IBM Tivoli Identity Manager Adapter for Enterprise Identity Mapping Readme

Overview
Prerequisite
Preparing EIM
Installing the ITIM-EIM Adapter
Configuring and Running the ITIM-EIM Adapter


Overview

Tivoli Identity Manager (TIM) manages identity information across many types of end-user registries, including the user registries of operating systems running on eServer platforms. Enterprise Identity Mapping (EIM) is a technology that stores identity mapping relationships between user definitions in one registry and user definitions in other registries. The purpose of the TIM Adapter for EIM, referred to as the "ITIM-EIM Adapter", is to synchronize these two systems.

The ITIM-EIM Adapter is a Java application executed by an ITIM-EIM Administrator to provide EIM Domain Controller support to TIM v4.5 and above. After installing the downloadable console application, the ITIM-EIM Administrator aliases the EIM registries that the ITIM-EIM Adapter will govern in a specified EIM domain. The alias includes the type of associations that will be created for this registry (source, target, or source and target). This process is further explained in the Preparing EIM section. The ITIM-EIM Adapter performs an initial load of EIM Identifiers and Associations based on the population of TIM Persons and Accounts. Once EIM is populated, the ITIM-EIM Adapter monitors the ITIM LDAP directory for changes to the Persons and Accounts in ITIM and makes the corresponding changes in the EIM domain. Figure 1 illustrates the relationship between the ITIM system and the EIM system.


Figure 1: ITIM EIM System Layout

Prerequisite

Before you install and run the ITIM-EIM Adapter, ensure that your system meets the prerequisites listed in the following table:

Operating System
  One of the following operating systems must be installed on the machine:

  • Windows 2000 Advanced Server (Service Pack 3 or later)
  • AIX 5.1

Tivoli Identity Manager [remote installations]
  You must copy the following files from the <ITIM_SERVER_INSTALL_DIR>\lib directory and place them in the local <ITIM_ADAPTER_INSTALL_DIR>\lib directory:

  • api_ejb.jar
  • enroleagent.jar
  • jsafe.jar
  • ldapjdk.jar
  • itim_api.jar
  • itim_server.jar
  • xerces.jar

  You must copy the following files from the <ITIM_SERVER_INSTALL_DIR>\data directory and place them in the local <ITIM_ADAPTER_INSTALL_DIR> directory:

  • enRole.properties
  • Properties.properties

WebSphere Application Server Client [remote installations]
  You must install and set up the WebSphere Application Client environment to run the adapter on a machine other than the ITIM Server. The WebSphere Application Server Client is part of the ITIM product shipment. For more information about the WebSphere Application Server Client, see the WebSphere Application Server InfoCenter.



Preparing EIM

In order to use this Adapter, the following business roles are expected to have been established.

The EIM Administrator must determine which EIM Registries will be populated by the ITIM-EIM Adapter for a given EIM Domain. The EIM Administrator must also determine which ITIM services need to be mapped to EIM Registries and create this mapping in the EIM administrative interface.

To map a given EIM Registry, the EIM Administrator must add two EIM Registry Aliases in order to map this registry to an ITIM Service. Here is an example mapping the current registry to the ITIM Service ntagent, with the ITIM-EIM Adapter creating Source and Target associations to this registry.

The EIM association types are based on the EIM API specification and are listed below:

Installing the ITIM-EIM Adapter

The Tivoli Identity Manager Adapter for EIM files are available for download from IBM's Web site. Contact your IBM account representative for the Web address and download instructions. Install the ITIM-EIM Adapter by creating a directory (for example, /opt/itimaeim) and extracting the files from itimaeim.zip into this directory. Follow the steps in the next section to configure and run the Adapter.

Configuring and Running the ITIM-EIM Adapter

This section provides detailed information about the property keys and values contained in the ITIM Adapter for EIM default.properties configuration file. This section will also cover modifications needed to execute the script files. You can install and run the adapter on the same machine as the ITIM server or on a remote machine.


NOTE: To run the Adapter on a remote system, you must install the WebSphere Application Server Client first. See the Prerequisite section in this document for more details.

You must modify the Adapter's configuration file (default.properties) and update the parameters below:

com.ibm.itim.eim.synch.EIMDomain
  The EIM domain.
com.ibm.itim.eim.synch.LDAPHostName
  The host name or IP address of the EIM LDAP server machine.
com.ibm.itim.eim.synch.LDAPPort
  The port number on which the EIM LDAP server machine is listening.
com.ibm.itim.eim.synch.LDAPUserName
  The user name needed to access the EIM LDAP server machine.
com.ibm.itim.eim.synch.LDAPPassword
  The password needed to access the EIM LDAP server machine. This password is obfuscated using the ITIM encrypt utility.
com.ibm.itim.eim.synch.LogFileName
  The name of the log file in which logging information is placed.
com.ibm.itim.eim.synch.LogLevel
  The level of logging desired when running the Adapter. The log levels are defined as follows:

  • DEBUG - Most verbose logging level; it also displays synchronization data.
  • ERROR - Least verbose logging level; it logs only errors and exceptions.
com.ibm.itim.eim.synch.WorkerThreadCount
  The number of threads the adapter will use.

Sample default.properties file:

############################################################
# ITIM - EIM Synch Configuration File
############################################################
com.ibm.itim.eim.synch.WorkerThreadCount=5
############################################################
# Logging Filename and Level of detail
############################################################
com.ibm.itim.eim.synch.LogFileName=ITIM-EIMBridge.log
com.ibm.itim.eim.synch.LogLevel=0
############################################################
# EIM LDAP Directory Data Store
############################################################
com.ibm.itim.eim.synch.EIMDomain=ibm-eimdomainname=eimTest
com.ibm.itim.eim.synch.LDAPHostName=tim23w6873.tivlab.raleigh.ibm.com
com.ibm.itim.eim.synch.LDAPPort=389
com.ibm.itim.eim.synch.LDAPUserName=cn=root
# This password is encrypted with the password stored in ITIM's enrole.properties
# by the encrypt.bat script.
com.ibm.itim.eim.synch.LDAPPassword=QOUVx+ANYg9FMJ4XPLgzUg==
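To catch the configuration mistakes that matter before the adapter is started, here is an added Python check (not part of the adapter or of this readme) that reads a default.properties file with a minimal Java-properties parser, confirms every key from the table above is present, validates LDAPPort, flags an LDAPPassword that does not look like the Base64 output of the encrypt utility (a pasted plaintext password), and flags LogLevel=DEBUG, which writes synchronization data to the log. The sample file, its host name and the Base64 heuristic are assumptions made for this example.

```python
import re

PREFIX = "com.ibm.itim.eim.synch."
# Keys documented in the parameter table above.
REQUIRED = ("EIMDomain", "LDAPHostName", "LDAPPort", "LDAPUserName",
            "LDAPPassword", "LogFileName", "LogLevel", "WorkerThreadCount")
# Assumption: the ITIM encrypt utility emits Base64 text; anything else is likely plaintext.
BASE64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")

def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comments, key=value / key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_properties(text)
    findings = [PREFIX + k + " is missing or empty"
                for k in REQUIRED if not p.get(PREFIX + k)]
    port = p.get(PREFIX + "LDAPPort", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("LDAPPort is not a valid TCP port: %r" % port)
    pw = p.get(PREFIX + "LDAPPassword", "")
    if pw and not BASE64_RE.match(pw):
        findings.append("LDAPPassword is not encrypt-utility output (plaintext?)")
    if p.get(PREFIX + "LogLevel", "").upper() == "DEBUG":
        findings.append("LogLevel=DEBUG writes synchronization (identity) data to the log")
    return findings

# Constructed sample, not the page's file: plaintext password and DEBUG logging.
SAMPLE = """\
# ITIM - EIM Synch Configuration File
com.ibm.itim.eim.synch.WorkerThreadCount=5
com.ibm.itim.eim.synch.LogFileName=ITIM-EIMBridge.log
com.ibm.itim.eim.synch.LogLevel=DEBUG
com.ibm.itim.eim.synch.EIMDomain=ibm-eimdomainname=eimTest
com.ibm.itim.eim.synch.LDAPHostName=eim-ldap.example.com
com.ibm.itim.eim.synch.LDAPPort=389
com.ibm.itim.eim.synch.LDAPUserName=cn=root
com.ibm.itim.eim.synch.LDAPPassword=secret
"""
```

Run `check_config(open("default.properties").read())` against the real file; the two findings it reports for SAMPLE disappear once the password is replaced with encrypt-utility output and LogLevel is lowered.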

Local Execution

To run locally, you must modify the following parameters in the runLocal.bat (.sh) file.

ITIM_HOME
  Enter the installation path to the ITIM Server (for example, c:\itim45).
APP_SVR_HOME
  Enter the installation path to the application server (for example, c:\Program Files\Websphere\AppServer).

After making the necessary modifications, execute runLocal.bat or runLocal.sh depending on your platform.


Remote Execution

To run the adapter remotely, you must modify the following parameters in the runRemote.bat (.sh) file.

ITIM_HOME
  Enter the installation path to the ITIM Server (for example, c:\itim45).
APP_SVR_HOME
  Enter the installation path to the application server (for example, c:\Program Files\Websphere\AppServer).
ITIM_USER
  Enter the user ID of the ITIM Administrator.
ITIM_PSWD
  Enter the ITIM Administrator's password.

After making the necessary modifications, execute the following scripts in order:

    1. setEnvRemote.bat for Windows or setEnvRemote.sh for AIX.
    2. runRemote.bat for Windows or runRemote.sh for AIX.