IBM Security Privileged Identity Manager: Novell Directory Services .


IBM Security Privileged Identity Manager
Novell Directory Services Adapter
Installation and Configuration Guide
IBM


Contents

Figures . . . v
Tables . . . vii

Chapter 1. Overview . . . 1

Chapter 2. Planning . . . 3
    Roadmap for Adapter Development Kit based adapters, using Setup.exe . . . 3
    Prerequisites . . . 5
    Software downloads . . . 5
    Installation worksheet . . . 5

Chapter 3. Installing . . . 7
    Installing the adapter . . . 7
    Verifying the adapter installation . . . 8
    Restarting the adapter service . . . 9
    Importing the adapter profile . . . 9
    Creating an adapter service/target . . . 10
    Service/Target form details . . . 11
    Verifying that the adapter is working correctly . . . 13
    Installing and uninstalling in silent mode . . . 13
        Installing in silent mode . . . 13
        Uninstalling in silent mode . . . 14

Chapter 4. Upgrading . . . 15
    Updating the Novell Directory Services Adapter . . . 15
    Updating the ADK . . . 16
    Location of the ADK log files . . . 17

Chapter 5. Configuring . . . 19
    Configuring the adapter for IBM Security Identity Manager . . . 19
        Starting the adapter configuration tool . . . 19
        Viewing configuration settings . . . 20
        Modifying protocol configuration settings . . . 21
        Configuring event notification . . . 25
        Changing the configuration key . . . 34
        Changing activity logging settings . . . 35
        Modifying registry settings . . . 37
        Modifying non-encrypted registry settings . . . 37
        Modifying advanced settings . . . 38
        Viewing statistics . . . 39
        Modifying code page settings . . . 40
        Accessing help and additional options . . . 40
    Configuration of SSL authentication . . . 42
        Overview of SSL and digital certificates . . . 43
        The use of SSL authentication . . . 45
        Configuring certificates for SSL authentication . . . 45
        SSL certificate management using certTool . . . 49
    Customizing the Novell Directory Services Adapter . . . 55
        Copying the NetwareProfile.jar file and extracting the files . . . 55
        Editing adapter profiles on the UNIX or Linux operating system . . . 56
        Creating a JAR file and installing the new attributes on the IBM Security Identity Manager server . . . 56
        Managing passwords for account restoration . . . 57

Chapter 6. Troubleshooting . . . 59
    Techniques for troubleshooting problems . . . 59
    Error messages and problem solving . . . 61

Chapter 7. Uninstalling . . . 65
    Uninstalling the adapter from the target server . . . 65
    Deleting the adapter profile . . . 65

Chapter 8. Reference . . . 67
    Adapter attributes . . . 67
        Attribute descriptions . . . 67
        Novell Directory Services Adapter attributes by action . . . 71
    Configuration of the Novell Directory Services Adapter service form attributes . . . 73
        Configuration of the Novell Directory Services Adapter for use with Novell clusters . . . 73
        NDS Server and NDS Username attributes . . . 74
    Behavior of the adapter attributes . . . 76
        Behavior of the Time Map attribute . . . 76
        Behavior of the check box attributes . . . 77
    Attribute customization for the Novell Directory Services Adapter . . . 80
        Login Allowed Time Map attribute . . . 81

Index . . . 83


Figures

1. One-way SSL authentication (server authentication) . . . 46
2. Two-way SSL authentication (client authentication) . . . 47
3. Adapter operating as an SSL server and an SSL client . . . 48


Tables

1. Prerequisites to install the adapter
2. Required information to install the adapter
3. Default values
4. Installation options
5. Options for the main configuration menu
6. Options for the DAML protocol menu
7. Options for the event notification menu
8. Registry keys and description
9. Options for modify context
10. Options for modify context
11. DN elements and definitions
12. Options for the activity logging menu
13. Attribute configuration option descriptions
14. Registry key descriptions
15. Options for advanced settings menu
16. Arguments and descriptions for the agentCfg help menu
17. g and error messages
18. Attributes, descriptions, and corresponding data types
19. Add request attributes
20. Change request attributes
21. Delete request attributes
22. Suspend request attributes
23. Restore request attributes
24. Reconciliation attributes
25. Adapter service form parameters
26. Service form parameters
27. Service form parameters
28. Service form parameters
29. Login Allowed Time Map attribute
30. Login Allowed Time Map attribute


Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM Security Identity server.

Adapters can be installed on the managed resource. The IBM Security Identity server manages access to the resource by using the security system. Adapters function as trusted virtual administrators on the target operating system. The adapter creates, suspends, and restores user accounts, and performs other functions that administrators otherwise run manually. The adapter runs as a service, independently of whether you are logged on to the IBM Security Identity server.

You can use the Novell Directory Services Adapter to automate the following administrative tasks:

- Creating user accounts in a specific container
    Use the adapter to add, modify, suspend, restore, or delete the user accounts.
- Reconciling user account information
    Use the adapter to reconcile information from Novell eDirectory to IBM Security Identity Manager for synchronization.
- Managing home directories
    Use the adapter to create a home directory for the user in a specified volume. The adapter can also be used to set the access rights for, and rename, the home directory of the user.
- Adding users to groups
    Use the adapter to add users to and remove users from groups.
- Setting expiration dates
    Use the adapter to set the password expiration date, login expiration date, and login grace limit for the user.
- Deleting home directories
    Use the adapter to delete the home directory of the user after the user account is deleted.
- Restoring user accounts
    Use the adapter to restore locked user accounts.
- Adding users by using templates
    Use templates to add users.
- Support for Login Time Map attribute
    Configure the adapter to support the Login Time Map attribute.
- Support for custom attributes
    Configure the adapter to support custom attributes.


Chapter 2. Planning

Installing and configuring the adapter involves several steps that you must complete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for Adapter Development Kit based adapters, using Setup.exe

Follow this section when using the guide to install, configure, troubleshoot, or uninstall the adapter.

Pre-installation

Complete these tasks.
1. Verify that your environment meets the software and hardware requirements for the adapter. See Prerequisites.
2. Obtain the installation software. See Software downloads.
3. Obtain the necessary information for the installation and configuration. See Installation worksheet.

Installation

Complete these tasks.
1. Install the adapter binary.
2. Install 3rd party client libraries.
3. Set up the adapter environment.
4. Restart the adapter service.
5. Import the adapter profile.
6. Create an adapter service/target.
7. Install the adapter language package.
8. Verify that the adapter is working correctly.

Complete these tasks.
1. Install the adapter binary.
2. Install 3rd party client libraries.
3. Set up the adapter environment.
4. Import the adapter profile.
5. Restart the adapter service.
6. Create an adapter service/target.
7. Install the adapter language package.
8. Verify that the adapter is working correctly.

Upgrade

You can do an upgrade or do a full installation. Review the Release Notes for the specific adapter before you proceed.

Configuration

Complete these tasks.
1. Configure secure communication between the IBM Security Identity server and the adapter.
   a. Configure 1-way authentication.
   b. Configure 2-way authentication.
2. Configure secure communication between the adapter and the managed target.
   a. Configure 1-way authentication.
   b. Configure 2-way authentication.
3. Configure the adapter.
4. Modify the adapter profiles.
5. Customize the adapter.

Troubleshooting

See the following topics.
- Techniques for troubleshooting problems
- Configure debugging
- Logs
- Error messages and problem solving

Uninstallation

Complete these tasks.
1. Stop the adapter service.
2. Uninstall the adapter binary.
3. Remove 3rd party client libraries.
4. Delete the adapter service/target.
5. Delete the adapter profile.

Reference

See the following topics.
- Adapter attributes and object classes
- Adapter attributes by operations
- Special attributes

Prerequisites

Verify that all hardware, software, and authorization prerequisites are met before installing the Novell Directory Services Adapter.

Table 1 describes the prerequisites.

Table 1. Prerequisites to install the adapter

System
    - A 32-bit x86-based microprocessor.
    - A minimum of 256 MB of memory.
    - At least 300 MB of free disk space.
Operating system
    Windows 2008 Server
Novell Netware Client
    Novell Client 2 Service Pack 1 for Windows (IR4 and above).
Novell eDirectory
    Version 8.7, 8.8
Network connectivity
    - TCP/IP network
    - For security purposes, the adapter must be installed on a Windows NT File System (NTFS).
System administrator authority
    The person who completes the Novell Directory Services Adapter installation procedure must have system administrator authority.
IBM Security Identity server
    The following servers are supported:
    - IBM Security Identity Manager server Version 6.0
    - IBM Security Identity Manager server Version 7.0
    - IBM Security Privileged Identity Manager Version 2.0
    - IBM Security Identity Governance and Intelligence server Version 5.2.2

Software downloads

Download the software through your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the corresponding IBM Security Identity server Download Document for instructions.

Note: You can also obtain additional adapter information from IBM Support.

Installation worksheet

You need this information to install the adapter.

Table 2 identifies the information you need to install the Novell Directory Services Adapter.

Table 2. Required information to install the adapter

Lockout Reset option
    Specifies whether to reset the intruder lock on the resource during the restore and password change operations requested from the IBM Security Identity server.

    Value: Yes
    When you specify Yes:
    - The user account is locked by an intruder.
    - The account is unlocked, if it is locked by an intruder, when you perform the user restore or password change operation.

    Value: No
    When you specify No:
    - The user account is locked by an intruder.
    - The user account remains locked by the intruder when you perform the user restore or password change operation.

Chapter 3. Installing

Installing the adapter mainly involves importing the adapter profile and creating an adapter service. Depending on the adapter, several other tasks can be involved to completely install it.

Installing the adapter

Administrators can install the Novell Directory Services Adapter software to provide an interface between a managed resource and the IBM Security Identity Manager server.

Before you begin

Take these steps:
- Verify that your site meets all the prerequisite requirements. See “Prerequisites” on page 5.
- Obtain a copy of the installation software. See Software downloads.
- Obtain system administrator authority.
- If you are updating a previous installation, the adapter you want to update must exist. If it does not exist, the software generates the following message:
    Adapter is not found at specified location.
    Can not perform Update Installation. Please correct
    the path of installed adapter or select Full Installation.

About this task

To install the adapter, complete these steps.

Procedure
1. If you downloaded the installation software from Passport Advantage, perform the following steps:
   a. Create a temporary directory on the computer on which you want to install the software.
   b. Extract the contents of the compressed file into the temporary directory.
2. Start the installation program with the setup.exe file in the temporary directory.
3. Click Next on the Welcome window.
4. Select either Full installation or Update installation and click Next to display the Select Destination Directory window. Remember that the adapter must already exist if you want to perform an update installation.
5. Specify where you want to install the adapter in the Directory Name field. Take one of these steps:
   a. Click Next to accept the default location.
   b. Click Browse, navigate to a different directory, and click Next.
6. Specify whether you want to reset the intruder lock for the user during the password change and restore operations. Take one of these steps:
   - Click Yes to reset the intruder lock for the user during the password change and restore operations.
   - Click No to keep the user locked by the intruder even after you perform the password change and restore operations.
7. Review the installation settings in the Install Summary window and take one of these steps:
   a. Click Back and return to a previous window to change any of these settings.
   b. Click Next when you are ready to begin the installation.
8. Click Finish when the software displays the Install Completed window.

What to do next

After you finish the installation, you must import the adapter profile. See Importing the adapter profile.

Verifying the adapter installation

If the adapter is installed correctly, these components exist in the %ProgramFiles%\ISIM\Agents\NetwareAgent\bin directory:
- NetwareAgent.exe
- agentCfg.exe
- CertTool.exe
- regis.exe
- Isamtool.exe
- fipsEnable.exe
- icudt32.dll
- icuuc32.dll
- xml4c 5 5.dll
- XML4CMessages5 5.DLL

The following components exist in the C:\WINDOWS\system32 directory:
- AdkApi.dll
- ErmApi.dll
- ErmApiDaml.dll
- icudt36.dll
- icuuc36.dll
- ssleay32.dll
- libeay32.dll

Review the installer log files for any errors, for example NetwareAgentinstall.log in the %ProgramFiles%\ISIM\Agents\NetwareAgent\bin directory.

If this installation upgrades an existing adapter, send a request from IBM Security Identity Manager. Verify that the version number in the NetwareAgent.log matches the version of the adapter.

Note: The Novell Directory Services Adapter does not use an xforms.xml file. Ignore the errors in the adapter log that are related to xforms.
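The verification steps above (component lists, installer log review, version check, and the xforms caveat) as a small post-install checker. This is an added example, not IBM's code: the file lists and default directories are the guide's, while the log line layout, the version pattern, and the sample log are constructed assumptions.

```python
"""Post-install checks for the Novell Directory Services Adapter.

Added example (not part of the IBM guide). The component lists and default
directories come from "Verifying the adapter installation"; the log format,
the version regex, and the sample log are assumptions constructed for the demo.
"""
import os
import re

# Component lists as printed in the guide. The spaces in "xml4c 5 5.dll" and
# "XML4CMessages5 5.DLL" are reproduced as printed; adjust if your install
# uses a different separator (assumption: the guide's spelling is verbatim).
BIN_DIR = r"%ProgramFiles%\ISIM\Agents\NetwareAgent\bin"
SYSTEM32_DIR = r"C:\WINDOWS\system32"
BIN_COMPONENTS = [
    "NetwareAgent.exe", "agentCfg.exe", "CertTool.exe", "regis.exe",
    "Isamtool.exe", "fipsEnable.exe", "icudt32.dll", "icuuc32.dll",
    "xml4c 5 5.dll", "XML4CMessages5 5.DLL",
]
SYSTEM32_COMPONENTS = [
    "AdkApi.dll", "ErmApi.dll", "ErmApiDaml.dll", "icudt36.dll",
    "icuuc36.dll", "ssleay32.dll", "libeay32.dll",
]

# Assumed patterns: NTFS is case-insensitive, so names are compared lower-cased;
# the version regex accepts "version 6.0.3", "Version: 6.0.3", "version=6.0.3".
ERROR_RE = re.compile(r"\b(error|fail(?:ed|ure)?|exception)\b", re.IGNORECASE)
XFORMS_RE = re.compile(r"xforms", re.IGNORECASE)
VERSION_RE = re.compile(r"\bversion\s*[:=]?\s*(\d+(?:\.\d+)+)", re.IGNORECASE)


def missing_components(present, expected):
    """Return the expected file names that are absent from `present`."""
    have = {name.lower() for name in present}
    return [name for name in expected if name.lower() not in have]


def check_directory(path, expected):
    """List the expected files missing from `path`; an unreadable or absent
    directory counts as missing everything."""
    try:
        names = os.listdir(os.path.expandvars(path))
    except OSError:
        names = []
    return missing_components(names, expected)


def relevant_errors(log_text):
    """Error lines from an adapter or installer log, dropping xforms-related
    lines because this adapter has no xforms.xml and the guide says to ignore them."""
    return [
        line for line in log_text.splitlines()
        if ERROR_RE.search(line) and not XFORMS_RE.search(line)
    ]


def log_version(log_text):
    """First version string found in the log, or None."""
    match = VERSION_RE.search(log_text)
    return match.group(1) if match else None


def version_matches(log_text, expected_version):
    """True when NetwareAgent.log reports the adapter version you installed."""
    return log_version(log_text) == expected_version


# Constructed sample log (not real adapter output) to exercise the filters.
SAMPLE_LOG = """\
2020-01-01 10:00:00 NetwareAgent version 6.0.3 starting
2020-01-01 10:00:01 ERROR: cannot open xforms.xml (file not found)
2020-01-01 10:00:02 Bind to NDS server failed
2020-01-01 10:00:03 Listening on the DAML port
"""

if __name__ == "__main__":
    for path, expected in ((BIN_DIR, BIN_COMPONENTS), (SYSTEM32_DIR, SYSTEM32_COMPONENTS)):
        print(path, "missing:", check_directory(path, expected))
    print("errors to review:", relevant_errors(SAMPLE_LOG))
    print("version in log:", log_version(SAMPLE_LOG))
```

Run it on the adapter host after installation and replace SAMPLE_LOG with the contents of NetwareAgentinstall.log or NetwareAgent.log; only the non-xforms error lines need attention.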

Restarting the adapter service

Various installation and configuration tasks might require the adapter to be restarted to apply the changes. For example, you must restart the adapter if there are changes in the adapter profile, connector, or assembly lines. To restart the adapter, restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter is added to the Dispatcher instance, which runs all the adapters that are installed on the same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in the Dispatcher Installation and Configuration Guide.

Importing the adapter profile

An adapter profile defines the types of resources that the IBM Security Identity server can manage. It is packaged with the IBM Security Identity Adapter. Use the adapter profile to create an adapter service on the IBM Security Identity server and establish communication with the adapter.

Before you begin
- The IBM Security Privileged Identity Manager is installed and running.
- You have root or administrator authority on the IBM Security Privileged Identity Manager.
- The file to be imported must be a Java archive (JAR) file. The Adapter Profile.jar file includes all the files that are required to define the adapter schema, account form, service/target form, and profile properties. If necessary, you can extract the files from the JAR file, modify the files, and repackage the JAR file with the updated files. The JAR file for IBM Security Privileged Identity Manager is located in the top level folder of the installation package.

About this task

Service definition files are also called adapter profile files.

If the adapter profile is not installed correctly, the adapter cannot function correctly. You cannot create a service with the adapter profile or open an account on the service. You must import the adapter profile again.

Procedure
1. Log on to the IBM Security Privileged Identity Manager by using an account that has the authority to perform administrative tasks.
2. From the navigation tree, select Configure System > Manage Service Types. The Manage Service Types page is displayed.
3. On the Manage Service Types page, click Import. The Import Service Type page is displayed.
4. On the Import Service Type page, complete these steps:
   a. In the Service Definition File field, type the directory location of the Adapter Profile.jar file, or click Browse to locate the file. For example, if you are installing the IBM Security Identity Adapter for a Windows server that runs Active Directory, locate and import the ADProfileJAR file.
   b. Click OK to import the file.

Results

A message indicates that you successfully submitted a request to import a service type.

What to do next
- The import occurs asynchronously, which means it might take some time for the service type to load into the IBM Security Identity server from the properties files and to be available in other pages. On the Manage Service Types page, click Refresh to see the new service type. If the service type status is Failed, check the log files to determine why the import failed.
- If you receive a schema-related error, see the trace.log file for information about it. The trace.log file location is specified by the handler.file.fileDir property that is defined in the enRoleLogging.properties file. The enRoleLogging.properties file is in the IBM Security Identity server HOME\data directory.

Creating an adapter service/target

After you import the adapter profile on the IBM Security Identity server, create a service/target so that the IBM Security Identity server can communicate with the managed resource.

Before you begin

Complete “Importing the adapter profile” on page 9.

About this task

You must create an administrative user account for the adapter on the managed resource. You can provide the account information, such as administrator name and password, when you create the adapter service. Ensure that the account has sufficient privileges to administer the users. For information about creating an administrative account, see the documentation for the managed resource.

To create or change a service, you must use the service form to provide information for the service. Service forms might vary depending on the adapter.

The service name and description that you provide for each service are displayed on the console. Therefore, it is important to provide values that make sense to your users and administrators.

Procedure
1. From the navigation tree, click Manage Services.
2. On the Services table, click Create. The Create a Service wizard is displayed.
3. On the Select the Type of Service page, click Search to locate a business unit. The Business Unit page is displayed.
4. On the Business Unit page, complete these steps:
   a. Type information about the business unit in the Search information field.
   b. Select a business type from the Search by list, and then click Search. A list of business units that matches the search criteria is displayed. If the table contains multiple pages, you can do the following tasks:
      - Click the arrow to go to the next page.
      - Type the number of the page that you want to view and click Go.

   c. In the Business Units table, select the business unit in which you want to create the service, and then click OK. The Select the Type of Service page is displayed, and the business unit that you specified is displayed in the Business unit field.
5. On the Select the Type of Service page, select a service type, and then click Next.
6. On the Service Information page, specify the appropriate values for the service instance. The content of the Service Information page depends on the type of service that you are creating.
7. Click Finish.

Results

A message is displayed, indicating that you successfully created the service instance for a specific service type.

Service/Target form details

Complete the service/target form fields.

On the General Information tab:

Service Name
    Specify a name that defines this adapter service on the IBM Security Identity server.
Description
    Optional: Specify a description for this service.
URL
    Specify the location and port number of the adapter. The port number is defined in the protocol configuration by using the agentCfg program. See “Modifying protocol configuration settings” on page 21.
    If https is specified as part of the URL, the adapter must be configured to use SSL authentication. If the adapter is not configured to use SSL authentication, specify http for the URL. See “Configuration of SSL authentication” on page 42.
User Id
    Specify the DAML protocol user name. The user name is defined in the protocol configuration by using the agentCfg program. See “Modifying protocol configuration settings” on page 21.
Password
    Specify the password for the DAML protocol user name. This password is defined in the protocol configuration by using the agentCfg program. See “Modifying protocol configuration settings” on page 21.
NDS Server
    Specify the name of the NDS server that this service manages.
NDS Tree
    Specify the name of the NDS tree for the specified NDS Server.
NDS Context
    Specify the name of the NDS container that is under the specified NDS Tree.

NDS Username
    Specify the name of the NDS user ID that the adapter uses to connect to the NDS server.
    Note: If the NDS Username is present under the specified NDS Context, then the NDS Username must be specified in this format:
        NDSUserName
    Otherwise, specify the value in the full DN format:
        NDSUserName.ContainerName
    where ContainerName is the full path of the container that contains the NDS Username.
NDS Password
    Specify the password for the NDS user ID.
Owner
    Optional: Specify the service owner, if any.
Service Prerequisite
    Optional: Specify an existing service that is a prerequisite for the adapter service.

On the Status and information tab:

This page contains read-only information about the adapter and managed resource. These fields are examples. The actual fields vary depending on the type of adapter and how the service form is configured. The adapter must be running to obtain the information. Click Test Connection to populate the fields.

Last status update: Date
    Specifies the most recent date when the Status and information tab was updated.
Last status update: Time
    Specifies the most recent time of the date when the Status and information tab was updated.
Managed resource status
    Specifies the status of the managed resource that the adapter is connected to.
Adapter version
    Specifies the version of the adapter that the service uses to provision requests to the managed resource.
Profile version
    Specifies the version of the profile that is installed in the IBM Security Identity server.
ADK version
    Specifies the version of the ADK that the adapter uses.
Installation platform
    Specifies summary information about the operating system where the adapter is installed.
Adapter account
    Specifies the account that runs the adapter binary file.

Adapter up time: Date
    Specifies the date when the adapter started.
Adapter up time: Time
    Specifies the time of the date when the adapter started.
Adapter memory usage
    Specifies the memory usage for running the adapter.

If the connection fails, follow the instructions in the error message. Also:
- Verify the adapter log to ensure that the test request was successfully sent to the adapter.
- Verify the adapter configuration information.
- Verify the service parameters for the adapter profile. For example, verify the workstation name or the IP address of the managed resource and the port.

Verifying that the adapter is working correctly

After you install and configure the adapter, verify that the installation and configuration are correct.

Procedure
1. Test the connection for the service that you created on the IBM Security Identity server.
2. Run a full reconciliation from the IBM Security Identity server.
3. Run all supported operations such as add, modify, and delete on one user account.
4. Verify the ibmdi.log file after each operation to ensure that no errors are reported.
5. Verify the trace.log file to ensure that no errors are reported when you run an adapter operation.

Installing and uninstalling in silent mode

You can install and uninstall the Novell Directory Services Adapter by using the silent mode.

Silent installation suppresses the wizard and the Launcher user interfaces (UIs), so that no information is displayed and no interaction is required. You can use the -silent option to install or uninstall the adapter in silent mode.

Installing in silent mode

You can install the adapter by using the silent mode.

Run the following command from the command line to install the Novell Directory Services Adapter by using the -silent option:

    setup.exe -silent -G licenseAccepted true

The adapter is installed with these values.

Table 3. Default values

Adapter installation in

Table 3. Default values (continued)

Adapter configuration option
    Full installation
Lockout reset option on configuration
    Intruder lockout on password change is true.

You can specify the listed installation options from the command line when you install the adapter by using the silent mode. For example, to perform a full installation of the adapter with default options, run the following command:

    setup.exe -silent -G licenseAccepted true -W FullInstallUpgradeBean.FullInstallUpgrade "1" LockoutResetPanel.LockoutResetChoice "1"

The options are:

Table 4. Installation options

-W FullInstallUpgradeBean.FullInstallUpgrade
    value 1: Performs full adapter installation.
    value 2: Updates the adapter installation.
-W LockoutResetPanel.LockoutResetChoice
    value 1: If the Intruder lockout on password change is Yes.
    value 0: If the Intruder lockout on password change is No.

Uninstalling in silent mode

Run the following command from the command line to uninstall the Novell Directory Services Adapter by using the -silent option.

    uninstaller.exe -silent

Note: No user inputs are required for the adapter uninstallation.

Chapter 4. Upgrading

You can either update the Novell Directory Services Adapter or the Adapter Development Kit (ADK).

The ADK is the base component of the adapter. While all adapters have the same ADK, the remaining adapter functionality is specific to the managed resource.

Note: If your existing adapter version is earlier than 5.x, you must uninstall the older version of the adapter before you can install the 5.x adapter. You cannot migrate from such a version to 5.x because the encryption used in the 5.x release is not compatible with earlier versions of the ADK. Any previously encrypted values cannot be read by the 5.x adapter.

You can perform an adapter upgrade to migrate your current adapter installation to a newer version, for example version 5.0 to version 5.x. Upgrading the adapter, as opposed to reinstalling it, enables you to keep your configuration settings. Additionally, you do not have to uninstall the current adapter and install the newer version.

If you make a code fix only to the ADK, instead of upgrading the entire adapter, you can upgrade just the ADK to the newer version. See “Updating the ADK” on page 16.

Updating the Novell Directory Services Adapter

You might need to update the Novell Directory Services Adapter.

About this task

For adapter versions 5 and later, use the adapter update option:
- If you want to keep the adapter configuration (registry keys and certificates) unchanged.
- If the installed adapter is FIPS enabled. The Update Installation option keeps FIPS configurations unchanged. For example, the CA certificates, fipsdata.txt (the key generated by running fipsenable.exe), and the registry keys encrypted with fipsdata.txt are unchanged.

Note: The upgrade option is applicable only for the adapte
