sybase ada pter installa tion andpublic.dhe.ibm.com/software/security/products/isim/...intelligence...

IBM Security Identity Governance and Intelligence

Sybase Adapter Installation andConfiguration Guide

IBM

ii IBM Security Identity Governance and Intelligence: Sybase Adapter Installation and Configuration Guide

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

Chapter 1. Overview . . . . . . . . . 1Features of the adapter . . . . . . . . . . . 1Architecture of the adapter . . . . . . . . . 1Supported configurations . . . . . . . . . . 2

Chapter 2. Planning. . . . . . . . . . 5Roadmap for IBM Tivoli Directory Integrator basedadapters, for IBM Security Identity Governance andIntelligence . . . . . . . . . . . . . . . 5Prerequisites . . . . . . . . . . . . . . 6Installation worksheet . . . . . . . . . . . 8

Chapter 3. Installing in the IdentityGovernance and Intelligence virtualappliance. . . . . . . . . . . . . . 11

Chapter 4. Installing . . . . . . . . . 13Installing the dispatcher . . . . . . . . . . 13Installing the adapter binaries or connector . . . . 13Restarting the adapter service . . . . . . . . 14Importing the adapter profile . . . . . . . . 14Importing attribute mapping file . . . . . . . 15Adding a connector . . . . . . . . . . . 16Enabling connectors . . . . . . . . . . . 17Reviewing and setting channel modes for each newconnector . . . . . . . . . . . . . . . 18Attribute Mapping . . . . . . . . . . . . 19Service/Target form details . . . . . . . . . 20Verifying that the adapter is working correctly . . 23

Chapter 5. Upgrading . . . . . . . . 25Upgrading the dispatcher. . . . . . . . . . 25Upgrading the adapter profile . . . . . . . . 25

Chapter 6. Configuring . . . . . . . . 27Customizing the adapter profile . . . . . . . 27Editing adapter profiles on the UNIX or Linuxoperating system . . . . . . . . . . . . 28Password management for account restoration . . 28

Chapter 7. Troubleshooting . . . . . . 31Techniques for troubleshooting problems . . . . 31Error messages and problem solving . . . . . . 33

Chapter 8. Uninstalling . . . . . . . . 35Uninstalling the adapter . . . . . . . . . . 35Deleting the adapter profile . . . . . . . . . 35

Chapter 9. Reference . . . . . . . . 37Adapter attributes and object classes . . . . . . 37Adapter attributes by operations . . . . . . . 38

System Login Add . . . . . . . . . . . 38System Login Change . . . . . . . . . . 38System Login Delete . . . . . . . . . . 38System Login Suspend . . . . . . . . . 39System Login Restore . . . . . . . . . . 39Test . . . . . . . . . . . . . . . . 39Reconciliation . . . . . . . . . . . . 39

Special attributes . . . . . . . . . . . . 40

Index . . . . . . . . . . . . . . . 41

iii

iv IBM Security Identity Governance and Intelligence: Sybase Adapter Installation and Configuration Guide

Figures

1. The architecture of the Sybase Adapter . . . . 22. Example of a single server configuration . . . 2

3. Example of a multiple server configuration 3

v

vi IBM Security Identity Governance and Intelligence: Sybase Adapter Installation and Configuration Guide

Tables

1. Prerequisites to install the adapter . . . . . 72. Required information to install the adapter 83. Adapter package contents . . . . . . . . 114. Prerequisites for enabling a connector . . . . 175. Required roles and their descriptions . . . . 216. Ports . . . . . . . . . . . . . . . 217. Warning and error messages . . . . . . . 338. Attributes, object identifiers, descriptions, and

corresponding column/table name on theSybase Adapter . . . . . . . . . . . 37

9. Add request attributes for Oracle . . . . . 3810. Change request attributes for Oracle . . . . 3811. Delete request attributes for Oracle. . . . . 3912. Suspend request attributes for Oracle . . . . 3913. Restore request attributes for Oracle . . . . 3914. Test attributes . . . . . . . . . . . . 3915. Reconciliation function attributes . . . . . 39

vii

viii IBM Security Identity Governance and Intelligence: Sybase Adapter Installation and Configuration Guide

Chapter 1. Overview

An adapter is an interface between a managed resource and the IBM® SecurityIdentity server. The Sybase Adapter enables communication between the IBMSecurity Identity server and the Sybase Adaptive Server Enterprise (ASE).

Adapters can be installed on the managed resource. The IBM Security Identityserver manages access to the resource by using the security system. Adaptersfunction as trusted virtual administrators on the target operating system. Theadapter creates, suspends, restores user accounts, and other functions thatadministrators run manually. The adapter runs as a service, independently ofwhether you are logged on to the IBM Security Identity server.

Features of the adapterThe adapter automates several administrative and management tasks.v Reconciling user accounts and other support datav Adding user accountsv Modifying user account attributesv Modifying user account passwordsv Suspending, restoring, and deleting user accounts

Architecture of the adapterSeveral components are involved in running and using the adapter. Install all thesecomponents so that the adapter can function correctly.v Dispatcherv Tivoli® Directory Integrator connectorv IBM Security Identity Adapter profile

You need to install the Dispatcher and the adapter profile; however, the TivoliDirectory Integrator connector might already be installed with the base TivoliDirectory Integrator product.

Figure 1 on page 2 describes the components that work together to complete theuser account management tasks in a Tivoli Directory Integrator environment.

1

Supported configurationsThe adapter supports both single and multiple server configurations. In a singleserver configuration, the adapter is installed on only one server. In a multipleserver configuration, the adapter is installed on several different servers.

The fundamental components in each environment are:v The IBM Security Identity serverv The IBM Tivoli Directory Integrator serverv The managed resourcev The adapter

The adapter must be installed directly on the server that runs the Tivoli DirectoryIntegrator server.

Single server configuration

In a single server configuration, the IBM Security Identity server, the TivoliDirectory Integrator server, and the Sybase Adapter are installed on one server toestablish communication with the managed resource.

The managed resource is installed on a different server as described in Figure 2.

RMI callsIBM SecurityIdentityServer

DispatcherService(an instanceof the IBMTivoliDirectoryIntegrator)

Adapterresource

Figure 1. The architecture of the Sybase Adapter

IBM SecurityIdentity Server

Tivoli DirectoryIntegrator Server

Adapter

Managedresource

Figure 2. Example of a single server configuration

2 IBM Security Identity Governance and Intelligence: Sybase Adapter Installation and Configuration Guide

Multiple server configuration

In a multiple server configuration, the IBM Security Identity server, the TivoliDirectory Integrator server, and the Sybase Adaptive Server Enterprise are installedon different servers.

The Tivoli Directory Integrator server and the Sybase Adapter are installed on thesame server as described in Figure 3.

IBM SecurityIdentity Managerserver

Security DirectoryIntegrator server Managed

resource

Adapter

Figure 3. Example of a multiple server configuration

Chapter 1. Overview 3

Chapter 2. Planning

Installing and configuring the adapter involves several steps that you mustcomplete in a specific sequence. Follow the roadmap for the main tasks.

Roadmap for IBM Tivoli Directory Integrator based adapters, for IBMSecurity Identity Governance and Intelligence

Follow this section when using the guide to install, configure, troubleshoot, oruninstall the adapter.

Note: There is a separate instruction for installing, upgrading or uninstallingadapters from the IBM Security Identity Governance and Intelligence virtualappliance.

Pre-installation

Complete these tasks.1. Verify that your environment meets the software and hardware requirements

for the adapter. See Prerequisites.2. Obtain the installation software. See Software downloads.3. Obtain the necessary information for the installation and configuration. See

Installation worksheet.

Installation

Complete these tasks.1. Install the dispatcher.2. Install the adapter binaries or connector.3. Install 3rd party client libraries.4. Set up the adapter environment.5. Restart the adapter service.6. Import the adapter profile.7. Load attribute mapping.8. Set account defaults.9. Create an adapter service/target.

10. Install the adapter language package.11. Verify that the adapter is working correctly.

Upgrade

To upgrade the adapter, do a full installation of the adapter. Follow the Installationroadmap.

Configuration

Complete these tasks.1. Configure secure communication between the IBM Security Identity server and

the adapter.

5

a. Configure 1-way authentication.b. Configure 2-way authentication.

2. Configure secure communication between the adapter and the managed target.a. Configure 1-way authentication.b. Configure 2-way authentication.

3. Configure the adapter.4. Modify the adapter profiles.5. Customize the adapter.

Troubleshooting

See the following topics.v Techniques for troubleshooting problemsv Configure debuggingv Logsv Error messages and problem solving

Uninstallation

Complete these tasks.1. Stop the adapter service.2. Remove the adapter binaries or connector.3. Remove 3rd party client libraries.4. Delete the adapter service/target.5. Delete the adapter profile.

Reference

See the following topics.v Adapter attributes and object classesv Adapter attributes by operationsv Special attributes

PrerequisitesVerify that your environment meets the software and hardware requirements forthe adapter.

Table 1 on page 7 identifies the software and operating system prerequisites for theadapter installation.

Ensure that you install the adapter on the same workstation as the IBM TivoliDirectory Integrator server.


Table 1. Prerequisites to install the adapter

Prerequisite Description

Directory Integrator v IBM Tivoli Directory Integrator Version 7.1.1+ 7.1.1-TIV-TDI-FP0004 +7.2.0-ISS-SDI-LA0008

v IBM Security Directory Integrator Version 7.2

Note:

v Earlier versions of IBM Tivoli DirectoryIntegrator that are still supported mightfunction properly. However, to resolve anycommunication errors, you must upgradeyour Directory Integrator release to theversions that the adapter officially supports.

v The adapter supports IBM Security DirectoryIntegrator 7.2, which is available only tocustomers who have the correct entitlement.Contact your IBM representative to find outwhether you have the entitlement todownload IBM Security Directory Integrator7.2.

IBM Security Identity server The following servers are supported:

v IBM Security Identity Manager server Version6.0

v IBM Security Identity Manager server Version7.0

v IBM Security Privileged Identity ManagerVersion 2.0

v IBM Security Identity Governance andIntelligence server Version 5.2.2

Sybase Adaptive Server Enterprise A system that runs the Sybase Adapter with oneof following versions:

v Sybase Adaptive Server Enterprise v15.7

v Sybase (SAP) Adapter Server Enterprise v16.0

Sybase JDBC Driver jconn4.jar

Network Connectivity Install the adapter on a workstation that cancommunicate with the IBM Security IdentityGovernance and Intelligence service through theTCP/IP network.

System Administrator Authority To complete the adapter installation procedure,you must have system administrator authority.

Tivoli Directory Integrator adapterssolution directory

A Tivoli Directory Integrator adapters solutiondirectory is a Tivoli Directory Integrator workdirectory for IBM Security Identity Manageradapters. See the Dispatcher Installation andConfiguration Guide.

Chapter 2. Planning 7

Table 1. Prerequisites to install the adapter (continued)

Prerequisite Description

Sybase Account You must provide a Sybase account andpassword for every Sybase instance that theadapter manages.

The Sybase account must have the followingSybase privileges and roles:

v SA_ROLE

v SSO_ROLE

v OPER_ROLE

Install the Sybase Adapter and the appropriate Sybase JDBC drivers on the sameworkstation as the Tivoli Directory Integrator.

For information about the prerequisites and supported operating systems for TivoliDirectory Integrator, see the IBM Tivoli Directory Integrator 7.0: Administrator Guide.

Installation worksheetThe installation worksheet lists the information that is required to install andconfigure the adapter. Complete this worksheet before you start the installationprocedure for ease of reference. Make a copy of the worksheet for each adapterinstance you install.

Table 2. Required information to install the adapter

Required information Description Value

IBM Tivoli DirectoryIntegrator HomeDirectory

The ITDI_HOME directory containsthe jars/connectors subdirectory thatcontains adapter jars. For example,the jars/connectors subdirectorycontains the jar for the UNIXadapter.

If Tivoli DirectoryIntegrator is automaticallyinstalled with your IBMSecurity IdentityGovernance andIntelligence product, thedefault directory path forTivoli Directory Integratoris as follows:

Windows:

v for version 7.0:

drive\ProgramFiles\IBM\TDI\V7.0

v for version 7.1

drive\ProgramFiles\IBM\TDI\V7.1

UNIX:

v for version 7.0:

/opt/IBM/TDI/V7.0

v for version 7.1:

/opt/IBM/TDI/V7.1


Table 2. Required information to install the adapter (continued)

Required information Description Value

Adapters solutiondirectory

When you install the dispatcher, theadapter prompts you to specify a filepath for the adapters solutiondirectory. For more informationabout the solution directory, see theDispatcher Installation andConfiguration Guide.

The default solutiondirectory is located at:

Windows:

v for version 7.0:

drive\ProgramFiles\IBM\TDI\V7.0\isimsoln

v for version 7.1:

drive\ProgramFiles\IBM\TDI\V7.1\isimsoln

UNIX:

v for version 7.0:

/opt/IBM/TDI/V7.0/isimsoln

v for version 7.1:

/opt/IBM/TDI/V7.1/isimsoln

Chapter 2. Planning 9

Chapter 3. Installing in the Identity Governance andIntelligence virtual appliance

For Identity Governance and Intelligence target management, you can install anIBM Security Identity Adapters or a custom adapter on the built-in SecurityDirectory Integrator in the virtual appliance instead of installing the adapterexternally. As such, there is no need to manage a separate virtual machine orsystem.

About this task

This procedure is applicable for a selected list of Identity Adapters. See the IdentityAdapters product documentation at http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm todetermine which adapters are supported in Identity Governance and Intelligence,and which can be installed on the virtual appliance.

All Identity Governance and Intelligence supported adapters can be installedexternally on the virtual appliance. Depending on the adapter, an external SecurityDirectory Integrator may be required.

See the corresponding Adapter Installation and Configuration Guide for the specificprerequisites, installation and configuration tasks, and issues and limitations. Seethe Adapters Release Notes for any updates to these references.

Procedure1. Download the adapter package from the IBM Passport Advantage. For

example, Adapter-<Adaptername>.zip.The adapter package includes the following files:

Table 3. Adapter package contents

Files Descriptions

bundledefinition.json The adapter definition file. It specifies thecontent of the package, and the adapterinstallation and configuration properties thatare required to install and update theadapter.

Adapter JAR profile An Security Directory Integrator adapteralways include a JAR profile which contains:

v targetProfile.json

– Service provider configuration

– Resource type configuration

– SCIM schema extensions

– List of assembly lines

v A set of assembly lines in XML files

v A set of forms in XML files

v Custom properties that include labels andmessages for supported languages.

Use the Target Administration module toimport the target profile.

11

http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm?view=kc

http://www.ibm.com/support/knowledgecenter/SSIGMP_1.0.0/com.ibm.itim_pim.doc/c_adapters_intro.htm?view=kc

Table 3. Adapter package contents (continued)

Files Descriptions

Additional adapter specific files Examples of adapter specific files:

v Connector jar files

v Configuration files

v Script files

v Properties files

The file names are specified in the adapterdefinition file along with the destinationdirectory in the virtual appliance.

2. From the top-level menu of the Appliance Dashboard, click Configure > SDIManagement.

3. Select the instance of the Security Directory Integrator for which you want tomanage the adapters and click Manage > SDI Adapters The SDI Adapterswindow is displayed with a table that list the name, version, and anycomments about the installed adapters.

4. On the SDI Adapters window, click Install.5. On the File Upload window, click Browse to locate the adapter package and

then click OK. For example, Adapter-<Adaptername>.zip.6. Provide the missing 3rd party libraries when prompted.

a. On the File Upload for Pre-requisite files window, click Select Files. A newFile Upload window is displayed.

b. Browse and select all the missing libraries. For example,httpclient-4.0.1.jar

c. Click Open. The selected files are listed in the File Upload for Pre-requisitefiles window.

d. Click OK. The missing files are uploaded and the adapter package isupdated with the 3rd party libraries.

7. Enable secure communication.a. Select the instance of the Security Directory Integrator for which you want

to manage the adapter.b. Click Edit.c. Click the Enable SSL check box.d. Click Save Configuration.

8. Import the SSL certificate to the IBM Security Directory Integrator server.a. Select the instance of the Security Directory Integrator for which you want

to manage the adapter.b. Click Manage > Certificates.c. Click the Signer tab.d. Click Import. The Import Certificate window is displayed.e. Browse for the certificate file.f. Specify a label for the certificate. It can be any name.g. Click Save.


Chapter 4. Installing

Installing the adapter mainly involves importing the adapter profile and creatingan adapter service. Depending on the adapter, several other tasks can be involvedto completely install it.

All IBM Tivoli Directory Integrator based adapters require the Dispatcher for theadapters to function correctly. If the Dispatcher is installed from a previousinstallation, do not reinstall it unless the Dispatcher is upgraded. See DispatcherInstallation Verification.

Depending on your adapter, the Tivoli Directory Integrator connector mightalready be installed as part of the Tivoli Directory Integrator product and nofurther action is required. If the connector is not pre-installed, install it after theDispatcher.

Installing the dispatcherIf this is the first Tivoli Directory Integrator-based adapter installation, you mustinstall the RMI Dispatcher before you install the adapter. Install the RMIDispatcher on the same Tivoli Directory Integrator server where you want to installthe adapter.

If you already installed the RMI Dispatcher for another adapter, you do not needto reinstall it.

If you have not yet installed the RMI Dispatcher in the Tivoli Directory Integratorenvironment, download the Dispatcher installer from the IBM Passport Advantagewebsite. For more information about the installation, see the Dispatcher Installationand Configuration Guide.

Installing the adapter binaries or connectorThe connector might or might not be available with the base Tivoli DirectoryIntegrator or Security Directory Integrator product. The connector is required toestablish communication between the adapter and the Dispatcher.

Before you beginv The Dispatcher must be installed.

About this task

The adapter uses the IBM Tivoli Directory Integrator JDBC connector. Thisconnector is already available with the base Tivoli Directory Integrator product. Assuch, you just need to install the Dispatcher. See the IBM Security DispatcherInstallation and Configuration Guide..

13

http://www.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm

Restarting the adapter serviceVarious installation and configuration tasks might require the adapter to berestarted to apply the changes. For example, you must restart the adapter if thereare changes in the adapter profile, connector, or assembly lines. To restart theadapter, restart the Dispatcher.

The adapter does not exist as an independent service or a process. The adapter isadded to the Dispatcher instance, which runs all the adapters that are installed onthe same Security Directory Integrator instance.

See the topic about starting, stopping, and restarting the Dispatcher service in theDispatcher Installation and Configuration Guide.

Importing the adapter profileYou can import a profile definition file, which creates a profile in IBM SecurityIdentity Governance and Intelligence server. Use this option for importing adapterprofiles.

Before you beginv The IBM Security Identity Governance and Intelligence server is installed and

running.v You have administrator authority on the IBM Security Identity Governance and

Intelligence server.v The file to be imported must be a Java archive (JAR) file. The

<Adapter>Profile.jar file includes all the files that are required to define theadapter schema, account form, service/target form, and profile properties. Ifnecessary, you can extract the files from the JAR file, modify the files, andrepackage the JAR file with the updated files.

About this task

Target definition files are also called adapter profile files. The profile definition filesare provided with the various IBM Security Identity Adapter. The adapter profilemust be imported because it defines the types of resources that the IdentityGovernance and Intelligence server can manage.

The adapter profile definition file is used to create a target profile on the IdentityGovernance and Intelligence server and to establish communication with theadapter. If the adapter profile is not imported, you cannot create a connector forthat adapter type.

An upload error might occur when no file is selected, or when the file is empty, ordue to any upload operation error, such as a timeout or connection error. If theadapter profile is not installed correctly, the adapter cannot function correctly. Youcannot create a connector with the adapter profile or open and account on theservice. You must import the adapter profile again.

This task can be completed from the Enterprise Connectors module in theAdministration Console. To import an adapter target profile, complete these steps:

Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.


3. Select Manage > Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, or

click Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.

5. Click Actions > Import.6. On the Import page, complete these steps:

a. Select Profile.b. Click Browse to locate the JAR file that you want to import.c. Click Upload file. A message indicates that you successfully imported a

profile.7. Click Close. The new profile is displayed in the list of profiles.

Results

The upload is synchronous but has a timeout. The progress bar on the Import pageaccurately indicates the upload status. However, when a timeout is reached, thefollowing message occurs: "The import is still in progress and will completeshortly. Close this window to proceed." If you see that message, allow a fewminutes for the upload to complete and for the profile to be available.

What to do next

After the target profile is imported successfully, complete these tasks.v Import the attribute mapping file. See “Importing attribute mapping file.”v Create a connector that uses the target profile. See “Adding a connector” on

page 16.

Importing attribute mapping fileAfter importing the adapter profile, you must import an attribute map from aprofile mapping definition file.

About this task

This task involves importing an account attribute mapping definition file, which isincluded in the adapter package. The imported file must be a DEF file.

Procedure1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Profiles.4. Optional: Click Filter to toggle the filter on to refine your search results, or


5. Click Actions > Import.6. On the Import page, complete these steps:

a. Select Attribute Mapping.b. Click Browse to locate the attribute mapping file that you want to import.c. Click Upload file. A message indicates that you successfully imported the

file.7. Click Close.

Chapter 4. Installing 15

Adding a connectorAfter you import the adapter profile on the Identity Governance and Intelligenceserver, add a connector so that Identity Governance and Intelligence server cancommunicate with the managed resource.

Before you begin

Complete “Importing the adapter profile” on page 14.

Note: If you migrated from Identity Governance and Intelligence V5.2.2 or V5.2.2.1and want to add or configure a connector, see Adding and configuring a connector foreach target in the IBM Security Identity Governance and Intelligence productdocumentation.

About this task

The connectors consolidate, extract, and reconcile user identities, organizationunits, permissions, and user entitlements with the most common enterpriseapplications. Configure a connector to keep the Access Governance Core repositorysynchronized with the target system.

This task can be completed from the Enterprise Connectors module in theAdministration Console.

Procedure

To add a connector, complete these steps.1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the

Connectors tab.4. Optional: Click Filter to toggle the filter on to refine your search results, or


5. Optional: To view all of the columns in the list of connectors, expand theConnectors pane.

6. Click Actions > Add. The Connector Details pane is enabled for your input.7. On the Connector Details tab, complete these steps:

a. Assign a name and description for the connector.b. Select the target profile type as Identity Brokerage and its corresponding

target profile.c. Select the entity, such as Account or User. Depending on the connector

type, this field might be preselected.d. Optional: Select Trace ON and the corresponding Trace Level to enable

trace logs. The available trace levels are DEBUG, INFO, and ERROR.e. Optional: Select History ON to save and track the connector usage.f. Click Save. The fields for enabling the channels for sending and receiving

data are now visible.g. Select and set the connector properties in the Global Config accordion

pane. For information about the global configuration properties, see GlobalConfig accordion pane.


https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/CrossIdeas_Topics/ECONN/configureConnectorDriver.htm

https://www.ibm.com/support/knowledgecenter/SSGHJR_5.2.3/com.ibm.igi.doc/CrossIdeas_Topics/ECONN/configureConnectorDriver.htm

h. Click Save. The fields for enabling the channels for sending and receivingdata are now visible.

Results

The connector is saved and added to the list of connectors in the Connectors pane.

If you cannot create a connector with the target profile or open an account on anexisting connector, the target profile was not installed correctly during the import.You must import the target profile again.

What to do next

Enable the channel modes to synchronize the data between the target systems andIdentity Governance and Intelligence. For more information, see “Enablingconnectors.”

Enabling connectorsAfter you create a connector, by default it is in a disabled state. You must enable aconnector to use it.

Before you begin

Table 4. Prerequisites for enabling a connector

Prerequisite Find more information

A connector must exist in IdentityGovernance and Intelligence.

“Adding a connector” on page 16.

Ensure that you enabled the appropriatechannel modes for the connector.

“Reviewing and setting channel modes foreach new connector” on page 18.

Procedure

To enable a connector, complete these steps:1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the




6. Select the connector that you want to enable.7. On the Connector Details tab, complete these steps:

a. Select the channel modes that you want to enable, and then click Save.Depending on the channels that you enable, the corresponding Channeltabs are displayed.

Enable write-to channelPropagates every change in the Access Governance Core repositoryinto the target system.


For connectors that are not HR feed, the check boxes for enablingthe read-from channel and the write-to channel are available.

Enable read-from channelReads the INPUT EVENTS and USER DATA from the target system.Imports data from the target system to the Access Governance Corerepository.

For HR feed connectors, only the check box for enabling theread-from channel is available.

Enable reconciliationSynchronizes the modified data between the Access GovernanceCore repository and the target system.

Results

The connector is enabled

What to do next

Enable the channel modes to synchronize the data between the target systems andIdentity Governance and Intelligence.

Reviewing and setting channel modes for each new connectorUse this procedure to set up the read-from and write-to channels and to set thesynchronization schedule for each new connector.

About this task

Note: Legacy Identity Governance and Intelligence Enterprise connectors useReconciliation channel, whereas Identity Brokerage Enterprise connectors useRead From Channel and Change Log Sync.

For more information about any of tasks in the following steps, see the IBM®

Security Identity Governance and Intelligence product documentation.

Procedure

To enable the read-from and write-to channels, and to set the change logsynchronization schedule for each new connector, complete these steps in IdentityGovernance and Intelligence V5.2.3:1. Log in to the Identity Governance and Intelligence Administration Console.2. From the Administration Console, select Enterprise Connectors.3. Select Manage > Connectors. A list of connectors is displayed on the




6. Select the connector that you want to enable.7. On the Connector Details tab, complete these steps:


a. Select the channel modes that you want to enable, and then click Save.Depending on the channels that you enable, the corresponding Channeltabs are displayed, in which you can do more configuration, such asmapping attributes and setting up rules.

Enable write-to channelPropagates every change in the Access Governance Core repositoryinto the target system.

Enable read-from channelReads the INPUT EVENTS and USER DATA from the targetsystem. Imports data from the target system to the AccessGovernance Core repository.

Enable reconciliationSynchronizes the modified data between the Access GovernanceCore repository and the target system.

8. Select Monitor > Change Log Sync Status. A list of connectors is displayed.9. On the Change Log Sync Status tab, complete these steps:

a. Optional: Click Filter to toggle the filter on to refine your search results, orclick Hide Filter to toggle the filter off. When the filter is visible, you canspecify search criteria for your requests, and then click Search.

b. Select a connector, and click Actions > Sync Now. The synchronizationprocess begins.

c. Optional: To view the status of the synchronization request, select SyncHistory in the right pane. Information about the synchronization isdisplayed in the Sync History tab.

10. Set the change log synchronization schedule for each new connector that youmigrated.

11. When the connector configuration is complete, enable the connector bycompleting these steps:a. Select Manage > Connectors.b. Select the connector that you want to enable, and then select the Enable

check box in the Connector Details tab.c. Click Save. For more information, see “Enabling connectors” on page 17.

For Identity Brokerage connectors that are not HR feed, the check boxes forenabling the read-from channel and the write-to channel are available.For Identity Brokerage HR feed connectors, only the check box for enablingthe read-from channel is available.

12. Start the connector by selecting Monitor > Connector Status. Select theconnector that you want to start, and then select Actions > Start.

Attribute MappingAttribute mapping is required to define which target attributes correspond to theIdentity Governance and Intelligence account attributes.

About this task

This task involves an account attribute mapping definition file, which is includedin the adapter package.


The file consists of Identity Governance and Intelligence account attributes andtheir equivalent attributes in the managed target. The file is structured as<IGI_attribute> = <target_attribute>.

The <IGI_attribute> is fixed and must not be modified. Edit only the<target_attribute>. Some <IGI_attribute> already has a fixed equivalent<target_attribute> of eraccount.

Some <IGI_attribute> do not have a defined <target_attribute> and you can assignthe mapping. For example:USER_TYPE=USER_TYPEATTR1=ATTR1

Note:

v The default mapping is already included out-of-the box. If there are no changesto the attribute mapping, there is no need to import the attribute mapping files.

v It might take up to 10 minutes for the attribute mapping changes to take effectonce the file is imported.

Procedure1. Open the mapping definition file by using any text editor.2. Edit the mapping.3. If the target attribute has a list of predefined values, use the following syntax to

convert its values to the corresponding Identity Governance and Intelligenceattribute values.[conversion].<target_attribute>.<IGI_attribute> =[<target_attribute_value1>=<IGI_attribute_value1>;...;<target_attribute_valuen>=<IGI_attribute_valuen>]

4. For attributes that contains date and time, use the following syntax to convertits values. For example:[conversion.date].erbirthDate.BIRTHDAY=[yyyyMMdd=dd/MM/yyyy HH:mm:ss][conversion.date].ACCOUNT_EXPIRY_DATE.ACCOUNT_EXPIRY_DATE=[dd/MM/yyyy HH:mm:ss=dd/MM/yyyy HH:mm:ss]

5. Import the updated mapping definition file through the Enterprise Connectorsmodule. For more information, see Attribute-to-permission mapping service in theIBM Security Identity Governance and Intelligence product documentation.

6. Map the following attributes for Chaneel-Write To and Chaneel-Read From

Attribute Mapped Attribute

eruid CODE

erpassword PASSWORD

For more information, see Mapping attributes for a connector in the IBM SecurityIdentity Governance and Intelligence product documentation.

Service/Target form detailsComplete the service/target form fields.


The accounts must be able to remotely connect to the Sybase Adaptive ServerEnterprise server and must have sufficient roles to administer Sybase users.

Table 5. Required roles and their descriptions

Role Description

SA_ROLE System administrator role

SSO_ROLE System security officer role

OPER_ROLE Operator role

Note: If the following fields on the service form are changed for an existingservice, the IBM Security Identity Adapter service on the Tivoli DirectoryIntegrator server must be restarted.v Service Name

v Sybase Admin Password

v AL File System Path

v Max Connection Count

On the Sybase Connection tab:

Service nameSpecify a name that defines the adapter service on the IBMSecurity Identity server.

Note: Do not use forward (/) or backward slashes (\) in theservice name.

Description Specify a description that identifies the service for yourenvironment. This field is optional.

Tivoli Directory Integrator location

Specify the URL for the IBM Tivoli Directory Integrator instance.The valid syntax for the URL is rmi://ip-address:port/ITDIDispatcher, where ip-address is the IBM Tivoli DirectoryIntegrator host and port is the port number for the RMI Dispatcher.

The default URL for the default SDI1 instance isrmi://localhost:1099/ITDIDispatcher.

The following table shows the ports that are open in the firewallfor every instance that is created. However, usage of these portnumbers do not support high availability.

Table 6. Ports

Instance Ports

SDI1 1199, 1198, 1197, 1196, 1195, 1194

SDI2 2299, 2298, 2297, 2296, 2295, 2294

SDI3 3399, 3398, 3397, 3396, 3395, 3394

SDI4 4499, 4498, 4497, 4496, 4495, 4494

SDI5 5599, 5598, 5597, 5596, 5595, 5594

SDI6 6699, 6698, 6697, 6696, 6695, 6694

SDI7 7799, 7798, 7797, 7796, 7795, 7794

SDI8 8899, 8898, 8897, 8896, 8895, 8894


Table 6. Ports (continued)

Instance Ports

SDI9 9999, 9998, 9997, 9996, 9995, 9994

SDI10 11099, 11098, 11097, 11096, 11095, 11094

For a high availability implementation, use any of these portnumbers.v 1099v 2099v 3099

Sybase Server HostSpecify the host workstation on which the Sybase server isrunning. This field is required.

Sybase Server PortSpecify the TCP port on which the Sybase server is running. Forexample, 5000. This field is required.

Sybase Admin IDSpecify the name of the user who has access to the Sybase resourceand who can perform administrative operations. This field isrequired.

Sybase Admin PasswordSpecify the password for the user. This field is required.

OwnerSpecify a user as a service owner. This field is optional.

Service PrerequisiteSpecify a service that is prerequisite to this service.

On the Dispatcher Attributes tab:

Disable AL CachingSelect the check box to disable the assembly line caching in thedispatcher for the service. The assembly lines for the add, modify,delete, and test operations are not cached.

AL File System PathSpecify the file path from where the dispatcher loads the assemblylines. If you do not specify a file path, the dispatcher loads theassembly lines received from IBM Security Identity server.

For example, you can specify the following file path to load theassembly lines from the profiles directory of the Windowsoperating system: c:\Files\IBM\TDI\V7.0\profiles or you canspecify the following file path to load the assembly lines from theprofiles directory of the UNIX and Linux operating system: system:/opt/IBM/TDI/V7.0/profiles.

Max Connection CountSpecify the maximum number of assembly lines that the dispatchercan run simultaneously for the service. For example, enter 10 whenyou want the dispatcher to run a maximum of 10 assembly linessimultaneously for the service. If you enter 0 in the MaxConnection Count field, the dispatcher does not limit the numberof assembly lines that are run simultaneously for the service.


Verifying that the adapter is working correctlyAfter you install and configure the adapter, verify that the installation andconfiguration are correct.

Procedure1. Test the connection for the service that you created on the IBM Security Identity

Governance and Intelligence server.2. Run a full reconciliation from the IBM Security Identity Governance and

Intelligence server.3. Run all supported operations such as add, modify, and delete on one user

account.4. Verify the ibmdi.log file after each operation to ensure that no errors are

reported.5. Verify the trace.log file to ensure that no errors are reported when you run an

adapter operation.


Chapter 5. Upgrading

Upgrading an IBM Tivoli Directory Integrator-based adapter involves tasks such asupgrading the dispatcher, the connector, and the adapter profile. Depending on theadapter, some of these tasks might not be applicable. Other tasks might also berequired to complete the upgrade.

To verify the required version of these adapter components, see the adapter releasenotes. For the installation steps, see Chapter 4, “Installing,” on page 13.

Upgrading the dispatcherBefore you upgrade the dispatcher, verify the version of the dispatcher.v If the dispatcher version mentioned in the release notes is later than the existing

version on your workstation, install the dispatcher.v If the dispatcher version mentioned in the release notes is the same or earlier

than the existing version, do not install the dispatcher.

Note: Stop the dispatcher service before the upgrading the dispatcher and start itagain after the upgrade is complete.

Upgrading the adapter profileRead the adapter Release Notes for any specific instructions before you import anew adapter profile.

Note: Restart the Dispatcher service after importing the profile. Restarting theDispatcher clears the assembly lines cache and ensures that the dispatcher runs theassembly lines from the updated adapter profile.

25

Chapter 6. Configuring

After you install the adapter, configure it to function correctly. Configuration isbased on your requirements or preference.

See the IBM Security Dispatcher Installation and Configuration Guide for additionalconfiguration options such as:v JVM propertiesv Dispatcher filteringv Dispatcher propertiesv Dispatcher port numberv Logging configurationsv Secure Sockets Layer (SSL) communication

Customizing the adapter profileTo customize the adapter profile, you must modify the Sybase Adapter JAR file.You can customize the adapter profile to change the account form or the serviceform.

About this task

You can also use the Form Designer or the CustomLabels.properties file to changethe labels on the forms. Each adapter has a CustomLabels.properties file for thatadapter.

The JAR file is included in the Sybase Adapter compressed file that youdownloaded from the IBM website. The JAR file and the files that are contained inthe JAR file vary depending on your operating system.

Note: You cannot modify the schema for this adapter. You cannot add or deleteattributes from the schema.

The adapter JAR file includes the following files:v CustomLabels.properties

v erSybaseAccount.xml

v erSybaseService.xml

v schema.dsml

v service.def

v SybaseAdapter.xml

Procedure1. Edit the JAR file.

a. Log on to the workstation where the Sybase Adapter is installed.b. On the Start menu, click Programs → Accessories → Command Prompt.c. Copy the JAR file into a temporary directory.

27

d. Extract the contents of the JAR file into the temporary directory by runningthe following command. The following example applies to the SybaseAdapter profile. Type the name of the JAR file for your operating system.cd c:\tempjar -xvf SybaseAdapterProfile.jar

The jar command extracts the files into the directory.e. Edit the file that you want to change.

2. Import the file into the IBM Security Identity server for the changes to takeeffect..a. Create a JAR file by using the files in the \temp directory. Run the following

commands:cd c:\tempjar -cvf SybaseAdapterProfile.jar SybaseAdapterProfile

b. Import the JAR file into the IBM Security Identity Governance andIntelligence application server.

c. Stop and start the IBM Security Identity serverd. Restart the adapter service.

Editing adapter profiles on the UNIX or Linux operating systemThe adapter profile .jar file might contain ASCII files that are created by using theMS-DOS ASCII format.

About this task

If you edit an MS-DOS ASCII file on the UNIX operating system, you might see acharacter ^M at the end of each line. These characters indicate new lines of text inMS-DOS. The characters can interfere with the running of the file on UNIX orLinux systems. You can use tools, such as dos2unix, to remove the ^M characters.You can also use text editors, such as the vi editor, to remove the charactersmanually.

Example

You can use the vi editor to remove the ^M characters. From the vi commandmode, run the following command and press Enter::%s/^M//g

When you use this command, enter ^M or Ctrl-M by pressing ^v^M or Ctrl V CtrlM sequentially. The ^v instructs the vi editor to use the next keystroke instead ofissuing it as a command.

Password management for account restorationHow each restore action interacts with its corresponding managed resourcedepends on the managed resource or on the business processes that youimplement.

Certain resources reject a password when a request is made to restore an account.In this case, you can configure IBM Security Identity Governance and Intelligenceto forego the new password requirement. You can configure the Sybase Adapter to


require a new password when the account is restored. This feature is useful if yourcompany's business processes require you to reset the password when an accountis restored.

In the service.def file, you can define whether a password is required as a newprotocol option. When you import the adapter profile, if an option is not specified,the adapter profile importer determines the correct restoration password behaviorfrom the schema.dsml file. The adapter profile components enable remote servicesto know whether to discard a password that is entered by the user where multipleaccounts on disparate resources are being restored. In this situation, where onlysome of the accounts that are being restored might require a password. Remoteservices discard the password from the restore action for those managed resourcesthat do not require them.

Edit the service.def file to add the new protocol options, for example:<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.

PASSWORD_NOT_REQUIRED_ON_RESTORE"<value>true</value></property><Property Name = "com.ibm.itim.remoteservices.ResourceProperties.

PASSWORD_NOT_ALLOWED_ON_RESTORE"<value>false</value></property>

By adding the two options in the preceding example, you can ensure that you arenot prompted for a password when an account is restored.

Chapter 6. Configuring 29

Chapter 7. Troubleshooting

Troubleshooting is a systematic approach to solving a problem. The goal oftroubleshooting is to determine why something does not work as expected andhow to resolve the problem. This topic provides information and techniques foridentifying and resolving problems that are related to the adapter, includingtroubleshooting errors that might occur during the adapter installation.

Techniques for troubleshooting problemsCertain common techniques can help with the task of troubleshooting. The firststep in the troubleshooting process is to describe the problem completely.

Problem descriptions help you and the IBM technical-support representative findthe cause of the problem. This step includes asking yourself basic questions:v What are the symptoms of the problem?v Where does the problem occur?v When does the problem occur?v Under which conditions does the problem occur?v Can the problem be reproduced?

The answers to these questions typically lead to a good description of the problem,which can then lead you to a problem resolution.

What are the symptoms of the problem?

When you start to describe a problem, the most obvious question is “What is theproblem?” This question might seem straightforward; however, you can break itdown into several more-focused questions that create a more descriptive picture ofthe problem. These questions can include:v Who, or what, is reporting the problem?v What are the error codes and messages?v How does the system fail? For example, is it a loop, hang, crash, performance

degradation, or incorrect result?

Where does the problem occur?

Determining where the problem originates is not always easy, but it is one of themost important steps in resolving a problem. Many layers of technology can existbetween the reporting and failing components. Networks, disks, and drivers areonly a few of the components to consider when you are investigating problems.

The following questions help you to focus on where the problem occurs to isolatethe problem layer:v Is the problem specific to one operating system, or is it common across multiple

operating systems?v Is the current environment and configuration supported?v Do all users have the problem?v (For multi-site installations.) Do all sites have the problem?

31

If one layer reports the problem, the problem does not necessarily originate in thatlayer. Part of identifying where a problem originates is understanding theenvironment in which it exists. Take some time to completely describe the problemenvironment, including the operating system and version, all correspondingsoftware and versions, and hardware information. Confirm that you are runningwithin an environment that is a supported configuration. Many problems can betraced back to incompatible levels of software that are not intended to run togetheror are not fully tested together.

When does the problem occur?

Develop a detailed timeline of events that lead up to a failure, especially for thosecases that are one-time occurrences. You can most easily develop a timeline byworking backward: Start at the time an error was reported (as precisely as possible,even down to the millisecond), and work backward through the available logs andinformation. Typically, you use the first suspicious event that you find in adiagnostic log.

To develop a detailed timeline of events, answer these questions:v Does the problem happen only at a certain time of day or night?v How often does the problem happen?v What sequence of events leads up to the time that the problem is reported?v Does the problem happen after an environment change, such as upgrading or

installing software or hardware?

Responding to these types of questions can give you a frame of reference in whichto investigate the problem.

Under which conditions does the problem occur?

Knowing which systems and applications are running at the time that a problemoccurs is an important part of troubleshooting. These questions about yourenvironment can help you to identify the root cause of the problem:v Does the problem always occur when the same task is being done?v Is a certain sequence of events required for the problem to occur?v Do any other applications fail at the same time?

Answering these types of questions can help you explain the environment inwhich the problem occurs and correlate any dependencies. Remember that justbecause multiple problems might occur around the same time, the problems arenot necessarily related.

Can the problem be reproduced?

From a troubleshooting standpoint, the ideal problem is one that can bereproduced. Typically, when a problem can be reproduced you have a larger set oftools or procedures at your disposal to help you investigate. Problems that you canreproduce are often easier to debug and solve.

However, problems that you can reproduce can have a disadvantage: If theproblem is of significant business impact, you do not want it to recur. If possible,re-create the problem in a test or development environment, which typically offersyou more flexibility and control during your investigation.v Can the problem be re-created on a test system?


v Do multiple users or applications have the same type of problem?v Can the problem be re-created by running a single command, a set of

commands, or a particular application?

Error messages and problem solvingA warning or error message might be displayed in the user interface to provideinformation about the adapter or when an error occurs.

A warning or error might be displayed in the user interface to provide informationthat you need to know about the adapter or about an error. Table 7 containswarnings or errors which might be displayed in the user interface if the SybaseAdapter is installed on your system.

Table 7. Warning and error messages

Message code Warning or error message Remedial action

CTGIMT001E The following error occurred. Error:Either the Sybase service name isincorrect or the service is not up.

Ensure that the Sybase service name given on theservice form is running.

CTGIMT001E The following error occurred. Error:Either the Sybase host or port isincorrect.

Verify that the host workstation name or the port forthe Sybase service is correctly specified.

CTGIMT002E The login credential is missing orincorrect.

Verify that you provided correct login credential onservice form.

CTGIMT001E The following error occurred. Error:No suitable JDBC driver found.

Ensure that the correct version of the JDBC driver iscopied onto the workstation where the adapter isinstalled. Ensure that the path for the driver isincluded in the system CLASSPATH variable.

CTGIMT600E An error occurred while establishingcommunication with the IBM TivoliDirectory Integrator server.

IBM Security Identity Governance and Intelligencecannot establish a connection with IBM TivoliDirectory Integrator. To fix this problem, ensure that:

v IBM Tivoli Directory Integrator is running.

v The URL specified on the service form for the IBMTivoli Directory Integrator is correct.

CTGIMT004E The adapter does not have permissionto add an account: Account_Name.

The administrator user that is provided on the IBMTivoli Directory Integrator service form does not havethe required privileges to add a user account. Ensurethat an administrator user with the requiredprivileges is specified on service form. Theseprivileges are the minimum that are required for theadministrator user:

v SA_ROLE

v SSO_ROLE

v OPER_ROLE

CTGIMT003E The account already exists. Use different name for the user to be added.

CTGIMT015E An error occurred while deleting theAccount_Name account because theaccount does not exist.

The user you trying to delete does not exist. Ensurethat you are deleting only an existing account.

Chapter 7. Troubleshooting 33

Chapter 8. Uninstalling

To remove an adapter from the IBM Security Identity server for any reason, youmust remove all the components that were added during installation. Uninstallingan IBM Tivoli Directory Integrator based adapter mainly involves removing theconnector file, and the adapter profile from the IBM Security Identity server.Depending on the adapter, some of these tasks might not be applicable, or therecan be other tasks.

Uninstalling the adapterTo remove an adapter from the IBM Security Identity server for any reason, youmust remove all the components that were added during installation. Uninstallingthe adapter involves running the uninstaller and removing the adapter profile fromthe IBM Security Identity server.

About this task

The Sybase Adapter installation installs the Dispatcher only on the Tivoli DirectoryIntegrator server. Therefore, you only need to uninstall from the Dispatcher. Thereis no uninstall for the Sybase Adapter.

The JAR file needed to uninstall the Dispatcher was created in theITDI_HOME\DispatcherUninstall directory when the Dispatcher was installed.

Note: The Dispatcher is required for all Tivoli Directory Integrator-based adapters.If you uninstall the Dispatcher, none of the other installed adapters function.

To remove the Sybase Adapter, complete these steps:

Procedure1. Stop the adapter service.2. Run the DispatcherUninstall.jar file. To run the JAR file, double click on the

executable file or enter the following command at the command prompt:TDI_HOME/jvm/jre/bin/java –jar DispatcherUninstall.jar

Deleting the adapter profileRemove the adapter service/target type from the IBM Security Identity server.Before you delete the adapter profile, ensure that no objects exist on the IBMSecurity Identity server that reference the adapter profile.

Objects on the IBM Security Identity server that can reference the adapter profile:v Adapter service instancesv Policies referencing an adapter instance or the profilev Accounts

Note: The Dispatcher component must be installed on your system for adapters tofunction correctly in a Tivoli Directory Integrator environment. When you deletethe adapter profile, do not uninstall the Dispatcher.

35

For specific information about how to delete the adapter profile, see the IBMSecurity Identity Governance and Intelligence product documentation.


Chapter 9. Reference

Reference information is organized to help you locate particular facts quickly, suchas adapter attributes, registry settings, and environment variables.

Adapter attributes and object classesAdapter attributes and object classes are required for customization, creatingprovisioning rules, and understanding what service/target attributes are supportedby the adapter. The IBM Security Identity server communicates with the adapterby using attributes, which are included in transmission packets that are sent over anetwork.This topic is not applicable for this adapter.

Table 8 is a listing of the attributes that are used by the Sybase Adapter. The tablegives a brief description and the data type for the attribute.

Table 8. Attributes, object identifiers, descriptions, and corresponding column/table name on the Sybase Adapter

Attribute nameDirectory serverattribute Description Data type

Database Access erSybAccess Specifies the database and alias access for the user.

For database access:

databasename:user:group:username

Note:

v The databasename must be a valid database onthe managed resource.

v The user is a keyword.

v The group is a valid group that exists on thedatabase database name.

v The username is the name for the user in thedatabase database name.

For alias access:

databasename:alias:databaseuser_name

Note:

v The databasename must be a valid database onthe managed resource.

v The alias is a keyword.

v The databaseuser_name must exist inmaster.dbo.syslogins and in the sysusers table ofthe database databasename.

String

Default Database erSybDefaultDatabase Specifies the default database for the user. If thisvalue is not supplied, then the default database istempdb with public group permissions.

String

Default Language erSybDefaultLanguage Specifies the default language for the user. If thisvalue is not supplied, then the form default isEnglish, us_english.

String

37

Table 8. Attributes, object identifiers, descriptions, and corresponding column/table name on the SybaseAdapter (continued)

Attribute nameDirectory serverattribute Description Data type

Password erPassword Specifies the password for the Sybase Adapter.Only one Password attribute is passed to the IBMSecurity Identity server

String

Roles Assigned erSybRole Specifies the name of the Sybase Adapter role thatis assigned to the user. Multiple Role attributes canbe passed to the IBM Security Identity server.

String

Sybase Adapter ServerRole

erSybServerName Specifies the name of the Sybase Adapter Server. String

Sybase AdapterAdmin ID

erSybAdminId Specifies the Sybase Adapter account that wascreated for the Sybase Adapter.

String

Sybase AdapterAdmin Password

erSybPwd1 Specifies the password for the user account that isspecified as the Sybase Adapter Admin ID.

String

User’s Full Name erSybFullName Specifies the full name of the user. String

User Name erUid Specifies the Sybase Adapter login ID. String

User Status erAccountStatus Specifies whether the user account is suspended. String

UserAccountDisabled AccountStatus Specifies whether the user account is enabled. String

Adapter attributes by operationsAdapter attributes by operations refer to adapter actions by their functionaltransaction group. They are required for customization, creating provisioning rules,and understanding what service/target attributes are supported by the adapter.

System Login AddA System Login Add is a request to create a user account with the specifiedattributes.

Table 9. Add request attributes for Oracle

Required attribute Optional attribute

erUidAll other supported attributes

System Login ChangeA System Login Change is a request to change one or more attributes for thespecified users.

Table 10. Change request attributes for Oracle


erUidAll other supported attributes

System Login DeleteA System Login Delete is a request to remove the specified user from the Oracledatabase.


Table 11. Delete request attributes for Oracle


erUid None

System Login SuspendA System Login Suspend is a request to disable a user account. The user is notremoved, and the attributes of the user are not modified.

Table 12. Suspend request attributes for Oracle


erUid

erAccountStatus

None

System Login RestoreA System Login Restore is a request to activate a user account that was previouslysuspended. After an account is restored, the user can access the system by usingthe same attributes as the ones before the Suspend function was called.

Table 13. Restore request attributes for Oracle


erUid

erAccountStatus

None

TestThe following table identifies attributes that are needed to test the connection.

Table 14. Test attributes


None None

ReconciliationThe Reconciliation request synchronizes user account information between IBMSecurity Identity Governance and Intelligence and the adapter.

Table 15. Reconciliation function attributes


erServicePwd1

erSybServerName

erSybAdminId

None

Chapter 9. Reference 39

Special attributesCertain attributes have special syntax and meaning that customers needs to beaware off. This information will be used to help the customer in how to supply theattribute value.This topic is not applicable for this adapter.


Index

Aaccounts

password requirements 28restoration 28

adapterarchitecture

directory integrator connector 1dispatcher 1profile 1

attributesdescriptions 37

customizationsteps 27

features 1installation 13

tasks 13troubleshooting errors 31warnings 31worksheet 8

overview 1post-installation steps 27profile

customization 27upgrading 25

supported configurations 2trusted virtual administrator 1uninstalling 35upgrading 25user account

management tasks 1adapter attributes

add 38adapter installation 13adapters

removing profiles 35attributes

change 38delete 39descriptions 37restore 39suspend 39testing connection 39

Ddirectory integrator

connector 1uninstalling the adapter 35

dispatcheradapter architecture 1installation 13upgrading 25

Eerror messages 33

Iinstallation

adapter 13software 13

planning roadmaps 5post-installation steps 27troubleshooting errors 31uninstall 35warnings 31worksheet 8

Mmessages

error 33warning 33

MS-DOS ASCII characters 28

Ooperating system prerequisites 6overview 1

Ppost-installation steps 27profile

editing on UNIX or Linux 28

RReconciliation, request 39removing

adapter profiles 35request

Reconciliation 39System Login Add 38System Login Change 38System Login Delete 39System Login Restore 39System Login Suspend 39

roadmapsplanning 5

Sservice

restart 14start 14stop 14

softwarerequirements 6

supported configurationsadapter 2overview 2

System Login Add, request 38System Login Change, request 38System Login Delete, request 39

System Login Restore, request 39System Login Suspend, request 39

Ttroubleshooting

error messages 33identifying problems 31techniques for 31warning messages 33

troubleshooting and supporttroubleshooting techniques 31

Uuninstallation 35updating

adapter profile 27upgrades

adapter 25adapter profiles 25dispatcher 25

user accountmanagement tasks 1

Vverification

dispatcher installation 13operating system prerequisites 6operating system requirements 6software

prerequisites 6requirements 6

vi command 28

Wwarning messages 33

41

IBM®

Printed in USA

sybase ada pter installa tion andpublic.dhe.ibm.com/software/security/products/isim/...intelligence...

Documents