IBM Security Identity Manager
Version 6.0

UNIX and Linux Adapter Installation and Configuration Guide

SC27-4426-07
Note
Before using this information and the product it supports, read the information in “Notices” on page 105.
Edition notice
Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all
subsequent releases and modifications until otherwise indicated in new editions.
© Copyright IBM Corporation 2012, 2014.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents

Figures  v
Tables  vii

Preface  ix
    About this publication  ix
    Access to publications and terminology  ix
    Accessibility  x
    Technical training  x
    Support information  x
    Statement of Good Security Practices  x

Chapter 1. UNIX and Linux Adapter Installation and Configuration Guide  1
    Overview of the adapter  1
    Features of the adapter  1
    Architecture of the adapter  1
    Supported configurations  2

Chapter 2. Adapter installation planning  5
    Preinstallation roadmap  5
    Installation roadmap  5
    Prerequisites  6
    Installation worksheet for the adapter  8
    Software download  8

Chapter 3. Adapter installation  9
    Dispatcher installation verification  9
    Installing the UNIX and Linux Adapter  9
    Installation verification  10
    Adapter service start, stop, and restart  11
    Importing the adapter profile into the IBM Security Identity Manager server  11
    Adapter profile installation verification  12
    Communicating with the Secure Shell protocol  12
    Adapter user account creation  13
    Creating a service  14

Chapter 4. Adapter installation and uninstallation in silent mode  21
    Installing the adapter in silent mode  21
    Uninstalling the adapter in silent mode  22

Chapter 5. First steps after installation  23
    Adapter configuration  23
        Customizing the adapter profile  23
        Running user-defined scripts  25
        Defining the maximum connection count for adapter operations  26
        User home directory creation  28
        Editing adapter profiles on the UNIX or Linux operating system  28
    Adapter features customization and extension  28
    Optional feature configuration  29
        Customizing password prompt attributes  29
        Adding home directory permissions on the account form  30
        Adding umask settings on the account form  31
        Setting up locales  32
        Configuring alternative adapter scripts location  32
        Reconciling with custom scripts  33
        Ending a user session after suspension  34
        Ending user processes to delete a user account  34
        Configuring last access date support for Solaris systems  35
        Non-login account (passwd-N) support  36
    Password management for account restoration  38
    Language pack installation  39
    Verifying that the adapter is working correctly  39

Chapter 6. Adapter error troubleshooting  41
    Techniques for troubleshooting problems  41
    Warning and error messages  43
    Solving adapter installation and operational problems  46
    Known adapter issues  48
        /tmp directory permissions  48
        Home directory permissions  48
        HP-UX password age issues  48
        No support for adding the primary group of a user to the secondary groupset of the user  49

Chapter 7. Adapter upgrade  51
    Connector upgrade  51
    Dispatcher upgrade  51
    Upgrade of an existing adapter profile  51

Chapter 8. Adapter uninstallation  53
    Uninstalling the adapter from the Tivoli Directory Integrator server  53
    Adapter profile removal from the IBM Security Identity Manager server  53

Chapter 9. Adapter reinstallation  55

Appendix A. Adapter attributes  57
    Group form attributes  66
    Attributes by UNIX and Linux Adapter actions  66
        System Login Add  67
        System Login Change  67
        System Login Delete  67
        System Login Suspend  67
        System Login Restore  68
        Test  68
        Reconciliation  68
        Group add  69
        Group change  69
        Group delete  69

Appendix B. Adapter installation on a z/OS operating system  71
    IBM Tivoli Directory Integrator POSIX connector installation  71

Appendix C. Super user creation on a supported operating system  73
    Creating a super user on an AIX operating system  73
    Creating a super user on a Linux operating system  74
    Creating a super user on a Solaris operating system  75
    Creating a super user on an HP-UX Non-Trusted operating system  76
    Creating a super user on an HP-UX Trusted operating system  77
    Command setup for sudo  79

Appendix D. Key-based authentication for the UNIX and Linux Adapter  85
    Enabling RSA key-based authentication on UNIX and Linux operating systems  85
    Enabling DSA key-based authentication on UNIX and Linux operating systems  87
    Enabling RSA key-based authentication on UNIX and Linux operating systems with Tectia SSH  89
    Enabling DSA key-based authentication on UNIX and Linux operating systems with Tectia SSH  92

Appendix E. Definitions for ITDI_HOME and ISIM_HOME directories  97

Appendix F. Support information  99
    Searching knowledge bases  99
    Obtaining a product fix  100
    Contacting IBM Support  100

Appendix G. Accessibility features for IBM Security Identity Manager  103

Notices  105

Index  109
Figures

1. The architecture of the UNIX and Linux Adapter  2
2. Example of a single server configuration  2
3. Example of multiple server configuration  3
Tables

1. Preinstallation roadmap  5
2. Installation roadmap  5
3. Prerequisites to install the adapter  6
4. Required information to install the adapter  8
5. Adapter components  10
6. Secure Shell configuration  13
7. Silent mode parameters for installing  21
8. Silent mode parameter for uninstalling  22
9. No Password Account possible outcomes  37
10. Warning and error messages  43
11. Search strings for software versions  46
12. Reconciliation file names  47
13. Account form attributes, descriptions, permissions, and applicable operating systems  57
14. Group form attributes  66
15. Add request attributes for AIX, HPUX, Linux, and Solaris  67
16. Change request attributes for AIX, HPUX, Linux, and Solaris  67
17. Delete request attributes for AIX and Solaris  67
18. Delete request attributes for HPUX and Linux  67
19. Suspend request attributes for AIX and Solaris  67
20. Suspend request attributes for HP-UX and Linux  67
21. Restore request attributes for AIX  68
22. Restore request attributes for Solaris  68
23. Test attributes  68
24. Reconciliation request attributes for AIX and Solaris  68
25. Reconciliation request attributes for HP-UX and Linux  68
26. Group add request attribute for AIX, HPUX, Linux, and Solaris  69
27. Group change request attribute for AIX, HPUX, Linux, and Solaris  69
28. Sudo access command and file setup  79
Preface
About this publication
The UNIX and Linux Adapter Installation and Configuration Guide provides the basic
information that you use to install and configure the IBM® Security Identity
Manager UNIX and Linux Adapter. The UNIX and Linux Adapter enables
connectivity between the IBM Security Identity Manager server and a system that
runs a UNIX or Linux operating system.
Access to publications and terminology
This section provides:
- A list of publications in the “IBM Security Identity Manager library.”
- Links to “Online publications.”
- A link to the “IBM Terminology website.”
IBM Security Identity Manager library
For a complete listing of the IBM Security Identity Manager and IBM Security
Identity Manager Adapter documentation, see the online library
(http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome).
Online publications
IBM posts product publications when the product is released and when the
publications are updated at the following locations:
IBM Security Identity Manager library
    The product documentation site (http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome) displays the welcome page and navigation for the library.
IBM Security Systems Documentation Central
    IBM Security Systems Documentation Central provides an alphabetical list of all IBM Security Systems product libraries and links to the online documentation for specific versions of each product.
IBM Publications Center
    The IBM Publications Center site (http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss) offers customized search functions to help you find all the IBM publications you need.
IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.
Accessibility
Accessibility features help users with a physical disability, such as restricted
mobility or limited vision, to use software products successfully. With this product,
you can use assistive technologies to hear and navigate the interface. You can also
use the keyboard instead of the mouse to operate all features of the graphical user
interface.
Technical training
For technical training information, see the following IBM Education website at
http://www.ibm.com/software/tivoli/education.
Support information
IBM Support provides assistance with code-related problems and routine, short
duration installation or usage questions. You can directly access the IBM Software
Support site at http://www.ibm.com/software/support/probsub.html.
Appendix F, “Support information,” on page 99 provides details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.
Note: The Community and Support tab on the product information center can
provide additional support resources.
Statement of Good Security Practices
IT system security involves protecting systems and information through
prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure
can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a comprehensive security
approach, which will necessarily involve additional operational procedures, and
may require other systems, products or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Chapter 1. UNIX and Linux Adapter Installation and
Configuration Guide
This installation guide provides the basic information to install and configure the
UNIX and Linux Adapter. The adapter enables connectivity between the IBM
Security Identity Manager server and the managed resource.
Overview of the adapter
An adapter provides an interface between a managed resource and the IBM
Security Identity Manager server.
Adapters might reside on the managed resource or, as with this adapter, on a separate server that reaches the resource over the network. The IBM Security Identity Manager server manages access to the resource by using your security system.
Adapters function as trusted virtual administrators on the target platform. They do tasks such as creating, suspending, and restoring user accounts, and other administrative functions that would otherwise be done manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity Manager server.
The UNIX and Linux Adapter enables communication between the IBM Security
Identity Manager server and any of the following operating systems:
- AIX®
- HP-UX
- Linux
- Solaris
Features of the adapter
The adapter automates the various user account administrative tasks.
The adapter automates the following user management tasks:
- Adding user accounts
- Modifying user account attributes
- Modifying user account passwords
- Suspending, restoring, and deleting user accounts
- Managing groups
- Reconciling user accounts and groups
Architecture of the adapter
You must install various components for the adapter to function correctly.
You install the following components:
- The Dispatcher
- The IBM Tivoli® Directory Integrator connector
- The IBM Security Identity Manager adapter profile
You must install the Dispatcher and the adapter profile; however, the Tivoli
Directory Integrator connector might already be installed with the base Tivoli
Directory Integrator product.
Figure 1 describes the components that work together to complete the user account
management tasks in a Tivoli Directory Integrator environment.
[Figure 1 shows the IBM Security Identity Manager server making RMI calls to the Dispatcher service, an instance of IBM Tivoli Directory Integrator that hosts the adapter; the adapter in turn communicates with the managed resource.]
Figure 1. The architecture of the UNIX and Linux Adapter
For more information about Tivoli Directory Integrator, see the Quick Start Guide in
the IBM Security Identity Manager product documentation.
Supported configurations
The adapter supports both single server and multiple server configurations.
There are fundamental components in each environment.
- The IBM Security Identity Manager server
- The IBM Tivoli Directory Integrator server
- The managed resource
- The adapter
The adapter must be installed on the same server that runs the Tivoli Directory Integrator server.
Single server configuration
Install the IBM Security Identity Manager server, the Tivoli Directory Integrator server, and the UNIX and Linux Adapter on one server. The managed UNIX or Linux operating system runs on a different server, as shown in Figure 2.
[Figure 2 shows one server that hosts the IBM Security Identity Manager server, the Tivoli Directory Integrator server, and the adapter, connected to a separate managed resource.]
Figure 2. Example of a single server configuration
Multiple server configuration
Install the IBM Security Identity Manager server, the Tivoli Directory Integrator server with the UNIX and Linux Adapter, and the managed UNIX or Linux operating system on separate servers. The Tivoli Directory Integrator server and the UNIX and Linux Adapter stay together on the same server, as shown in Figure 3.
[Figure 3 shows the IBM Security Identity Manager server on one server, the Tivoli Directory Integrator server with the adapter on a second server, and the managed resource on a third.]
Figure 3. Example of multiple server configuration
Chapter 2. Adapter installation planning
Installing and configuring the adapter involves several steps that you must
complete in an appropriate sequence. Review the roadmaps before you begin the
installation process.
Preinstallation roadmap
Before you install the adapter, prepare the environment.
Do the tasks that are listed in Table 1.
Table 1. Preinstallation roadmap

Task: Obtain the installation software.
    Download the software from the Passport Advantage® website. See “Software download” on page 8.

Task: Verify that your environment meets the software and hardware requirements for the adapter.
    See “Prerequisites” on page 6.

Task: Obtain and install the Dispatcher.
    Download the software from the Passport Advantage website. See “Software download” on page 8. Follow the installation instructions in the dispatcher download package.

Task: Obtain the necessary information for the installation and configuration.
    See “Installation worksheet for the adapter” on page 8.
Installation roadmap
Installation of the adapter requires several sequential tasks. Use this roadmap to navigate through the installation process.
To install the adapter, complete the tasks that are listed in Table 2.
Table 2. Installation roadmap

Task: Install the adapter.
    See “Installing the UNIX and Linux Adapter” on page 9.
Task: Verify the installation.
    See “Installation verification” on page 10.
Task: Import the adapter profile.
    See “Importing the adapter profile into the IBM Security Identity Manager server” on page 11.
Task: Verify the profile installation.
    See “Adapter profile installation verification” on page 12.
Task: Install the Secure Shell protocol.
    See “Communicating with the Secure Shell protocol” on page 12.
Task: Create an adapter user account.
    See “Adapter user account creation” on page 13.
Task: Create a service.
    See “Creating a service” on page 14.
Task: Configure the adapter.
    See “Adapter configuration” on page 23.
Prerequisites
Verify that your environment meets all the prerequisites before you install the
adapter.
This adapter is installed into IBM Tivoli Directory Integrator. The adapter can be
installed on any operating system that is supported by Tivoli Directory Integrator
and supported by the target system libraries or client.
Install Tivoli Directory Integrator on each node of the IBM Security Identity
Manager WebSphere® Application Server cluster. Then, install this adapter on each
instance of Tivoli Directory Integrator.
Table 3 identifies the software and operating system prerequisites for the adapter
installation.
See the Release Notes bundled with this adapter package for the most current
information about supported versions and minimum fix pack levels.
Table 3. Prerequisites to install the adapter

Tivoli Directory Integrator server
    Version 7.1 fix pack 5 or later, or
    Version 7.1.1 with fix pack 1 and Interim Fix 7.1.1-TIV-TDI-LA0001 or higher

IBM Security Identity Manager server
    Version 6.0

Operating systems
    Use the UNIX and Linux Adapter for user provisioning on the following operating systems.
    AIX: AIX 6.1, AIX 7.1
    HP-UX: HP-UX 11i, HP-UX 11i v2, HP-UX 11i v3 (supported operating system modes: non-trusted, trusted, and non-secure)
    Oracle Solaris: Solaris 10, Solaris 11
    Oracle Linux: Oracle Linux 6.3
    Red Hat Linux: Red Hat Linux Enterprise Server 5.9, Red Hat Linux Enterprise Server 6.3, Red Hat Linux Advanced Server 5.9, Red Hat Linux Advanced Server 6.3
    SuSE Enterprise Linux Server: SuSE SLES 10, SuSE SLES 11, SuSE SLES 11 on zSeries

System administrator authority
    To complete the adapter installation procedure, you must have system administrator authority.

Tivoli Directory Integrator adapters solution directory
    A Tivoli Directory Integrator adapters solution directory is a Tivoli Directory Integrator work directory for IBM Security Identity Manager adapters. See the Dispatcher Installation and Configuration Guide.

The /etc/passwd and /etc/shadow files in a standard format on the managed resource
    The /etc/passwd and /etc/shadow files must be in the standard colon-separated format on the managed resource. Any deviation from that format, such as extra fields or characters in a line, might cause adapter operations to fail.

The Secure Shell (SSH) protocol
    The Secure Shell (SSH) protocol must be installed and running on the managed resource.
    Note: The adapter supports the OpenSSH and Tectia SSH packages.
For information about the prerequisites and supported operating systems for Tivoli
Directory Integrator, see the applicable IBM Tivoli Directory Integrator Administrator
Guide.
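The file-format prerequisite above is easy to check before the adapter is pointed at a host. The following shell script is an added example, not part of the IBM guide: it validates a passwd-style file (7 fields) or a shadow-style file (9 fields) with awk and prints every line that deviates, which is exactly the condition the prerequisite table warns about. The sample passwd file it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: validate the layout of a
# passwd-style or shadow-style file before the adapter is pointed at it.
#   passwd: 7 fields  name:pw:uid:gid:gecos:home:shell
#   shadow: 9 fields  name:hash:lastchg:min:max:warn:inactive:expire:flag
# Usage: check_passwd_format FILE FIELDS   (FIELDS is 7 or 9)
# Prints every line that deviates and returns 1 if there were any.
check_passwd_format() {
    awk -F: -v want="$2" -v fname="$1" '
        /^[ \t]*$/ { next }                  # blank lines do no harm
        NF != want {                         # extra or missing fields: the case the guide warns about
            bad++
            printf "%s:%d: expected %d fields, found %d\n", fname, NR, want, NF
            next
        }
        want == 7 && ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/) {
            bad++
            printf "%s:%d: uid/gid must be numeric (got %s/%s)\n", fname, NR, $3, $4
            next
        }
        want == 9 {                          # ageing fields are integers or empty
            for (i = 3; i <= 8; i++)
                if ($i !~ /^-?[0-9]*$/) {
                    bad++
                    printf "%s:%d: field %d (%s) is not a number\n", fname, NR, i, $i
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demonstration on a constructed passwd file (not copied from any system).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
isimadm:x:1001:1001:ISIM adapter account:/home/isimadm:/bin/sh
jdoe:x:1002:1002:John Doe, ext. 42:/home/jdoe:/bin/bash:
+
EOF
check_passwd_format "$demo/passwd" 7 \
    || echo "passwd has non-standard lines; fix them before the adapter connects"
rm -rf "$demo"
```

On the managed resource, run `check_passwd_format /etc/passwd 7` and, as root, `check_passwd_format /etc/shadow 9`. NIS compatibility entries such as a bare `+` are reported on purpose, because they are the kind of non-standard line the adapter's scripts may not parse. AIX keeps password hashes in /etc/security/passwd, which uses a stanza format rather than colon-separated fields, so this check applies only to its /etc/passwd.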
Installation worksheet for the adapter
Use this information before you install the adapter.
Table 4. Required information to install the adapter

Tivoli Directory Integrator home directory (ITDI_HOME)
    IBM Tivoli Directory Integrator can be automatically installed with your IBM Security Identity Manager product. In this case, one of the following is the default directory path that is used for Tivoli Directory Integrator. The ITDI_HOME directory contains the jars/connectors subdirectory, which holds the adapter JAR files.
    Default value:
        Windows: drive:\Program Files\IBM\TDI\TDI_VERSION
        UNIX: /opt/IBM/TDI/TDI_VERSION

Adapters solution directory
    When you install the Dispatcher, the installer prompts you to specify a file path for the adapter solution directory. If you do not specify a directory, the default directory is timsol.
    Default value:
        Windows: drive:\Program Files\IBM\TDI\TDI_VERSION\timsol
        UNIX: /opt/IBM/TDI/TDI_VERSION/timsol
Software download
Download the software through your account at the IBM Passport Advantage
website.
Go to IBM Passport Advantage.
See the IBM Security Identity Manager Download Document for instructions.
Note: You can also obtain additional adapter information from IBM Support.
Chapter 3. Adapter installation
All the adapters that are based on Tivoli Directory Integrator require the
Dispatcher for the adapters to function correctly.
If the Dispatcher is installed from a previous installation, do not reinstall it unless
there is an upgrade to the Dispatcher. See the Dispatcher Installation and
Configuration Guide.
After verifying the Dispatcher installation, you might need to install the Tivoli
Directory Integrator connector. Depending on your adapter, the connector might
already be installed as part of the Tivoli Directory Integrator product and no
further action is required.
Dispatcher installation verification
If this installation is the first adapter installation that is based on Tivoli Directory
Integrator, you must install the Dispatcher before you install the adapter.
Install the Dispatcher on the same Tivoli Directory Integrator server where you
want to install the adapter.
Obtain the Dispatcher installer from the IBM Passport Advantage website. For information about Dispatcher installation, see the Dispatcher Installation and Configuration Guide.
Installing the UNIX and Linux Adapter
Use these steps to install the UNIX and Linux Adapter software.
Before you begin
Make sure that you do the following actions:
- See the Release Notes bundled with this adapter package for any updates on installation and configuration steps.
- Verify that your site meets all the prerequisite requirements. See “Prerequisites” on page 6.
- Verify that the Dispatcher is installed before you install the UNIX and Linux Adapter. See “Software download” on page 8. Follow the installation instructions included in the dispatcher download package.
- Obtain a copy of the installation software. See “Software download” on page 8.
- Obtain system administrator authority. See “Prerequisites” on page 6.
About this task
Use the PosixAdapterInstall_70.jar file to install the adapter.
Procedure
1. Create a temporary directory on the workstation where you want to install the
adapter.
2. Extract the contents of the compressed file in the temporary directory.
3. Run the adapter installation wizard. Use the Java™ executable file that comes with Tivoli Directory Integrator, in the ITDI_HOME/jvm/jre/bin directory, to start the installation program. Run the following command from the temporary directory where you extracted the installer, or give the full path to the JAR file:
   ITDI_HOME/jvm/jre/bin/java -jar PosixAdapterInstall_70.jar
4. On the Welcome page, click Next.
5. In the Directory Name field, specify the location of the Tivoli Directory
Integrator home directory.
6. Review the installation settings on the Install Summary page and do one of the
following steps:
- Click Back to return to a previous page to modify any of the settings.
- Click Next when you are ready to begin the installation.
7. Click Finish when the software displays the Install Completed window.
What to do next
After you finish the adapter installation, do the following actions:
- Verify that the installation completed successfully. See “Installation verification.”
- Import the adapter profile. See “Importing the adapter profile into the IBM Security Identity Manager server” on page 11.
- Create a user account for the adapter on the managed resource. See “Adapter user account creation” on page 13.
Installation verification
Adapter components are created on the Tivoli Directory Integrator server after you
install the adapter.
Table 5. Adapter components

Directory: ITDI_HOME/jars/connectors
    PosixConnector.jar

Directory: adapter_solution_directory
    AIXPConnRes.sh
    SolarisPConnRes.sh
    HPTrustPConnRes.sh
    LinuxPConnRes.sh
    LinuxShadowPConnRes.sh
    HPNTrustPConnRes.sh
    CryptPwd
    LastAccessDateReader
Review the installer log files, POSIXAdapter_Installer.log and POSIXAdapter_Installer_opt.log, in the adapter installer directory for any errors.
If this installation upgrades a connector, send a request from IBM Security Identity Manager and verify that the version number that is logged in ibmdi.log matches the version of the connector that you installed. The ibmdi.log file is in the logs subdirectory of the adapter solution directory (by default ITDI_HOME/timsol/logs).
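The checks above can be scripted so they are repeated the same way on every Tivoli Directory Integrator node. The following script is an added example, not part of the IBM guide: it confirms that each component in Table 5 exists, that PosixConnector.jar is a real zip archive rather than a truncated download, and that the installer logs contain no error lines. It assumes the installer logs live in the adapter solution directory unless a third argument says otherwise; the guide only says “the adapter installer directory”, so that default is an assumption. The directory tree in the demonstration is constructed, not a real installation.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: check that the components listed in
# Table 5 are present after installation and that the installer logs are clean.
# Usage: verify_adapter_install ITDI_HOME SOLUTION_DIR [INSTALLER_DIR]
# INSTALLER_DIR defaults to SOLUTION_DIR (an assumption; the guide says only
# "the adapter installer directory").
verify_adapter_install() {
    itdi=$1; sol=$2; inst=${3:-$2}; rc=0

    # The connector JAR must exist, be non-empty and start with a zip header.
    jar="$itdi/jars/connectors/PosixConnector.jar"
    if [ ! -s "$jar" ]; then
        echo "MISSING  $jar"; rc=1
    elif [ "$(head -c 2 "$jar")" != "PK" ]; then
        echo "CORRUPT  $jar does not start with a zip header"; rc=1
    fi

    # Per-platform scripts and helper programs in the adapter solution directory.
    for f in AIXPConnRes.sh SolarisPConnRes.sh HPTrustPConnRes.sh LinuxPConnRes.sh \
             LinuxShadowPConnRes.sh HPNTrustPConnRes.sh CryptPwd LastAccessDateReader; do
        [ -s "$sol/$f" ] || { echo "MISSING  $sol/$f"; rc=1; }
    done

    # Installer logs: print any line that looks like an error so it can be read.
    for log in POSIXAdapter_Installer.log POSIXAdapter_Installer_opt.log; do
        if [ ! -f "$inst/$log" ]; then
            echo "MISSING  $inst/$log"; rc=1
        elif grep -inE 'error|exception|fail' "$inst/$log"; then
            echo "ERRORS   see $inst/$log above"; rc=1
        fi
    done
    return $rc
}

# Builds a constructed installation under ROOT (ROOT/tdi and ROOT/timsol) for
# the demonstration; nothing here comes from a real install.
make_fake_install() {
    mkdir -p "$1/tdi/jars/connectors" "$1/timsol"
    printf 'PK\003\004' > "$1/tdi/jars/connectors/PosixConnector.jar"
    for f in AIXPConnRes.sh SolarisPConnRes.sh HPTrustPConnRes.sh LinuxPConnRes.sh \
             LinuxShadowPConnRes.sh HPNTrustPConnRes.sh CryptPwd LastAccessDateReader; do
        echo "#!/bin/sh" > "$1/timsol/$f"
    done
    echo "Installation completed successfully" > "$1/timsol/POSIXAdapter_Installer.log"
    echo "Optional components: none" > "$1/timsol/POSIXAdapter_Installer_opt.log"
}

root=$(mktemp -d)
make_fake_install "$root"
verify_adapter_install "$root/tdi" "$root/timsol" && echo "adapter components verified"
rm -rf "$root"
```

On a real node run `verify_adapter_install /opt/IBM/TDI/TDI_VERSION /opt/IBM/TDI/TDI_VERSION/timsol` with the paths from your installation worksheet; a non-zero exit means something in the list above is missing or the logs need reading.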
Adapter service start, stop, and restart
To start, stop, or restart the adapter, you must start, stop, or restart the Dispatcher.
The adapter does not exist as an independent service or a process. The adapter is
added to the Dispatcher instance, which runs all the adapters that are installed on
the same Tivoli Directory Integrator instance.
See the topic about starting, stopping, and restarting the dispatcher service in the Dispatcher Installation and Configuration Guide.
Importing the adapter profile into the IBM Security Identity Manager
server
Before you can add an adapter as a service, the IBM Security Identity Manager
server must have an adapter profile to recognize the adapter.
Before you begin
The files that are packaged with the adapter include the adapter profile JAR file.
You can import this adapter profile JAR file as a service profile on the server with
the Import feature of IBM Security Identity Manager.
Before you begin to import the adapter profile, verify that the following conditions
are met:
- The IBM Security Identity Manager server is installed and running.
- You have root or Administrator authority on IBM Security Identity Manager.
About this task
An adapter profile defines the types of resources that the IBM Security Identity
Manager server can manage. Use the profile to create an adapter service on IBM
Security Identity Manager server and establish communication with the adapter.
The JAR file includes all the files that are required to define the adapter schema,
account form, service form, and profile properties. If necessary, you can extract the
files from the JAR file, modify the files, and repackage the JAR file with the
updated files.
Procedure
1. Log on to the IBM Security Identity Manager server by using an account that
has the authority to do administrative tasks.
2. In the My Work pane, expand Configure System and click Manage Service
Types.
3. On the Manage Service Types page, click Import to display the Import Service
Types page.
4. Specify the location of the JAR file in the Service Definition File field by doing
one of the following actions:
- Type the complete location of where the file is stored.
- Use Browse to navigate to the file.
5. Click OK.
Note:
- If you receive an error that is related to the schema when you import the adapter profile, see the trace.log file for information about the error. The trace.log file location is specified by the handler.file.fileDir property in the IBM Security Identity Manager enRoleLogging.properties file, which is installed in the ITIM_HOME\data directory.
- If you modify any properties in the enRoleLogging.properties file, restart the IBM Security Identity Manager server for the change to take effect.
Adapter profile installation verification
After you install the adapter profile, verify that the installation was successful.
An unsuccessful installation:
- Might cause the adapter to function incorrectly.
- Prevents you from creating a service with the adapter profile.
To verify that the adapter profile is successfully installed, create a service with the
adapter profile. For more information about creating a service, see “Creating a
service” on page 14.
If you cannot create a service with the adapter profile or open an account on an
existing service, the adapter profile is not installed correctly. You must import the
adapter profile again.
Communicating with the Secure Shell protocol
The adapter uses the Secure Shell (SSH) protocol to communicate with the
managed resource. This protocol must be installed and running before the adapter
connects to the managed resource.
About this task
The adapter supports SSH protocol version 2 only. The SSH daemon configuration file (the Protocol keyword in sshd_config) shows which protocol versions your system accepts.
Note: OpenSSH is the only supported SSH package on HP-UX and Solaris. OpenSSH and Tectia SSH packages are supported on AIX and Linux systems.
The following list provides information to help you ensure that the UNIX based
managed resources in your network can operate with the UNIX and Linux
Adapter.
HP-UX, Linux, and Solaris systems
SSH is installed and enabled by default on these operating systems.
However, check to ensure that the SSH daemon is running before you
attempt to connect a managed resource to the IBM Security Identity
Manager server. If SSH is not enabled, the connection fails.
AIX systems
SSH is not installed on AIX operating systems. If a supported version of
SSH is not installed on your system, you might download and install SSH
from an open source website. You must install OpenSSL if you are going to
use OpenSSH because OpenSSH uses functions that are provided by
OpenSSL. Install OpenSSL first and then install OpenSSH. The AIX
operating system requires the OpenSSH product version 4.7 or later. After
SSH is installed, check to ensure that the SSH daemon is running. Then,
connect the managed resource to the IBM Security Identity Manager server.
If SSH is not enabled, the connection fails.
Note: On an IPv6 environment, you might be required to configure SSH to listen
on an IPv6 address. See the SSH man page on your workstation for detailed
information.
Note: The following procedure is applicable to OpenSSH packages only.
Procedure
1. Open the sshd_config file. This file can be found in different locations,
depending on the operating system. Common locations are /etc/ssh or
/opt/ssh/etc.
2. Search for the following attributes and use the corresponding settings:
Table 6. Secure Shell configuration (attribute, setting, and description)
UsePrivilegeSeparation: Yes
Use this setting so that the adapter account is not locked after you do a user
account operation.
ClientAliveInterval: 0
This setting disables the ClientAliveInterval attribute. The adapter does not
acknowledge client-keep-alive messages. If the managed resource sends such
messages, the connection is ended as a result.
PasswordAuthentication: Yes
Use this setting only if you are using password-based authentication for your
adapter service.
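The following script, an added example that is not part of the IBM guide or the adapter, reads an sshd_config and reports which Table 6 settings are not met for a given adapter authentication method. It assumes OpenSSH parsing rules (the first value given for a keyword wins; lines after the first Match block are conditional) and OpenSSH's defaults for absent keywords; the sample configuration is constructed.

```python
"""Check an OpenSSH sshd_config against the Table 6 settings.

Added example; not part of the IBM guide or the adapter. Assumes OpenSSH
parsing rules: keywords are case-insensitive, the first value given for a
keyword wins, and everything after the first Match block is conditional, so
only the global section is inspected. Missing keywords take OpenSSH defaults.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample sshd_config for demonstration; not taken from any host.
SAMPLE_SSHD_CONFIG = """\
Port 22
UsePrivilegeSeparation sandbox
ClientAliveInterval 300
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    ClientAliveInterval 0
"""

# OpenSSH defaults applied when a keyword is absent from the global section.
DEFAULTS = {
    "useprivilegeseparation": "yes",
    "clientaliveinterval": "0",
    "passwordauthentication": "yes",
}

Finding = Tuple[str, str, str]  # (attribute, observed value, wanted value)


def parse_global_settings(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> first value, for the global section only."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Keyword value" and "Keyword=value".
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(\S.*)?$", line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            break  # lines below apply only to matching connections
        settings.setdefault(key, (m.group(2) or "").strip())  # first wins
    return settings


def check_adapter_requirements(text: str, password_based: bool) -> List[Finding]:
    """Return the Table 6 settings the file does not satisfy (empty = compliant).

    password_based is the adapter service's authentication method. Table 6
    wants PasswordAuthentication yes only for password-based services; for a
    key-based service a 'yes' is reported as unnecessary and 'no' suggested.
    """
    settings = parse_global_settings(text)

    def get(key: str) -> str:
        return settings.get(key, DEFAULTS[key]).lower()

    findings: List[Finding] = []
    ups = get("useprivilegeseparation")
    # "sandbox" is OpenSSH's stricter privilege-separation mode, so it also
    # satisfies the guide's "Yes".
    if ups not in ("yes", "sandbox"):
        findings.append(("UsePrivilegeSeparation", ups, "yes"))
    cai = get("clientaliveinterval")
    if cai != "0":
        findings.append(("ClientAliveInterval", cai, "0"))
    pwa = get("passwordauthentication")
    if password_based and pwa != "yes":
        findings.append(("PasswordAuthentication", pwa, "yes"))
    elif not password_based and pwa == "yes":
        findings.append(("PasswordAuthentication", pwa, "no"))
    return findings


if __name__ == "__main__":
    for attr, seen, want in check_adapter_requirements(SAMPLE_SSHD_CONFIG, True):
        print(f"{attr}: found '{seen}', Table 6 calls for '{want}'")
```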
Adapter user account creation
You must create a user account for the adapter on the managed resource. You must
provide the account information such as administrator name and password when
you create the adapter service.
To use SSH to remotely connect to the managed resource, the adapter user account
must be one of the following types:
v A root account
v A super user account (SUDO user)
v An account that has root UID permissions
See “Communicating with the Secure Shell protocol” on page 12 for information
about SSH.
The adapter user account must have:
v Permissions to do user administration tasks, such as add accounts, delete
accounts, change passwords for accounts, suspend accounts, restore accounts,
and retrieve account data.
v Permissions to do group tasks, such as add groups, modify attributes of a group,
and delete groups.
For more information about creating a service, see “Creating a service.”
Creating a service
After the adapter profile is imported on IBM Security Identity Manager, you must
create a service so that IBM Security Identity Manager can communicate with the
adapter.
About this task
To create or change a service, you must use the service form to provide
information for the service. Service forms might vary depending on the adapter.
Note: If the following fields on the service form are changed for an existing
service, the IBM Security Identity Manager adapter service on the Tivoli Directory
Integrator server must be restarted.
v User registry
v Use a shadow file?
v Delete home directory when the account is deleted?
v Is sudo user?
v Execute user profile?
v Authentication method
v Passphrase (Required for key-based authentication)
v Private key file (Required for key-based authentication)
v AL FileSystem Path
v Max Connection Count
Procedure
1. Log on to the IBM Security Identity Manager server with an account that has
the authority to do administrative tasks.
2. In the My Work pane, click Manage Services and click Create.
3. On the Select the Type of Service page, select the profile for your operating system:
For AIX operating system:
Select POSIX AIX Profile.
For HP-UX operating system:
Select POSIX HP-UX Profile.
For Solaris operating system:
Select POSIX Solaris Profile.
For Linux operating system:
Select POSIX Linux Profile.
4. Click Next to display the adapter service form.
5. Complete the following fields on the service form.
On the General Information tab:
Service Name
Specify a name that defines the adapter service on the IBM
Security Identity Manager server.
Note: Do not use forward (/) or backward slashes (\) in the
service name.
Description
Optionally, specify a description that identifies the service for
your environment.
IBM Tivoli Directory Integrator URL
Optionally, specify the URL for the Tivoli Directory Integrator
instance. The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the Tivoli
Directory Integrator host and port is the port number for the
Dispatcher.
The default for version 7.1 is this URL:
rmi://localhost:1099/ITDIDispatcher
For information about changing the port number, see IBM
Security Dispatcher Installation and Configuration Guide.
Managed resource location
Specify the IP address or host name of the managed resource.
This location uses the default SSH port, which is port 22. If the
SSH port is different, then ip/host:port can be used.
Note: An IPv6 address must be enclosed in brackets. An
example of a valid IPv6 address format is
[fedc:ba98:7654:3210:fedc:ba98:7654:3210]:22
RXA Internal Command TimeOut
Specify a value, in milliseconds, to control how long the
adapter waits for a response after a remote command is issued
to a managed resource. The default value is 5000 milliseconds.
Modify this default value if operations on the managed
resource time out frequently.
User registry
This input field is available only on service forms for AIX
profiles. This adapter supports user management and
authentication by using files or by using LDAP.
Note:
v This field is case-sensitive.
v AIX roles are not reconciled or managed by the adapter for
any AIX service with a user registry that is defined as LDAP.
a. If the users on the managed resource are to be managed
only through the /etc/passwd file, leave the field blank.
b. If this setup is a mixed setup and the users are to be managed
through the /etc/passwd file, type files.
Note: A mixed setup means that some users on the
managed resource are defined in LDAP and some users are
defined in files. These users are mutually exclusive and
cannot be managed by a single service. If you want IBM
Security Identity Manager to manage users that are defined
in LDAP as well, ensure that you also create a service to
manage users through LDAP.
c. If this setup is a mixed setup and the users are to be
managed through LDAP, type LDAP.
Note: A mixed setup means that some users on the
managed resource are defined in files and some users are
defined in LDAP. These users are mutually exclusive and
cannot be managed by a single service. If you want IBM
Security Identity Manager to manage users that are defined
in files as well, ensure that you also create a service to
manage users through files.
Use a shadow file?
Select this check box if shadow passwords are enabled on the
managed resource. This field applies to service forms only
when you use the Linux or HP-UX service profiles.
For Linux operating systems, shadow passwords are enabled by
default. When you create a service for HP-UX, by default the
Use a shadow file? field is enabled. If the HP-UX system you
are connecting to is an HP-UX trusted system, then the Use a
shadow file? field is irrelevant and the adapter ignores the
field.
Delete home directory when the account is deleted?
Select this check box if you want the home directory of the user
to be deleted when the user is deleted.
Owner
Optionally, specify an IBM Security Identity Manager user as a
service owner.
Service Prerequisite
Optionally, specify an IBM Security Identity Manager service that
is a prerequisite to this service.
On the Additional Configuration tab:
This tab applies only to Linux systems.
Command used to query failed logins
Specifies the system command that is used to detect and tally
failed login attempts and enforce account lockout. This
command must be configured through the PAM mechanism. If
no value is specified, the default faillog command is used.
This command is not available on some operating systems,
such as RHEL 6.1 and later versions.
File or directory where failed login records are found
Specifies the absolute path to the location of the failed login
attempt datastore, if it is not the default datastore. This field
applies to faillock and pam_tally2 only. The field is ignored
when faillog is used.
Maximum failed logins allowed
Specifies the maximum number of failed logins that can occur
before an account is locked. This field applies to faillock and
pam_tally2 only. The field is ignored when faillog is used.
On the Authentication tab:
Administrator name
Specify the user name for the administrator. If you are
specifying a super user, instead of a root user, see Appendix C,
“Super user creation on a supported operating system,” on
page 73.
Is sudo user?
Select this check box if the administrator name is a super user.
Sudo user privileges must be carefully configured on the
resource. For more information about sudo users, see
Appendix C, “Super user creation on a supported operating
system,” on page 73.
Execute user profile?
Available for HP-UX services only.
Click this check box to run the profile of the adapter user
before you run operations on the endpoint.
When you create a service for HP-UX, by default the Execute
user profile? field is disabled. You might want to enable this
field if the adapter user profile remaps special terminal control
characters on HP-UX (for example @ and #). The profile can
remap these characters when the Execute user profile? field is
enabled. In this case, you can use those special characters in
passwords when you add or change accounts. If the field is not
enabled and you use a special character, the add or modify
operations for the account fail when the password is set.
Running the user profile can affect the runtime environment of
the adapter at the endpoint and the outcome of adapter
operations. Running the profile has some limitations and must
be used with care. For example:
v Do not call another shell from the profile scripts. Doing so
can cause the remote operation to hang.
v Do not echo any strings from the profile when you trap
signals. The profile must not echo any output from trap
commands. The echoed string might be merged with the
results of the command that is running.
Use the default settings for the owner, group, and permissions
settings on both the /etc/profile and the adapter user
.profile file. Changing the values for these attributes can cause
the remote operation to fail.
Authentication method
From the drop-down menu, select the authentication method to
be used by the adapter when it communicates with the
managed resource for user management. Select Password-Based
Authentication or Key-Based Authentication. For more
information about key-based authentication, see Appendix D,
“Key-based authentication for the UNIX and Linux Adapter,”
on page 85.
Note: This authentication method is only for adapter
communication and does not apply to users created on the
managed resource by this adapter.
Password
Required for password-based authentication: Specify the
password for the administrator.
Passphrase (Required for key-based authentication)
Specify the pass-phrase that is associated with the private key.
For more information about private keys, see “Enabling RSA
key-based authentication on UNIX and Linux operating
systems” on page 85.
Private key file (Required for key-based authentication)
Specify the full path and file name of the keystore that contains
the private key of the client. This keystore must be on the
workstation that runs the Tivoli Directory Integrator server. For
more information about keystore, see Appendix D, “Key-based
authentication for the UNIX and Linux Adapter,” on page 85.
On the Dispatcher Attributes tab:
AL FileSystem Path
Specify the file path from where the dispatcher loads the
assembly lines. If you do not specify a file path, the dispatcher
loads the assembly lines that are received from IBM Security
Identity Manager. To load the assembly lines from the profiles
directory on a Windows operating system, specify
c:\Files\IBM\TDI\TDI_VERSION\profiles. To load the assembly
lines from the profiles directory on UNIX and Linux operating
systems, specify /opt/IBM/TDI/TDI_VERSION/profiles.
Max Connection Count
Specify the maximum number of assembly lines that the
dispatcher can run simultaneously for the service. If you enter 0
in the Max Connection Count field, the dispatcher does not
limit the number of assembly lines that run simultaneously for
the service.
Disable AL Caching
Select the check box to disable the assembly line caching for
add, modify, and delete operations in the dispatcher for the
service.
On the Status and information tab:
Contains read only information about the adapter and managed
resource. These fields are examples. The actual fields vary depending
on the type of adapter and how the service form is configured. The
adapter must be running to obtain the information. Click Test
Connection to populate the fields.
Last status update: Date
Specifies the most recent date when the Status and information
tab was updated.
Last status update: Time
Specifies the most recent time of the date when the Status and
information tab was updated.
Managed resource status
Specifies the status of the managed resource that the adapter is
connected to.
Adapter version
Specifies the version of the adapter that the IBM Security
Identity Manager service uses to provision request to the
managed resource.
Profile version
Specifies the version of the profile that is installed in the IBM
Security Identity Manager server.
TDI version
Specifies the version of the Tivoli Directory Integrator on which
the adapter is deployed.
Dispatcher version
Specifies the version of the Dispatcher.
Installation platform
Specifies summary information about the operating system
where the adapter is installed.
Adapter account
Specifies the account that runs the adapter binary file.
Adapter up time: Date
Specifies the date when the adapter started.
Adapter up time: Time
Specifies the time of the date when the adapter started.
Adapter memory usage
Specifies the memory usage for running the adapter.
If the connection fails, follow the instructions in the error message. Also:
v Verify the adapter log to ensure that the IBM Security Identity
Manager test request was successfully sent to the adapter.
v Verify the adapter configuration information.
v Verify IBM Security Identity Manager service parameters for the
adapter profile. You can verify the workstation name or the IP
address of the managed resource and the port.
6. Click Finish.
Chapter 4. Adapter installation and uninstallation in silent mode
You can use the -i silent option to install or uninstall the adapter in silent mode.
Silent installation suppresses the adapter installation wizard and the Launcher
User Interfaces (UIs). It does not display any information or require interaction.
Installing the adapter in silent mode
You can either use the default settings or override those settings when you install
the adapter in silent mode.
About this task
If you accept the default setting for the silent installation, the adapter is installed in
a location that depends on your operating system.
Windows operating systems
%SYSTEM_DRIVE_ROOT%\Program Files\IBM\TDI\V7.1
UNIX and Linux operating systems
/opt/IBM/TDI/V7.1
You can override the default settings with the -D parameter. The -D must be
followed immediately by an option-value pair. No space exists after -D.
Note: If an argument contains spaces, you must wrap the argument in quotation
marks.
Table 7. Silent mode parameters for installing (parameter and description)
-DUSER_INSTALL_DIR
This parameter overrides the default installation path. For example,
-DUSER_INSTALL_DIR="D:/security/MyFolder"
-DFORCE_DISPATCHER_SERVICE_START_ONINSTALL
If the dispatcher service is running before the installation, the installer stops
the service. It restarts the service after the installation is completed. If the
dispatcher service is not running before the installation, use this parameter to
start the service after the installation. Set the value of the parameter to YES.
Procedure
1. Go to a command line.
2. Run either of the following commands:
v To install the adapter in silent mode with the default settings, issue the
command:
java -jar PosixAdapterInstall_70.jar -i silent
v To install the adapter in silent mode and change one or more default
settings, use the -D parameter. For example, this command overrides the
default installation directory for a Windows operating system:
java -jar PosixAdapterInstall_70.jar -i silent -DUSER_INSTALL_DIR="E:\Program Files\IBM\TDI\V7.1"
Results
The adapter is installed in the adapter installation directory.
Uninstalling the adapter in silent mode
You can uninstall the adapter without any prompts for user action.
About this task
Run the command from the PosixAdapterUninstall directory in the installation
directory of the adapter. If you run the command from a different directory, you
must specify the full file path to the uninstaller.jar file. For example, this
command is run from outside the PosixAdapterUninstall directory.
java -jar "E:\Program Files\IBM\TDI\V7.1\PosixAdapterUninstall\uninstaller.jar" -i silent
Table 8. Silent mode parameter for uninstalling (parameter and description)
-DFORCE_DISPATCHER_SERVICE_START_ONUNINSTALL
If the dispatcher service is running before the uninstallation, the installer
stops the service. It restarts the service after the uninstallation is completed.
If the dispatcher service is not running before the uninstallation, use this
parameter to start the service after the uninstallation. Set the value of the
parameter to YES.
Procedure
1. Go to a command line.
2. Run either of the following commands:
v To uninstall the adapter with the default settings, run the command:
java -jar uninstaller.jar -i silent
v To ensure that the dispatcher service is restarted after you uninstall the
adapter, run the command:
java -jar uninstaller.jar -i silent -DFORCE_DISPATCHER_SERVICE_START_ONUNINSTALL=yes
Results
The adapter is removed without any additional user response or interaction.
Chapter 5. First steps after installation
After you install the adapter, you must do several other tasks. The tasks include
configuring the adapter, setting up SSL, installing the language pack, and verifying
that the adapter works correctly.
Adapter configuration
The following configuration options are available for the UNIX and Linux Adapter:
v “Customizing the adapter profile”
v “Running user-defined scripts” on page 25
v “Customizing password prompt attributes” on page 29
v “User home directory creation” on page 28
v “Adding home directory permissions on the account form” on page 30
v “Editing adapter profiles on the UNIX or Linux operating system” on page 28
v “Adapter features customization and extension” on page 28
v “Setting up locales” on page 32
See the IBM Security Dispatcher Installation and Configuration Guide for more
configuration options such as:
v JVM properties
v Dispatcher filtering
v Dispatcher properties
v Dispatcher port number
v Logging configurations
v Secure Sockets Layer (SSL) communication
Customizing the adapter profile
To customize the adapter profile, you must change the adapter profile JAR file. You
might customize the adapter profile to change the account form or the service
form. You can also change the labels on the forms by using the Form Designer or
the CustomLabels.properties file. Each adapter has a CustomLabels.properties
file.
About this task
The adapter profile JAR file is included in the adapter compressed file that you
downloaded from the IBM website. The JAR file and the files that are contained in
the JAR file vary depending on your operating system.
Note: You cannot modify the schemas for this adapter. Attributes cannot be added
to or deleted from the schema.
AIX (PosixAixProfile.jar)
The following files are included in the AIX profile JAR file:
v CustomLabels.properties
v erPosixAixAccount.xml
v erPosixAixRMIService.xml
v posixAdd.xml
v posixDelete.xml
v posixModify.xml
v posixSearch.xml
v posixTest.xml
v schema.dsml
v service.def
v posixGroupAdd.xml
v posixGroupDelete.xml
v posixGroupModify.xml
v posixRoleAdd.xml
v posixRoleDelete.xml
v posixRoleModify.xml
HP-UX (PosixHpuxProfile.jar)
The following files are included in the HP-UX profile JAR file:
v CustomLabels.properties
v erPosixHpuxAccount.xml
v erPosixHpuxRMIService.xml
v posixAdd.xml
v posixDelete.xml
v posixModify.xml
v posixSearch.xml
v posixTest.xml
v schema.dsml
v service.def
v posixGroupAdd.xml
v posixGroupDelete.xml
v posixGroupModify.xml
Solaris (PosixSolarisProfile.jar)
The following files are included in the Solaris profile JAR file:
v CustomLabels.properties
v erPosixSolarisAccount.xml
v erPosixSolarisRMIService.xml
v posixAdd.xml
v posixDelete.xml
v posixModify.xml
v posixSearch.xml
v posixTest.xml
v schema.dsml
v service.def
v posixGroupAdd.xml
v posixGroupDelete.xml
v posixGroupModify.xml
Linux (PosixLinuxProfile.jar)
The following files are included in the Linux profile JAR file:
v CustomLabels.properties
v erPosixLinuxAccount.xml
v erPosixLinuxRMIService.xml
v posixAdd.xml
v posixDelete.xml
v posixModify.xml
v posixSearch.xml
v posixTest.xml
v schema.dsml
v service.def
v posixGroupAdd.xml
v posixGroupDelete.xml
v posixGroupModify.xml
After you edit the file, you must import the file into the IBM Security Identity
Manager server for the changes to take effect.
Procedure
1. Edit the profile JAR file.
a. Log in to the system where the UNIX and Linux Adapter is installed.
b. Copy the JAR file into a temporary directory.
c. Extract the contents of the JAR file into the temporary directory. Run the
following command. The following example applies to the Linux adapter
profile. Type the name of the JAR file for your operating system.
#cd /tmp
#jar -xvf PosixLinuxProfile.jar
The jar command extracts the files into the PosixLinuxProfile directory.
d. Edit the file that you want to change.
e. Save the file.
2. Import the file.
a. Create a JAR file by using the files in the /tmp directory. Run the following
command:
#cd /tmp
#jar -cvf PosixLinuxProfile.jar PosixLinuxProfile
b. Import the modified profile JAR file into the IBM Security Identity Manager
application server. For more information about importing the JAR file, see
“Importing the adapter profile into the IBM Security Identity Manager
server” on page 11.
c. Stop and start the IBM Security Identity Manager server.
d. Stop and start the UNIX and Linux Adapter service. See “Adapter service
start, stop, and restart” on page 11 for information about stopping and
starting the UNIX and Linux Adapter service.
Running user-defined scripts
The UNIX and Linux Adapter is configured to run user-defined scripts before a
request is processed (preexec), after a request is processed (postexec), or both.
About this task
Running user-defined scripts can be useful when external activities are required to
manage the resource. Use these attributes that are defined in the relevant Posix
account form:
v Pre-execution options:
erPosixPreExec
Always continue the operation regardless of the pre-execution script
outcome (succeed or fail).
erPosixPreExecRunOption
Continue the operation only when the pre-execution script succeeds.
v Post-execution options:
erPosixPostExec
Always continue the operation regardless of the post-execution script
outcome (succeed or fail).
erPosixPostExecRunOption
Continue the operation only when the post-execution script succeeds.
Note:
1. The term operation refers to any account management request. For example,
user add or user modify.
2. The status or outcome of the preexec and postexec commands is not returned
to the IBM Security Identity Manager server.
3. On a modify request, the IBM Security Identity Manager server sends only
those attributes whose values are changed. This behavior differs from an add
operation in which all the attributes are always sent. The modify behavior
applies to the preexec and postexec attributes.
To send these attributes on a modify operation regardless of actual value changes,
update the service.def file for the relevant Posix adapter profile.
Procedure
1. Extract the adapter profile JAR file. For example, PosixAixProfile.jar.
2. Open the service.def file in a text editor.
3. Insert the following lines in service.def, under <operation cn="posixModify">:
<input name="erPosixPreExec" source="erPosixPreExec"></input>
<input name="erPosixPostExec" source="erPosixPostExec"></input>
<input name="erPosixPreExecRunOption" source="erPosixPreExecRunOption"></input>
<input name="erPosixPostExecRunOption" source="erPosixPostExecRunOption"></input>
4. Save the changes and create another adapter profile JAR file.
jar -cvf PosixAixProfile.jar PosixAixProfile
Defining the maximum connection count for adapter operations
You can limit the number of connections that can be made to a resource based on
the service, service type, and operation. You can modify the service.def file in the
service profile. Alternatively, you can specify a value for the Max Connection
Count field on the service form of a resource.
About this task
Limit the number of concurrent connections to a resource if you see errors that are
caused by contention for files or other objects on the resource. For example, when
many operations occur at the same time for account add, some might fail because
they cannot get write access to the /etc/passwd file. To reduce contention, lower
the maximum connection count for the resource or the add operation.
To set a default or an absolute maximum connection count for a service type,
modify the service.def file. A default count can be overridden on a per-resource
basis; an absolute count cannot be overridden.
To change the service.def file, take these steps:
Procedure
1. Extract the adapter profile JAR file. For example, extract PosixAixProfile.jar
with this command:
jar -xvf PosixAixProfile.jar
2. Open the service.def file in a text editor.
3. To limit the maximum connections for an operation type, first locate the type. A
maximum connection count is defined for each operation type such as add
(posixAdd) or modify (posixModify). Locate the type of operation whose
maximum connection count you want to set. For example, locate the
posixModify operation:
<operation cn="posixModify">
4. Find the <dispatcherParameter name="MaxConnectionCnt"...> element under
the posixModify operation entry.
5. Edit the dispatcherParameter element to specify a default value or an absolute
value.
v Specify a default value.
Create an entry similar to this example:
<dispatcherParameter name="MaxConnectionCnt" source="erPosixMaxConnectionCnt">
<default>value</default>
</dispatcherParameter>
For any AIX resource, the maximum number of concurrent operations for
account modify has a default of value. To override this default, specify a
different value in the Max Connection Count field on the Dispatcher
Attributes tab of the service form of the AIX resource.
v Specify an absolute value.
Create an entry similar to this example:
<dispatcherParameter name="MaxConnectionCnt">
<value>value</value>
</dispatcherParameter>
For any AIX resource, the maximum number of concurrent operations for
account modify is value, which cannot be overridden.
Note:
v The maximum number of connections for search (recon) operations is always
one, regardless of the settings in the service.def file or on the service form.
v If no maximum connection count is defined in the service.def file or on the
service form, the connection count is unlimited.
6. Save the changes and create another adapter profile JAR file. For example:
jar -cvf PosixAixProfile.jar PosixAixProfile
7. Import the modified profile JAR file into IBM Security Identity Manager.
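The script below is an added example (not IBM's code and not part of the adapter profile) that applies both service.def edits described in this chapter: forwarding the pre-exec and post-exec attributes on posixModify (“Running user-defined scripts”) and setting MaxConnectionCnt as a default or an absolute value. It relies only on the element names the guide shows; the sample service.def is a constructed minimal stand-in, and effective_max_connections encodes the resolution rules as the guide states them, not the dispatcher's own logic.

```python
"""Apply the two service.def edits this chapter describes.

Added example; not IBM's code and not part of the adapter profile. It relies
only on the element names the guide shows (operation, input, dispatcherParameter,
default, value). The sample is a constructed minimal stand-in for service.def.
"""
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed minimal service.def stand-in; a real file has far more content.
SAMPLE_SERVICE_DEF = """\
<service>
  <operation cn="posixModify">
    <input name="erUid" source="erUid"></input>
    <dispatcherParameter name="MaxConnectionCnt" source="erPosixMaxConnectionCnt">
      <default>10</default>
    </dispatcherParameter>
  </operation>
</service>
"""

# Attributes posixModify must forward so pre/post-exec settings reach the
# adapter even when a modify request did not change their values.
EXEC_ATTRIBUTES = ("erPosixPreExec", "erPosixPostExec",
                   "erPosixPreExecRunOption", "erPosixPostExecRunOption")


def load_service_def(text: str) -> ET.Element:
    return ET.fromstring(text)


def find_operation(root: ET.Element, cn: str) -> ET.Element:
    op = root.find(f".//operation[@cn='{cn}']")
    if op is None:
        raise ValueError(f"no <operation cn={cn!r}> in service.def")
    return op


def add_exec_inputs(root: ET.Element) -> int:
    """Add the missing <input> elements under posixModify; return how many."""
    op = find_operation(root, "posixModify")
    present = {inp.get("name") for inp in op.findall("input")}
    added = 0
    for attr in EXEC_ATTRIBUTES:
        if attr not in present:
            ET.SubElement(op, "input", name=attr, source=attr)
            added += 1
    return added


def set_max_connection_count(root: ET.Element, cn: str, count: int, absolute: bool) -> None:
    """absolute=False writes <default> (form can override it); absolute=True
    writes <value> with no source attribute (form cannot override it)."""
    op = find_operation(root, cn)
    param = op.find("dispatcherParameter[@name='MaxConnectionCnt']")
    if param is None:
        param = ET.SubElement(op, "dispatcherParameter", name="MaxConnectionCnt")
    for child in list(param):  # never leave both <default> and <value> behind
        param.remove(child)
    if absolute:
        param.attrib.pop("source", None)
        ET.SubElement(param, "value").text = str(count)
    else:
        param.set("source", "erPosixMaxConnectionCnt")
        ET.SubElement(param, "default").text = str(count)


def effective_max_connections(root: ET.Element, cn: str,
                              form_value: Optional[int] = None) -> Optional[int]:
    """Resolve the limit as the guide describes it; None means unlimited.
    form_value is the form's Max Connection Count (None = blank, 0 = no limit)."""
    if cn == "posixSearch":
        return 1  # search (recon) is always a single connection
    param = find_operation(root, cn).find("dispatcherParameter[@name='MaxConnectionCnt']")
    if param is not None and param.find("value") is not None:
        return int(param.find("value").text)  # absolute value cannot be overridden
    if form_value is not None:
        return None if form_value == 0 else form_value  # form overrides default
    if param is not None and param.find("default") is not None:
        return int(param.find("default").text)
    return None


def customize(text: str, modify_count: int, absolute: bool = False) -> str:
    """Apply both edits to a service.def string and return the new XML."""
    root = load_service_def(text)
    add_exec_inputs(root)
    set_max_connection_count(root, "posixModify", modify_count, absolute)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(customize(SAMPLE_SERVICE_DEF, modify_count=3))
```

Repackage the edited file with jar -cvf as in step 6 and import it as in step 7.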
User home directory creation
The UNIX and Linux Adapter provides a user-selectable option to create a default
home directory for a user or an account.
The default home directory is created by concatenating the base directory value
that is defined on that system with the account name or user name to be created.
Example
The base directory value on the target system is /home. The user name for the
account that is being created is testuser. The default home directory is
/home/testuser.
Note: AIX systems ignore this option. The AIX operating systems create a home
directory by default for each new account.
Editing adapter profiles on the UNIX or Linux operating system
The adapter profile .jar file might contain ASCII files that are created by using the
MS-DOS ASCII format.
About this task
If you edit an MS-DOS ASCII file on the UNIX operating system, you might see a
character ^M at the end of each line. These characters indicate new lines of text in
MS-DOS. The characters can interfere with the running of the file on UNIX or
Linux systems. You can use tools, such as dos2unix, to remove the ^M characters.
You can also use text editors, such as the vi editor, to remove the characters
manually.
Example
You can use the vi editor to remove the ^M characters. From the vi command
mode, run the following command and press Enter:
:%s/^M//g
When you use this command, enter ^M (Ctrl-M) by pressing ^v^M (Ctrl-V, then
Ctrl-M) in sequence. The ^v instructs the vi editor to insert the next keystroke
literally instead of interpreting it as a command.
Adapter features customization and extension
The IBM Security Identity Manager adapters can be customized or extended or
both. The type and method of this customization varies depending on the adapter.
Customizing and extending adapters requires a number of skills. The developer
must be familiar with the following concepts and skills:
v IBM Security Identity Manager administration
v IBM Tivoli Directory Integrator management
v Tivoli Directory Integrator Assembly Line development
v LDAP schema management
v Working knowledge of Java scripting language
v Working knowledge of LDAP object classes and attributes
v Working knowledge of XML document structure
Note: If the customization requires a new Tivoli Directory Integrator connector, the
developer must also be familiar with Tivoli Directory Integrator connector
development and working knowledge of Java programming language.
IBM Security Identity Manager resources
See the “Learn” section of the IBM Security Identity Manager Support
website for links to training, publications, and demonstrations.
Tivoli Directory Integrator resources
See the “Learn” section of the Tivoli Directory Integrator Support website
for links to training, publications, and demonstrations.
IBM Security Identity Manager adapter development resources
Adapter Development Tool
The Adapter Development Tool (ADT) is a tool that is used by IBM
Security Identity Manager customers and consultants to create
custom IBM Security Identity Manager adapters. It reduces adapter
delivery time and it helps in the development of custom adapters.
The ADT is available from the IBM Open Process Automation
Library (OPAL) website.
Support for customized adapters
The integration to the IBM Security Identity Manager server, the adapter
framework, is supported. However, IBM does not support the customizations,
scripts, or other modifications. You might experience a problem with a customized
adapter. In this case, IBM Support might require the problem to be demonstrated
on the GA version of the adapter before a PMR is opened.
Optional feature configuration
Depending on your needs, the adapter has attributes that you can optionally
configure for the following capabilities.
Customizing password prompt attributes
The UNIX and Linux Adapter does password changes by using an interactive
Secure Shell (SSH) session. The adapter searches for the default password prompts
on the managed resource to complete the transaction successfully. If the managed
resource has customized password prompts, then you can specify the password
prompts on the service form that the adapter must search for.
About this task
The password prompt attributes are:
v erPosixNewRegx - the new password prompt
v erPosixRetypeRegx - the retype password prompt
To customize these password prompt attributes on the service form, do the
following steps from IBM Security Identity Manager. The customized password
prompt attributes are displayed on the service form. The adapter does a
case-insensitive match on these password prompts.
Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, expand Configure System and click Design Forms to
display the Design Forms page.
3. From the applet, double-click Service to display the service form profiles.
4. Double-click the service form profile whose service form you want to
customize. Select one of the following profiles:
POSIX AIX account
Select this option to customize the erPosixNewRegx and
erPosixRetypeRegx attributes on the AIX service form. The default
values of these attributes on this account are:
erPosixNewRegx = ".*new password:$"
erPosixRetypeRegx = "re-enter .* new password:"
POSIX HP-UX account
Select this option to customize the erPosixNewRegx and
erPosixRetypeRegx attributes on the HP-UX service form. The default
values of these attributes on this account are:
erPosixNewRegx = ".*new password:$"
erPosixRetypeRegx = ".*re-enter new password:$"
POSIX Linux account
Select this option to customize the erPosixNewRegx and
erPosixRetypeRegx attributes on the Linux service form. The default
values of these attributes on this account are:
erPosixNewRegx = ".*new password:$"
erPosixRetypeRegx = ".*re-enter new password:$"
POSIX Solaris account
Select this option to customize the erPosixNewRegx and
erPosixRetypeRegx attributes on the Solaris service form. The default
values of these attributes on this account are:
erPosixNewRegx = ".*new password:$"
erPosixRetypeRegx = ".*re-enter new password:$"
5. From the Attributes List window, double-click the erPosixNewRegx attribute to
add it to the service form.
6. From the Attributes List window, double-click the erPosixRetypeRegx attribute
to add it to the service form.
7. Click Save Form Template icon. After you customize the password prompt
attributes, the following attributes are available on the service form:
v New Password Regular expression
v Retype Password Regular expression
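As an added example (not adapter code; the adapter's own matching logic is not shown on this page), the following Python walks a constructed passwd transcript the way an interactive SSH password change must: it waits for the new-password prompt, then for the retype prompt, matching each line case-insensitively against the service-form regular expressions. It shows why a resource whose retype prompt reads "Retype new password:" needs a customized erPosixRetypeRegx, because the Linux default ".*re-enter new password:$" never matches it. Line-by-line evaluation, trailing-whitespace trimming and the new-before-retype order are assumptions of the example.

```python
import re

# Default prompt regular expressions quoted on the POSIX Linux account profile.
LINUX_DEFAULTS = {"new": r".*new password:$", "retype": r".*re-enter new password:$"}

# Customized values for a resource whose passwd prints "Retype new password:".
# The alternation keeps the default wording working as well.
CUSTOM_PROMPTS = {"new": r".*new password:$",
                  "retype": r".*(re-enter|retype) new password:$"}

# Constructed transcript of an interactive passwd run (not a real capture).
SAMPLE_TRANSCRIPT = [
    "Changing password for user alice.",
    "New password: ",
    "Retype new password: ",
    "passwd: all authentication tokens updated successfully.",
]


def prompt_matches(regex, line):
    """Case-insensitive match, as the page states the adapter performs.

    Trailing whitespace is trimmed first so that a '$' anchor in the
    service-form value still matches a prompt that ends in a space
    (assumption of this example, not documented adapter behaviour).
    """
    return re.search(regex, line.rstrip(), re.IGNORECASE) is not None


def simulate_password_dialogue(transcript, prompts):
    """Walk the transcript expecting the 'new' prompt, then the 'retype' prompt.

    Returns (completed, stalled_on): completed is True when both prompts were
    recognised in order; stalled_on names the prompt that was never found
    ('new' or 'retype') or is None.  A stalled dialogue is what an operator
    sees as a password change that hangs or times out on the resource.
    """
    expecting = "new"
    for line in transcript:
        if expecting is None:
            break
        if prompt_matches(prompts[expecting], line):
            expecting = "retype" if expecting == "new" else None
    return expecting is None, expecting


def check_service_form_prompts(transcript, prompts):
    """Report, per prompt, whether the service-form value would match any
    line of the transcript: a quick sanity check before saving the form."""
    return {label: any(prompt_matches(regex, ln) for ln in transcript)
            for label, regex in prompts.items()}


if __name__ == "__main__":
    for name, prompts in (("Linux defaults", LINUX_DEFAULTS),
                          ("customized", CUSTOM_PROMPTS)):
        print(name, simulate_password_dialogue(SAMPLE_TRANSCRIPT, prompts),
              check_service_form_prompts(SAMPLE_TRANSCRIPT, prompts))
```

Note that the default new-password expression also matches "Retype new password:", so the order in which the adapter expects the prompts matters as much as the expressions themselves.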
Adding home directory permissions on the account form
You might want to add or modify the home directory permissions of the user on
the managed resource.
About this task
To modify the home directory permissions, you must customize the
erPosixHomeDir attribute on the account form. Do the following steps on IBM
Security Identity Manager:
Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, expand Configure System and click Design Forms to
display the Design Forms page.
3. From the applet, double-click Account to display the account form profiles.
4. Double-click the account form profile to add the erPosixHomeDir attribute on
the account form. Select one of the following profiles:
POSIX AIX account
Select this option to customize the erPosixHomeDir attribute on the AIX
account form.
POSIX HP-UX account
Select this option to customize the erPosixHomeDir attribute on the
HP-UX account form.
POSIX Linux account
Select this option to customize the erPosixHomeDir attribute on the
Linux account form.
POSIX Solaris account
Select this option to customize the erPosixHomeDir attribute on the
Solaris account form.
5. From the Attributes List window, double-click the erPosixHomeDir attribute to
add it to the $tabemployeeinfo tab.
6. Right-click erposixperhomedir and click Change To>UMask.
7. Click the Save Form Template icon. After you customize the attribute, the
Home directory permissions attribute is available on the account form.
Adding umask settings on the account form
You might want to add or modify the umask permissions of the user on the
managed resource. The umask settings control how file permissions are set for
newly created files.
About this task
To modify the umask permissions, you must customize the erPosixUmask attribute
on the account form. Do the following steps on IBM Security Identity Manager:
Procedure
1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, expand Configure System and click Design Forms to
display the Design Forms page.
3. From the applet, double-click Account to display the account form profiles.
4. Double-click the account form profile to add the erPosixUmask attribute on the
account form. Select one of the following profiles:
POSIX AIX account
Select this option to customize the erPosixUmask attribute on the AIX
account form.
POSIX HP-UX account
Select this option to customize the erPosixUmask attribute on the
HP-UX account form.
POSIX Linux account
Select this option to customize the erPosixUmask attribute on the Linux
account form.
POSIX Solaris account
Select this option to customize the erPosixUmask attribute on the Solaris
account form.
5. From the Attributes List window, double-click the erPosixUmask attribute to
add it to the $tabemployeeinfo tab.
6. Right-click erPosixUmask and click Change To>UMask.
7. Click the Save Form Template icon. After you customize the attribute, you can
use it when you create or modify a user account.
Locate the attribute that is labeled UNIX umask on the account form and use
the Access Type permission boxes to change or set the read, write and execute
permissions for user, group and other access.
Setting up locales
You can specify a particular code page for the adapter to use when encoding and
decoding data. By default, the adapter uses the same locale and code page that are
specified for the administrative user account that the adapter uses on the managed
resource. The locale and code page are typically the same as the system locale and
code page. If the locales and code pages are different, use this task to configure the
adapter to use the system locale and code page.
About this task
The erPosixEncoding attribute provides enhanced support in the POSIX adapter for
character sets from user-specified locales.
Procedure
1. Open the DESIGN FORMS feature of the IBM Security Identity Manager server.
Click Configure System > Design Forms.
2. Click Service and select a POSIX Profile.
3. Add the attribute erposixencoding on the Service form from the Attribute List.
4. Save the form and close the Design Form window.
5. Create a service with the following parameter:
Code Page to be used for data encoding (Default to UTF-8): the code page for data
The code page for data on the service form is the code page that corresponds to
the LOCALE in use. For example, the code page for the German locale is
ISO-8859-1:
Code Page to be used for data encoding (Default to UTF-8): ISO-8859-1
Configuring alternative adapter scripts location
You can specify where the adapter script files are stored on the managed UNIX or
Linux system.
Before you begin
The administrator that is defined on the service form for the managed system must
have sufficient permission to access the specified location or directory.
About this task
A configurable option, erPosixCopyAdpFilesTo, can be used to store adapter script
files in a location other than the default location /tmp. This option is configurable
by service and is not automatically displayed on the service form.
To add this attribute:
Procedure
1. Open the DESIGN FORMS feature of the IBM Security Identity Manager server.
Click Configure System > Design Forms.
2. Click Service and select any POSIX Profile.
3. Add the attribute erPosixCopyAdpFilesTo on the Service form from the
Attribute List.
4. Save the form.
5. Create a service with the following parameter:
Location of temporary files on resource: the full path to the file location
Reconciling with custom scripts
You can run reconciliation with either the reconciliation script bundled with the
adapter or your own customized reconciliation script that is optimized for your
setup.
Before you begin
Ensure that these conditions are true:
v The customized reconciliation script name is user definable, and must be present
in the timsol folder.
v You must have executable permission on the reconciliation script. You must have
the same permissions on the specified folder as on the /tmp folder.
v The reconciliation script and folder cannot contain double quotation marks or
spaces.
v The names of the reconciliation script and folder must follow the naming
conventions of the operating system.
About this task
To use this feature, select the Use recon script from this folder on managed
resource attribute on the service form. The adapter uses the reconciliation script
present at that location. If this option is not selected, then the standard
reconciliation script that is bundled with the adapter is used.
Note:
1. If values for both Location of temporary files on resource and Use recon
script from this folder on managed resource are specified, then Use recon
script from this folder on managed resource is used.
2. If a folder is specified on the managed resource without a script file name, the
adapter looks for the standard reconciliation script name. The script name is
based on the operating system type in the specified folder. On an AIX
operating system, if the file path given for this attribute is /reconfolder, the
adapter looks for the /reconfolder/AixPConnRes.sh file.
Procedure
1. Open the DESIGN FORMS feature of the IBM Security Identity Manager server.
Click Configure System > Design Forms.
2. Click Service and select POSIX Solaris Profile.
3. Add the attribute erPosixReconScriptLocation on the Service form from the
Attribute List.
4. Save the form.
Ending a user session after suspension
The adapter can be configured to end active user sessions after the user is
suspended.
About this task
The default behavior of the adapter is not to end active sessions after the user is
suspended. Use this task to configure the adapter to end active sessions after the
successful completion of a suspension request.
This option is configurable by service. The option is not displayed automatically on
the Service Form.
Note:
1. This option must not be used on systems that allow duplicate user IDs.
2. An error condition or hang occurs if a user attempts to suspend their own
account when this option is set.
To add this attribute to the Service Form:
Procedure
1. Open the DESIGN FORMS feature of the IBM Security Identity Manager server.
Click Configure System > Design Forms.
2. Click Service and select any POSIX Solaris Profile.
3. Add the attribute erPosixKillUserProcess on the Service form from the
Attribute List.
4. Change display type to CheckBox and save the form.
5. Create a service with the following parameter:
Kill active user process on suspending an account
6. Restart the Dispatcher.
Ending user processes to delete a user account
On a Linux operating system, you cannot delete a user if any user processes are
running. The adapter can be configured for Linux operating systems to end all
user processes when a user is deleted.
About this task
The default behavior of the Linux operating system is to fail a user delete request
if any user processes are running. Use this task to configure the adapter to end any
active user processes when you submit a delete user request.
This option is configurable by service. The option is not displayed automatically on
the Service Form.
Note: This option must not be used on systems that permit duplicate user IDs.
To add this attribute to the Service Form:
Procedure
1. Open the DESIGN FORMS feature of the IBM Security Identity Manager server.
Click Configure System > Design Forms.
2. Click Service and select any POSIX Linux Profile.
3. Add the attribute erPosixDelUserInUse on the Service form from the Attribute
List.
4. Change display type to CheckBox and save the form.
5. Create a service with the following parameter:
Delete user account even when it is in use
6. Restart the Dispatcher.
Configuring last access date support for Solaris systems
You can configure the UNIX and Linux Adapter to show the date that an account
on a Solaris system was last accessed.
About this task
You can add two fields to the service form:
Retrieve last Access Date?
The value for erPosixLastAccessDateBinaryCopy is either TRUE or FALSE.
The value of this option determines how the adapter handles the "Account last
accessed on" attribute. This value must be set to TRUE on the service form
for the adapter to retrieve the value for "Account last accessed on". The
adapter copies the LastAccessDateReader binary file to a specified location
or to the /tmp folder (default location) during reconciliation. After
reconciliation, the adapter deletes the binary file from the resource. This
binary file is used to read the contents of the /var/adm/wtmpx file to
retrieve the last access date for the user accounts.
Account last accessed on
The value for the erPosixLastAccessDate is retrieved from the
/var/adm/wtmpx file that is maintained on the Solaris system. This file
contains a history of user access and administrative information. The
minimum permissions that are required to read this file are 0644
(rw-r--r--).
Note: The erPosixLastAccessDate attribute that is added to the account form
by using the Design Forms editor must be kept as Read-Only on Modify.
The Account last accessed on field has these behaviors for the following
operations:
Add
When a user account is requested with the "Account last accessed
on" value on the Account Form, the adapter does not set this
value. The adapter returns a message: Not supported during add
operation.
Modify
The value is read only.
Reconciliation
The adapter reconciles the value for each account in GMT format
(for example 20110102122500Z).
To add these attributes to the Service Form:
Procedure
1. Open the Design Forms feature of the IBM Security Identity Manager server.
Click Configure System > Design Forms.
2. Click Service and select POSIX Solaris Profile.
3. Add the attribute erposixlastaccessdatebinarycopy on the service form from
the Attribute List.
4. Change display type to CheckBox and save the form.
5. Click Account and select POSIX Solaris Account.
6. On the account form, add the attribute erposixlastaccessdate from the
Attribute List.
7. Click the Read-Only on Modify check box in the Format tab under the
Properties section.
8. Save the form and close the Design Form window.
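The LastAccessDateReader binary itself is not shown on this page. As an added example (not the adapter's code), the following Python does the same job over constructed /var/adm/wtmpx bytes: it walks the fixed-size futmpx records, keeps only USER_PROCESS login entries, and reports each user's latest login in the GMT form the adapter reconciles, such as 20110102122500Z. The 372-byte record layout (taken from the Solaris utmpx.h header), the default big-endian byte order (SPARC) and the sample records are assumptions of the example.

```python
import struct
from datetime import datetime, timezone

# Record layout of Solaris /var/adm/wtmpx (struct futmpx).  Assumption of this
# example, taken from the Solaris utmpx.h header; it is not documented on this
# page.  Every field has a fixed width, so one record is always 372 bytes:
#   char  ut_user[32]        login name
#   char  ut_id[4]           inittab id
#   char  ut_line[32]        device name (tty)
#   int32 ut_pid
#   int16 ut_type            USER_PROCESS = 7, DEAD_PROCESS = 8, ...
#   int16 e_termination, e_exit
#   (2 bytes of alignment padding)
#   int32 tv_sec, tv_usec    time the entry was written
#   int32 ut_session
#   int32 pad[5]
#   int16 ut_syslen
#   char  ut_host[257]
#   (1 byte of trailing padding)
_BODY = "32s4s32sihhhxxiiiiiiiih257sx"
USER_PROCESS = 7
DEAD_PROCESS = 8


def record_size(byte_order=">"):
    """Size of one record; '>' is big-endian (SPARC), '<' little-endian (x86)."""
    return struct.calcsize(byte_order + _BODY)


def pack_record(user, line, host, ut_type, tv_sec, byte_order=">"):
    """Build one wtmpx record.  Used here only to construct sample input."""
    return struct.pack(byte_order + _BODY,
                       user.encode(), b"", line.encode(), 0,   # user, id, line, pid
                       ut_type, 0, 0,                          # type, exit status
                       tv_sec, 0,                              # tv_sec, tv_usec
                       0, 0, 0, 0, 0, 0,                       # session, pad[5]
                       len(host), host.encode())               # syslen, host


def iter_records(data, byte_order=">"):
    """Yield (user, line, host, ut_type, tv_sec) for each complete record.

    A trailing partial record (for example, a file still being appended to)
    is ignored rather than raising, since the reader runs during reconciliation
    while the system is live.
    """
    size = record_size(byte_order)
    fmt = byte_order + _BODY
    for off in range(0, len(data) - size + 1, size):
        f = struct.unpack_from(fmt, data, off)
        user = f[0].split(b"\0", 1)[0].decode("ascii", "replace")
        line = f[2].split(b"\0", 1)[0].decode("ascii", "replace")
        host = f[16].split(b"\0", 1)[0].decode("ascii", "replace")
        yield user, line, host, f[4], f[7]


def last_access_dates(data, byte_order=">"):
    """Return {user: 'YYYYMMDDHHMMSSZ'} for the most recent login of each user.

    Only USER_PROCESS entries count as logins; logout (DEAD_PROCESS), boot and
    run-level records are skipped.  The timestamp is rendered in GMT in the
    generalized-time form the adapter reconciles (for example 20110102122500Z).
    """
    latest = {}
    for user, _line, _host, ut_type, tv_sec in iter_records(data, byte_order):
        if ut_type != USER_PROCESS or not user:
            continue
        if tv_sec > latest.get(user, -1):
            latest[user] = tv_sec
    return {u: datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")
            for u, t in latest.items()}


def sample_wtmpx():
    """Constructed sample file contents; not a capture from a real system."""
    return b"".join([
        pack_record("alice", "pts/1", "10.0.0.5", USER_PROCESS, 1293971100),
        pack_record("bob", "pts/2", "10.0.0.7", USER_PROCESS, 1293900000),
        pack_record("bob", "pts/2", "10.0.0.7", DEAD_PROCESS, 1293903600),
        pack_record("bob", "pts/3", "10.0.0.7", USER_PROCESS, 1300000000),
        pack_record("bob", "pts/3", "10.0.0.7", DEAD_PROCESS, 1300003600),
    ]) + b"\0" * 100   # truncated trailing record, which must be ignored


if __name__ == "__main__":
    for user, stamp in sorted(last_access_dates(sample_wtmpx()).items()):
        print(f"{user}: {stamp}")
```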
Non-login account (passwd -N) support
The adapter supports "No Password" accounts. A "No Password" account does not
have a password. Accounts without passwords cannot be used to log in to the
system interactively with commands such as login, telnet, ftp, or ssh.
The adapter supports "No Password" accounts on Solaris 10 and higher and
HP-UX Trusted and Non-Trusted operating systems.
The Is No Password Account? check box on the account form is used to enable
and disable the behavior. The possible values for this option are TRUE when
selected and FALSE when not selected. When the option is selected, the adapter
creates a "No Password" account. The adapter creates a "Password" account when
the option is not selected.
Note:
1. Password aging attributes for "No Password" accounts on HP-UX Trusted
operating systems cannot be set.
2. When the adapter runs from a sudo super user account, HP-UX systems require
that:
v /usr/sam/lbin and /usr/bin are in the user path.
v /usr/sam/lbin/usermod.sam and /usr/bin/test are in the user entry in the
sudoers file.
Attribute usage
The following examples demonstrate the usage of the attribute in various
operations:
Add
A new user account can be requested with the Is No Password Account?
option that is selected on the account form. In this case, the adapter creates
a "No Password" account on Solaris 10 and higher and HP-UX Trusted and
Non-Trusted operating systems.
Modify
When an account is modified with the option selected on the account form,
the account is set to "No Password". When the option is not selected, the
adapter sets the account to "Password". In this case, a password must also
be provided.
Note: Changing an account from No Password to Password is not
available through the UI. An error is returned: Cannot change No Password
Accounts to Password Accounts without password
This modify operation can be done only through Workflows by providing
a password along with a value of FALSE for erPosixNpAccount.
Password change
A change password request is valid for "Password" accounts only.
Suspend
The suspend operation for "No Password" accounts works similarly to that for
"Password" accounts.
Restore
The restore operation for "No Password" accounts is as follows:
v "No Password" accounts on Solaris 10 and HP-UX Trusted operating
systems can be restored. However, a password cannot be set. If a
password is supplied in the restore request, the Can't set password for
No Password Accounts error is returned.
v After a “No Password” account is restored on HP-UX Non-Trusted
systems, the resource requires a new password at the next user login.
Because of HP-UX Non-Trusted resource behavior, the adapter is not
able to distinguish a "Password" account from a “No Password” account
on subsequent reconciliation requests. Therefore, use caution when you
suspend and restore “No Password” accounts on HP-UX Non-Trusted
systems.
Reconciliation
If "Is No Password Account?" is selected on the account form, the adapter
reconciles the value for the account as TRUE. If it is not selected, the
adapter reconciles the value for the account as FALSE.
This table lists possible outcomes for "No Password" accounts during a modify
operation when either:
v A password is provided.
v The value of the "Is No Password Account?" attribute is not sent in the request.
Table 9. No Password Account possible outcomes

Each case is identified by the Password value in the request (Null or Not null)
and by the Np Account value in the request (the Is No Password Account?
attribute, erPosixNpAccount: 1/TRUE or 0/False, either Unchanged from the
current value or a Replace of it). The outcome is given for a request made from
a Work Flow and for a request made from the UI without the Password field.

PASSWORD IS PRESENT (Password: Not null)

1. Np Account 1/TRUE, Unchanged. It is already an Np Account.
   Work Flow: Fail the request as it is requesting for password change on NP
   Account.
   UI without the Password field: Fail the request as it is requesting for
   password change on NP Account.
2. Np Account 1/TRUE, Replace. Request to make Np Account (that is, from 0 to 1).
   Work Flow: Set as Np Account. Do not set the password.
   UI without the Password field: N.A. The Password and Np Account value cannot
   come together.
3. Np Account 0/False, Unchanged. Not an Np account.
   Work Flow: Set Password for the account.
   UI without the Password field: Set Password for the account.
4. Np Account 0/False, Replace. Request to make password Account from Np Account
   (that is, from 1 to 0).
   Work Flow: Set as Password account by setting the password.
   UI without the Password field: WARNING: Cannot set as password account. No
   means to get the password here.

PASSWORD IS NOT PRESENT (Password: Null)

5. Np Account 1/TRUE, Unchanged. It is already an Np Account.
   Work Flow: Do other modify operations.
   UI without the Password field: Do other modify operations.
6. Np Account 1/TRUE, Replace. Request to make Np Account (that is, from 0 to 1).
   Work Flow: Set as Np Account.
   UI without the Password field: Set as Np Account.
7. Np Account 0/False, Unchanged. Not an Np account.
   Work Flow: Do other modify operations.
   UI without the Password field: Do other modify operations.
8. Np Account 0/False, Replace. Request to make password Account from Np Account
   (that is, from 1 to 0).
   Work Flow and UI without the Password field: Cannot change to Password
   account without providing the password.
Password management for account restoration
When an account is restored from being previously suspended, you are prompted
to supply a new password for the reinstated account.
However, in some cases you might not want to be prompted for a password. The
password requirement to restore an account falls into two categories: allowed and
required.
How each restore action interacts with its corresponding managed resource
depends on either the managed resource, or the business processes that you
implement. Certain resources reject a password when a request is made to restore
an account. In this case, you can configure IBM Security Identity Manager to
forgo the new password requirement. You can set the adapter to require a new
password if your company requires that passwords are reset when accounts are
restored.
The adapter profile JAR file contains a service.def file. In the service.def file,
you can define whether a password is required as a new protocol option. When
you import the adapter profile, if an option is not specified, the adapter profile
importer determines the correct restoration password behavior from the
schema.dsml file. Adapter profile components enable remote services to determine
whether you discard a password that the user entered while multiple accounts on
disparate resources are being restored. In this scenario, only some of the accounts
that are being restored might require a password. Remote services discard the
password from the restore action for those managed resources that do not require
them.
Edit the <properties>...</properties> section of the service.def file to add the
new protocol options, for example:
<property name="com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE">
<value>true</value>
</property>
<property name="com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE">
<value>false</value>
</property>
By adding the two options in the preceding example, you are ensuring that you
are not prompted for a password when an account is restored.
Note: Before you set the property PASSWORD_NOT_REQUIRED_ON_RESTORE to true,
ensure that the operating system supports restoring of an account without a
password.
Language pack installation
The adapters use a separate language package from the IBM Security Identity
Manager.
See the IBM Security Identity Manager library and search for information about
installing the adapter language pack.
Verifying that the adapter is working correctly
After you install and configure the adapter, take steps to verify that the installation
and configuration are correct.
Procedure
1. Test the connection for the service that you created on IBM Security Identity
Manager.
2. Run a full reconciliation from IBM Security Identity Manager.
3. Run all supported operations such as add, modify, and delete on one user
account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are
reported.
5. Verify the IBM Security Identity Manager log file trace.log to ensure that no
errors are reported when you run an adapter operation.
Chapter 6. Adapter error troubleshooting
Troubleshooting can help you determine why a product does not function properly.
Use the following information and techniques to identify and resolve problems
with the adapter. There is also information about troubleshooting errors that might
occur during the adapter installation.
Techniques for troubleshooting problems
Troubleshooting is a systematic approach to solving a problem. The goal of
troubleshooting is to determine why something does not work as expected and
how to resolve the problem. Certain common techniques can help with the task of
troubleshooting.
The first step in the troubleshooting process is to describe the problem completely.
Problem descriptions help you and the IBM technical-support representative know
where to start to find the cause of the problem. This step includes asking yourself
basic questions:
v What are the symptoms of the problem?
v Where does the problem occur?
v When does the problem occur?
v Under which conditions does the problem occur?
v Can the problem be reproduced?
The answers to these questions typically lead to a good description of the problem,
which can then lead you to a problem resolution.
What are the symptoms of the problem?
When you start to describe a problem, the most obvious question is “What is the
problem?” This question might seem straightforward; however, you can break it
down into several more-focused questions that create a more descriptive picture of
the problem. These questions can include:
v Who, or what, is reporting the problem?
v What are the error codes and messages?
v How does the system fail? For example, is it a loop, hang, crash, performance
degradation, or incorrect result?
Where does the problem occur?
Determining where the problem originates is not always easy, but it is one of the
most important steps in resolving a problem. Many layers of technology can exist
between the reporting and failing components. Networks, disks, and drivers are
only a few of the components to consider when you are investigating problems.
The following questions help you to focus on where the problem occurs to isolate
the problem layer:
v Is the problem specific to one operating system, or is it common across multiple
operating systems?
v Are the current environment and configuration supported?
v Do all users have the problem?
v (For multi-site installations.) Do all sites have the problem?
If one layer reports the problem, the problem does not necessarily originate in that
layer. Part of identifying where a problem originates is understanding the
environment in which it exists. Take some time to completely describe the problem
environment, including the operating system and version, all corresponding
software and versions, and hardware information. Confirm that you are running
within an environment that is a supported configuration. Many problems can be
traced back to incompatible levels of software that are not intended to run together
or are not fully tested together.
When does the problem occur?
Develop a detailed timeline of events that lead up to a failure, especially for those
cases that are one-time occurrences. You can most easily develop a timeline by
working backward: Start at the time an error was reported (as precisely as possible,
even down to the millisecond), and work backward through the available logs and
information. Typically, you must look only as far as the first suspicious event that
you find in a diagnostic log.
To develop a detailed timeline of events, answer these questions:
v Does the problem happen only at a certain time of day or night?
v How often does the problem happen?
v What sequence of events leads up to the time that the problem is reported?
v Does the problem happen after an environment change, such as upgrading or
installing software or hardware?
Responding to these types of questions can give you a frame of reference in which
to investigate the problem.
Under which conditions does the problem occur?
Knowing which systems and applications are running at the time that a problem
occurs is an important part of troubleshooting. These questions about your
environment can help you to identify the root cause of the problem:
v Does the problem always occur when the same task is being done?
v Does a certain sequence of events happen for the problem to occur?
v Do any other applications fail at the same time?
Answering these types of questions can help you explain the environment in
which the problem occurs and correlate any dependencies. Multiple problems
might occur around the same time, but they are not necessarily related.
Can the problem be reproduced?
From a troubleshooting standpoint, the ideal problem is one that can be
reproduced. Typically, when a problem can be reproduced you have a larger set of
tools or procedures at your disposal to help you investigate. Problems that you can
reproduce are often easier to debug and solve.
However, problems that you can reproduce can have a disadvantage: If the
problem is of significant business impact, you do not want it to recur. If possible,
re-create the problem in a test or development environment, which typically offers
you more flexibility and control during your investigation.
v Can the problem be re-created on a test system?
v Do multiple users or applications encounter the same type of problem?
v Can the problem be re-created by running a single command, a set of
commands, or a particular application?
For information about obtaining support, see Appendix F, “Support information,”
on page 99.
Warning and error messages
A warning or error might be displayed in the user interface. The message provides
information that the user must know about the adapter or when an error occurs.
Table 10 contains warnings or errors that might be displayed on the user interface
if the adapter is installed on your workstation.
Table 10. Warning and error messages

Warning or error message:
  The following error occurred - Error Description.
Corrective action:
  IBM Security Identity Manager cannot establish a connection with IBM Tivoli
  Directory Integrator. To fix this problem, ensure that:
  v Tivoli Directory Integrator is running
  v The URL specified on the service form for IBM Tivoli Directory Integrator is
    correct

Warning or error message:
  The login credential is missing or incorrect.
Corrective action:
  You must provide correct information for the adapter to function properly. To fix
  this problem, ensure that:
  v The managed resource is functioning properly and that you are connected to the
    correct resource
  v The Managed Resource Location that is specified on the service form is correct
  v The administrator ID specified on the service form is correct
  v The administrator password that is specified on the service form is correct
  v SSH is enabled and running on the managed resource

Warning or error message:
  The account exists.
Corrective action:
  The user is already added to the resource. This error might occur if you are
  attempting to add a user to the managed resource and IBM Security Identity
  Manager is not synchronized with the resource. To fix this problem, schedule a
  reconciliation between IBM Security Identity Manager and the resource. See the
  online help for information about scheduling a reconciliation.

Warning or error message:
  v The adapter does not have permission to add an account.
  v The adapter does not have permission to modify an account.
  v The adapter does not have permission to delete an account.
Corrective action:
  The administrator ID specified on the service form does not have permissions to
  add, modify, or delete the account. To fix this problem, do one of these steps:
  v Assign the correct privileges to the current administrator ID
  v Change the administrator ID to an administrator ID that has the correct
    privileges.

Warning or error message:
  v The required attributes are missing from the request.
  v There were no attributes that were passed to the adapter in the request.
  v One or more required attributes are missing in the request.
Corrective action:
  One or more required attributes were not provided when you attempted to add,
  modify, delete, or search for a user. Type the required attributes for each field
  and try the action again.

Warning or error message:
  v A system error occurred adding an account. The account was not added.
  v A system error occurred modifying an account. The account was not changed.
  v A system error occurred deleting an account. The account was not deleted.
  v The search failed because of a system error.
Corrective action:
  This error might occur for several reasons. To fix this problem, ensure that:
  v The administrator ID specified on the service form is correct.
  v The administrator password that is specified on the service form is correct.
  v The administrator ID has the correct privileges to add, modify, or delete a
    user account.
  v The network connection is not slow between IBM Security Identity Manager and
    IDI or IDI and the managed resource.

Warning or error message:
  CTGIMT022E The search failed because of a system error: Error running script
  with Failed value:126
Corrective action:
  Verify that the sudo user configuration file does not contain syntax errors.

Warning or error message:
  v The account was added but some attributes failed.
  v The account was modified but some attributes failed.
  v The account was deleted successfully, but other steps failed.
Corrective action:
  The account was created, modified, or deleted, but some of the specified
  attributes in the request were not set. See the list of attributes that failed
  and the error message that explains why the attribute failed. Correct the errors
  that are associated with each attribute and try the action again.
  Note: Review the documentation for the operating system of the managed resource
  to determine the correct values for some attributes.

Warning or error message:
  v The user cannot be modified because it does not exist.
  v An error occurred deleting the account because the account does not exist.
Corrective action:
  This error might occur when you attempt to modify or delete a user. This error
  might also occur if you attempt to change the password for a user. To fix the
  problem, ensure that:
  v The location that is specified for the managed resource is correct.
  v The user was created on the resource.
  v The user was not deleted from the resource.
  If the user does not exist on the resource, create the user on the resource and
  then schedule a reconciliation. See the online help for information about
  scheduling a reconciliation.

Warning or error message:
  v Search filter error.
  v Invalid search filter.
Corrective action:
  The filter that is specified in the search request is not correct. Specify the
  correct filter and try the search action again.

Warning or error message:
  The account is already suspended.
Corrective action:
  This error might occur if you attempt to suspend an account that was already
  suspended.

Warning or error message:
  The account was not suspended.
Corrective action:
  The request failed to suspend the account. To fix this problem, ensure that:
  v The specified administrator ID is correct.
  v The specified administrator password is correct.
  v The administrator has the necessary privileges to suspend an account.
  v The user exists on the specified managed resource.
  See the ibmdi.log file in the solutions directory of the IBM Tivoli Directory
  Integrator for specific details about the error.

Warning or error message:
  The account is already restored.
Corrective action:
  This error might occur if you attempt to restore an account that was already
  restored.

Warning or error message:
  The account was not restored.
Corrective action:
  The request failed to restore the account. To fix this problem, ensure that:
  v The specified administrator ID is correct.
  v The specified administrator password is correct.
  v The administrator has the necessary privileges to restore an account.
  v The user exists on the specified managed resource.
  See the ibmdi.log file in the solutions directory of the IBM Tivoli Directory
  Integrator for specific details about the error.

Warning or error message:
  The reconciliation is successful, but no accounts were added to your service.
Corrective action:
  v On the service form, check or clear the Use a Shadow File check box.
  v Check the IDI log to ensure that there is no mismatch for shadow file usage.

Warning or error message:
  The application cannot establish a connection to hostname.
Corrective action:
  Ensure that SSH is enabled on the managed resource and that the managed resource
  is operational and attached to the network.

Warning or error message:
  Attribute names are not displayed in the user interface.
Corrective action:
  For IBM Security Identity Manager to refresh the list of attribute names, you
  must either:
  v Stop and restart the IBM Security Identity Manager server.
  v Wait until the cache times out (up to 10 minutes).

Warning or error message:
  Adapter profile is not displayed in the user interface after you install the
  profile.
Corrective action:
  For IBM Security Identity Manager to refresh the list of attribute names, you
  must either:
  v Stop and restart the IBM Security Identity Manager server.
  v Wait until the cache times out (up to 10 minutes).

Warning or error message:
  The group cannot be added because it exists.
Corrective action:
  This error occurs when a request is made to add a group that exists. Create a
  group with another group name.

Warning or error message:
  The group cannot be added because a group with the GID Group ID number exists.
Corrective action:
  This error occurs when a request is made to add a group with a group ID number
  that exists. Create a group with another group ID number.

Warning or error message:
  The group Group name cannot be modified or deleted because it does not exist.
Corrective action:
  This error occurs when a request is made to modify or delete a group that does
  not exist on the managed resource. Do a reconciliation operation to ensure that
  the group exists on the managed resource.

Warning or error message:
  An error occurred creating, modifying, or deleting the Group name group. The
  application cannot establish a connection to managed resource.
Corrective action:
  Ensure that these conditions are true.
  v The name in the Administrator name field on the service form is specified
    correctly.
  v The value of the Password attribute on the service form is specified
    correctly.
  v The managed resource is operational and connected to the network.

Warning or error message:
  The IBM Tivoli Directory Integrator detected the following error. Error:
  Connector parameter executeUserProfile has a value that is not valid: true.
Corrective action:
  Clear the Execute user profile? check box for the service that is used in the
  operation.

Warning or error message:
  Sudo message: sudo: sorry, you must have a tty to run sudo
Corrective action:
  Comment out the line Defaults requiretty in the sudouser file.
Solving adapter installation and operational problems
You can obtain information that might be helpful in troubleshooting adapter
installation and operational problems.
About this task
The term "adapter user name" is used throughout this procedure. The "adapter
user name" is the UNIX account that is supplied on the IBM Security Identity
Manager service form for the administrator name. This account is the account that
is used by the adapter to open a connection to the target workstation.
Note: The following steps are written for the AIX operating system and must be
updated with correct commands for other UNIX or Linux operating systems.
Procedure
1. Set the log level to Debug. See the IBM Security Dispatcher Installation and
Configuration Guide. If possible, get only the log file with the failed request.
2. Get the software versions from the log files. Perform the following searches:
Table 11. Search strings for software versions
Software: Log file search string
Dispatcher: "RMIDispatcherImpl: Starting"
Assembly line: "UNIX/Linux Adapter AL version"
Posix connector: "Loaded com.ibm.di.connector.osconnector.PosixConnector"
RXA library: "RXA Version"
3. Get the operating system version. On an AIX workstation, issue the commands:
% instfix -i | grep AIX_ML
% oslevel -q -s
4. Ensure that OpenSSH version 4.7 or later is installed. Other versions of
OpenSSH might function properly with this adapter; however, if an issue is
traced to OpenSSH, you might need to update your OpenSSH version to get
support.
5. For OpenSSH configuration issues, do the following steps:
a. Ensure that the UsePrivilegeSeparation attribute is set to yes in the
sshd_config file. The default value of UsePrivilegeSeparation is yes. If it is
set to no, the adapter account is locked.
b. Ensure that the ClientAliveInterval attribute in the sshd_config file is
either commented out or set to 0. The default value of ClientAliveInterval
is 0.
6. On a remote workstation, issue the following ssh command and capture the
results.
% ssh username@ip-address "ssh -V"
If sudo is used, issue these commands:
% ssh username@ip-address "sudo ls /tmp"
% ssh username@ip-address "which sudo"
The username is the adapter user name. The ip-address is the IP address of the
UNIX system that is being managed.
7. For reconciliation issues, do the following steps:
a. Copy the AIXPConnRes.sh reconciliation file from the adapter solution
directory to the AIX /tmp directory.
b. Log in to the AIX system with the "adapter user name".
c. Change the directory to the /tmp directory.
d. Ensure that you have execute permission on the AIXPConnRes.sh file, for
example: chmod 777 AIXPConnRes.sh.
e. Run the following command and save the recon.out file:
AIXPConnRes.sh "grep -e :" true > recon.out 2>&1
For Linux systems, depending on the command that is specified on the
service form for the Command used to query failed logins field, use one of
these commands:
LinuxPConnRes.sh "grep -e :" true : "faillog -u %USER%"
LinuxPConnRes.sh "grep -e :" true : "faillock --user %USER%"
LinuxPConnRes.sh "grep -e :" true : "pam_tally2 --user %USER%"
If sudo is not used, replace the value true with false. False is the value for
the root user.
All reconciliation files are in the adapter solution directory. The following
table lists the names of the reconciliation files for various operating systems.
Table 12. Reconciliation file names
Platform: Reconciliation file name
AIX file system: AIXPConnRes.sh
HPUX not trusted: HPNTrustPConnRes.sh
HPUX trusted: HPTrustPConnRes.sh
Linux no shadow: LinuxPConnRes.sh
Linux with shadow: LinuxShadowPConnRes.sh
Solaris: SolarisPConnRes.sh
8. For sudo issues, do the following steps:
a. Verify the sudo setup per the installation guide. See Appendix C, "Super user
creation on a supported operating system," on page 73.
b. Use the adapter user name to log in to the target system.
c. Use sudo to run manual commands on the target system. For example:
sudo mkuser test1
sudo passwd test1
sudo rmuser test1
9. For ssh issues, use ssh and sudo to run manual commands on the target system.
For example, log in to a system that has connectivity to the target system and
issue the commands:
For sudo users
ssh user@target "sudo mkuser test1"
ssh user@target "sudo passwd test1"
ssh user@target "sudo rmuser test1"
For nonsudo users
ssh user@target "mkuser test1"
ssh user@target "passwd test1"
ssh user@target "rmuser test1"
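As an added illustration of steps 2, 5 and 8 above and of the "Defaults requiretty" row in Table 10 (this script is not part of the adapter or of IBM's tooling), the following POSIX shell helper checks the two sshd_config directives, looks for an active Defaults requiretty line in a sudoers file, and pulls the Table 11 version strings out of a log. All input files are constructed samples written to a temporary directory, and the version values in the sample log are placeholders.

```shell
#!/bin/sh
# Added diagnostic helper for the troubleshooting procedure above (not IBM code).
# It checks the sshd_config conditions from step 5, the "Defaults requiretty"
# sudoers line from Table 10, and extracts the Table 11 version strings from a log.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config: privilege separation off and a non-zero keepalive,
# i.e. both conditions that the procedure says break the adapter.
cat > "$WORK/sshd_config.bad" <<'EOF'
# Sample sshd_config (constructed)
Port 22
UsePrivilegeSeparation no
ClientAliveInterval 300
#ClientAliveInterval 0
EOF

# Constructed sshd_config that relies on the defaults (both directives commented).
cat > "$WORK/sshd_config.good" <<'EOF'
Port 22
#UsePrivilegeSeparation yes
#ClientAliveInterval 0
EOF

# Constructed sudoers fragments: one with requiretty active, one commented out.
printf 'Defaults    requiretty\nadapter ALL=(ALL) NOPASSWD: ALL\n' > "$WORK/sudoers.bad"
printf '#Defaults    requiretty\nadapter ALL=(ALL) NOPASSWD: ALL\n' > "$WORK/sudoers.good"

# Constructed log excerpt carrying the Table 11 search strings (versions are placeholders).
cat > "$WORK/ibmdi.log" <<'EOF'
... RMIDispatcherImpl: Starting dispatcher (VERSION_PLACEHOLDER)
... UNIX/Linux Adapter AL version VERSION_PLACEHOLDER
... Loaded com.ibm.di.connector.osconnector.PosixConnector
... RXA Version VERSION_PLACEHOLDER
... CTGIMT022E The search failed because of a system error
EOF

# sshd_effective FILE KEYWORD: prints the effective value of a directive.
# sshd uses the first uncommented occurrence of a keyword (keywords are
# case-insensitive), so later duplicates and commented lines are ignored.
sshd_effective() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# check_sshd_config FILE: returns 0 when both step-5 conditions hold, else 1,
# printing one line per violated condition.
check_sshd_config() {
    rc=0
    ups=$(sshd_effective "$1" UsePrivilegeSeparation)
    if [ -z "$ups" ]; then ups=yes; fi        # default when the directive is absent
    if [ "$ups" = no ]; then
        echo "UsePrivilegeSeparation is no: the adapter account will be locked"
        rc=1
    fi
    cai=$(sshd_effective "$1" ClientAliveInterval)
    if [ -z "$cai" ]; then cai=0; fi          # default when commented out or absent
    if [ "$cai" != 0 ]; then
        echo "ClientAliveInterval is $cai: comment it out or set it to 0"
        rc=1
    fi
    return $rc
}

# check_requiretty FILE: returns 1 when an active "Defaults requiretty" line is
# present (the cause of "sudo: sorry, you must have a tty to run sudo").
# A negated "!requiretty" or a commented line does not match.
check_requiretty() {
    if grep -qE '^[[:space:]]*Defaults[^#]*[[:space:],]requiretty([[:space:],]|$)' "$1"; then
        echo "active 'Defaults requiretty' found in $1: comment it out"
        return 1
    fi
    return 0
}

# log_versions FILE: prints the log lines that carry the component versions
# listed in Table 11, in the table's order.
log_versions() {
    for s in 'RMIDispatcherImpl: Starting' \
             'UNIX/Linux Adapter AL version' \
             'Loaded com.ibm.di.connector.osconnector.PosixConnector' \
             'RXA Version'; do
        grep -F -- "$s" "$1"
    done
}

# Demonstration run over the constructed files.
check_sshd_config "$WORK/sshd_config.bad"  || echo "sshd_config.bad: FAIL"
check_sshd_config "$WORK/sshd_config.good" && echo "sshd_config.good: OK"
check_requiretty  "$WORK/sudoers.bad"      || echo "sudoers.bad: FAIL"
check_requiretty  "$WORK/sudoers.good"     && echo "sudoers.good: OK"
log_versions "$WORK/ibmdi.log"
```

On a real system, point the functions at /etc/ssh/sshd_config, the sudoers file, and the ibmdi.log in the Tivoli Directory Integrator solutions directory instead of the constructed samples.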
Known adapter issues
You can use information about permissions, passwords, and other data to correct
known issues with the adapter.
/tmp directory permissions
The permissions for the /tmp directory on the managed resource must be set to 777
to do the reconciliation operation by using the sudo user.
Home directory permissions
The adapter requires home directory permissions that are set to 755 to set the
umask value.
The sudo user must have permissions on the home directory of the user whose
umask value is added or changed. Otherwise, the adapter might not work as
expected.
HP-UX password age issues
The password age attributes have certain restrictions for HP-UX Trusted and
Non-Trusted systems.
The HP-UX Non-Trusted operating system sets password MAX_AGE and MIN_AGE to
-1 during account creation if no values are supplied. However, on a modify
operation, the operating system does not allow -1 for password MIN_AGE. The
adapter account form is modified with a constraint on password MIN_AGE that
prevents the user from entering a value less than 0.
The HP-UX Trusted operating system sets password MAX_AGE and MIN_AGE to 0
during account creation if no values are supplied. The operating system does not
allow -1 for password MIN_AGE and MAX_AGE. The adapter account form is modified
with a constraint on password MIN_AGE that prevents the user from entering a
value less than 0. No constraint exists on password MAX_AGE because it can be -1
for HP-UX Non-Trusted operating systems.
The following attributes cannot be managed on HP-UX Non-Trusted systems:
v password warning age
v maximum number of days the account can remain valid after the password
expires (for AIX systems the duration is specified in weeks)
v number of days the account can remain idle
v allowed number of login retries before locking the account
v account expiration date
No support for adding the primary group of a user to the secondary groupset of the user
SUSE Linux and Solaris operating systems do not support adding the primary
group of a user to the secondary groupset of the user.
The UNIX and Linux Adapter cannot support a function that is not supported by
the operating system. If you attempt to add the primary group to the secondary
groupset of the user, the operation fails on SUSE Linux and Solaris systems.
Although the primary group is not added, no error message is returned. The
command that is used for this function does not generate an error message.
Chapter 7. Adapter upgrade
Upgrading the adapter involves tasks such as upgrading the connector, dispatcher,
and the existing adapter profile.
To verify the required version of these adapter components, see the adapter release
notes.
Connector upgrade
The new adapter package might require you to upgrade the connector.
Before you upgrade the connector, verify the version of the connector.
v If the connector version mentioned in the release notes is later than the existing
version on your workstation, install the connector.
v If the connector version mentioned in the release notes is the same or earlier
than the existing version, do not install the connector.
Note: Stop the dispatcher service before upgrading the connector and start it
again after the upgrade is complete.
Dispatcher upgrade
The new adapter package might require you to upgrade the Dispatcher.
Before you upgrade the dispatcher, verify the version of the dispatcher.
v If the dispatcher version mentioned in the release notes is later than the existing
version on your workstation, install the dispatcher.
v If the dispatcher version mentioned in the release notes is the same or earlier
than the existing version, do not install the dispatcher.
Note: Stop the dispatcher service before upgrading the dispatcher and start it
again after the upgrade is complete.
Upgrade of an existing adapter profile
Read the adapter release notes for any specific instructions before you import a
new adapter profile on IBM Security Identity Manager.
See “Importing the adapter profile into the IBM Security Identity Manager server”
on page 11.
Note: Restart the dispatcher service after you import the profile. Restarting the
dispatcher clears the assembly lines cache and ensures that the dispatcher runs the
assembly lines from the updated adapter profile.
Chapter 8. Adapter uninstallation
You can uninstall the UNIX and Linux Adapter completely.
v Uninstall the adapter from the IBM Tivoli Directory Integrator server.
v Remove the adapter profile from the IBM Security Identity Manager server.
Uninstalling the adapter from the Tivoli Directory Integrator server
When the adapter is installed, the JAR file that is required for uninstalling the
adapter is created in the ITDI_HOME/PosixAdapterUninstall directory.
Procedure
1. Stop the adapter service. See “Adapter service start, stop, and restart” on page
11.
2. Run the PosixAdapterUninstall.jar file from the PosixAdapterUninstall directory.
If you run the command from a different directory, you must specify the full
file path to the uninstaller.jar file.
TDI_HOME/jvm/jre/bin/java -jar uninstaller.jar
Adapter profile removal from the IBM Security Identity Manager server
Before you remove the adapter profile, ensure that no objects exist on your IBM
Security Identity Manager server that reference the adapter profile.
Examples of objects on the IBM Security Identity Manager server that can reference
the adapter profile are:
v Adapter service instances
v Policies referencing an adapter instance or the profile
v Accounts
For specific information about removing the adapter profile, see the IBM Security
Identity Manager product documentation.
Chapter 9. Adapter reinstallation
There are no special considerations for reinstalling the adapter. You are not
required to remove the adapter before reinstalling.
For more information, see Chapter 7, “Adapter upgrade,” on page 51.
Appendix A. Adapter attributes
The IBM Security Identity Manager server communicates with the adapter by
using attributes that are included in transmission packets that are sent over a
network.
The combination of attributes depends on the type of action that the IBM Security
Identity Manager server requests from the adapter.
Table 13. Account form attributes, descriptions, permissions, and applicable operating systems

erUid
  Description: Specifies the login name and user name.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixUid
  Description: Specifies the user ID.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixDupUid
  Description: Specifies that a non-unique ID can be assigned to the user.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixSudoersPath
  Description: Specifies the path to the sudoers file on the resource.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixSudoPrivileges
  Description: Specifies the sudo privileges for the user or group that is associated with the account.
  Permissions: Read
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixReturnSudoPrivileges
  Description: Specifies whether to return sudo privileges during account reconciliation.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPassword
  Description: Specifies the password for the account.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixForcePwdChange
  Description: Specifies whether the user is required to change the login password upon next login.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixMaxPwdAge
  Description: Specifies the maximum age for a password.
  Permissions: Read and Write
  Operating systems: AIX, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixMinPwdAge
  Description: Specifies the minimum age for a password.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPwdMaxRepeats
  Description: Specifies the maximum repeated characters that are allowed in a password.
  Permissions: Read and Write
  Operating systems: AIX, Linux Shadow, HP-UX-Trusted, Solaris

erPosixPwdWarnAge
  Description: Specifies the age of a password before a message that warns the user about password expiration is sent.
  Permissions: Read and Write
  Operating systems: AIX, Linux Shadow, HP-UX-Trusted, Solaris

erPosixPwdLastChange
  Description: Specifies the date on which a password was last changed.
  Permissions: Read
  Operating systems: Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixExpireDate
  Description: Specifies the date on which the account expires.
  Permissions: Read and Write
  Operating systems: AIX, Linux Shadow, HP-UX-Nontrusted, Solaris

erPosixIdleDays
  Description: Specifies the number of days the account can remain idle before the account is suspended.
  Permissions: Read and Write
  Operating systems: HP-UX-Trusted, Solaris

erPosixGecos
  Description: Specifies a descriptive comment for the user account.
    Note: The back quotation mark character (`) is not allowed.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPrimaryGroup
  Description: Specifies the primary group for the user.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixSecondGroup
  Description: Specifies the secondary groups for the user.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixHomeDir
  Description: Specifies the home directory for the user.
    Note: The back quotation mark character (`) and the semicolon (;) are not allowed.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixDefaultHomeDir
  Description: Specifies to create a home directory while the account is created. This attribute does not apply to RHEL.
  Permissions: Read and Write
  Operating systems: Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixNPAaccount
  Description: Specifies that the account has no password.
  Permissions: Read and Write
  Operating systems: HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPerHomeDir
  Description: Specifies the permissions for the home directory.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixShell
  Description: Specifies the login shell of the user.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixUmask
  Description: Specifies the umask.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixLastAccessDate
  Description: Specifies the date on which the account was last accessed.
  Permissions: Read
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixAT
  Description: Specifies whether AT jobs are allowed.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixCron
  Description: Specifies whether CRON jobs are allowed.
  Permissions: Read and Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPwdMaxAge
  Description: Specifies the maximum amount of time that a password can be changed after the maximum password age.
  Permissions: Read and Write
  Operating systems: AIX, Linux Shadow, HP-UX-Trusted

erPosixKillUserProcess
  Description: Specifies whether to end the user sessions when a suspend user request is processed.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixCopyAdpFilesTo
  Description: Specifies an alternative directory location to store the adapter scripts. The default location is /tmp.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPreExec
  Description: Specifies a user-defined command to run before a resource request.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPreExecRunOption
  Description: Specifies to run a resource request only if a pre-exec command succeeds.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPostExec
  Description: Specifies a user-defined command to run after a resource request.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixPostExecRunOption
  Description: Specifies to run a user-defined post-exec command only if the resource command succeeds.
  Permissions: Write
  Operating systems: AIX, Linux NonShadow, Linux Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixAdminUser
  Description: Specifies whether the password belongs to an administrator.
  Permissions: Read and Write
  Operating systems: AIX

erPosixAuth1
  Description: Specifies the primary authorization methods for a user.
  Permissions: Read and Write
  Operating systems: AIX

erPosixAuth2
  Description: Specifies the secondary authorization methods for a user.
  Permissions: Read and Write
  Operating systems: AIX

erPosixDaemonAllowed
  Description: Specifies whether the user is allowed to run daemon processes.
  Permissions: Read and Write
  Operating systems: AIX

erPosixLoginRetries
  Description: Specifies the maximum number of unsuccessful logins that are allowed before the account is locked.
  Permissions: Read and Write
  Operating systems: AIX, Suse Linux, HP-UX-Trusted, HP-UX-Nontrusted, Solaris

erPosixSuGroup
  Description: Specifies the groups whose members can use the su command to switch to this user.
  Permissions: Read and Write
  Operating systems: AIX

erPosixAdmGroups
  Description: Specifies the groups for which the user is an administrator.
  Permissions: Read and Write
  Operating systems: AIX

erPosixRoles
  Description: Specifies the roles that the user is assigned.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSuAllowed
  Description: Specifies whether another user can switch to this user with the su command.
  Permissions: Read and Write
  Operating systems: AIX

erPosixRLoginAllowed
  Description: Specifies whether the user is allowed to log in remotely with the telnet or rlogin commands.
  Permissions: Read and Write
  Operating systems: AIX

erPosixLoginAllowed
  Description: Specifies whether the user is allowed to log in to the system with the login command.
  Permissions: Read and Write
  Operating systems: AIX

erAccountStatus
  Description: Specifies the status of the account.
  Permissions: Read and Write
  Operating systems: AIX

erPosixAuditClasses
  Description: Specifies the list of audit classes for a user.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftCore
  Description: Specifies the soft limit, any value less than the maximum, for the largest core file a user process can create.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardCore
  Description: Specifies the largest core file a user process can create.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftCPU
  Description: Specifies the soft limit, any value less than the maximum, for the largest amount of system unit time a user process can use. The time is specified in seconds.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardCPU
  Description: Specifies the largest amount of system unit time a user process can use. The time is specified in seconds.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftData
  Description: Specifies the soft limit, any value less than the maximum, for the largest data segment that a user process can contain.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardData
  Description: Specifies the limit for the largest data segment that a user process can contain.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftFileSize
  Description: Specifies the soft limit, any value less than the maximum, for the largest file a user process can create.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardFileSize
  Description: Specifies the limit for the largest file a user process can create.
  Permissions: Read and Write
  Operating systems: AIX

erPosixLoginTimes
  Description: Specifies the days and times a user is allowed to log in.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftStack
  Description: Specifies the soft limit, any value less than the maximum, for the largest stack segment for a user process.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardStack
  Description: Specifies the limit for the largest stack segment for a user process.
  Permissions: Read and Write
  Operating systems: AIX

erPosixTrustedPath
  Description: Specifies the trusted path status of the user.
  Permissions: Read and Write
  Operating systems: AIX

erPosixAuthGrammar
  Description: Specifies the user authentication method.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdMinAlphaChar
  Description: Specifies the minimum number of alphabetic characters in a password.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdMinOtherChar
  Description: Specifies the minimum number of non-alphabetic characters in a password.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdMinDiff
  Description: Specifies the minimum difference in characters that are allowed between passwords.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdMinLen
  Description: Specifies the minimum length for a password.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdCheck
  Description: Specifies whether to check the password in a dictionary.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdDiction
  Description: Specifies the dictionary files to check for the password.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdHistory
  Description: Specifies the number of passwords to be remembered before reuse.
  Permissions: Read and Write
  Operating systems: AIX

erPosixPwdHistoryExpire
  Description: Specifies the number of weeks that must pass before the password history is erased.
  Permissions: Read and Write
  Operating systems: AIX

erPosixValidTtys
  Description: Specifies the terminal types through which the user can log in.
  Permissions: Read and Write
  Operating systems: AIX

erPosixRegistry
  Description: Specifies the registry to be used for authentication.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftRss
  Description: Specifies the soft limit, any value less than the maximum, for the largest amount of physical memory that can be allocated by a user process. This limit is not enforced by the system.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardRss
  Description: Specifies the largest amount of physical memory that can be allocated by a user process. This limit is not enforced by the system.
  Permissions: Read and Write
  Operating systems: AIX

erPosixSoftNoFiles
  Description: Specifies the soft limit, any value less than the maximum, for the number of file descriptors a user process can have open at one time.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHardNoFiles
  Description: Specifies the maximum number of file descriptors a user process can have open at one time.
  Permissions: Read and Write
  Operating systems: AIX

erPosixHostsAllowedLogin
  Description: Specifies the workstations to which a user can log in.
  Permissions: Read and Write
  Operating systems: AIX

erPosixerPosixHostsDeniedLogin
  Description: Specifies the workstations to which a user cannot log in.
  Permissions: Read and Write
  Operating systems: AIX

erPosixDelUserInUse
  Description: Specifies whether to end the user processes when a delete account request is processed.
  Permissions: Read and Write
  Operating systems: Linux NonShadow, Linux Shadow
Group form attributes
The IBM Security Identity Manager server communicates with the adapter for
group management by using specific attributes.
Table 14 lists the attributes that are used by the adapter. The table also gives the
permissions that are needed for the attribute.
Table 14. Group form attributes
Columns: attribute name on the UNIX and Linux operating systems group form on IBM
Security Identity Manager; permissions; supported operating systems (AIX, HP-UX,
Linux, Solaris). A check mark (✓) marks a supported operating system.
Group name: Read and Write; ✓ ✓ ✓ ✓
Group ID number: Read and Write; ✓ ✓ ✓ ✓
Administrator group: Read and Write; ✓
Group administrators: Read and Write; ✓
Group projects: Read and Write; ✓
Allow duplicate group IDs: Write; ✓ ✓ ✓
Sudo privileges: Read; ✓ ✓ ✓
Attributes by UNIX and Linux Adapter actions
Typical adapter actions can be listed by their functional transaction group.
The following lists include more information about required and optional attributes
that are sent to the adapter to complete that action.
System Login Add
A System Login Add is a request to create a user account with the specified
attributes.
Table 15. Add request attributes for AIX, HPUX, Linux, and Solaris
Required attribute: erUid
Optional attribute: All other supported attributes
System Login Change
A System Login Change is a request to change one or more attributes for the
specified users.
Table 16. Change request attributes for AIX, HPUX, Linux, and Solaris
Required attribute | Optional attribute
erUid | All other supported attributes
System Login Delete
A System Login Delete is a request to remove the specified user from the directory.
Table 17. Delete request attributes for AIX and Solaris
Required attribute | Optional attribute
erUid | erPosixHomeDirRemove
Table 18. Delete request attributes for HPUX and Linux
Required attribute | Optional attribute
erUid | erPosixHomeDirRemove, erPosixUseShadow
System Login Suspend
A System Login Suspend is a request to disable a user account. The user is not
removed and the account attributes are not modified.
Table 19. Suspend request attributes for AIX and Solaris
Required attribute | Optional attribute
erUid, erAccountStatus | erPosixHomeDirRemove, erPosixKillUserProcess
Table 20. Suspend request attributes for HP-UX and Linux
Required attribute | Optional attribute
erUid, erAccountStatus | erPosixHomeDirRemove, erPosixUseShadow, erPosixKillUserProcess
System Login Restore
A System Login Restore is a request to activate a user account that was previously
suspended. After an account is restored, the user can access the system with the
same attributes as the ones before the Suspend function was called.
Table 21. Restore request attributes for AIX
Required attribute | Optional attribute
erUid, erAccountStatus | erPosixHomeDirRemove
Table 22. Restore request attributes for Solaris
Required attribute | Optional attribute
erUid, erAccountStatus | erPosixHomeDirRemove, erPassword
Test
No attributes are needed to test the connection to the managed resource, as
Table 23 shows.
Table 23. Test attributes
Required attribute | Optional attribute
None | None
Reconciliation
The Reconciliation request synchronizes user account information between IBM
Security Identity Manager and the managed resource.
Table 24. Reconciliation request attributes for AIX and Solaris
Required attribute | Optional attribute
None | erPosixHomeDirRemove, erPosixSudoersPath, erPosixReturnSudoPrivileges
Table 25. Reconciliation request attributes for HP-UX and Linux
Required attribute | Optional attribute
None | erPosixHomeDirRemove, erPosixUseShadow, erPosixSudoersPath, erPosixReturnSudoPrivileges
Group add
Group add is a request to create a group with the specified attribute.
Table 26. Group add request attribute for AIX, HPUX, Linux, and Solaris
Required attribute | Optional attribute
erPosixGroupName | All other supported attributes
Group change
Group change is a request to modify group attributes with the specified attribute.
Table 27. Group change request attribute for AIX, HPUX, Linux, and Solaris
Required attribute | Optional attribute
erPosixGroupName | All other supported attributes
Group delete
Group delete is a request to delete a group with the required erPosixGroupName
attribute on the account form of the AIX, HPUX, Linux, and Solaris operating
systems.
Appendix B. Adapter installation on a z/OS operating system
The Dispatcher must be installed before you install any adapter that is based on
IBM Tivoli Directory Integrator, including the UNIX and Linux Adapter.
If not already installed, download the Dispatcher software package from your
account in IBM Passport Advantage. The Dispatcher installation instructions are
included in the package.
IBM Tivoli Directory Integrator POSIX connector installation
You must install the connector on the workstation where you want to install the
adapter.
Procedure
1. Locate the delivered adapter compressed file.
2. Extract the contents of the compressed file into a temporary directory and
navigate to that directory.
3. From the temporary directory, locate and navigate to the zSystem directory.
4. Under the zSystem directory, locate the following two files:
v PosixAdapter.tar
v instPosix_zOS.sh
Note: The PosixAdapter.tar file is a binary UNIX tar file and the
instPosix_zOS.sh file is a UNIX shell script.
5. Copy the two files to the same directory on a z/OS workstation where you
want to install the adapter.
6. Run the following command to set the executable permissions for the
instPosix_zOS.sh file:
chmod +x instPosix_zOS.sh
7. Run the following command to begin the connection installation:
./instPosix_zOS.sh
The following dialog is displayed:
************************************************
TDI POSIX Connector Installation Program
************************************************
You will prompted to enter the following information:
Your TDI solution directory.
Make sure you have the above information available and
and the PosixAdapter.jar is located in the current directory
before you continue
1. Install
2. Quit
Please enter choice: 1
Enter the solution directory name (full path): /u/user2/rmi/soldir
Verifying the solution directory /u/user2/rmi/soldir...
Extracting content of PosixAdapter.jar...
Getting connector files from /u/user2/rmi/PosixAdapter...
Installation complete, press any key to continue..
Note: The path in the example might be different on your workstation.
Appendix C. Super user creation on a supported operating
system
You can specify a super user instead of a root user to do administration tasks. To
create a super user, follow the directions that are specified for your operating
system.
Creating a super user on an AIX operating system
You can create a user with required permissions to run the adapter correctly on a
workstation that uses an AIX operating system.
About this task
In this task, the user is "tdiuser".
Procedure
1. Create a user with security group permission.
a. Issue the command:
mkuser home="/home/tdiuser" pgrp="security" shell="/usr/bin/ksh" tdiuser
b. Confirm the group information. Issue the command:
bash-2.05b$ id tdiuser
The system response is this message:
uid=215(tdiuser) gid=7(security) groups=0(system)
c. Set the following statement in the user PATH environment variable:
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:/usr/local/bin
The following commands must be in the user path:
mv, tee, cp, kill, chsec, mkdir, rm, sudo
If the super user is used to log in and run commands, then '.' can be added
to the PATH environment variable.
2. Grant sudo permissions to the user for AIX commands.
Note: By default, the sudo command requires user authentication before it runs
a command. To modify this behavior, add the NOPASSWD tag to the sudoers
file entry.
a. Open the sudoers file. Issue the following command:
bash-2.05b$ visudo
b. If the line Defaults requiretty exists in the file, comment it out.
#Defaults requiretty
c. Insert the following lines to allow sudo access. The entry beginning with
tdiuser must be entered on a single line. It is displayed here as multiple
lines for readability.
# User privilege specification
tdiuser ALL=NOPASSWD:/usr/bin/pwdadm,/usr/bin/passwd,/usr/bin/mkuser,
/usr/sbin/rmuser,/usr/bin/chuser,/usr/bin/chmod,/usr/bin/cat,
/usr/bin/rm,/usr/bin/tee,/usr/bin/ed,/usr/bin/groups,/usr/bin/ls,
/usr/bin/logins,/usr/sbin/lsuser,/usr/bin/mv,/usr/sbin/lsgroup,
/usr/bin/chpasswd,/usr/bin/chsec,/usr/sbin/usermod,/usr/sbin/lsrole,
/usr/bin/mkgroup,/usr/sbin/rmgroup,/usr/bin/chgroup,/usr/bin/mkrole,
/usr/sbin/rmrole,/usr/bin/chrole,/usr/bin/mkdir,/usr/bin/rm,
/usr/bin/kill,/usr/bin/hostname
The following commands are used by the connector but are not needed in
the sudoers file. However, if the sudo user is used, the user needs execute
permissions on these commands.
/usr/bin/tr, /usr/bin/cut, /usr/bin/egrep, /usr/bin/awk,
/usr/bin/sort, /usr/bin/ps, /usr/bin/sed
d. Validate the format of the /etc/sudoers file. Issue the command:
visudo -c
If the syntax is wrong, the command prints an error message, for example:
$ visudo -c
>>> sudoers file: syntax error, line 30 <<<
parse error in /etc/sudoers near line 30
Note: The sudo access command paths that are listed here are an example.
The actual command paths vary depending upon the resource. Ensure that
the correct path is specified in the sudoers file.
3. Set the password for the newly created user. Issue the command:
bash-2.05b$ passwd tdiuser
Creating a super user on a Linux operating system
You can create a user with required permissions to run the adapter correctly on a
workstation that uses a Linux operating system.
About this task
The adapter supports both SUSE and RHEL. In this example, the user is "tdiuser".
Procedure
1. Create a user with security group permission.
a. Issue the command:
useradd -d "/home/tdiuser" -s "/bin/bash" -m tdiuser
b. Set the following statement in the user PATH environment variable:
PATH=/usr/bin:/usr/sbin:/etc:
The following commands must be in the user path:
mv, tee, cp, kill, mkdir, rm, faillog, faillock, pam_tally2, grep,
lastlog, sudo
Note: For SLES 11 and higher, the faillog command full path is
/usr/sbin/faillog.
If the super user is used to log in and run commands, then '.' can be added
to the PATH environment variable.
2. Grant sudo permissions to the user for all commands.
Note: By default, the sudo command requires user authentication before it runs
a command. To modify this behavior, add the NOPASSWD tag to the sudoers
file entry.
a. Open the sudoers file. Issue the following command:
bash-2.05b$ visudo
b. If the line Defaults requiretty exists in the file, comment it out.
#Defaults requiretty
c. Insert the following lines to allow sudo access. The entry beginning with
tdiuser must be entered on a single line. It is displayed here as multiple
lines for readability.
Modify the command paths to match your operating system. Update the
user path if necessary.
# User privilege specification
tdiuser ALL=NOPASSWD:/usr/bin/passwd,/usr/sbin/useradd,
/usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/tee,/bin/chmod,
/bin/cat,/bin/ls,/usr/bin/chage,/usr/bin/groups,/bin/ed,
/bin/cp,/usr/bin/faillog,/usr/sbin/groupadd,/usr/sbin/groupmod,
/usr/sbin/groupdel,/usr/bin/kill,/bin/hostname,/sbin/faillock,
/sbin/pam_tally2,/bin/mkdir,/bin/rm,/usr/bin/lastlog
The following commands are used by the connector but are not needed in
the sudoers file. However, if the sudo user is used, the user needs execute
permissions on these commands:
tr, cut, awk, sed, sort, grep, ps
d. Validate the format of the /etc/sudoers file. Issue the command:
visudo -c
If the syntax is wrong, the command prints an error message, for example:
$ visudo -c
>>> sudoers file: syntax error, line 30 <<<
parse error in /etc/sudoers near line 30
Note: The sudo access command paths that are listed here are an example.
The actual command paths vary depending upon the resource. Ensure that
the correct path is specified in the sudoers file.
For example, the complete path of ed command is /bin/ed for RHEL
systems, /usr/bin/ed for SUSE systems and /bin/ed for Debian systems.
3. Set the password for the newly created user. Issue the command:
bash-2.05b$ passwd tdiuser
Creating a super user on a Solaris operating system
You can create a user with the required permissions to run the adapter correctly on
a workstation that uses a Solaris operating system.
About this task
In this example, the user is "tdiuser".
Procedure
1. Create a user and specify the home directory.
a. Issue the command:
useradd -d "/home/tdiuser" -s "/sbin/sh" -m tdiuser
b. Ensure that the /home/tdiuser/.profile file exists. If not, you must create
the .profile file.
c. Set the following statement in the user PATH environment variable:
PATH=/usr/bin:/etc:/usr/local/sbin:/usr/local/bin
The following commands must also be in the user path:
mv, tee, cp, kill, mkdir, rm, sudo
If the super user is used to log in and run commands, then '.' can be added
to the PATH environment variable.
2. Grant sudo permissions to the user for all commands.
Note: By default, the sudo command requires user authentication before it runs
a command. To modify this behavior, add the NOPASSWD tag to the sudoers
file entry.
a. Open the sudoers file. Issue the following command:
bash-2.05b$ visudo
b. If the line Defaults requiretty exists in the file, comment it out.
#Defaults requiretty
c. Insert the following lines to allow sudo access. The entry beginning with
tdiuser must be entered on a single line. It is displayed here as multiple
lines for readability.
# User privilege specification
tdiuser ALL=NOPASSWD:/usr/bin/passwd,/usr/sbin/useradd,
/usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/tee,/usr/bin/chmod,
/usr/bin/cat,/usr/bin/logins,/usr/bin/ls,/usr/bin/ed,/usr/bin/cp,
/usr/sbin/groupadd,/usr/sbin/groupmod,/usr/sbin/groupdel,
/usr/bin/mkdir,/usr/bin/rm,/usr/bin/kill,/usr/bin/hostname
The following commands are used by the connector but are not needed in
the sudoers file. However, if the sudo user is used, the user needs execute
permissions on these commands.
/usr/bin/tr, /usr/bin/cut, /usr/bin/egrep, /usr/bin/awk,
/usr/bin/sort, /usr/bin/ps, /usr/bin/sed
d. Validate the format of the /etc/sudoers file. Issue the command:
visudo -c
If the syntax is wrong, the command prints an error message, for example:
$ visudo -c
>>> sudoers file: syntax error, line 30 <<<
parse error in /etc/sudoers near line 30
Note: The sudo access command paths that are listed here are an example.
The actual command paths vary depending upon the resource. Ensure that
the correct path is specified in the sudoers file.
3. Set the password for the newly created user. Issue the command:
bash-2.05b$ passwd tdiuser
Creating a super user on an HP-UX Non-Trusted operating system
You can create a user with required permissions to run the adapter correctly on a
workstation that uses an HP-UX Non-Trusted operating system.
About this task
In this example, the user is "tdiuser".
Procedure
1. Create a user and specify the home directory.
a. Issue the command:
useradd -d "/home/tdiuser" -s "/sbin/sh" -m tdiuser
b. Ensure that the /home/tdiuser/.profile file exists. If not, you must create
the .profile file.
c. Set the following statement in the user PATH environment variable:
PATH=/usr/bin:/usr/sbin:/etc:/usr/local/bin:/usr/sam/lbin:/usr/sbin/acct:
The following commands must be in the user path:
mv, tee, cp, kill, usermod.sam, mkdir, rm, fwtmp, sudo
If the super user is used to log in and run commands, then '.' can be added
to the PATH environment variable.
2. Grant sudo permissions to the user for all commands.
Note: By default, the sudo command requires user authentication before it runs
a command. To modify this behavior, add the NOPASSWD tag to the sudoers
file entry.
a. Open the sudoers file. Issue the following command:
bash-2.05b$ visudo
b. If the line Defaults requiretty exists in the file, comment it out.
#Defaults requiretty
c. Insert the following lines to allow sudo access. The entry beginning with
tdiuser must be entered on a single line. It is displayed here as multiple
lines for readability.
# User privilege specification
tdiuser ALL=NOPASSWD:/usr/bin/chmod,/usr/bin/cat,/usr/sbin/logins,
/usr/bin/ls,/usr/bin/passwd,/usr/sbin/useradd,/usr/sbin/usermod,
/usr/sbin/userdel,/usr/bin/tee,/usr/bin/ed,/usr/sbin/groupadd,
/usr/sbin/groupdel,/usr/sbin/groupmod,/usr/bin/cp,/usr/bin/mkdir,
/usr/bin/rm,/usr/bin/kill,/usr/bin/hostname,/usr/sbin/acct/fwtmp,
/usr/bin/test
The following commands are used by the connector but are not needed in
the sudoers file. However, if the sudo user is used, the user needs execute
permissions on these commands.
/usr/bin/tr, /usr/bin/cut, /usr/bin/egrep, /usr/bin/awk,
/usr/bin/head, /usr/bin/sort, /usr/bin/ps, /usr/bin/sed
d. Validate the format of the /etc/sudoers file. Issue the command:
visudo -c
If the syntax is wrong, the command prints an error message, for example:
$ visudo -c
>>> sudoers file: syntax error, line 30 <<<
parse error in /etc/sudoers near line 30
Note: The sudo access command paths that are listed here are an example.
The actual command paths vary depending upon the resource. Ensure that
the correct path is specified in the sudoers file.
3. Set the password for the newly created user. Issue the command:
bash-2.05b$ passwd tdiuser
Creating a super user on an HP-UX Trusted operating system
You can create a user with required permissions to run the adapter correctly on a
workstation that uses an HP-UX Trusted operating system.
About this task
In this example, the user is "tdiuser".
Procedure
1. Create a user and specify the home directory.
a. Issue the command:
useradd -d "/home/tdiuser" -s "/sbin/sh" -m tdiuser
b. Ensure that the /home/tdiuser/.profile file exists. If not, you must create
the .profile file.
c. Set the following statement in the user PATH environment variable:
PATH=/usr/bin:/usr/sbin:/etc:/usr/local/bin:/usr/sam/lbin:/usr/sbin/acct:
The following commands must be in the user path:
mv, tee, cp, kill, usermod.sam, mkdir, rm, fwtmp, sudo
If the super user is used to log in and run commands, then '.' can be added
to the PATH environment variable.
2. Grant sudo permissions to the user for all commands.
Note: By default, the sudo command requires user authentication before it runs
a command. To modify this behavior, add the NOPASSWD tag to the sudoers
file entry.
a. Open the sudoers file. Issue the following command:
bash-2.05b$ visudo
b. If the line Defaults requiretty exists in the file, comment it out.
#Defaults requiretty
c. Insert the following lines to allow sudo access. The entry beginning with
tdiuser must be entered on a single line. It is displayed here as multiple
lines for readability.
# User privilege specification
tdiuser ALL=NOPASSWD:/usr/bin/passwd,/usr/sbin/useradd,
/usr/sbin/usermod,/usr/sbin/userdel,/usr/bin/cat,/usr/lbin/getprpw,
/usr/lbin/modprpw,/usr/bin/chmod,/usr/bin/ls,/usr/bin/tee,
/usr/bin/ed,/usr/sbin/logins,/usr/sam/lbin/usermod.sam,
/usr/sbin/groupadd,/usr/sbin/groupdel,/usr/sbin/groupmod,
/usr/bin/cp,/usr/bin/mkdir,/usr/bin/rm,/usr/bin/kill,
/usr/bin/hostname,/usr/sbin/acct/fwtmp
The following commands are used by the connector but are not needed in
the sudoers file. However, if the sudo user is used, the user needs execute
permissions on these commands.
/usr/bin/tr, /usr/bin/cut, /usr/bin/egrep, /usr/bin/awk,
/usr/bin/head, /usr/bin/sort, /usr/bin/ps, /usr/bin/sed
d. Validate the format of the /etc/sudoers file. Issue the command:
visudo -c
If the syntax is wrong, the command prints an error message, for example:
$ visudo -c
>>> sudoers file: syntax error, line 30 <<<
parse error in /etc/sudoers near line 30
Note: The sudo access command paths that are listed here are an example.
The actual command paths vary depending upon the resource. Ensure that
the correct path is specified in the sudoers file.
3. Set the password for the newly created user. Issue the command:
bash-2.05b$ passwd tdiuser
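Each of the five procedures above (AIX, Linux, Solaris, HP-UX Non-Trusted and HP-UX Trusted) ends with the same caveat: visudo -c checks only syntax, and a command path that is right for one resource (such as /bin/ed versus /usr/bin/ed) silently denies the adapter that command on another. The following script is an added example, not part of the IBM guide, that reads a sudoers file and reports which command paths in the tdiuser entry do not exist on the host it runs on; the user name and the sample entry at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the IBM guide): check that every command path in a
# user's sudoers Cmnd list exists on this host. Handles the entry form the
# guide uses, "user ALL=NOPASSWD:/path1,/path2,...", on a single line.
#
# Usage: sudoers_check_paths <user> <sudoers-file>
# Prints one "MISSING <path> (this host has: <alt>|none)" line per absent
# path and returns the number of missing paths, so 0 means the entry is clean.
sudoers_check_paths() {
    _user=$1
    _file=$2
    _missing=0
    # Keep the user's own line, drop "ALL=" and the "NOPASSWD:" tag, then put
    # one comma-separated command per line.
    _list=$(sed -n "/^[[:space:]]*${_user}[[:space:]]/{s/^[^=]*=//;s/^[A-Z]*:[[:space:]]*//;p;}" "$_file" | tr ',' '\n')
    while IFS= read -r _cmd; do
        set -- $_cmd              # word-splitting trims blanks; $1 is the path
        [ $# -eq 0 ] && continue
        _path=$1
        [ -x "$_path" ] && continue
        _missing=$((_missing + 1))
        # Where does this host actually keep the command, if anywhere?
        _alt=$(command -v "${_path##*/}" 2>/dev/null || true)
        case $_alt in /*) ;; *) _alt= ;; esac   # ignore shell builtins such as test
        printf 'MISSING %s (this host has: %s)\n' "$_path" "${_alt:-none}"
    done <<EOF
$_list
EOF
    return "$_missing"
}

# Constructed demonstration input, not a real sudoers file: /bin/sh exists on
# any POSIX host, the second path deliberately does not.
_demo=$(mktemp)
printf 'tdiuser ALL=NOPASSWD:/bin/sh,/nonexistent/bin/ed\n' > "$_demo"
_rc=0
sudoers_check_paths tdiuser "$_demo" || _rc=$?
echo "missing command paths: $_rc"
rm -f "$_demo"
```

Run it as the super user after editing sudoers, pointing it at /etc/sudoers; a non-zero return means at least one path in the entry must be corrected before the adapter is tested.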
Command setup for sudo
Some commands need sudo access.
The following table lists the files that are used by the commands. In this table:
v Homedirectory is a user specified directory. For example, /home/username.
v Shell can be /bin/csh, /bin/sh, and others.
v Profilepath can be /homedirectory/.profile depending on the shell that is
defined by the user.
Table 28. Sudo access command and file setup
Command | Files that are used by the command | Operation | Operating system
cat | /var/adm/cron/at.allow, /var/adm/cron/at.deny, /var/adm/cron/cron.allow, /var/adm/cron/cron.deny | useradd, usermod, userdel | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
cat | /etc/passwd | usermod, userdel | AIX
cat | /etc/passwd | set home directory, set umask | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
cat | /etc/passwd | reconciliation | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
cat | /etc/passwd | set home directory permissions | AIX, Linux - NonShadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
cat | /etc/passwd | suspend and restore account, userdel | Linux - NonShadow
cat | /etc/passwd | set password, userdel | HP-UX-Trusted
cat | /etc/passwd | usermod | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
cat | /etc/passwd | suspend and restore account, userdel | Linux - Shadow
cat | /tcb/files/auth/usernamefolder/username (for example, /tcb/files/auth/a/admin) | identify the operating system and the type of account (password or nopassword accounts) | HP-UX-Trusted
cat | profilepath | reconciliation | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
cat | /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny | useradd, usermod, userdel | Linux - NonShadow, Linux - Shadow
chmod | /var/adm/cron/at.allow, /var/adm/cron/at.deny, /var/adm/cron/cron.allow, /var/adm/cron/cron.deny | set permissions | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
chmod | AIXPConnRes.sh, ViosAixPConnRes.sh, mkvios.sh, CryptPwd | set permissions | AIX
chmod | HPNTrustPConnRes.sh | set permissions | HP-UX-Nontrusted
chmod | HPTrustPConnRes.sh | set permissions | HP-UX-Trusted
chmod | LinuxPConnRes.sh | set permissions | Linux - NonShadow
chmod | LinuxShadowPConnRes.sh | set permissions | Linux - Shadow
chmod | SolarisPConnRes.sh | set permissions | Solaris
chmod | LastAccessDateReader | set permissions | AIX
chmod | homedirectory; location of temporary files on the resource (the default location is /tmp) | set permissions | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
chmod | /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny | useradd, usermod | Linux - NonShadow, Linux - Shadow
chsec | /etc/security/lastlog | restore account | AIX
chuser | homedirectory and shell | usermod | AIX
cp | /etc/skel/local.cshrc, profilepath | set umask | Solaris
cp | /etc/csh.cshrc, profilepath | set umask | Linux - NonShadow, Linux - Shadow
ed | profilepath | set umask | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
ed | /var/adm/cron/at.allow, /var/adm/cron/at.deny, /var/adm/cron/cron.allow, /var/adm/cron/cron.deny | useradd, usermod, userdel | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
ed | /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny | useradd, usermod, userdel | Linux - NonShadow, Linux - Shadow
fwtmp | /var/adm/wtmp, /var/adm/wtmps | reconciliation | HP-UX-Trusted, HP-UX-Nontrusted
grep | /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny | reconciliation | Linux - NonShadow, Linux - Shadow
lastlog | /var/log/lastlog | reconciliation | Linux - NonShadow, Linux - Shadow
ls -la | /etc/SuSE-release, /etc/redhat-release, /etc/debian_version | identify operating system | Linux - NonShadow, Linux - Shadow
ls -la | /tcb/files/auth/system/default | identify operating system | HP-UX-Trusted
ls -la | /usr/ios/cli/ios.level | identify operating system | AIX
ls -la | homedirectory | delete home directory | AIX
ls -la | profilepath | set umask | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
ls -la | /var/adm/cron/at.allow, /var/adm/cron/at.deny, /var/adm/cron/cron.allow, /var/adm/cron/cron.deny | useradd, usermod, userdel | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
ls -la | homedirectory | reconciliation | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
ls -la | location of temporary files on the resource (the default location is /tmp; for example, /tmp/AIXPConnRes.sh) | reconciliation | AIX, Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
ls -la | /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny | useradd, usermod, userdel | Linux - NonShadow, Linux - Shadow
mkdir | location of temporary files on the resource (the default location is /tmp) | useradd, usermod, userdel, cat | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris, Linux - NonShadow, Linux - Shadow
mkuser | homedirectory | add user with home directory | AIX
mv | homedirectory | move home directory | AIX
rm -rf | homedirectory | delete home directory | AIX
rm -rf | location of temporary files on the resource (the default location is /tmp) | useradd, usermod, userdel, cat | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris, Linux - NonShadow, Linux - Shadow
tee | profilepath | set umask | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
tee | /var/adm/cron/at.allow, /var/adm/cron/at.deny, /var/adm/cron/cron.allow, /var/adm/cron/cron.deny | useradd, usermod, userdel | AIX, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
tee | /etc/at.allow, /etc/at.deny, /etc/cron.allow, /etc/cron.deny | useradd, usermod, userdel | Linux - NonShadow, Linux - Shadow
test | /tcb/files/auth/usernamefolder/username | identify the operating system and the type of account (password or nopassword accounts) | HP-UX-Trusted
useradd | homedirectory | add user with home directory | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
usermod | homedirectory and shell | usermod | Linux - NonShadow, Linux - Shadow, HP-UX-Trusted, HP-UX-Nontrusted, Solaris
Appendix D. Key-based authentication for the UNIX and Linux
Adapter
An alternative to password-based authentication is Identity/Pubkey authentication.
This type of authentication eliminates the need for static passwords.
A password can be captured by a keystroke logger or witnessed as you type it.
Instead of providing a password, you have a key pair on your disk that you use to
authenticate.
The following sections describe a typical SSH connection between a server and a
client. For this setup example, the workstation that runs the IBM Tivoli Directory
Integrator server is the SSH client and the managed resource is the SSH server.
Enabling RSA key-based authentication on UNIX and Linux operating
systems
You can use RSA key-based authentication as an alternative to simple password
authentication.
About this task
Perform this task on the managed resource.
Procedure
1. Use the ssh-keygen tool to create a key pair.
a. Log in as the administrator user defined on the IBM Security Identity
Manager service form.
b. Start the ssh-keygen tool. Issue the command:
mydesktop$ ssh-keygen -t rsa
c. At the following prompt, accept the default or enter the file path where you
want to save the key pair and press Enter.
Generating public/private dsa key pair.
Enter the file in which to save the key (home/root/.ssh/id_rsa):
d. At the following prompt, accept the default or enter the passphrase and
press Enter.
Enter the passphrase (empty for no passphrase): passphrase
e. At the following prompt, confirm your passphrase selection and press Enter.
Enter the same passphrase again: passphrase
This example is a sample of the system response:
Your identification was saved in /home/root/.ssh/id_rsa.
Your public key was saved in /home/root/.ssh/id_rsa.pub.
The key fingerprint is this value:
2c:3f:a4:be:46:23:47:19:f7:dc:74:9b:69:24:4a:44 root@ps701
Note: Although the ssh-keygen tool accepts a blank passphrase, the
passphrase is required on the IBM Security Identity Manager service form.
2. Validate that the keys were generated.
a. Issue the commands:
mydesktop$ cd $HOME/.ssh
mydesktop$ ls -l
A sample system response is:
-rw------- 1 root root 883 Jan 21 11:52 id_rsa
-rw-r--r-- 1 root root 223 Jan 21 11:52 id_rsa.pub
b. Issue the command:
mydesktop$ cat id_rsa
A sample system response is:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0
-----END RSA PRIVATE KEY-----
c. Issue the command:
mydesktop$ cat id_rsa.pub
A sample system response is this message:
ssh-rsaAAB3NzaC1yc2EAAAABIwAAAIEA9xjGJ+8DLrxSQfVxXYUx4lc9copCG4HwD3TLO5i
fezBQx0e9UnIWNFi4Xan3S8mYd6L+TfCJkVZ+YplLAe367/vhc1nDzfNRPJ95YnATefj
YEa48lElu7uq1uofM+sZ/b0p7fIWvIRRbuEDWHHUmneoX8U/ptKFZzRpb/
vTE6nE= root@ps0701
3. Enable key-based authentication in the /etc/ssh directory on the SSH server,
the managed resource.
a. Ensure that the following lines exist in the sshd_config file:
# Should we allow Identity (SSH version 1) authentication?
RSAAuthentication yes
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
# Where do we look for authorized public keys?
# If it doesn’t start with a slash, then it is
# relative to the user’s home directory
AuthorizedKeysFile .ssh/authorized_keys
b. Restart the SSH server.
4. Copy the id_rsa.pub file to the SSH server, the managed resource.
5. If you have an existing authorized_keys file, edit it to remove any no-pty
restrictions.
6. Add the public key to the authorized_keys file, from the /.ssh directory. Issue
the command:
ssh-server$ cat ../id_rsa.pub >> authorized_keys
Note: This command concatenates the RSA Pubkey to the authorized_keys file.
For example, $HOME/.ssh/authorized_keys. If this file does not exist, the
command creates it.
7. Copy the id_rsa private key file to the client workstation and set its ownership
value to 755.
Note:
v Complete these steps. When you log in to the server from the client
computer, you are prompted for a passphrase for the key instead of a user
password.
v If the installed ssh uses the AES-128-CBC cipher, RXA cannot fetch the
private key from the file. RSA key-based authentication does not work. To
support RSA key-based authentication, take one of the following actions:
– Install an ssh that uses the DES-EDE3-CBC cipher.
– Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports
the AES-128-CBC cipher.
RXA 2.3.0.9 is included in the base release of Tivoli Directory Integrator
version 7.1.1, and is also available in Tivoli Directory Integrator version
7.0 fix pack 8 and Tivoli Directory Integrator version 7.1 fix pack 7.
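Steps 3a and 5 of this procedure (and of the DSA procedure that follows, which shares the server-side settings) are the two places where a key that authenticates fine still leaves the adapter unable to work: PubkeyAuthentication or AuthorizedKeysFile not set, or a key line carrying no-pty. The following script is an added example, not part of the IBM guide, that checks both against copies of sshd_config and authorized_keys; the sample file contents and key comments at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the IBM guide): read-only pre-flight checks for the
# sshd side of key-based authentication. Both functions take the path of a
# file you pass in, so they can be run against the live files or, as at the
# bottom of this block, against constructed samples. Nothing is modified.

# sshd_config_check <sshd_config>
# Confirms PubkeyAuthentication is "yes" and AuthorizedKeysFile is
# ".ssh/authorized_keys" (step 3a; RSAAuthentication only concerns protocol 1
# and is not checked). sshd takes the first occurrence of a keyword, so the
# first active line wins; commented lines never match because their first
# field starts with "#". Prints each mismatch; returns the number of them.
sshd_config_check() {
    _cfg=$1
    _bad=0
    for _pair in pubkeyauthentication=yes authorizedkeysfile=.ssh/authorized_keys; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(awk -v k="$_key" 'tolower($1) == k { print $2; exit }' "$_cfg")
        if [ "$_got" != "$_want" ]; then
            printf 'sshd_config: %s is %s, expected %s\n' "$_key" "${_got:-unset}" "$_want"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# authorized_keys_no_pty <authorized_keys>
# Lists key lines that carry a no-pty option (step 5): the adapter's SSH
# session needs a pty, so such a key would authenticate but not work. Options,
# when present, form the first field and are comma-separated. Prints
# "line N: <options>" per hit and returns the number of hits.
authorized_keys_no_pty() {
    _hits=$(awk 'NF > 0 && $1 !~ /^#/ && ("," $1 ",") ~ /,no-pty,/ { print "line " NR ": " $1 }' "$1")
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits"
    _n=$(printf '%s\n' "$_hits" | wc -l)
    return $((_n))
}

# Constructed samples: an sshd_config with a commented-out "no" above the
# active "yes", and an authorized_keys whose first key is pty-restricted.
_cfg=$(mktemp); _ak=$(mktemp)
cat > "$_cfg" <<'EOF'
#PubkeyAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
cat > "$_ak" <<'EOF'
no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E...constructed... root@ps701
ssh-rsa AAAAB3NzaC1yc2E...constructed... tdiuser@mydesktop
EOF
_rc=0; sshd_config_check "$_cfg" || _rc=$?
echo "sshd_config mismatches: $_rc"
_rc=0; authorized_keys_no_pty "$_ak" || _rc=$?
echo "pty-restricted keys: $_rc"
rm -f "$_cfg" "$_ak"
```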
Enabling DSA key-based authentication on UNIX and Linux operating
systems
You can use DSA key-based authentication as an alternative to simple password
authentication.
About this task
Perform this task on the managed resource.
Procedure
1. Use the ssh-keygen tool to create a key pair.
a. Log in as the administrator user defined on the IBM Security Identity
Manager service form.
b. Start the ssh-keygen tool. Issue the command:
[root@ps2372 root]# ssh-keygen -t dsa
c. At the following prompt, accept the default or enter the file path where you
want to save the key pair and press Enter.
Generating public/private dsa key pair.
Enter the file in which to save the key (/root/.ssh/id_dsa):
d. At the following prompt, accept the default or enter the passphrase and
press Enter.
Enter the passphrase (empty for no passphrase): passphrase
e. At the following prompt, confirm your passphrase selection and press Enter.
Enter the same passphrase again: passphrase
This is a sample of the system response:
Your identification is saved in /root/.ssh/id_dsa.
Your public key is saved in /root/.ssh/id_dsa.pub.
The key fingerprint is this one:
9e:6c:0e:e3:d9:4f:37:f1:dd:34:fc:20:36:67:b2:94 root@ps2372.persistent.co.in
Appendix D. Key-based authentication for the UNIX and Linux Adapter
Note: Although the ssh-keygen tool accepts a blank passphrase, the
passphrase is required on the IBM Security Identity Manager service form.
2. Validate that the keys were generated.
a. Issue the commands:
[root@ps2372 root]# cd /root/.ssh
[root@ps2372 .ssh]# ls -l
A sample system response is this message:
-rwxr-xr-x 1 root root 736 Dec 20 14:33 id_dsa
-rw-r--r-- 1 root root 618 Dec 20 14:33 id_dsa.pub
b. Issue the command:
[root@ps2372 .ssh]# cat id_dsa
A sample system response is this message:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,32242D3525AEDC64
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
-----END DSA PRIVATE KEY-----
c. Issue the command
[root@ps2372 .ssh]# cat id_dsa.pub
A sample system response is this message:
ssh-dsa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 root@ps2372.persistent.co.in
3. Enable key-based authentication in the /etc/ssh directory on the SSH server,
the managed resource.
a. Ensure that the following lines exist in the sshd_config file:
# Should we allow Identity (SSH version 1) authentication?
DSAAuthentication yes
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
# Where do we look for authorized public keys?
# If it doesn’t start with a slash, then it is
# relative to the user’s home directory
AuthorizedKeysFile .ssh/authorized_keys
b. Restart the SSH server.
4. Copy the id_dsa.pub file to the SSH server, the managed resource.
5. If you have an existing authorized_keys file, edit it to remove any no-pty
restrictions.
6. Add the public key to the authorized_keys file, from the /.ssh directory. Issue
the command:
[root@ps2372 .ssh]# cat id_dsa.pub >> authorized_keys
Note: This command appends the DSA public key to the authorized_keys file,
for example $HOME/.ssh/authorized_keys. If this file does not exist, the
command creates it.
7. Copy the id_dsa private key file to the client workstation and set its ownership
value to 755.
Note:
v Complete these steps. When you log in to the server from the client
computer, you are prompted for a passphrase for the key instead of a user
password.
v If the installed ssh uses the AES-128-CBC cipher, RXA cannot fetch the
private key from the file. DSA key-based authentication does not work. To
support DSA key-based authentication, take one of the following actions:
– Install an ssh that uses the DES-EDE3-CBC cipher.
– Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports
the AES-128-CBC cipher.
RXA 2.3.0.9 is included in the base release of Tivoli Directory Integrator
version 7.1.1, and is also available in Tivoli Directory Integrator version
7.0 fix pack 8 and Tivoli Directory Integrator version 7.1 fix pack 7.
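The RSA and DSA procedures above share three points that are easy to get wrong and that nothing on the managed resource reports clearly: the sshd_config directives in step 3, the no-pty options that step 5 says to remove from authorized_keys, and the cipher named in the private key's DEK-Info header, which (per the note on step 7) decides whether RXA can read the key at all. The following Python script is an added example, not code from IBM or from the adapter: it inspects those three inputs offline. The function names, the rxa_version parameter and the sample sshd_config, authorized_keys and PEM snippets are constructions for this example; the rule that sshd uses the first value it finds for a keyword is OpenSSH behaviour.

```python
"""Offline checks for the OpenSSH key-based login that the adapter uses.

Added example, not IBM's code. Every input below is a constructed sample.
"""
import re

# Ciphers the procedure lists as readable by RXA from a PEM private key:
# DES-EDE3-CBC always, AES-128-CBC only from RXA 2.3.0.9 on.
RXA_CIPHERS = {"DES-EDE3-CBC", "AES-128-CBC"}
KEY_TYPE_RE = re.compile(r"\b(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[\w-]+)\b")


def sshd_config_directives(text):
    """Effective keyword -> value map for an sshd_config file.

    sshd uses the FIRST value given for a keyword, matches keywords
    case-insensitively and accepts 'Keyword value' or 'Keyword=value'.
    Match blocks are not modelled (the snippet in step 3 has none).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_sshd_config(text):
    """Problems that would stop the public-key login the adapter needs."""
    d = sshd_config_directives(text)
    problems = []
    if d.get("pubkeyauthentication", "yes").lower() != "yes":
        problems.append("PubkeyAuthentication is not 'yes'")
    if ".ssh/authorized_keys" not in d.get("authorizedkeysfile", ".ssh/authorized_keys").split():
        problems.append("AuthorizedKeysFile does not include .ssh/authorized_keys")
    return problems


def no_pty_lines(authorized_keys_text):
    """1-based lines of authorized_keys whose options carry no-pty (step 5)."""
    hits = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        s = line.strip()
        m = KEY_TYPE_RE.search(s)
        if not s or s.startswith("#") or not m:
            continue
        options = s[:m.start()].strip()  # everything before the key type
        if re.search(r"(^|,)\s*no-pty\s*(,|$)", options):
            hits.append(n)
    return hits


def pem_key_info(pem_text):
    """Format, passphrase state and DEK-Info cipher of a traditional PEM key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM private key")
    fmt = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    encrypted, cipher = False, None
    for line in lines[1:-1]:
        if ":" not in line:
            break  # the base64 body starts here
        name, _, value = (p.strip() for p in line.partition(":"))
        if name == "Proc-Type" and "ENCRYPTED" in value.upper():
            encrypted = True
        elif name == "DEK-Info":
            cipher = value.split(",")[0].strip().upper()
    return {"format": fmt, "encrypted": encrypted, "cipher": cipher}


def check_private_key(pem_text, rxa_version=(2, 3, 0, 9)):
    """Problems the adapter would hit with this key under the given RXA level."""
    info = pem_key_info(pem_text)
    problems = []
    if info["format"] == "OPENSSH PRIVATE KEY":
        problems.append("new-style OpenSSH key, not the PEM form shown in the procedure")
    elif not info["encrypted"]:
        problems.append("key has no passphrase, but the service form requires one")
    elif info["cipher"] == "AES-128-CBC" and rxa_version < (2, 3, 0, 9):
        problems.append("AES-128-CBC key needs RXA 2.3.0.9 or later (or a DES-EDE3-CBC key)")
    elif info["cipher"] not in RXA_CIPHERS:
        problems.append(f"cipher {info['cipher']} is not one the procedure lists for RXA")
    return problems


# Constructed samples (the PEM bodies are placeholders, not real key material).
SAMPLE_SSHD_CONFIG = """\
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PubkeyAuthentication no   # ignored: sshd keeps the first value it saw
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 admin@workstation
no-pty,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1 backup@host
"""
SAMPLE_DES_KEY = """-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,32242D3525AEDC64

UExBQ0VIT0xERVIgQk9EWQ==
-----END DSA PRIVATE KEY-----
"""
SAMPLE_AES_KEY = SAMPLE_DES_KEY.replace("DES-EDE3-CBC", "AES-128-CBC")
SAMPLE_PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVIgQk9EWQ==\n-----END RSA PRIVATE KEY-----\n"
```

Run check_sshd_config against the managed resource's /etc/ssh/sshd_config, no_pty_lines against the account's authorized_keys, and check_private_key against the id_rsa or id_dsa file that will be copied to the client workstation, passing the RXA level actually installed with Tivoli Directory Integrator. The passphrase check matters because ssh-keygen accepts an empty passphrase while the service form does not, and an unencrypted key carries no DEK-Info header at all.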
Enabling RSA key-based authentication on UNIX and Linux operating
systems with Tectia SSH
You can enable RSA key-based authentication on UNIX and Linux operating
systems with Tectia SSH.
About this task
These instructions assume that the client user is allowed to log in to the remote
host where the Tectia Server is running by using password authentication.
Ensure that public-key authentication is enabled (the default) in the
ssh-broker-config.xml and ssh-server-config.xml files. For example:
<authentication-methods>
<auth-publickey />
...
</authentication-methods>
Procedure
v Keys generated on an OpenSSH client:
1. Use the ssh-keygen tool to create a key pair.
a. Log in as the administrator user defined on the IBM Security Identity
Manager service form.
b. Start the ssh-keygen tool. Type:
mydesktop$ ssh-keygen -t rsa
c. At the prompt to generate a public/private RSA key pair, accept the
default or enter the file path where you want to save the key pair and
press Enter. For example:
Generating public/private rsa key pair.
Enter the file in which to save the key (/home/root/.ssh/id_rsa):
d. At the prompt to enter a passphrase, accept the default or enter the
passphrase and press Enter. For example:
Enter passphrase (empty for no passphrase): passphrase
e. Confirm your passphrase selection and press Enter. For example:
Enter same passphrase again: passphrase
The system response is similar to this example:
Your identification has been saved in /home/root/.ssh/id_rsa.
Your public key has been saved in /home/root/.ssh/id_rsa.pub.
The key fingerprint is:
2c:3f:a4:be:46:23:47:19:f7:dc:74:9b:69:24:4a:44 root@ps701
Note: Although the ssh-keygen tool accepts a blank passphrase, the
passphrase is required on the IBM Security Identity Manager service
form.
2. Validate that the keys were generated.
a. Enter these commands:
mydesktop$ cd $HOME/.ssh
mydesktop$ ls -l
An example system response is:
-rw------- 1 root root 883 Jan 21 11:52 id_rsa
-rw-r--r-- 1 root root 223 Jan 21 11:52 id_rsa.pub
b. Enter this command:
mydesktop$ cat id_rsa
An example system response is:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0
GuIQh4EdIp2DY1KfgB3eHic1InCG5VC9/dumHd7AqEnlo241fRuIo8zgO87GV+tk
cvKd/pPCGhmyCZy/are0wZt3KLYWUyoN7i+8H2Khk8LmaspD6Tx309VHTfCyoJsu
jtuR5c4HbcRtOYhMByHEqllEst1azzlIrO75Qj5cUG01K1MbdTeXq1xUGjo97s+V
gEOokMQ+JmaJD9lrbiMz4wjWRtREjHfc1VYTA+ZE1W3HT3PfrjCnHm9RKKFaA6kM
fPInefQgdzhCa0mCz+HOKJfkpfPh8ufGM9Jfb99VjZdI77LHeNN4VqeQ/VyPH7pn
wp7GbEJ8g6iX4BWUWpXUVStfYNQTV8Dis7ayZtr3g/o+AKnh/dGnk1SHHNFgUUFf/
+E0EXMokHSqqOzwf4t8xp4upnnS/7ag5MIVcU5/iWGW4sDEw7xfB25zD4lbvVK5
kSZeWLgm79wMipKP90iEELPqO6cS2yPXd+ADfHs7FWPQW0UYGFeMnHa/
tlglO5Pxo7ek2iR57mazmx33cofIX6E/ZI9XLysp5TR6Npq1x8KCv2Dk2x3QSH8F54EQmQ2+
5uDsPA9Hg1B+agkBh/1g3tfevT01cCtUkQGl2ubhrNGB2SiiyKgw9Ks0AL3TO0ul
D69D18r6Y6s3pHQ9LYAs6EIq3/5dqNYW8eLQ5eINUIlHBp9ep8+quyqSfB3qPCBW
Db+qI09pYhkTrGBD8l5eQqs1T1h2gJsY2yyYV/Cp2m4fI+uHItCgSlkPROnj27Xh
p6HAPaFA0zWOz1lmVNYhTbJZlbbwYyf/OKmYuOklSuQ=
-----END RSA PRIVATE KEY-----
c. Enter this command:
mydesktop$ cat id_rsa.pub
An example system response is:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9xjGJ+8DLrxSQfVxXYUx4lc9copCG4HwD3TLO5ifezBQx0e9UnIWNFi4Xan3S8mYd6L+TfCJkVZ+YplLAe367/vhc1nDzfNRPJ95YnATefjYEa48lElu7uq1uofM+sZ/b0p7fIWvIRRbuEDWHHUmneoX8U/ptKFZzRpb/vTE6nE= root@ps0701
3. After the key is generated, convert the public key for use on the Tectia SSH
server.
a. On the local-host that is running OpenSSH, convert the OpenSSH public
key to an SSH2 (Tectia) public key by using ssh-keygen.
[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub
b. Install the public-key on the remote-host that is running SSH2.
Create a new public key file on remote-host. Copy and paste the
converted SSH2 key from local-host.
[remote-host]$ vi ~/.ssh2/hostkey.pub
For example:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit RSA, converted from OpenSSH by root@tivsun12.persistent.co.in"
AAAAB3NzaC1yc2EAAAABIwAAAIEA4TsEMAH0l9dTreOwfFv6wzzZqL+AdmerDRfTEoTbPa
TS2XYYz/wpD9xmohYOvz3VDWqNoCOlPJ1fHaMqCYRwXi0oMiW2P+k1ZF64CELOVjn1sb6m
0bX/xneO5CTd6RBHJO9nMCTYpJNCJH6M9w4LPwIJtiXRRGFByQJ0jIAbdKs=
---- END SSH2 PUBLIC KEY ----
c. Add the public key file name to the authorization file on the remote-host.
For example:
[remote-host]$ vi ~/.ssh2/authorization
Key hostkey.pub
d. Copy the private key file (id_rsa) to the client workstation and set its
ownership value to 600. Rename the private key file to hostkey on the
client workstation.
v Keys generated on a Tectia SSH client: You can generate a key on the Tectia
SSH client on a workstation with a UNIX or Linux operating system.
1. Use the ssh-keygen-g3 tool to create a key pair.
a. Start the ssh-keygen-g3 tool with this command:
[root@vmw009053116054]:\ # ssh-keygen-g3 -t rsa
The system response is similar to this example:
Generating 2048-bit rsa key pair
3 o.oOo.oOo.oO
Key generated.
2048-bit rsa, root@vmw009053116054, Tue Feb 25 2014 21:49:43 -0600
b. At the prompt, accept the default or enter the file path where you want
to save the passphrase and press Enter.
c. At the prompt, confirm the file path where you want to save the
passphrase and press Enter.
The system response is similar to this example:
Private key saved to //.ssh2/id_rsa_2048_a
Public key saved to //.ssh2/id_rsa_2048_a.pub
[root@vmw009053116054]:\ #
2. Convert the private key created on the Tectia client. If the Tectia private key
is passphrase protected, you must first remove the passphrase by using
Tectia keygen. Press Enter when prompted for the new passphrase. For
example:
$ ssh-keygen-g3 -e id_rsa_2048_a
a. At the prompt, provide the old passphrase. For example:
Passphrase needed for key " id_rsa_2048_a".
Passphrase: passphrase
b. At the next prompt, type yes and press Enter. For example:
Do you want to edit the key "" (yes or no)? yes
c. At the next prompt, type no and press Enter. For example:
Your key comment is " id_rsa_2048_a ".
Do you want to edit it (yes or no)? no
d. At the next prompt, type yes and press Enter. For example:
Do you want to edit the passphrase (yes or no)? yes
e. At the next prompt, press Enter. For example:
New passphrase : passphrase
f. At the next prompt, press Enter. For example:
Again : passphrase
g. At the next prompt, type no and press Enter. For example:
Do you want to continue editing the key "" (yes or no)? no
h. At the next prompt, type yes and press Enter. For example:
Do you want to save the key "" to file id_rsa_2048_a (yes or no)? yes
3. Use the OpenSSH keygen import.
a. Type:
ssh-keygen -i -f id_rsa_2048_a > my_openssh_privatekey
b. Encrypt the key again with a passphrase using OpenSSH keygen. For
example:
ssh-keygen -p -f my_openssh_privatekey
c. At the next prompt, accept the default or enter the passphrase and press
Enter. For example:
Enter new passphrase (empty for no passphrase): passphrase
d. At the next prompt, confirm your passphrase selection and press Enter.
For example:
Enter same passphrase again: passphrase
e. Rename the private key file my_openssh_privatekey to id_rsa_2048_a.
f. Set the ownership value of this file to 600.
4. Install the public-key on the remote-host that is running Tectia SSH.
a. Create a new public key file on remote-host. Copy and paste the
id_rsa_2048_a.pub. For example:
[remote-host]$ vi ~/.ssh2/id_rsa_2048_a.pub
An example file is:
---- BEGIN SSH2 PUBLIC KEY ----
Subject: root
Comment: "2048-bit rsa, root@vmw009053116054, Tue Feb 25 2014 21:49:43\
-0600"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDMy7Q3Z0pxlYCiA9wdJPgRuBR7NQvX1ICIUXFbwx
uJD6xkqCnjC++JkZlG+6tRlty+T8dXQE/98czGK6dcg9bbHwQ1Wvxn5v9aSfZMZaNy8T+p
CIPV/0L/kbGoXkvg4amqlQkJnQhnwaJKdNm8WBMRcDkv/fj0LILDhUSWnEhPINdoeUV/EE
DxUhf2jRRHwxQihwXDEge/n0UgdSAkJaqTJTdF9HEkiPh25eeng0Ym2Yk0JHQzVhDJLSYz
WQ/Bg5Nzran63y0cRS40pY9CioAkgjI9J5P/tvPazLjoeMP8f+2ELp9suJ+VFMAULpqx9H
jwXK/4a4nWg7vEyaektoQp
---- END SSH2 PUBLIC KEY ----
b. Add the public key file name to the authorization file on the remote-host.
For example:
[remote-host]$ vi ~/.ssh2/authorization
Key id_rsa_2048_a.pub
Enabling DSA key-based authentication on UNIX and Linux operating
systems with Tectia SSH
You can enable DSA key-based authentication on UNIX and Linux operating
systems with Tectia SSH.
About this task
These instructions assume that the client user is allowed to log in to the remote
host where the Tectia Server is running by using password authentication.
Ensure that public-key authentication is enabled (the default) in the
ssh-broker-config.xml and ssh-server-config.xml files. For example:
<authentication-methods>
<auth-publickey />
...
</authentication-methods>
Key-based authentication can be done by using keys generated on an OpenSSH
client or on a Tectia SSH client.
Procedure
v Keys generated on an OpenSSH client:
1. Use the ssh-keygen tool to create a key pair.
a. Log in as the administrator user defined on the IBM Security Identity
Manager service form.
b. Start the ssh-keygen tool. Type:
mydesktop$ ssh-keygen -t dsa
c. At the prompt to generate a public/private DSA key pair, accept the
default or enter the file path where you want to save the key pair and
press Enter. For example:
Generating public/private dsa key pair.
Enter the file in which to save the key (/home/root/.ssh/id_dsa):
d. At the prompt to enter a passphrase, accept the default or enter the
passphrase and press Enter. For example:
Enter the passphrase (empty for no passphrase): passphrase
e. Confirm your passphrase selection and press Enter. For example:
Enter same passphrase again: passphrase
The system response is similar to this example:
Your identification has been saved in /home/root/.ssh/id_dsa.
Your public key has been saved in /home/root/.ssh/id_dsa.pub.
The key fingerprint is:
9e:6c:0e:e3:d9:4f:37:f1:dd:34:fc:20:36:67:b2:94
root@ps2372.persistent.co.in
Note: Although the ssh-keygen tool accepts a blank passphrase, the
passphrase is required on the IBM Security Identity Manager service
form.
2. Validate that the keys were generated.
a. Enter these commands:
mydesktop$ cd $HOME/.ssh
mydesktop$ ls -l
An example system response is:
-rw------- 1 root root 883 Jan 21 11:52 id_dsa
-rw-r--r-- 1 root root 223 Jan 21 11:52 id_dsa.pub
b. Enter this command:
mydesktop$ cat id_dsa
An example system response is:
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,32242D3525AEDC64
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
-----END DSA PRIVATE KEY-----
c. Enter this command:
mydesktop$ cat id_dsa.pub
An example system response is:
ssh-dss AAAAB3NzaC1kc3MAAACBAIHozHi6CHwvGDt7uEYkEmn4STOj2neOo5mPOZFpBjsKzzWBqBuAxoMwMgHy3zZAIgmzMwIVQum4/uIHlhOx0Q4QDLJbveFShuXxBjm5BOU1rCCSeqYCOPdub9hx3uzZaTNqfFIvO4/NTcjp7pgQqBdvWs0loyYViYVWpVQmMdifAAAAFQDhaD9m//n07C+R+X46g5iTYFA9/QAAAIBVbBXXL3/+cHfbyKgCCe2CqjRESQi2nwiCPwyVzzwfHw4MyoYe5Nk8sfTiweY8Lus7YXXUZCPbnCMkashsbFVO9w/q3xmbrKfBTS+QOjs6nebftnxwk/RrwPmb9MS/kdWMEigdCoum9MmyJlOw5fwGlP1ufVHn+v9uTKWpPgr0egAAAIArKV4Yr3mFciTbzcGCicW+axekoCKq520Y68mQ1xrI4HJVnTOb6J1SqvyK68eC2I5lo1kJ6aUixJt/D3d/GHnA+i5McbJgLsNuiDsRI3Q6v3ygKeQaPtgITKS7UY4S0FBQlw9q7qjHVphSOPvo2VUHkG6hYiyaLvLrXJo7JPk6tQ== root@ps2372.persistent.co.in
3. After the key is generated, convert the public key for use on the Tectia SSH
server.
a. On the local-host that is running openSSH, convert the openSSH public
key to an SSH2 (tectia) public key by using ssh-keygen.
[local-host]$ ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
b. Install the public-key on the remote-host that is running SSH2.
Create a new public key file on remote-host. Copy and paste the
converted SSH2 key from local-host.
[remote-host]$ vi ~/.ssh2/hostkey.pub
For example:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by root@tivsun12.persistent.co.in"
AAAAB3NzaC1yc2EAAAABIwAAAIEA4TsEMAH0l9dTreOwfFv6wzzZqL+AdmerDRfTEoTbPa
TS2XYYz/wpD9xmohYOvz3VDWqNoCOlPJ1fHaMqCYRwXi0oMiW2P+k1ZF64CELOVjn1sb6m
0bX/xneO5CTd6RBHJO9nMCTYpJNCJH6M9w4LPwIJtiXRRGFByQJ0jIAbdKs=
---- END SSH2 PUBLIC KEY ----
c. Add the public key file name to the authorization file on the remote-host.
For example:
[remote-host]$ vi ~/.ssh2/authorization
Key hostkey.pub
d. Copy the private key file (id_dsa) to the client workstation and set its
ownership value to 600. Rename the private key file to hostkey on the
client workstation.
v Keys generated on a Tectia SSH client: You can generate a key on the Tectia
SSH client on a workstation with a UNIX or Linux operating system.
1. Use the ssh-keygen-g3 tool to create a key pair.
a. Start the ssh-keygen-g3 tool with this command:
[root@vmw009053116054]:\ # ssh-keygen-g3 -t dsa
The system response is similar to this example:
Generating 2048-bit dsa key pair
92 .oOo..oOo.oO
Key generated.
2048-bit dsa, root@vmw009053116054, Mon Mar 03 2014 01:57:28 -0600
b. At the prompt, accept the default or enter the file path where you want
to save the passphrase and press Enter. For example:
Passphrase : passphrase
c. At the prompt, confirm the file path where you want to save the
passphrase and press Enter.
The system response is similar to this example:
Private key saved to //.ssh2/id_dsa_2048_a
Public key saved to //.ssh2/id_dsa_2048_a.pub
[root@vmw009053116054]:\ #
2. Convert the private key created on the Tectia client. If the Tectia private key
is passphrase protected, you must first remove the passphrase by using
Tectia keygen. Press Enter when prompted for the new passphrase. For
example:
$ ssh-keygen-g3 -e id_dsa_2048_a
a. At the prompt, provide the old passphrase. For example:
Passphrase needed for the key " id_dsa_2048_a".
Passphrase: passphrase
b. At the next prompt, type yes and press Enter. For example:
Do you want to edit the key "" (yes or no)? yes
c. At the next prompt, type no and press Enter. For example:
Your key comment is " id_dsa_2048_a ".
Do you want to edit it (yes or no)? no
d. At the next prompt, type yes and press Enter. For example:
Do you want to edit the passphrase (yes or no)? yes
e. At the next prompt, press Enter. For example:
New passphrase : passphrase
f. At the next prompt, press Enter. For example:
Again : passphrase
g. At the next prompt, type no and press Enter. For example:
Do you want to continue editing the key "" (yes or no)? no
h. At the next prompt, type yes and press Enter. For example:
Do you want to save the key "" to file id_dsa_2048_a (yes or no)? yes
3. Use the OpenSSH keygen import.
a. Type:
ssh-keygen -i -f id_dsa_2048_a > my_openssh_privatekey
b. Encrypt the key again with a passphrase using OpenSSH keygen. For
example:
ssh-keygen -p -f my_openssh_privatekey
c. At the next prompt, accept the default or enter the passphrase and press
Enter. For example:
Enter new passphrase (empty for no passphrase): passphrase
d. At the next prompt, confirm your passphrase selection and press Enter.
For example:
Enter same passphrase again: passphrase
e. Rename the private key file my_openssh_privatekey to id_dsa_2048_a.
f. Set the ownership value of this file to 600.
4. Install the public-key on the remote-host that is running Tectia SSH.
a. Create a new public key file on remote-host. Copy and paste the
id_dsa_2048_a.pub. For example:
[remote-host]$ vi ~/.ssh2/id_dsa_2048_a.pub
An example file is:
---- BEGIN SSH2 PUBLIC KEY ----
Subject: root
Comment: "2048-bit dsa, root@vmw009053116054, Mon Mar 03 2014 21:49:43\
-0600"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDMy7Q3Z0pxlYCiA9wdJPgRuBR7NQvX1ICIUXFbwx
uJD6xkqCnjC++JkZlG+6tRlty+T8dXQE/98czGK6dcg9bbHwQ1Wvxn5v9aSfZMZaNy8T+p
CIPV/0L/kbGoXkvg4amqlQkJnQhnwaJKdNm8WBMRcDkv/fj0LILDhUSWnEhPINdoeUV/EE
DxUhf2jRRHwxQihwXDEge/n0UgdSAkJaqTJTdF9HEkiPh25eeng0Ym2Yk0JHQzVhDJLSYz
WQ/Bg5Nzran63y0cRS40pY9CioAkgjI9J5P/tvPazLjoeMP8f+2ELp9suJ+VFMAULpqx9H
jwXK/4a4nWg7vEyaektoQp
---- END SSH2 PUBLIC KEY ----
b. Add the public key file name to the authorization file on the remote-host.
For example:
[remote-host]$ vi ~/.ssh2/authorization
Key id_dsa_2048_a.pub
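Both Tectia procedures above, RSA and DSA alike, hinge on one conversion: an OpenSSH public key line becomes an RFC 4716 (SSH2) block, which is what ssh-keygen -e writes, and that file is then named in ~/.ssh2/authorization. The Python below is an added example, not IBM's or SSH Tectia's code. It performs that conversion, parses the SSH2 format back (including the backslash line continuation that Tectia uses in its Comment header), and reads the algorithm name that begins every key blob, so you can confirm that a file labelled DSA really carries an ssh-dss key before adding it to the authorization file. The sample keys it builds are syntactically valid wire blobs with toy parameters, constructed for the example and not usable keys; the function names and root@example.test are constructions as well.

```python
"""OpenSSH <-> SSH2 (RFC 4716) public key conversion and key type check.

Added example, not IBM's or Tectia's code. The sample keys are constructed
wire-format blobs with toy parameters, not usable keys.
"""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # SSH mpint is two's complement big-endian, so a leading 0x00 byte is
    # added whenever the top bit of the magnitude is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_sample_public_key(keytype="ssh-rsa"):
    """Constructed line in id_*.pub layout: '<type> <base64 blob> <comment>'."""
    if keytype == "ssh-rsa":
        blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567)
    elif keytype == "ssh-dss":
        blob = _ssh_string(b"ssh-dss") + b"".join(_mpint(v) for v in (0xFFFB, 0x2D, 5, 7))
    else:
        raise ValueError(keytype)
    return f"{keytype} {base64.b64encode(blob).decode('ascii')} root@example.test"


def blob_key_type(blob):
    """Algorithm name that starts every SSH wire-format public key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated algorithm name")
    return blob[4:4 + n].decode("ascii")


def parse_openssh_public_key(line):
    """Split an OpenSSH public key line into (keytype, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if blob_key_type(blob) != parts[0]:
        raise ValueError(f"line says {parts[0]} but blob is {blob_key_type(blob)}")
    return parts[0], blob, (parts[2] if len(parts) == 3 else "")


def to_ssh2_public_key(line, subject=None):
    """Same layout as 'ssh-keygen -e': RFC 4716 text with 70-column body lines."""
    keytype, blob, comment = parse_openssh_public_key(line)
    b64 = base64.b64encode(blob).decode("ascii")
    out = [BEGIN]
    if subject:
        out.append(f"Subject: {subject}")
    if comment:
        out.append(f'Comment: "{comment}"')
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    out.append(END)
    return "\n".join(out) + "\n"


def from_ssh2_public_key(text):
    """Parse RFC 4716 text -> (keytype, blob, headers); handles '\\' continuations."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    if not lines or lines[0].strip() != BEGIN:
        raise ValueError("missing SSH2 public key header line")
    headers, body, pending = {}, [], None
    for ln in lines[1:]:
        if ln.strip() == END:
            break
        if pending is not None:
            pending[1] += ln
        elif ":" in ln and not body:
            tag, _, val = ln.partition(":")
            pending = [tag.strip(), val.strip()]
        else:
            body.append(ln.strip())
            continue
        if pending[1].endswith("\\"):
            pending[1] = pending[1][:-1]  # header value continues on the next line
        else:
            headers[pending[0]] = pending[1].strip('"')
            pending = None
    blob = base64.b64decode("".join(body), validate=True)
    return blob_key_type(blob), blob, headers


def authorization_file(public_key_names):
    """Contents of ~/.ssh2/authorization naming the installed public key files."""
    return "".join(f"Key {name}\n" for name in public_key_names)
```

ssh-keygen -e writes its own Comment header ("1024-bit RSA, converted from OpenSSH by ..."), whereas to_ssh2_public_key keeps the comment from the .pub line; the base64 body is the same either way, because both formats carry the identical wire blob. The check in parse_openssh_public_key is the one worth keeping in any tooling: the type in the blob, not the file name or the Comment, is what the server authenticates against.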
Appendix E. Definitions for ITDI_HOME and ISIM_HOME
directories
ITDI_HOME is the directory where Tivoli Directory Integrator is installed.
ISIM_HOME is the directory where IBM Security Identity Manager is installed.
ITDI_HOME
This directory contains the jars/connectors subdirectory that contains files
for the adapters.
Windows
drive\Program Files\IBM\TDI\ITDI_VERSION
For example the path for version 7.1:
C:\Program Files\IBM\TDI\V7.1
UNIX
/opt/IBM/TDI/ITDI_VERSION
For example the path for version 7.1:
/opt/IBM/TDI/V7.1
ISIM_HOME
This directory is the base directory that contains the IBM Security Identity
Manager code, configuration, and documentation.
Windows
path\IBM\isim
UNIX
path/IBM/isim
© Copyright IBM Corp. 2012, 2014
Appendix F. Support information
You have several options to obtain support for IBM products.
v “Searching knowledge bases”
v “Obtaining a product fix” on page 100
v “Contacting IBM Support” on page 100
Searching knowledge bases
You can often find solutions to problems by searching IBM knowledge bases. You
can optimize your results by using available resources, support tools, and search
methods.
About this task
You can find useful information by searching the product documentation for IBM
Security Identity Manager. However, sometimes you must look beyond the product
documentation to answer your questions or resolve problems.
Procedure
To search knowledge bases for information that you need, use one or more of the
following approaches:
1. Search for content by using the IBM Support Assistant (ISA).
ISA is a no-charge software serviceability workbench that helps you answer
questions and resolve problems with IBM software products. You can find
instructions for downloading and installing ISA on the ISA website.
2. Find the content that you need by using the IBM Support Portal.
The IBM Support Portal is a unified, centralized view of all technical support
tools and information for all IBM systems, software, and services. The IBM
Support Portal lets you access the IBM electronic support portfolio from one
place. You can tailor the pages to focus on the information and resources that
you need for problem prevention and faster problem resolution. Familiarize
yourself with the IBM Support Portal by viewing the demo videos
(https://www.ibm.com/blogs/SPNA/entry/the_ibm_support_portal_videos)
about this tool. These videos introduce you to the IBM Support Portal, explore
troubleshooting and other resources, and demonstrate how you can tailor the
page by moving, adding, and deleting portlets.
3. Search for content about IBM Security Identity Manager by using one of the
following additional technical resources:
v IBM Security Identity Manager version 6.0 technotes and APARs (problem
reports).
v IBM Security Identity Manager Support website.
v IBM Redbooks®.
v IBM support communities (forums and newsgroups).
4. Search for content by using the IBM masthead search. You can use the IBM
masthead search by typing your search string into the Search field at the top of
any ibm.com® page.
5. Search for content by using any external search engine, such as Google, Yahoo,
or Bing. If you use an external search engine, your results are more likely to
include information that is outside the ibm.com domain. However, sometimes
you can find useful problem-solving information about IBM products in
newsgroups, forums, and blogs that are not on ibm.com.
Tip: Include “IBM” and the name of the product in your search if you are
looking for information about an IBM product.
Obtaining a product fix
A product fix might be available to resolve your problem.
About this task
You can get fixes by following these steps:
Procedure
1. Obtain the tools that are required to get the fix. You can obtain product fixes
from the Fix Central Site. See http://www.ibm.com/support/fixcentral/.
2. Determine which fix you need.
3. Download the fix. Open the download document and follow the link in the
“Download package” section.
4. Apply the fix. Follow the instructions in the “Installation Instructions” section
of the download document.
Contacting IBM Support
IBM Support assists you with product defects, answers FAQs, and helps users
resolve problems with the product.
Before you begin
After trying to find your answer or solution by using other self-help options such
as technotes, you can contact IBM Support. Before contacting IBM Support, your
company or organization must have an active IBM software subscription and
support contract, and you must be authorized to submit problems to IBM. For
information about the types of available support, see the Support portfolio topic in
the “Software Support Handbook”.
Procedure
To contact IBM Support about a problem:
1. Define the problem, gather background information, and determine the severity
of the problem. For more information, see the Getting IBM support topic in the
Software Support Handbook.
2. Gather diagnostic information.
3. Submit the problem to IBM Support in one of the following ways:
v Using IBM Support Assistant (ISA):
Any data that has been collected can be attached to the service request.
Using ISA in this way can expedite the analysis and reduce the time to
resolution.
a. Download and install the ISA tool from the ISA website. See
http://www.ibm.com/software/support/isa/.
b. Open ISA.
c. Click Collection and Send Data.
d. Click the Service Requests tab.
e. Click Open a New Service Request.
v Online through the IBM Support Portal: You can open, update, and view all
of your service requests from the Service Request portlet on the Service
Request page.
v By telephone for critical, system down, or severity 1 issues: For the telephone
number to call in your region, see the Directory of worldwide contacts web
page.
Results
If the problem that you submit is for a software defect or for missing or inaccurate
documentation, IBM Support creates an Authorized Program Analysis Report
(APAR). The APAR describes the problem in detail. Whenever possible, IBM
Support provides a workaround that you can implement until the APAR is
resolved and a fix is delivered. IBM publishes resolved APARs on the IBM Support
website daily, so that other users who experience the same problem can benefit
from the same resolution.
Appendix G. Accessibility features for IBM Security Identity
Manager
Accessibility features help users who have a disability, such as restricted mobility
or limited vision, to use information technology products successfully.
Accessibility features
The following list includes the major accessibility features in IBM Security Identity
Manager.
v Support for the Freedom Scientific JAWS screen reader application
v Keyboard-only operation
v Interfaces that are commonly used by screen readers
v Keys that are discernible by touch but do not activate just by touching them
v Industry-standard devices for ports and connectors
v The attachment of alternative input and output devices
The IBM Security Identity Manager library, and its related publications, are
accessible.
Keyboard navigation
This product uses standard Microsoft Windows navigation keys.
Related accessibility information
The following keyboard navigation and accessibility features are available in the
form designer:
v You can use the tab keys and arrow keys to move between the user interface
controls.
v You can use the Home, End, Page Up, and Page Down keys for more
navigation.
v You can launch any applet, such as the form designer applet, in a separate
window to enable the Alt+Tab keystroke to toggle between that applet and the
web interface, and also to use more screen workspace. To launch the window,
click Launch as a separate window.
v You can change the appearance of applets such as the form designer by using
themes, which provide high contrast color schemes that help users with vision
impairments to differentiate between controls.
IBM and accessibility
For more information about the commitment that IBM has to accessibility, see
the IBM Human Ability and Accessibility Center.
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user's responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain
transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases payment of a fee.
The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which
illustrate programming techniques on various operating platforms. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating
platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or
imply reliability, serviceability, or function of these programs. You may copy,
modify, and distribute these sample programs in any form without payment to
IBM for the purposes of developing, using, marketing, or distributing application
programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must
include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp.
Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights
reserved.
If you are viewing this information in softcopy form, the photographs and color
illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of
International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at "Copyright and
trademark information" at http://www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered
trademarks or trademarks of Adobe Systems Incorporated in the United States,
other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and
Telecommunications Agency which is now part of the Office of Government
Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,
Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or
registered trademarks of Intel Corporation or its subsidiaries in the United States
and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office
of Government Commerce, and is registered in the U.S. Patent and Trademark
Office.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer
Entertainment, Inc., in the United States, other countries, or both and are used under
license therefrom.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Oracle and/or its affiliates.
Privacy Policy Considerations
IBM Software products, including software as a service solutions, ("Software
Offerings") may use cookies or other technologies to collect product usage
information, to help improve the end user experience, and to tailor interactions
with the end user or for other purposes. In many cases, no personally identifiable
information is collected by the Software Offerings. Some of our Software Offerings
can help enable you to collect personally identifiable information. If this Software
Offering uses cookies to collect personally identifiable information, specific
information about this offering’s use of cookies is set forth below.
This Software Offering does not use cookies or other technologies to collect
personally identifiable information.
If the configurations deployed for this Software Offering provide you as customer
the ability to collect personally identifiable information from end users via cookies
and other technologies, you should seek your own legal advice about any laws
applicable to such data collection, including any requirements for notice and
consent.
For more information about the use of various technologies, including cookies, for
these purposes, see IBM's Privacy Policy at http://www.ibm.com/privacy and
IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details/us/en
sections entitled "Cookies, Web Beacons and Other Technologies and Software
Products and Software-as-a-Service".
Index

A
accessibility x, 103
account
  changing 67
  creating 67
  deleting 67
  for adapters 13
  last access attribute, Solaris 35
  no password 36
  password management 38
  restoring 68
  suspending 67
account form
  attributes 57
  descriptions 57
  home directory permissions 30, 31
  permissions 57
adapter ix
  attributes 57
  attributes, by actions 66
  configuration 23
  customization steps 23
  feature customization 28
  features 1
  installation 9
    verifying 39
  installation worksheet 8
  maximum connection count 27
  overview 1
  reinstalling 55
  script locations 32
  silent installation 21
  silent uninstallation 22
  SSH remote connection 13
  supported configurations 2
  uninstallation 53
  user accounts, creating 13
  user management automation 1
adapter attributes
  restoring accounts 38, 68
  suspend accounts 67
adapter installation
  Dispatcher requirement 9
  troubleshooting errors 41
  verifying 10
  warnings 41
adapter profile
  customization 23
  importing 11, 51
  objects that reference 53
  operating system differences 23
  password management 38
  removal 53
  upgrading 11, 51
  verifying 12
adapters
  upgrade 51
administration tasks, as super user 73
AIX operating systems
  creating a user 73
  super user 73
attributes
  adapter, by action 66
  erPosixHomeDir 30, 31
  erPosixReconScriptLocation 33
  for the adapter 57
  for the group form
    permissions 66
  supported operating systems
    password prompt 29
  permissions, group form 66
authentication
  DSA key pairs 87, 93
  key-based 85
  OpenSSH options 85
  RSA key pairs 85, 89

B
BASE DIRECTORY 28

C
character support, non-English locales 32
commands
  AIX operating systems, creating a user 73
  for setting up sudo 79
  HP-UX NonTrusted operating systems, creating a user 76
  HP-UX Trusted operating systems, creating a user 78
  Linux operating systems, creating a user 74
  Solaris operating systems, creating a user 75
configuration
  adapter 23
  multiple servers 2
  single server 2
  supported 2
connectivity between server, resource ix
connector
  installation 71
  upgrades 51
creating
  DSA key pairs 87, 93
  home directory 28
  RSA key pairs 85, 89
  services 14
custom scripts, reconciling 33
customization
  adapter features 28
  adapter profile 23
  password prompt attribute 29

D
default setting, silent mode 21
deleted user, ending user processes 34
directory integrator, uninstalling the adapter 53
dispatcher 1
  installation 9
  upgrade 51
download, software 8
DSA key pairs, creating 87, 93

E
education x
ending user processes 34
erPosixDelUserInUse 34
erPosixHomeDir attribute 30, 31
erPosixReconScriptLocation 33
error messages 43

F
features
  adapter 1
  optional 29

G
group
  add request 69
  change request 69
  delete request 71
  primary 49
group form attributes 66
groupset, secondary 49

H
home directory
  creating 28
  permissions 30, 31
  permissions, sudo user 48
  umask value, sudo user 48
HP-UX NonTrusted operating systems
  creating a user 76
  super user 76
HP-UX Trusted operating systems
  creating a user 78
  super user 78

I
IBM
  Software Support x
  Support Assistant x
IBM Support Assistant 100
importing adapter profile 51
installation
  adapter 9
  adapter profile 11
  connector 71
  Dispatcher requirement 9
  language pack 39
  on z/OS systems 71
  planning 5
  prerequisites 6
  roadmap 5
  sequence 5
  steps after installing adapter 23
  subsequent tasks 23
  troubleshooting 46
  verification
    adapter 39
  verify 10
  verifying adapter profile 12
  worksheet 8
installing
  adapter 9
  in silent mode 21
internet protocol, IPv6 14
IPv6 15
ISA 100
ISIM_HOME definition 97
ITDI_HOME definition 97

K
key-based authentication 85
knowledge bases 99
known adapter issues
  adding primary group to secondary groupset 49
  Solaris 49
  SUSE Linux 49

L
language pack
  installation 39
  same for adapters and server 39
Linux operating systems
  creating a user 74
  super user 74
locales, non-English 32
locations, adapter scripts 32
logs
  error checking in installer log files 10
  trace.log file 11

M
managed resource, testing connection 68
MAX_AGE
  HP-UX trusted, non-trusted operating systems 48
  password restriction 48
maximum connection count, adapter 27
messages, error and warning 43
MIN_AGE
  HP-UX trusted, non-trusted operating systems 48
  password restriction 48
MS-DOS ASCII characters 28

N
notices 105

O
online
  publications ix
  terminology ix
operating system prerequisites 6
optional features 29
overriding default settings in silent mode 21
overview ix, 1

P
password
  age restrictions 48
  management with adapter profile 38
  MAX_AGE 48
  MIN_AGE 48
  non-login account 36
  prompt customization 29
permissions
  /tmp directory 48
  for the home directory 30, 31
  reconciliation option for sudo user 48
  sudo user 48
posixadapteruninstall.jar file 53
preinstallation roadmap 5
primary group, addition error for secondary groupset 49
problem-determination x
profile
  editing on UNIX or Linux 28
publications
  accessing online ix
  list of ix

R
reconciliation
  /tmp directory option for sudo user 48
  custom scripts 33
  restoring accounts 68
reinstallation, adapter 55
request
  group add 69
  group change 69
  group delete 71
  System Login Add 67
  System Login Change 67
  System Login Delete 67
  System Login Restore 68
  System Login Suspend 67
  user account creation 67
  user account deletion 67
  user account restore 68
  user account suspension 67
  user attribute change 67
restoring accounts
  attributes for 68
  password requirements 38
roadmaps
  installation 5
  preinstallation 5
RSA key pairs, creating 85, 89

S
scripts
  alternative locations 32
  custom 33
  reconciliation 33
  user-defined 26
searches, customizing password prompts 29
secondary groupset, error in adding primary group 49
service
  creating 14
  restart 11
  service form 14
  start 11
  stop 11
silent mode
  adapter installation 21
  default settings 21
  installation 21
silent uninstallation, adapter 22
software
  download 8
  requirements 6
  website 8
Solaris
  account, last access attribute 35
  creating a user 75
  known adapter issues 49
  super user 75
ssh
  communication with managed resource 12
  protocol 12
ssh-keygen 85, 87, 89, 93
sudo
  adapter user account 13
  as super user 13
  commands for setup 79
super user
  /tmp permissions for reconciliation option 48
  administration tasks 73
  AIX operating systems, creating a user 73
  HP-UX NonTrusted operating systems, creating a user 76
  HP-UX Trusted operating systems, creating a user 78
  Linux operating systems, creating a user 74
  Solaris operating systems, creating a user 75
support contact information 100
supported configurations
  adapter 2
  overview 2
SUSE Linux, known adapter issues 49
suspended user, ending active sessions 34
suspending accounts, attributes for 67
System Login Add request 67
System Login Change request 67
System Login Delete request 67
System Login Restore request 68
System Login Suspend request 67

T
terminology ix
test connection to managed resource 68
Tivoli Directory Integrator connector 1
trace.log file 11
training x
troubleshooting
  contacting support 100
  default shell 46
  getting fixes 100
  identifying problems 41
  log file searches 46
  messages 43
  reconciliation 46
  searching knowledge bases 99
  ssh issues 46
  sudo issues 46
  support website x
  techniques 41

U
uninstalling
  adapter from the directory integrator 53
  in silent mode 22
  steps 53
upgrading
  adapter profile 23, 51
  adapters 51
  connector 51
  dispatcher 51
user account
  previously suspended 68
  restoring 68
user management automation, adapter 1
user session, ending after suspension 34
user-defined scripts 26

V
verification
  dispatcher installation 9
  installation 39
  operating system prerequisites 6
  operating system requirements 6
  software prerequisites 6
  software requirements 6
vi command 28

W
warning messages 43

Z
z/OS systems, installing the adapter 71
Printed in USA
SC27-4426-07