Transcription
IBM Security Identity Governance and IntelligenceCyberArk adapter Installation andConfiguration GuideIBM
IBM Security Identity Governance and IntelligenceCyberArk adapter Installation andConfiguration GuideIBM
iiIBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
ContentsFigures . . . . . . . . . . . . . . . vTables . . . . . . . . . . . . . . . viiChapter 1. Overview . . . . . . . . . 1Features of the adapter . .Architecture . . . . .Supported configurations . 1. 1. 2Chapter 2. Planning. . . . . . . . . . 5Roadmap for IBM Tivoli Directory Integrator basedadapters, for IBM Security Identity Governance andIntelligence . . . . . . . . . . . . . .Prerequisites . . . . . . . . . . . . .Software downloads . . . . . . . . . . .Installation worksheet . . . . . . . . . .1315161719Chapter 4. Upgrading . . . . . . . . 21Upgrading the Dispatcher . .Upgrading the adapter profile . 21. 21Chapter 5. Configuring . . . . . . . . 23.5778Chapter 3. Installing . . . . . . . . . 9Installing the dispatcher . . . . . . .Installing third-party client libraries . . .Installing the adapter binaries or connector .Verifying the adapter installation . . . .Restarting the adapter service . . . . .Importing the adapter profile . . . . .Importing attribute mapping file . . . .Adding a connector . . . . . . . .Enabling connectors . . . . . . . . . . .Reviewing and setting channel modes for each newconnector . . . . . . . . . . . . . . .Attribute Mapping . . . . . . . . . . . .Service/Target form details . . . . . . . . .Verifying that the adapter is working correctly . . 9. 9. 9. 10. 10. 10. 12. 12Customizing the adapter profile. 23Chapter 6. Troubleshooting . . . . . . 25Techniques for troubleshooting problemsLogs . . . . . . . . . . . . .Error messages and problem solving . . 25. 27. 27Chapter 7. Uninstalling . . . . . . . . 29Chapter 8. Reference. . . . . . . . 31Adapter attributes and object classes .Adapter configuration properties . . 31. 32iii
ivIBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
Figures1.2.The architecture of the CyberArk adapterExample of a single server configuration .1. 23.Example of a multiple server configuration3v
viIBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
Tables1.2.3.4.Prerequisites to install the adapter . . . . . 7Required information to install the adapter8Adapter components . . . . . . . . . 10Prerequisites for enabling a connector . . . . 145.6.Specific warning and error messages andactions . . . . . . . . . . . .Supported attributes . . . . . . . 27. 31vii
viiiIBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
Chapter 1. OverviewAn adapter is an interface between a managed resource and the IBM SecurityIdentity server. The CyberArk adapter enables communication between the IBMSecurity Identity server and the CyberArk SCIM server.Features of the adapterThe CyberArk adapter automates several administrative and management tasksYou can perform the following tasks with the CyberArk adapter:v Adding user accountsv Changing user account passwordsv Modifying user account attributesv Suspending and restoring user accountsv Retrieving user accounts for the first timev Deleting user accountsv Reconciliation of modified user accountsv Reconciliation of support data as Groups, Containers and Privileged DataArchitectureSeveral components are involved in running and using the adapter. Install all thesecomponents so that the adapter can function correctly.The adapter requires the following components:v Dispatcherv Tivoli Directory Integrator connectorv IBM Security Identity Adapter profileFigure 1 describes the components that work together to complete the user accountmanagement tasks in a Tivoli Directory Integrator environment.IBM SecurityIdentity ServerRMI callsDispatcher Service(an instance of the IBMTivoli Directory Integrator)AdapterresourceFigure 1. The architecture of the CyberArk adapter1
Supported configurationsThe adapter supports both single and multiple server configurations.The fundamental components in each environment are:v The IBM Security Identity serverv The IBM Tivoli Directory Integrator serverv The managed resourcev The adapterThe adapter must be installed directly on the server that runs the Tivoli DirectoryIntegrator server.Single server configurationIn a single server configuration, the following components are installed on oneserver to establish communication with the CyberArk SCIM server:v IBM Security Identity serverv Tivoli Directory Integrator serverv CyberArk adapterThe CyberArk SCIM server is installed on a different server as shown in Figure 2.IBM SecurityIdentity ServerTivoli DirectoryIntegrator ServerManagedresourceAdapterFigure 2. Example of a single server configurationMultiple server configurationIn a multiple server configuration, the following components are installed ondifferent servers.v IBM Security Identity serverv Tivoli Directory Integrator serverv CyberArk adapterv CyberArk SCIM serverTheTivoli Directory Integrator server and the CyberArk adapter are installed onthe same server as shown in Figure 3 on page 3.2IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
IBM Security IdentityGovernance andIntelligence serverTivoli DirectoryIntegrator serverManagedresourceAdapterFigure 3. Example of a multiple server configurationChapter 1. Overview3
4IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
Chapter 2. PlanningInstalling and configuring the adapter involves several steps that you mustcomplete in a specific sequence. Follow the roadmap for the main tasks.Roadmap for IBM Tivoli Directory Integrator based adapters, for IBMSecurity Identity Governance and IntelligenceFollow this section when using the guide to install, configure, troubleshoot, oruninstall the adapter.Note: There is a separate instruction for installing, upgrading or uninstallingadapters from the IBM Security Identity Governance and Intelligence virtualappliance.Pre-installationComplete these tasks.1. Verify that your environment meets the software and hardware requirementsfor the adapter. See Prerequisites.2. Obtain the installation software. See Software downloads.3. Obtain the necessary information for the installation and configuration. SeeInstallation worksheet.InstallationComplete these tasks.1. Install the dispatcher.2. Install the adapter binaries or connector.3. Install 3rd party client libraries.4. Set up the adapter environment.5. Restart the adapter service.6. Import the adapter profile.7. Load attribute mapping.8. Set account defaults.9. Create an adapter service/target.10. Install the adapter language package.11. Verify that the adapter is working correctly.UpgradeTo upgrade the adapter, do a full installation of the adapter. Follow the Installationroadmap.ConfigurationComplete these tasks.1. Configure secure communication between the IBM Security Identity server andthe adapter.5
a. Configure 1-way authentication.b. Configure 2-way authentication.2. Configure secure communication between the adapter and the managed target.a. Configure 1-way authentication.b. Configure 2-way authentication.3. Configure the adapter.4. Modify the adapter profiles.5. Customize the adapter.TroubleshootingSee the following topics.v Techniques for troubleshooting problemsv Configure debuggingv Logsv Error messages and problem solvingUninstallationComplete these tasks.1. Stop the adapter service.2. Remove the adapter binaries or connector.3. Remove 3rd party client libraries.4. Delete the adapter service/target.5. Delete the adapter profile.ReferenceSee the following topics.v Adapter attributes and object classesv Adapter attributes by operationsv Special attributes6IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
PrerequisitesVerify that your environment meets the software and hardware requirements forthe adapter.Table 1 identifies the prerequisites for the adapter installation.Table 1. Prerequisites to install the adapterPrerequisiteDescriptionDirectory Integratorv IBM Tivoli Directory Integrator Version7.1.1 7.1.1-TIV-TDI-FP0004 7.2.0-ISS-SDI-LA0008v IBM Security Directory Integrator Version7.2Note:v Earlier versions of IBM Tivoli DirectoryIntegrator that are still supported mightfunction properly. However, to resolveany communication errors, you mustupgrade your Directory Integrator releaseto the versions that the adapter officiallysupports.v The adapter supports IBM SecurityDirectory Integrator 7.2, which is availableonly to customers who have the correctentitlement. Contact your IBMrepresentative to find out whether youhave the entitlement to download IBMSecurity Directory Integrator 7.2.IBM Security Identity serverThe following servers are supported:v IBM Security Identity Governance andIntelligence Version 5.2.4.CyberArk SCIM serverCyberArk v10.1.1Tivoli Directory Integrator adapters solutiondirectoryA Tivoli Directory Integrator work directoryfor adapters. For more information, see, theDispatcher Installation and Configuration Guide.System administrator authorityYou must have system administratorauthority to complete the adapterinstallation procedure.Software downloadsLog in to your account on the IBM Passport Advantage website and downloadthe software.Go to IBM Passport Advantage. See the IBM Security Identity Governance andIntelligence Download Document.Note: You can also obtain adapter information from IBM Support.Chapter 2. Planning7
Installation worksheetThe installation worksheet lists the information that is required to install andconfigure the adapter. Complete this worksheet before you start the installationprocedure for ease of reference. Make a copy of the worksheet for each adapterinstance you install.Table 2. Required information to install the adapterRequired information DescriptionValueTivoli DirectoryIntegrator HomeDirectoryWindows:The ITDI HOME directory contains thejars/connectors subdirectory, whichcontains the files for the IBM/TDI/V7.2Adapter SolutionDirectorySee the Dispatcher Installation andConfiguration olUNIX:/opt/IBM/TDI/V7.2/timsolAdministrator account An administrator account ID andID and passwordpassword on the managed resourcethat has administrative rights forrunning the CyberArk adapter.8IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
Chapter 3. InstallingInstalling the adapter mainly involves importing the adapter profile and creatingan adapter service. Depending on the adapter, several other tasks can be involvedto completely install it.All IBM Tivoli Directory Integrator based adapters require the Dispatcher for theadapters to function correctly. If the Dispatcher is installed from a previousinstallation, do not reinstall it unless the Dispatcher is upgraded. See “Installingthe dispatcher.”Depending on your adapter, the Tivoli Directory Integrator connector mightalready be installed as part of the Tivoli Directory Integrator product and nofurther action is required. If the connector is not pre-installed, install it after theDispatcher.Installing the dispatcherIf this is the first Tivoli Directory Integrator-based adapter installation, you mustinstall the RMI Dispatcher before you install the adapter. Install the RMIDispatcher on the same Tivoli Directory Integrator server where you want to installthe adapter.If you already installed the RMI Dispatcher for another adapter, you do not needto reinstall it.If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integratorenvironment, download the Dispatcher installer from the IBM Passport Advantagewebsite. For more information about the installation, see the Dispatcher Installationand Configuration Guide.Installing third-party client librariesThe adapter requires access to the jars at runtime.Copy the following list of JAR files to ITDI HOME/jars/3rdparty/others folder:v httpclient-4.5.5.jarv httpcore-4.4.9.jarv jackson-annotations-2.5.0.jarv jackson-core-2.5.0.jarv jackson-databind-2.5.0.jarInstalling the adapter binaries or connectorThe adapter binaries establish that communication to the managed target. Someadapters relies on the Security Directory Integrator and don't include any binaries.For those adapters that do provide binary distribution, follow the adapter'sinstallation steps.Before you beginv The Dispatcher must be installed.9
ProcedureCopy CyberArkConnector.jar from the adapter package to theITDI HOME/jars/connectors directory.Verifying the adapter installationAfter you install the adapter, verify the adapter components on the IBM TivoliDirectory Integrator server. If the adapter is installed correctly, the adapter JAR fileexists in the specified directory. If the JAR file does not exist, the installation is notsuccessful and the adapter cannot function as expected. You must copy the JAR filein the specified location.These adapter components must exist on the IBM Tivoli Directory Integratorserver.Table 3. Adapter componentsDirectoryAdapter componentITDI HOME/jars/connectorsCyberArkConnector.jarITDI HOME/jars/3rdparty/otherv httpclient-4.5.5.jarv httpcore-4.4.9.jarv jackson-annotations-2.5.0.jarv jackson-core-2.5.0.jarv jackson-databind-2.5.0.jarRestarting the adapter serviceVarious installation and configuration tasks might require the adapter to berestarted to apply the changes. For example, you must restart the adapter if thereare changes in the adapter profile, connector, or assembly lines. To restart theadapter, restart the Dispatcher.The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Security Directory Integrator instance.See the topic about starting, stopping, and restarting the Dispatcher service in theDispatcher Installation and Configuration Guide.Importing the adapter profileYou can import a profile definition file, which creates a profile in IBM SecurityIdentity Governance and Intelligence server. Use this option for importing adapterprofiles.Before you beginv The IBM Security Identity Governance and Intelligence server is installed andrunning.v You have administrator authority on the IBM Security Identity Governance andIntelligence server.v The file to be imported must be a Java archive (JAR) file. The Adapter Profile.jar file includes all the files that are required to define theadapter schema, account form, service/target form, and profile properties. If10IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
necessary, you can extract the files from the JAR file, modify the files, andrepackage the JAR file with the updated files.About this taskTarget definition files are also called adapter profile files. The profile definition filesare provided with the various IBM Security Identity Adapter. The adapter profilemust be imported because it defines the types of resources that the IdentityGovernance and Intelligence server can manage.The adapter profile definition file is used to create a target profile on the IdentityGovernance and Intelligence server and to establish communication with theadapter. If the adapter profile is not imported, you cannot create a connector forthat adapter type.An upload error might occur when no file is selected, or when the file is empty, ordue to any upload operation error, such as a timeout or connection error. If theadapter profile is not installed correctly, the adapter cannot function correctly. Youcannot create a connector with the adapter profile or open and account on theservice. You must import the adapter profile again.This task can be completed from the Enterprise Connectors module in theAdministration Console. To import an adapter target profile, complete these steps:Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, orclick Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.5. Click Actions Import.6. On the Import page, complete these steps:a. Select Profile.b. Click Browse to locate the JAR file that you want to import.c. Click Upload file. A message indicates that you successfully imported aprofile.7. Click Close. The new profile is displayed in the list of profiles.ResultsThe upload is synchronous but has a timeout. The progress bar on the Import pageaccurately indicates the upload status. However, when a timeout is reached, thefollowing message occurs: "The import is still in progress and will completeshortly. Close this window to proceed." If you see that message, allow a fewminutes for the upload to complete and for the profile to be available.What to do nextAfter the target profile is imported successfully, complete these tasks.v Import the attribute mapping file. See “Importing attribute mapping file” onpage 12.Chapter 3. Installing11
v Create a connector that uses the target profile. See “Adding a connector.”Importing attribute mapping fileAfter importing the adapter profile, you must import an attribute map from aprofile mapping definition file.About this taskThis task involves importing an account attribute mapping definition file, which isincluded in the adapter package. The imported file must be a DEF file.Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, orclick Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.5. Click Actions Import.6. On the Import page, complete these steps:a. Select Attribute Mapping.b. Click Browse to locate the attribute mapping file that you want to import.c. Click Upload file. A message indicates that you successfully imported thefile.7. Click Close.Adding a connectorAfter you import the adapter profile on the Identity Governance and Intelligenceserver, add a connector so that Identity Governance and Intelligence server cancommunicate with the managed resource.Before you beginComplete “Importing the adapter profile” on page 10.Note: If you migrated from Identity Governance and Intelligence V5.2.2 or V5.2.2.1and want to add or configure a connector, see Adding and configuring a connector foreach target in the IBM Security Identity Governance and Intelligence productdocumentation.About this taskThe connectors consolidate, extract, and reconcile user identities, organizationunits, permissions, and user entitlements with the most common enterpriseapplications. Configure a connector to keep the Access Governance Core repositorysynchronized with the target system.This task can be completed from the Enterprise Connectors module in theAdministration Console.12IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide
ProcedureTo add a connector, complete these steps.1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage Connectors. A list of connectors is displayed on theConnectors tab.4. Optio
6 IBM Security Identity Governance and Intelligence: CyberArk adapter Installation and Configuration Guide Prerequisites V erify that your envir onment meets the softwar e and har dwar e r equir ements for
