Identity Manager ersion 4.6 Fix Pack 61 or later and Tioli Identity Manager ersion 5.0 Fix Pack 02 or later also has serer side recursion control. 10. In the Install Complete window, answer the question about restarting the system, and click Done. 11. Restart the Actie Directory Serer. Notes: a. The connection information can be modified at a later time by running the pfconfig.exe program. This program opens the IBM Tioli Identity Manager Password Change Notification Configuration page. b. The Restart panel might not be displayed. For password synchronization to function correctly, you must install CA certificate and restart the system. c. When you make any changes in SSL configuration such as adding a new certificate or remoing a certificate, you must restart the system. To install the CA certificates after you install the Password Synchronization adapter, perform the following steps: 1. Go to Start>Run and type mmc and click OK or press Enter. 2. From the Console menu, select the Add/Remoe Snap-in. 3. From the Add/Remoe Snap-in window, click Add to display the Add Standalone Snap-in window. 4. From the Add Standalone Snap-in window, select Certificates and click Add. 5. On the Certificates Snap-in window, select Computer Account and click Next to display the Select Computer window. 6. Select Local computer and click Finish, Close, and then OK. 7. Expand Certificates (Local computer)>trusted Root Certification Authorities and select Certificates. 8. Right-click Certificates and select All Tasks>Import to display the Certificate Import Wizard and click Next. Chapter 3. Installing the plug-in 15

28 What to do next Verifying the installation 9. Browse or type the name of the CA certificate for the Tioli Identity Manager serer and click Next. 10. Select Place all certificates in the following store option and click Next and then click Finish. You can also use the CertMgr.exe command line tool to install the CA certificates after the Password Synchronization adapter installation. When you use the CertMgr.exe command line tool to install the CA certificates, run the following command: CertMgr -add -c certificate file -s -r localmachine root where, certificate file is the full path to the certificate file. After you finish the installation, you must install CA certificates. See Installing CA certificates on page 15. If the adapter is installed correctly, these directories are created: bin jre license log Uninstall_Tioli Windows Password Synch Plugin The following files are created in the system32 directory, for example, C:\Windows\system32. Table 7. Operating system and file Operating system 32-bit operating system 64-bit operating system File TioliPwdSync.dll TioliPwdSync64.dll Reiew the installer log file (Tioli_Windows_Password_Synch_Plugin_InstallLog.log) located in the installation directory, for example, C:\Tioli\PasswordSynch for any errors. When you use regedit.exe or regedt32.exe ensure that Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages includes the TioliPwdSync for 32-bit operating systems and TioliPwdSync64 for 64-bit operating systems. Ensure that your certificates are installed correctly. The SSL handshake fails when the certificate or the CA is not installed. 16 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

29 Chapter 4. Installing and uninstalling the plug-in by using the silent mode Silent installation suppresses the adapter installation wizard and the Launcher User Interfaces (UIs). It does not display any information or require interaction. You can use the silent option to install or uninstall the adapter in silent mode. Note: The plug-in installs run time files from Microsoft. The installer for these run times shows some user interfaces and you cannot suppress these user interfaces. If you install the plug-in in silent mode, the uninstaller runs in silent mode irrespectie of whether you are using silent option or not. Installing the plug-in by using the silent mode Installing the plug-in with default options To install the adapter with the silent option: 1. Naigate to the location where you hae stored the SetupPwdSync.exe. 2. Run the following command from command prompt: SetupPwdSync.exe -i silent -DLICENSE_ACCEPTED=TRUE The adapter is installed in the adapter installation directory, C:\Tioli\PasswordSynch. A log file, pwd_out.txt, is created and the plug-in is installed with the default alue, %SYSTEM_DRIVE_ROOT%:\Tioli\ passwordsynch. After you install the plug-in, you must: 1. Run the pfconfig.exe (For 32-bit ersion of the plug-in) and pfconfig64.exe (For 64-bit ersion of the plug-in) from the bin directory and configure the plug-in. 2. Install the CA certificates. For information about CA certificates installation, see Installing CA certificates on page Restart the workstation. Installing the plug-in with command line options You can specify the listed installation options from the command prompt when you install the plug-in by using the silent mode. For example, if you want to oerride the default installation directory path then, run the following command: SetupPwdSynch.exe -i silent -DLICENSE_ACCEPTED=TRUE -DUSER_INSTALL_DIR= "D:\Tioli\MyFolder" Note: The -D option is followed by a ariable and a alue pair without any space after the -D option. You must wrap arguments with quotation marks when the arguments contain spaces. Copyright IBM Corp

30 Table 8. Installation options Option -DUSER_INSTALL_DIR=Value -DLICENSE_ACCEPTED=Value Value Value oerrides the default installation directory path. For example, D:\Tioli\MyFolder. Accept the IBM license for plug-in, the alue must be TRUE. When you do not specify this option, the default alue is FALSE. -DUSER_CERT_FILE=Value -DPATH_OF_CERT_FILE=Value The name of the CA certificate file for your IBM Tioli Identity Manager serer. For example, My_CertfileName.cer. The full path of the CA certificate file (excluding the file name) for your IBM Tioli Identity Manager serer. For example, C:\CA_My_Folder. After you install the plug-in, you must: 1. Run the pfconfig.exe (For 32-bit ersion of the plug-in) and pfconfig64.exe (For 64-bit ersion of the plug-in) from the bin directory and configure the plug-in. 2. Restart the workstation. Installing the plug-in by using the response file Generating the response file You can use response file to proide inputs during silent installation. Response file can be generated by running the following command. This runs the installer in interactie mode and install the plug-in. SetupPwdSync.exe r "Full path of response file" For example: SetupPwdSync.exe r "c:\temp\pwdsynresponse.txt" Note: If you are running this command to only generate the response file, you must uninstall the plug-in by using the uninstaller. Creating the response file manually You can also manually create the response file with the following content: #Start of Response file #Choose Install Folder # USER_INSTALL_DIR=Value #Has the license been accepted # LICENSE_ACCEPTED=TRUE #Select CA Certificate file. # USER_CERT_FILE=Value PATH_OF_CERT_FILE=Value #End of Response file 18 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

31 After you create the response file you can use it as: SetupPwdSynch.exe i silent -f "Full path of response file" After you install the Windows Tioli Password Synchronization plug-in, you must: 1. Run the pfconfig.exe (For 32-bit ersion of the plug-in) and pfconfig64.exe (For 64-bit ersion of the plug-in) from the bin directory and configure the plug-in. 2. Reboot the workstation. Uninstalling the plug-in by using the silent mode Run the following command from command line to uninstall the Windows Tioli Password Synchronization plug-in by using the i silent option. Specify the full path when you are not running the command from Uninstall_Tioli Windows Password Synch Plugin directory in the installation directory of the plug-in. "Uninstall Tioli Windows Password Synch Plugin.exe" -i silent For example, "C:\Tioli\PasswordSynch\Uninstall_Tioli Windows Password Synch Plugin\Uninstall Tioli Windows Password Synch Plugin.exe" -i silent. Note: Restart the workstation to completely remoe plug-in. Chapter 4. Installing and uninstalling the plug-in by using the silent mode 19

33 Chapter 5. Configuring SSL authentication for the plug-in In order to establish a secure connection between a IBM Tioli Identity Manager adapter and the Tioli Identity Manager serer, you must configure the adapter and the serer to use the Secure Sockets Layer (SSL) authentication. By configuring the adapter for SSL, you ensure that the Tioli Identity Manager serer erifies the identity of the adapter before a secure connection is established. The Password Synchronization plug-in uses http with SSL to establish secure communications. Note: In a production enironment, you need to enable SSL security. For testing purposes you might want to disable SSL. Howeer, if an external application that communicates with the adapter (such as Tioli Identity Manager serer) is set to use serer authentication, you must enable SSL on the adapter to erify the certificate that the application presents. You can configure SSL authentication for connections that originate from the Tioli Identity Manager serer or from the adapter. Typically, the Tioli Identity Manager serer initiates a connection to the adapter in order to set or retriee the alue of a managed attribute on the adapter. Howeer, depending on the security requirements of your enironment, you might need to configure SSL authentication for connections that originate from the adapter. For example, if the adapter uses eents to notify the Tioli Identity Manager serer of changes to attributes on the adapter, you can configure SSL authentication for Web connections that originate from the adapter to the Web serer that is used by the Tioli Identity Manager serer. This chapter presents an oeriew of SSL authentication and digital certificates. Oeriew of SSL and digital certificates When you deploy IBM Tioli Identity Manager into an enterprise network, you must secure communication between the Tioli Identity Manager serer and the software products and components with which the serer communicates. The industry-standard SSL protocol, which uses signed digital certificates from a certificate authority (ca) for authentication, is used to secure communication in a IBM Tioli Identity Manager deployment. Additionally, SSL proides encryption of the data exchanged between the applications. Encryption makes data transmitted oer the network intelligible only to the intended recipient. Signed digital certificates enable two applications connecting in a network to authenticate each other's identity. An application acting as an SSL serer presents its credentials in a signed digital certificate to erify to an SSL client that it is the entity it claims to be. An application acting as an SSL serer can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as those proided by OpenSSL, can also issue signed certificates. A certificate-authority certificate (ca certificate) must be installed to erify the origin of a signed digital certificate. When an application receies another application's signed certificate, it uses a ca certificate to erify the originator of the Copyright IBM Corp

34 certificate. A certificate authority can be well-known and widely used by other organizations, or it can be local to a specific region or company. Many applications, such as Web browsers, are configured with the ca certificates of well known certificate authorities to eliminate or reduce the task of distributing ca certificates throughout the security zones in a network. Priate keys, public keys, and digital certificates Keys, digital certificates, and trusted certificate authorities are used to establish and erify the identities of applications. SSL uses public key encryption technology for authentication. In public key encryption, a public key and a priate key are generated for an application. Data encrypted with the public key can only be decrypted using the corresponding priate key. Similarly, the data encrypted with the priate key can only be decrypted using the corresponding public key. The priate key is password-protected in a key database file so that only the owner can access the priate key to decrypt messages that are encrypted using the corresponding public key. A signed digital certificate is an industry-standard method of erifying the authenticity of an entity, such as a serer, client, or application. In order to ensure maximum security, a certificate is issued by a third-party certificate authority (ca). A certificate contains the following information to erify the identity of an entity: Organizational information This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility. Public key The receier of the certificate uses the public key to decipher encrypted text sent by the certificate owner to erify its identity. A public key has a corresponding priate key that encrypts the text. Certificate authority's distinguished name The issuer of the certificate identifies itself with this information. Digital signature The issuer of the certificate signs it with a digital signature to erify its authenticity. This signature is compared to the signature on the corresponding ca certificate to erify that the certificate originated from a trusted certificate authority. Web browsers, serers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted Certificate Authority and is otherwise alid. For example, a digital certificate can be inalidated because it has expired or the ca certificate used to erify it has expired, or because the distinguished name in the digital certificate of the serer does not match the distinguished name specified by the client. Self-signed certificates You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner's signature. It has an associated priate key, but it does not erify the origin of the certificate through a third-party certificate authority. Once you 22 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

35 generate a self-signed certificate on an SSL serer application, you must extract it and add it to the certificate registry of the SSL client application. This procedure is the equialent of installing a ca certificate that corresponds to a serer certificate. Howeer, you do not include the priate key in the file when you extract a self-signed certificate to use as the equialent of a ca certificate. Use a key management utility to generate a self-signed certificate and priate key, extract a self-signed certificate, and add a self-signed certificate. Where and how you choose to use self-signed certificates depends on your security requirements. In order to achiee the highest leel of authentication between critical software components, do not use self-signed certificates, or use them selectiely. For example, you can choose to authenticate applications that protect serer data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or IBM Tioli Identity Manager adapters. If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and ca certificate pair. Certificate and key formats Certificates and keys are stored in files with the following formats:.pem format A priacy-enhanced mail (.pem ) format file begins and ends with the following lines: -----BEGIN CERTIFICATE END CERTIFICATE----- A.pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create ca certificates..arm format An.arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its priate key. An.arm file format is generated and used by the IBM Key Management utility..der format A.der file contains binary data. A.der file can only be used for a single certificate, unlike a.pem file, which can contain multiple certificates..pfx format (PKCS12) A PKCS12 file is a portable file that contains a certificate and a corresponding priate key. This format is useful for conerting from one type of SSL implementation to a different implementation. Configuring certificates when the plug-in operates as an SSL client In this configuration, the plug-in operates as an SSL client. For example, the plug-in initiates the connection and the Web serer responds by presenting its certificate to the plug-in. Figure 1 on page 24 illustrates how a IBM Tioli Identity Manager plug-in operates as an SSL seer and an SSL client. When communicating with the Tioli Identity Manager serer, the plug-in sends its certificate for authentication. When communicating with the Web serer, the plug-in receies the certificate of the Web Chapter 5. Configuring SSL authentication for the plug-in 23

36 serer. Certificate A CA Certificate C CA Certificate A Tioli Identity Manager Adapter A Hello Certificate A Tioli Identity Manager Serer B Certificate C Hello Web serer Certificate C C Figure 1. IBM Tioli Identity Manager plug-in operating as an SSL serer and an SSL client If the Web Serer is configured for two-way SSL authentication, it erifies the identity of the plug-in, which sends its signed certificate to the Web serer (not shown in the illustration). In order to enable two-way SSL authentication between the plug-in and Web serer, use the following procedure: 1. Configure the Web serer to use client authentication. 2. Follow the procedure for creating and installing a signed certificate on the Web serer. 3. Install the ca certificate on the plug-in. 4. Add the ca certificate corresponding to the signed certificate of the plug-in to the Web serer. For more information on configuring certificates when the plug-in initiates a connection to the Web serer (used by the Tioli Identity Manager Serer) to send a notification, see the Tioli Identity Manager Information Center. 24 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

37 Chapter 6. Taking the first steps after installation After installing and configuring the adapter: 1. Install the CA certificate if you hae not installed it during plug-in installation. For information about CA certificates installation after Password Synchronization plug-in installation, see Installing CA certificates on page Restart the domain controller. Note: After you restart the domain controller, ensure that the PwdSync.log file is created in the log directory. Copyright IBM Corp

39 Chapter 7. Uninstalling the plug-in This section describes the procedures for uninstalling the Password Synchronization plug-in. Inform users that the resource will be unaailable prior to remoing the client. If the serer is taken offline, Password Synchronization requests that are not completed may not be recoered when the serer is back online. Complete the following procedure to remoe the Password Synchronization plug-in and directories. 1. From the Windows Control Panel, select Add/Remoe Programs > Tioli Windows Password Synch Plugin. 2. On the Introduction window, click Uninstall. 3. On the Uninstall Complete window, click Done. 4. Restart the workstation. Note: To ensure that the Password Synchronization directories, subdirectories, and files are remoed from the system, iew the directory tree. When you use regedit.exe or regedt32.exe ensure that Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ Notification Packages does not include the TioliPwdSync for 32-bit operating systems and TioliPwdSync64 for 64-bit operating systems. Copyright IBM Corp

41 Appendix A. Support information Searching knowledge bases Use the following options to obtain support for IBM products: Searching knowledge bases Contacting IBM Software Support If you hae a problem with your IBM software, you want it resoled quickly. Begin by searching the aailable knowledge bases to determine whether the resolution to your problem is already documented. Search the information center on your local system or network IBM proides extensie documentation that can be installed on your local computer or on an intranet serer. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents. Search the Internet If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resole your problem. To locate Internet resources for your product, open one of the following Web sites: Performance and tuning information Proides information needed to tune your production enironment, aailable on the Web at: Click the I character in the A-Z product list to locate IBM Tioli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section. Redbooks and white papers are aailable on the Web at: IBMTioliIdentityManager.html Browse to the Self Help section, in the Learn category, and click the Redbooks link. Technotes are aailable on the Web at: Field guides are aailable on the Web at: For an extended list of other Tioli Identity Manager resources, search the following IBM deeloperworks Web address: Contacting IBM Software Support IBM Software Support proides assistance with product defects. Copyright IBM Corp

42 Before contacting IBM Software Support, your company must hae an actie IBM software maintenance contract, and you must be authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you hae: For IBM distributed software products (including, but not limited to, Tioli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows or UNIX operating systems), enroll in Passport Adantage in one of the following ways: Online: Go to the Passport Adantage Web page ( serices/passport.nsf/webdocs/ Passport_Adantage_Home) and click How to Enroll By phone: For the phone number to call in your country, go to the IBM Software Support Web site ( contacts.html) and click the name of your geographic region. For IBM eserer software products (including, but not limited to, DB2 and WebSphere products that run in zseries, pseries, and iseries enironments), you can purchase a software maintenance agreement by working directly with an IBM sales representatie or an IBM Business Partner. For more information about support for eserer software products, go to the IBM Technical Support Adantage Web page ( If you are not sure what type of software maintenance contract you need, call IBMSERV ( ) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook on the Web ( and click the name of your geographic region for phone numbers of people who proide support for your location. Follow the steps in this topic to contact IBM Software Support: 1. Determine the business impact of your problem. 2. Describe your problem and gather background information. 3. Submit your problem to IBM Software Support. Determine the business impact of your problem When you report a problem to IBM, you are asked to supply a seerity leel. Therefore, you need to understand and assess the business impact of the problem you are reporting. Use the following criteria: Seerity 1 Seerity 2 Seerity 3 Seerity 4 Critical business impact: You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution. Significant business impact: The program is usable but is seerely limited. Some business impact: The program is usable with less significant features (not critical to operations) unaailable. Minimal business impact: The problem causes little impact on operations, or a reasonable circumention to the problem has been implemented. 30 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

43 Describe your problem and gather background information When explaining a problem to IBM, be as specific as possible. Include all releant background information so that IBM Software Support specialists can help you sole the problem efficiently. To sae time, know the answers to these questions: What software ersions were you running when the problem occurred? Do you hae logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information. Can the problem be re-created? If so, what steps led to the failure? Hae any changes been made to the system? (For example, hardware, operating system, networking software, and so on.) Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem. Submit your problem to IBM Software Support You can submit your problem in one of two ways: Online: Go to the "Submit and track problems" page on the IBM Software Support site ( Enter your information into the appropriate problem submission tool. By phone: For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook on the Web ( techsupport.serices.ibm.com/guides/contacts.html) and click the name of your geographic region. If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Wheneer possible, IBM Software Support proides a workaround for you to implement until the APAR is resoled and a fix is deliered. IBM publishes resoled APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolutions. For more information about problem resolution, see Searching knowledge bases. Appendix A. Support information 31

45 Appendix B. Accessibility Accessibility features help users with physical disabilities, such as restricted mobility or limited ision, to use software products successfully. The major accessibility features in this product enable users to do the following: Use assistie technologies, such as screen-reader software and digital speech synthesizer, to hear what is displayed on the screen. Consult the product documentation of the assistie technology for details on using those technologies with this product. Operate specific or equialent features using only the keyboard. Magnify what is displayed on the screen. In addition, the product documentation was modified to include the following features to aid accessibility: All documentation is aailable in both HTML and conertible PDF formats to gie the maximum opportunity for users to apply screen-reader software. All images in the documentation are proided with alternatie text so that users with ision impairments can understand the contents of the images. Naigating the interface using the keyboard Standard shortcut and accelerator keys are used by the product and are documented by the operating system. Refer to the documentation proided by your operating system for more information. Magnifying what is displayed on the screen You can enlarge information on the product windows using facilities proided by the operating systems on which the product is run. For example, in a Microsoft Windows enironment, you can lower the resolution of the screen to enlarge the font sizes of the text on the screen. Refer to the documentation proided by your operating system for more information. Copyright IBM Corp

47 Appendix C. Notices This information was deeloped for products and serices offered in the U.S.A. IBM may not offer the products, serices, or features discussed in this document in other countries. Consult your local IBM representatie for information on the products and serices currently aailable in your area. Any reference to an IBM product, program, or serice is not intended to state or imply that only that IBM product, program, or serice may be used. Any functionally equialent product, program, or serice that does not infringe any IBM intellectual property right may be used instead. Howeer, it is the user's responsibility to ealuate and erify the operation of any non-ibm product, program, or serice. IBM may hae patents or pending patent applications coering subject matter described in this document. The furnishing of this document does not gie you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drie Armonk, NY U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo , Japan The following paragraph does not apply to the United Kingdom or any other country where such proisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-ibm Web sites are proided for conenience only and do not in any manner sere as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it beliees appropriate without incurring any obligation to you. Copyright IBM Corp

48 Licensees of this program who wish to hae information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact: IBM Corporation 2ZA4/ Burnet Road Austin, TX U.S.A. Such information may be aailable, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material aailable for it are proided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equialent agreement between us. Any performance data contained herein was determined in a controlled enironment. Therefore, the results obtained in other operating enironments may ary significantly. Some measurements may hae been made on deelopment-leel systems and there is no guarantee that these measurements will be the same on generally aailable systems. Furthermore, some measurements may hae been estimated through extrapolation. Actual results may ary. Users of this document should erify the applicable data for their specific enironment. Information concerning non-ibm products was obtained from the suppliers of those products, their published announcements or other publicly aailable sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-ibm products. Questions on the capabilities of non-ibm products should be addressed to the suppliers of those products. Trademarks IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is aailable on the Web at "Copyright and trademark information" at copytrade.shtml. Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom. 36 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

49 Jaa and all Jaa-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a trademark of Linus Toralds in the U.S., other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Goernment Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Goernment Commerce. Other company, product, and serice names may be trademarks or serice marks of others. Appendix C. Notices 37

51 Index A access restrictions bypassing 7 accessibility i, 33 adapter silent installation 17 silent uninstallation 19 administrator authority 10 B books, see publications iii, i bypassing access restrictions 7 C Certificate Authority definition 21 certificates definition 21 key formats 23 oeriew 21 priate keys and digital certificates 22 self-signed 22 changing passwords 1 client alidation, SSL 23 configurations supported 3 customer support, see Software Support 29 D document conentions ii documents IBM Tioli Identity Manager library related E education, see Tioli technical training encryption SSL 21, 22 enironment ariables, notation iii H HKEY_LOCAL_MACHINE 5 I import PKCS12 file 23 inatallation erify 16 information centers, searching to find software problem resolution 29 installation plug-in 11 iii i installation prerequisites administrator authority 10 communication with Tioli Identity Manager serer 10 plug-in compatibility 10 serer 10 system 10 internet software problem resolution, searching for 29 K knowledge bases, searching to find software problem resolution 29 M manuals, see publications N notation enironment ariables path names iii typeface iii O online access publications i terminology ordering publications i iii, i iii P passwords changing forward 1 reerse 2 permmissions 5 plug-in features 1 installation 11 installation oeriew 1 plug-in compatibility 10 plug-in oeriew 1 priate key definition 21 problem determination describing problem for IBM Software Support 31 determining business impact for IBM Software Support 30 submitting problem to IBM Software Support 31 protocol SSL oeriew 21 two-way configuration 23 public key 22 publications accessing online i IBM Tioli Identity Manager library iii Copyright IBM Corp

52 publications (continued) ordering i related W winreg 6 R registry bypassing access restrictions 7 registry access 5 winreg key 6 remote access bypassing restrictions 7 S self-signed certificate 22 serer prerequisites 10 silent adapter installation 17 silent adapter uninstallation 19 silent installation adapter 17 silent uninstallation adapter 19 Software Support contacting 29 describing problem for IBM Software Support 31 determining business impact for IBM Software Support 30 submitting problem to IBM Software Support 31 SSL certificate installation 21 encryption 21 key formats 23 oeriew 21 priate keys and digital certificates 22 self-signed certificates 22 two-way configuration 23 support information ii system prerequisites 10 T terminology, accessing online Tioli Identity Manager Adapter communication with the serer 23 SSL communication 23 Tioli software information center i Tioli technical training i Tioli user groups ii two-way configuration SSL client and serer 23 U user groups, Tioli ii V ariables, notation for erifying installation 16 iii 40 IBM Tioli Identity Manager: Password Synchronization for Actie Directory Plug-in Installation and Configuration Guide

53

54 Printed in USA SC