IBM Security Identity Manager: Cisco Unified Communications Manager .


IBM Security Identity Manager
Version 7.0
Cisco Unified Communications Manager Adapter User Guide
IBM


IBM Security Identity Manager: Cisco Unified Communications Manager Adapter User Guide

Contents

Figures
Tables
Chapter 1. Overview
    Prerequisites
Chapter 2. User account management
    Reconciling accounts
        Reconciling support data without reconciling user accounts
        Reconciling a single user account
    Adding user accounts
        Specification of the required attributes
        Specification of the mobility attributes
        Specification of support data attributes
        Group assignment to a user account
    Modifying user accounts
        Modification of support data attributes
        Password change of user accounts
    Deleting user accounts
Chapter 3. Troubleshooting
    Error logs
    Error messages and problem solving
Chapter 4. Reference
    Application Programming Interfaces
    Adapter attributes
Index




Tables

1. Prerequisites checklist
2. Modifying support data attributes
3. Adapter error messages, warnings, and corrective actions
4. APIs for user account operations
5. Account form attributes


Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM Security Identity server. The Cisco Unified Communications Manager Adapter provides connectivity between the IBM Security Identity server and the Cisco Unified Communications Manager server.

The adapter runs as a service, independent of whether you are logged on to IBM Security Identity Manager.

The Cisco Unified Communications Manager Adapter automates the following tasks:

User account management
- Adding user accounts
- Modifying user accounts
- Deleting user accounts
- Reconciling user accounts

Note: The Cisco Unified Communications Manager server does not support the Suspend and Restore user account operations. There is no provision on the Cisco Unified Communications Manager server to suspend a user account.

The Cisco Unified Communications Manager Adapter contains Tivoli Directory Integrator assembly lines that serve one or more user account operations. When the first request is sent from IBM Security Identity Manager, the required assembly line is loaded into Tivoli Directory Integrator. The same assembly line is then cached to serve subsequent operations of the same type.

The Cisco Unified Communications Manager Adapter uses the Administrative XML Layer (AXL) API to communicate with the Cisco Unified Communications Manager server. The AXL API provides a mechanism for adding, retrieving, updating, and removing data from the Cisco Unified Communications Manager database.

Prerequisites

Use the Prerequisites checklist to install and configure the adapter before you perform any of the user account, group, or role management tasks, where applicable.

Table 1. Prerequisites checklist

Task | For more information, see
--- | ---
Install the adapter. | See the adapter's Installation and Configuration Guide
Import the adapter profile into the IBM Security Identity server. | See the adapter's Installation and Configuration Guide
Create an adapter service. Note: After you create a Cisco Unified Communications Manager Adapter service, the IBM Security Identity Manager server creates a default provisioning policy for the adapter service. You can customize a provisioning policy for the Cisco Unified Communications Manager Adapter service according to the requirements of your organization. For more information, see the section about Customizing a provisioning policy in the IBM Security Identity Manager product documentation. |
Configure the adapter. |
Perform a reconciliation operation to retrieve user accounts and store them in the IBM Security Identity server. | Managing reconciliation schedules in the IBM Security Identity Manager product documentation
Adopt orphan accounts on IBM Security Identity Manager. | Assigning an orphan account to a user in the IBM Security Identity Manager product documentation
Run the dispatcher, which in turn runs the adapter | See the adapter's Installation and Configuration Guide

Chapter 2. User account management

IBM Security Identity Manager manages user accounts that are stored on the Cisco Unified Communications Manager server by using the Cisco Unified Communications Manager Adapter. The Cisco Unified Communications Manager Adapter manages user accounts for a specific person, a service instance, or specific accounts.

You can perform the following operations:
- Add, modify, or delete an account
- Reconcile accounts

Reconciling accounts

Reconciliation synchronizes the accounts and supporting data between IBM Security Identity server and the managed server. Reconciliation is required so that data is consistent and up-to-date.

The reconciliation operation retrieves the user account information from the managed server and stores it in the IBM Security Identity Manager directory server.

You can schedule reconciliation to run at specific times and to return specific parameters. Running a reconciliation before its schedule time does not cancel the scheduled reconciliation. For more information about scheduling reconciliation and running a scheduled reconciliation, see the IBM Security Identity Manager product documentation.

You can perform the following reconciliation tasks at any time from IBM Security Identity Manager:
- Reconciling support data
- Reconciling a single user account

Reconciling support data without reconciling user accounts

Perform support data reconciliation when you want an updated list of devices, device profiles, extensions, and groups that are available on the server.

About this task

When you perform support data reconciliation, the adapter retrieves the support data information without processing the user account information from the server. Support data for the Cisco Unified Communications Manager server user account includes the following attributes:
- Controlled Devices
- Controlled Device Profiles
- Primary Extension
- Groups

You can add, modify, or delete devices, device profiles, extensions, and groups directly on the managed resource.

To reconcile only the support data without reconciling user accounts:

Procedure

1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services to display the Manage Services page.
3. Select CiscoUniComMgr Profile from the Service type list and click Search.
4. Select the name of the service that you created for the Cisco Unified Communications Manager Adapter.
5. Click the View popup menu icon.
6. Select Reconcile Now from the popup menu to display the Reconcile Now page.
7. Click Define query.
8. Select the Reconcile supporting data only check box and click Submit.

Reconciling a single user account

Reconciling a single user account means performing a filter reconciliation. It takes less time than reconciling all the user accounts. Perform filter reconciliation when you want to retrieve or modify a specific user account.

Procedure

1. Log on to IBM Security Identity Manager as an administrator.
2. In the My Work pane, click Manage Services to display the Manage Services page.
3. Select CiscoUniComMgr Profile from the Service type list and click Search.
4. Select the name of the service that you created for the Cisco Unified Communications Manager Adapter.
5. Click the View popup menu icon.
6. Select Reconcile Now from the popup menu to display the Reconcile Now page.
7. Click Define query.
8. In the Reconcile accounts that match this filter field, type the following syntax.
   (eruid=UserID)
   UserID is the name of the user account that you want to reconcile.
9. Click Submit.

Adding user accounts

You can add user accounts at any time for either an existing person or a new person in the organization.

For specific procedures, see the IBM Security Identity Manager product documentation.

This section includes the following topics:
- "Specification of the required attributes"
- "Specification of the mobility attributes"
- "Specification of support data attributes"
- Group assignment to a user account

Specification of the required attributes

To add user accounts to the Cisco Unified Communications Manager server, specify the following required attributes on the account form:

User ID
    The login ID of the user account. For example, enter samy bob.
    Note:
    - The User ID attribute is case sensitive.
    - You can use numbers when you define the User ID attribute.
    - You can use special characters such as *, &, %, and so on when you define the User ID attribute.
    - The User ID attribute is limited to 128 characters.

Last Name
    The family name of the user. For example, enter Smith for the user John Smith.

You can also specify the other optional attributes, such as mobility attributes, on the account form.

Specification of the mobility attributes

Specify the mobility attributes to establish remote telephone communications.

You can specify these mobility attributes in addition to the required attributes:

Enable Mobility
    Select this check box to originate a call from a remote destination. You can also divert the in-progress calls on the desktop phone and cellular phone to the specified primary extension number. For information about specifying the Primary Extension attribute, see the "Specification of support data attributes."
    When you select the Enable Mobility check box on the account form and perform the add operation, the adapter creates the user account and sets the value of the Enable Mobility attribute to TRUE on the server.

Enable Mobile Voice Access
    Select this check box to originate a voice access call from a remote destination. You can access the Mobile Voice Access integrated voice response (IVR) system to initiate Mobile Connect calls and activate or deactivate Mobile Connect capabilities on the server.
    When you select the Enable Mobile Voice Access check box on the account form and perform the add operation, the adapter creates the user account and sets the value of the Enable Mobile Voice Access attribute to TRUE on the server.

Specification of support data attributes

Specify the support data attributes to associate the devices, device profiles, extensions, and groups with the user accounts on the Cisco Unified Communications Manager server.

Specifying the Controlled Devices attribute
    Gives the user control of the devices that are available on the server. The adapter associates the devices that are selected from the list on the account form with the user account. You can assign multiple devices to a single user account.
    When you assign a device to a user account:
    - The user gains control of the selected device and its settings, such as speed dialing, call forwarding, and so on.
    - The adapter creates the user account on the server and sets the value of the Controlled Devices attribute.

Specifying the Controlled Device Profiles attribute
    Associates the user account with the attributes of the device profile that is selected from the list on the account form. When a device profile is loaded on a device, the device adopts the attributes of that device profile. A device profile includes information about:
    - Phone template
    - User locale
    - Subscribed services
    - Speed dials
    When you assign a device profile to a user account, the adapter:
    - Associates the device profile attributes with the user account
    - Creates the user account on the server and sets the value of the Controlled Device Profiles attribute

Specifying the Primary Extension attribute
    Sets the number that is selected from the list on the account form as the primary extension number. You can use this extension as the primary extension to receive or initiate calls.
    When you associate a primary extension number with a user account, the adapter creates the user account on the server and sets the selected number as the primary extension number. For example, if you select the Controlled Device attribute as SEP001E7A2446FA, then select the Primary Extension as 999906:SEP001E7A2446FA, where 999906 is the directory number that is associated with the controlled device.

Specifying the Groups attribute
    Associates groups that are selected from the list on the account form with the user account. When you associate a group with a user account, the user account gains privileges that are available to that group.
    When you assign a group to a user account:
    - The user becomes a member of that group.
    - The adapter creates the user account on the Cisco Unified Communications Manager server and sets the value of the Groups attribute.

Group assignment to a user account

You can assign groups to a user account on the Cisco Unified Communications Manager server.

To assign groups to a user account, select the groups that are listed on the account form. For example, you can select the Standard CCM Super Users to associate a user with this group and to grant full administrative permissions.

You can assign multiple groups to a user account. When you do so, the adapter creates the user account and associates the user with the selected groups. For more information about specifying the Groups attribute, see the "Specification of support data attributes".

Modifying user accounts

You can modify user account attributes at any time in IBM Security Identity Manager.

This section describes the adapter attributes that you can use to modify the user accounts. See the IBM Security Identity Manager product documentation.

The User ID attribute is the only non-modifiable attribute on the account form. You can modify all the other attributes of a user account.

This section includes the following topics:
- "Modification of support data attributes"
- "Password change of user accounts"

Modification of support data attributes

Modify the support data attributes of a user account to assign or unassign devices, device profiles, extensions, or groups that are available on the Cisco Unified Communications Manager server.

For more information about assigning devices, device profiles, extensions, and groups to a user account, see the "Specification of support data attributes".

Table 2 describes the support data attributes that you can use to modify the user accounts.

Table 2. Modifying support data attributes

Support data attribute: Controlled Devices
    Task: Unassign controlled devices from a user account
    Result: When you unassign a controlled device from a user account, the adapter removes the control of the device from the user account.

Support data attribute: Controlled Device Profiles
    Task: Unassign controlled device profiles from a user account
    Result: When you unassign a controlled device profile from a user account, the adapter removes any connection between the user account and the selected device profile.

Support data attribute: Primary Extension
    Task: Change the primary extension number of a user account
    Result: When you change the primary extension number of a user account, the adapter replaces the primary extension number with the newly selected directory number.
    Note: The newly selected directory number is set as the primary extension number.

Support data attribute: Groups
    Task: Unassign groups from a user account
    Result: When you unassign a group from a user account:
    - The user account no longer remains a member of that group
    - The adapter removes the value of the Groups attribute from the server.

Password change of user accounts

You can change the password of any of the Cisco Unified Communications Manager accounts that exist on IBM Security Identity Manager.

For information about changing passwords, see the IBM Security Identity Manager product documentation.

Deleting user accounts

Use the IBM Security Identity Manager deprovision feature to delete user accounts. For more information about deleting user accounts, see the IBM Security Identity Manager product documentation.

When you delete a user account, the adapter:
- Removes the user account from the Cisco Unified Communications Manager database. You can no longer manage the user account.
- Removes any connection between the user account and the devices, device profiles, extensions, and groups.
- Deletes the Remote Destination Profiles (RDP) created for that user from the Cisco Unified Communications Manager database.
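Added example (not part of the IBM guide or the adapter's code): building the single-account filter from "Reconciling a single user account" for a User ID that follows the rules in "Specification of the required attributes". It assumes the filter field takes an LDAP search filter of the form (eruid=UserID), so RFC 4515 escaping applies; because a User ID may contain characters such as *, an unescaped ID would turn the exact-match filter into a wildcard match. All function names are hypothetical.

```python
"""Added example: filter for reconciling one account by User ID.

Assumption: the "Reconcile accounts that match this filter" field takes an
LDAP search filter, so RFC 4515 value escaping applies. Function names are
hypothetical and are not part of the adapter.
"""
import string

MAX_USER_ID_LEN = 128  # User ID limit stated in the guide

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def validate_user_id(user_id):
    """Apply the guide's User ID rules and return the ID unchanged."""
    if not isinstance(user_id, str) or not user_id:
        raise ValueError("User ID is a required attribute")
    if len(user_id) > MAX_USER_ID_LEN:
        raise ValueError("User ID exceeds %d characters" % MAX_USER_ID_LEN)
    # No trimming or case folding: the User ID attribute is case sensitive,
    # and spaces and special characters such as *, & and % are allowed.
    return user_id


def escape_filter_value(value):
    """Escape a literal value for use inside an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def single_account_filter(user_id):
    """Return (eruid=<escaped User ID>) for a filter reconciliation."""
    return "(eruid=" + escape_filter_value(validate_user_id(user_id)) + ")"


def is_single_account_filter(filter_text):
    """True if the filter is one equality test on eruid with no wildcard.

    Use it to review a filter before submitting it, so that a request meant
    for one account cannot match many.
    """
    prefix = "(eruid="
    if not (filter_text.startswith(prefix) and filter_text.endswith(")")):
        return False
    value = filter_text[len(prefix):-1]
    if not value:
        return False
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            # An escape must be a backslash followed by two hex digits.
            pair = value[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                return False
            i += 3
            continue
        if ch in "*()\x00":
            # Unescaped wildcard or parenthesis: not a plain equality match.
            return False
        i += 1
    return True


if __name__ == "__main__":
    for uid in ("samy bob", "j.smith*", "dev(ops)"):  # constructed sample IDs
        print(uid, "->", single_account_filter(uid))
```
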

Chapter 3. Troubleshooting

Troubleshooting is the process of determining why a product does not function as it is designed to function. This topic provides information and techniques for identifying and resolving problems that are related to the adapter, including troubleshooting errors that might occur when managing the accounts or groups, where applicable.

Error logs

When an operation fails, the corresponding error messages and warnings are logged in the ibmdi.log file. This file is in the adapters solution/logs directory. The adapters solution directory is a Tivoli Directory Integrator work directory for IBM Security Identity Manager adapters.

You can display the error logs in the user interface by running the Dispatcher from the command prompt. You can also configure logging information for the adapter. For more information about displaying logs in the user interface and configuring logging information, see the adapter's Installation and Configuration Guide.

Error messages and problem solving

A warning or error message might be displayed in the user interface to provide information about the adapter or when an error occurs.

The table lists the error messages and warnings that might occur while performing the user account or group management tasks, where applicable. It also includes the corrective actions to resolve the errors.

Table 3. Adapter error messages, warnings, and corrective actions

Message number: CTGIMT002E
    Error message: No login or an invalid credential was supplied in the request.
    Corrective action: Make sure you typed the following values accurately on the service form:
    - Service name
    - Cisco Server IP Address
    - Cisco Server IP Port
    - Administrator Name
    - Administrator Password

Message number: CTGIMT005E
    Error message: A required field does not have a specified value.
    Corrective action: Specify the user ID and the last name of the user.
    Note: The User ID and the Last Name attributes are required attributes on the account form.

Message number: CTGIMT205E
    Error message: The specified name has invalid characters or is not formatted correctly for this device type.
    Explanation: This error occurs when the value of the User ID attribute exceeds 128 characters.
    Corrective action: Specify a User ID that does not exceed the 128 character limit.

Message number: CTGIMT003E
    Error message: The account already exists.
    Explanation: This error occurs when:
    - A request is made to add a user account that already exists.
    - The server and IBM Security Identity Manager are not synchronized.
    Corrective action: Perform one of the following steps:
    - Create a user account with another user ID. For information about creating a user account, see the IBM Security Identity Manager product documentation.
    - Schedule a reconciliation between the managed resource and IBM Security Identity Manager. For more information about scheduling a reconciliation, see the IBM Security Identity Manager product documentation.

Message number: CTGIMT009E
    Error message: The account user ID cannot be modified because it does not exist.
    Explanation: This error occurs when an attempt is made to modify or change the password of a user account.
    Corrective action: If you believe that the user account already exists:
    - Make sure that the location specified for the managed resource on the service form is correct.
    - The user account is created and it exists on the managed resource.
    If the user account does not already exist, create it on the Cisco Unified Communications Manager server and perform the reconciliation operation.

Message number: CTGIMT015E
    Error message: An error occurred while deleting the user ID account because the account does not exist.
    Explanation: An attempt is made to delete a user account that does not exist on the managed resource.
    Corrective action: If you believe that the user account already exists:
    - Make sure the location specified for the managed resource on the service form is correct.
    - The user account is created and it exists on the managed resource.
    If the user account does not exist on the Cisco Unified Communications Manager server, no action is required.

Chapter 4. Reference

Reference information is organized to help you locate particular facts quickly such as adapter attributes, application programming interfaces, files and commands, where applicable.

Application Programming Interfaces

Application programming interfaces (APIs) are part of a plug-in model that you can use to add applications without disrupting existing applications. The adapter uses application programming interfaces to communicate with the managed server, to perform operations.

Table 4 lists APIs used to perform user account operations.

Table 4. APIs for user account operations

Cisco Unified Communications Manager Adapter API | Operation
--- | ---
addUser | Adds the user to the Cisco Unified Communications Manager server
updateUser | Updates the specified user in the Cisco Unified Communications Manager database
getUser | Retrieves the specified user from the Cisco Unified Communications Manager database
removeUser | Removes the user from the Cisco Unified Communications Manager database
listUserByName | Lists all the users in the Cisco Unified Communications Manager database
getPhone | Retrieves the specified phone from the Cisco Unified Communications Manager database
listPhoneByName | Lists all the phones in the Cisco Unified Communications Manager database
getDeviceProfile | Retrieves the specified device profile from Cisco Unified Communications Manager database
listDeviceByNameAndClass | Lists all the device profiles in the Cisco Unified Communications Manager database
getLine | Retrieves the specified line in the Cisco Unified Communications Manager database
addRemoteDestinationProfile | Adds the specified Remote Destination Profile (RDP) in the Cisco Unified Communications Manager database
getRemoteDestinationProfile | Retrieves the specified RDP from the Cisco Unified Communications Manager database
removeRemoteDestinationProfile | Removes the specified RDP from the Cisco Unified Communications Manager database
updateUserGroup | Updates the specified group in the Cisco Unified Communications Manager database
getUserGroup | Retrieves the specified group from the Cisco Unified Communications Manager database

Adapter attributes

The IBM Security Identity server communicates with the adapter by using attributes, which are included in transmission packets that are sent over a network. The Cisco Unified Communications Manager Adapter uses attributes on the Cisco Unified Communications Manager account form.

Table 5 provides information about the adapter attributes on the Cisco Unified Communications Manager account form.

Table 5. Account form attributes

Attribute name on the Cisco Unified Communications Manager server account form on IBM Security Identity Manager | Attribute name on the Tivoli Directory Server | Attribute name on the Cisco Unified Communications Manager server
--- | --- | ---
User ID | erUid | User ID
Pin | erCUCMPwdPin | PIN
First Name | givenName | First name
Last Name | sn | Last name
Telephone Number | erCUCMTelePhoneNumber | Telephone Number
Manager ID | erCUCMManagerId | Manager User ID
Department | erCUCMDepartment | Department
User Locale | erCUCMUserLocale | User Locale
Associated PC | erCUCMAssociatedPC | Associated PC
Digest Credentials | erCUCMPwdDigestCredentials | Digest Credentials
Controlled Devices | erCUCMDevices | Controlled Devices
Controlled Device Profiles | erCUCMDeviceProfiles | Controlled Profiles
Primary Extension | erCUCMLine | Primary
 | CUCMRoles | Roles
Allow Control of Devices from CTI | erCUCMEnableCTI | Allow Control of Device from CTI
Enable Mobility | erCUCMEnabMobility | Enable Mobility
Enable Mobile Voice Access | erCUCMEnabMobVoiceAccess | Enable Mobile Voice Access
Maximum Wait Time For Desk Pick Up | erCUCMMaxWaitTimeForDeskPickup | Maximum Wait Time For Desk PickUp
Remote Destination Limit | erCUCMRemDestLimit | Remote Destination Limit
Remote Destination Profile | erCUCMRemDestProfileNames | Remote Destination Profiles
Access List | erCUCMAccessList | Access Lists
