Password Synchronization for Active Directory Plug-in Installation and Configuration Guide

Tivoli® Identity Manager

Version 5.1

Password Synchronization for Active Directory Plug-in Installation and Configuration Guide

SC23-9622-00


Note: Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 35.

This edition applies to version 5.1 of this plug-in and to all subsequent releases and modifications until otherwise indicated in new editions.


Preface

About this book

IBM® Tivoli® Identity Manager provides the Password Synchronization for Active Directory plug-in (Password Synchronization plug-in) to process password change requests between an Active Directory domain controller and the Tivoli Identity Manager server. This book describes how to install and configure the plug-in.

Note: The program that is used to connect the managed resource to the Tivoli Identity Manager server is now called an adapter. The term adapter replaces the previously used term agent. The user interface used to configure the adapter still uses the term agent.

Intended audience for this book

This book is intended for domain controller security administrators responsible for installing software on their site's computer systems. Readers are expected to understand Windows® and domain controller concepts. The person completing the Password Synchronization plug-in installation procedure must also be familiar with their site's system standards and needs to have appropriate Windows knowledge. Readers should be able to perform routine Windows and security administration tasks.

Publications

This section lists publications in the Tivoli Identity Manager library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Tivoli Identity Manager library

The publications in the technical documentation library for your product are organized into the following categories:

Release Information

- Release Notes provide software and hardware requirements for the product and information about fix packs and support.

- Read This First card lists the publications for the product.

Online user assistance

Provides online help topics and an information center for administrative tasks.

Server installation and configuration

Provides installation and configuration information for the product server.

Problem determination

Provides problem determination, logging, and message information for the product.

Technical supplements

The following technical supplements are provided by developers or by other groups who are interested in this product:

- Performance and tuning information

  Provides information needed to tune your production environment at: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

  1. Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products.
  2. Click the link for your product.
  3. Browse the information center for the Technical Supplements section.

- Redbooks® and white papers are available at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

  1. Navigate to the Self Help section, in the Learn category.
  2. Click the Redbooks link.

- Technotes are available at: http://www.redbooks.ibm.com/redbooks.nsf/tips/

- Field guides are available at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

- For an extended list of other Tivoli Identity Manager resources, search IBM developerWorks® at: http://www.ibm.com/developerworks/

Adapter documentation

The technical documentation library also includes a set of platform-specific documents for the adapter components of the product. Adapter

information is available at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

1. Click the I character in the A-Z product list to locate IBM Tivoli

Identity Managerproducts. 2. Click the link for your product.

3. Browse the information center for the adapter information that you want.

Prerequisite publications

To use the information in this book effectively, you must have knowledge of the prerequisite products. Publications are available from the following locations:

- Domain controller
  http://www-306.ibm.com/software/sw-library/

- Operating systems
  – IBM AIX®: http://publib16.boulder.ibm.com/pseries/
  – Solaris Operating Environment: http://docs.sun.com/app/docs/prod/solaris
  – Red Hat Linux: http://www.redhat.com/docs/
  – Microsoft® Windows® Server 2003: http://www.microsoft.com/windowsserver2003/proddoc/default.mspx

- Database servers
  – DB2®
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2 product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/

- Directory server applications
  – IBM Directory Server
    http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    http://www.ibm.com/software/network/directory
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

- WebSphere
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/

- WebSphere® embedded messaging
  http://www.ibm.com/software/integration/wmq/

- IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

The Tivoli Software Library provides a variety of product-related publications, such as white papers, datasheets, demonstrations, Redbooks, and announcement letters. The Tivoli Software Library is available at http://www.ibm.com/software/tivoli/literature/.

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm


The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online

The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation.

The product CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. To access the publications using a Web browser, open the infocenter.html file. The file is in the appropriate publications directory on the product CD.

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Information Center Web site at http://www.ibm.com/tivoli/documentation.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss. You can also order by telephone by calling one of these numbers:

- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:

1. Go to http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see Appendix B, “Accessibility,” on page 33.

Tivoli technical training

For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.


Tivoli user groups

Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:

- 23,000+ members
- 144+ groups

Access the link for the Tivoli Users Group at www.tivoli-ug.org.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online

Go to the IBM Software Support site at http://www-01.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant

The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, go to http://www.ibm.com/software/support/isa.

Troubleshooting Guide

For more information about resolving problems, see the problem determination information for this product.

Conventions used in this book

This publication uses several conventions for special terms and actions, operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold

- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text
- Command names

Italic

- Words defined in text
- Emphasis of words (words as words)
- New terms in text (except in a definition list)
- Variables and values you must provide

Monospace

- Examples and code examples
- Programming keywords, and other elements that are difficult to distinguish from surrounding text
- File names
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options
- Names of object classes

Operating system-dependent variables and paths

This guide uses the Windows convention for specifying environment variables and for directory notation.

When using the Unix command line, replace %variable% with $variable for environment variables and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows and UNIX®. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Contents

Preface . . . iii

About this book . . . iii

Intended audience for this book . . . iii

Publications . . . iii

Tivoli Identity Manager library . . . iii

Prerequisite publications . . . iv

Related publications . . . v

Accessing terminology online. . . v

Accessing publications online . . . vi

Ordering publications . . . vi

Accessibility . . . vi

Tivoli technical training . . . vi

Tivoli user groups . . . vii

Support information . . . vii

Conventions used in this book . . . vii

Typeface conventions . . . vii

Operating system-dependent variables and paths . . . viii

Chapter 1. Overview of the plug-in . . . 1

Features of the plug-in . . . 1

Interaction among Active Directory, the adapter, and the plug-in . . . 1

Configuration 1: Forward password change . . . 1

Configuration 2: Reverse password change . . . 2

Supported configurations . . . 3

Configuration 1: Password Synchronization and Active Directory Adapter on same domain controller workstation . . . 3

Configuration 2: Password Synchronization and Active Directory Adapter on different domain controller workstations . . . 4

Configuration 3: Password Synchronization on a domain controller workstation and Active Directory Adapter on a non-domain controller workstation. . . 4

Configuration 4: Password Synchronization and Active Directory Adapter in different domains . . 5

Setting up registry access . . . 5

Using the winreg key to grant access to the registry . . . 6

Bypassing the Access Restriction. . . 7

Chapter 2. Planning to install the plug-in 9

Preinstallation road map . . . 9

Installation road map . . . 9

Prerequisites . . . 10

Information worksheet . . . 10

Downloading the software . . . 10

Chapter 3. Installing the plug-in . . . . 11

Before you begin . . . 11

About this task . . . 11

Procedure . . . 11

Installing CA certificates . . . 15

What to do next . . . 16

Verifying the installation . . . 16

Chapter 4. Installing and uninstalling the plug-in by using the silent mode . . 17

Installing the plug-in by using the silent mode . . 17

Uninstalling the plug-in by using the silent mode . 19

Chapter 5. Configuring SSL authentication for the plug-in . . . 21

Overview of SSL and digital certificates . . . 21

Private keys, public keys, and digital certificates . . . 22

Self-signed certificates . . . 22

Certificate and key formats . . . 23

Configuring certificates when the plug-in operates as an SSL client . . . 23

Chapter 6. Taking the first steps after installation . . . 25

Chapter 7. Uninstalling the plug-in . . . 27

Appendix A. Support information . . . 29

Searching knowledge bases . . . 29

Search the information center on your local system or network . . . 29

Search the Internet . . . 29

Contacting IBM Software Support . . . 29

Determine the business impact of your problem . . . 30

Describe your problem and gather background information . . . 31

Submit your problem to IBM Software Support 31

Appendix B. Accessibility . . . 33

Navigating the interface using the keyboard . . . 33

Magnifying what is displayed on the screen . . . 33

Appendix C. Notices . . . 35

Trademarks . . . 36

Index . . . 39


Chapter 1. Overview of the plug-in

The IBM Tivoli Identity Manager Password Synchronization plug-in enables connectivity between the Tivoli Identity Manager server and a system running the domain controller. This installation guide provides the basic information that you need to install and configure the Password Synchronization plug-in. This chapter provides an overview of the plug-in and the features of the plug-in.

Features of the plug-in

The Password Synchronization plug-in intercepts the domain user password changes and communicates with IBM Tivoli Identity Manager for password rules verification and synchronization. The new password is synchronized with other accounts managed by IBM Tivoli Identity Manager for the domain user.

Interaction among Active Directory, the adapter, and the plug-in

The Active Directory Adapter and the Password Synchronization plug-in work together on password change requests, whether they originate from Tivoli Identity Manager or from the resource. The password changes are made directly on the resource. The following two configurations describe the two directions of a password change.

Configuration 1: Forward password change

[Figure: Forward password change. Components: IBM Tivoli Identity Manager server (WebSphere Application Server or WebLogic server, single or cluster); Agent Server; Windows Domain Controller Server 1 with Active Directory, the Active Directory Adapter, the adapter registry, and the Password Synchronization plug-in. Arrows a, b, c and d trace the password change request and the password change.]

In this configuration, the Active Directory user password change is initiated from Tivoli Identity Manager. The password change request is sent to the Active Directory Adapter in DAML format. The following is the sequence of operations.

1. The Active Directory Adapter detects the password change. It stores the user ID and password in the registry in the key PasswordChanges. The user ID and password are stored in encrypted format. See a in the illustration.

2. The Active Directory Adapter then initiates a password change operation on Active Directory. See b in the illustration.

3. Before the password is actually changed on the resource, the Password Synchronization plug-in is invoked. The user ID and password to be changed are passed to Password Synchronization by the Windows operating system. See c in the illustration.

4. When the Connect to Windows Active Directory Adapter Registry option is enabled, the Password Synchronization plug-in accesses the Active Directory Adapter registry to determine whether the change was initiated from Tivoli Identity Manager. To do this, the plug-in connects to the Active Directory Adapter registry and reads the PasswordChanges key. It reads in all the user ID-password pairs from the key and compares them with the input user ID and password. If a match is found, the Password Synchronization plug-in ignores the request, because a password that comes from Tivoli Identity Manager already complies with the password rules. Also, because the password change was initiated from Tivoli Identity Manager, the password synchronization is performed by Tivoli Identity Manager. See d in the illustration.

5. The Active Directory Adapter deletes expired user ID-password pairs from the Active Directory Adapter registry. This is done whenever a password is specified in any of the Active Directory Adapter supported operations, such as Add, Modify, Password Change, or Restore. This flushes the registry and restricts its growth. It also ensures that older user ID and password pairs are not used during the comparison.

Note: All user ID-password pairs are treated as expired 10 minutes after their creation.

Configuration 2: Reverse password change

[Figure: Reverse password change. Components: IBM Tivoli Identity Manager server (WebSphere Application Server or WebLogic server, single or cluster); Agent Server; Windows Domain Controller Server 1 with Active Directory, the Active Directory Adapter, the adapter registry, and the Password Synchronization plug-in. The user changes the Windows password (a); arrows b, c and d trace the plug-in's registry check and the password synchronization with IBM Tivoli Identity Manager.]

In this configuration, the Active Directory user password change is initiated from the resource. The following is the sequence of operations.

1. The user changes the account password by first pressing Ctrl + Alt + Delete and then clicking Change Password. The password change on the resource can also be initiated as follows:

   a. On a domain controller workstation, select Start -> Programs -> Administrative Tools -> Active Directory Users and Computers.

   b. Browse to the appropriate container or organization unit. Select the user whose password is to be changed. Right click on the user and click Reset

   See a in the illustration.

2. The Windows operating system captures the password change event. Before the password is actually changed on the resource, the Password Synchronization plug-in is invoked. The user ID and password are passed to the plug-in. See b in the illustration.

3. When the Connect to Windows Active Directory Adapter Registry is enabled, the Password Synchronization plug-in accesses Active Directory Adapter registry to determine if the password change is initiated from Tivoli Identity Manager. In this case, because the password is directly changed on the resource, no matching user ID – password pair is found in Active Directory Adapter registry. The Password Synchronization plug-in determines that the password change is initiated by the user on the resource directly. See c in the illustration.

4. If ‘Enable Password rules’ is enabled for Password Synchronization plug-in, the plug-in sends the password to Tivoli Identity Manager for rules verification. If the password matches the rules defined in Tivoli Identity Manager then Tivoli Identity Manager sends success back to Password Synchronization plug-in. The plug-in notifies the Windows operating system that password complies to the password rules and can proceed. The password is then actually changed on the resource. After password change, the Windows operating system again invokes Password Synchronization to indicate that the password change operation is successful. Password Synchronization plug-in then sends SUCCESS to Tivoli Identity Manager for password change operation. Upon receipt of success, Tivoli Identity Manager then synchronizes the password with rest of the accounts of the user. See d in the illustration.
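The decision the plug-in makes in step 4 of the forward change and steps 3 and 4 of the reverse change is easy to get wrong at the edges (what counts as a match, when a pair expires, when the store is flushed). The following PowerShell script is an added example written for this guide; it is not IBM's plug-in or adapter code. An in-memory hashtable stands in for the adapter's PasswordChanges registry key, and pairs are kept as SHA-256 hashes of the user ID and password rather than in the adapter's own encrypted format, which this guide does not describe. The function names, the sample user and the sample passwords are all constructed for the example.

```powershell
# Added example (not IBM's code): models how a password change is classified as
# "initiated from Tivoli Identity Manager" (forward change, step 4) or
# "initiated on the resource" (reverse change, steps 3-4), including the
# 10-minute expiry of stored pairs and the flush described in step 5.

function Get-PairHash {
    # Hash the user ID/password pair so no clear-text password sits in the store.
    param([string]$UserId, [string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes("$UserId`0$Password")
        return (($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
    } finally {
        $sha.Dispose()
    }
}

# Constructed stand-in for the adapter's PasswordChanges key:
# pair hash -> time the adapter wrote the pair (forward change, step 1).
$script:PasswordChanges = @{}
$script:ExpiryMinutes   = 10   # the guide: pairs expire 10 minutes after creation

function Add-PendingChange {
    # Adapter side: record a pair for a change that Tivoli Identity Manager initiated.
    param([string]$UserId, [string]$Password, [datetime]$Now = (Get-Date))
    $script:PasswordChanges[(Get-PairHash $UserId $Password)] = $Now
}

function Remove-ExpiredChanges {
    # Step 5: drop expired pairs so the store does not grow and a stale pair can
    # never satisfy a later comparison.
    param([datetime]$Now = (Get-Date))
    $stale = @($script:PasswordChanges.Keys | Where-Object {
        ($Now - $script:PasswordChanges[$_]).TotalMinutes -ge $script:ExpiryMinutes })
    foreach ($k in $stale) { $script:PasswordChanges.Remove($k) }
}

function Resolve-ChangeOrigin {
    # Plug-in side: 'IdentityManager' when the incoming pair matches an unexpired
    # stored pair (forward change: ignore, already rule-checked); otherwise
    # 'Resource' (reverse change: send to Tivoli Identity Manager for rule checking).
    param([string]$UserId, [string]$Password, [datetime]$Now = (Get-Date))
    Remove-ExpiredChanges -Now $Now
    if ($script:PasswordChanges.ContainsKey((Get-PairHash $UserId $Password))) {
        return 'IdentityManager'
    }
    return 'Resource'
}

# Usage with constructed data: one change queued by the adapter at 09:00, then
# the same pair seen 2 minutes later, a different password 2 minutes later, and
# the original pair again 11 minutes later.
$t0 = Get-Date '2024-01-01 09:00:00'
Add-PendingChange -UserId 'jdoe' -Password 'Constructed-P@ss1' -Now $t0
Resolve-ChangeOrigin -UserId 'jdoe' -Password 'Constructed-P@ss1' -Now $t0.AddMinutes(2)
Resolve-ChangeOrigin -UserId 'jdoe' -Password 'Other-P@ss2'       -Now $t0.AddMinutes(2)
Resolve-ChangeOrigin -UserId 'jdoe' -Password 'Constructed-P@ss1' -Now $t0.AddMinutes(11)
```

The third usage call is the case the note after step 5 is about: the pair is still in the store until the flush runs, so the expiry check has to happen before the comparison, not after. If it did not, a stale pair from an earlier Tivoli Identity Manager change could cause a later user-initiated change of the same password to skip rule verification.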

Supported configurations

The following are the supported configurations for Password Synchronization and the Active Directory Adapter. Password Synchronization is always deployed on a domain controller workstation. The adapter can be deployed on a domain controller or a non-domain controller workstation.

Configuration 1: Password Synchronization and Active Directory Adapter on same domain controller workstation

[Figure: IBM Tivoli Identity Manager server (WebSphere Application Server or WebLogic server, single or cluster) communicating over DAML with a Windows Active Directory domain controller in Domain 1 that hosts the registry, the Active Directory Adapter and the Password Synchronization plug-in.]

In this configuration, Active Directory Adapter and Password Synchronization are installed on same domain controller. No specific registry permissions are required. Password Synchronization can directly access the Active Directory Adapter registry.

Configuration 2: Password Synchronization and Active Directory Adapter on different domain controller workstations

[Figure: IBM Tivoli Identity Manager server (WebSphere Application Server or WebLogic server, single or cluster) communicating over DAML with two Windows Active Directory domain controllers in Domain 1: one hosts the registry and the Active Directory Adapter, the other hosts the Password Synchronization plug-in.]

In this configuration Password Synchronization and Active Directory Adapter are installed on different domain controller workstations in the same domain. Registry permissions need to be granted to allow Password Synchronization access to the Active Directory Adapter registry. See “Setting up registry access” on page 5 to determine which permissions need to be set for this configuration.

Configuration 3: Password Synchronization on a domain controller workstation and Active Directory Adapter on a non-domain controller workstation

[Figure: IBM Tivoli Identity Manager server (WebSphere Application Server or WebLogic server, single or cluster) communicating over DAML with Domain 1: a Windows Active Directory domain controller hosts the Password Synchronization plug-in, and a non-domain controller machine hosts the registry and the Active Directory Adapter.]

In this configuration Password Synchronization is installed on a domain controller workstation. Active Directory Adapter is installed on non-domain controller workstation. Password Synchronization and Active Directory Adapter are in the same domain. Registry permissions need to be granted to allow Password Synchronization access to the Active Directory Adapter registry. See “Setting up registry access” on page 5 to determine which permissions need to be set for this configuration.


Configuration 4: Password Synchronization and Active Directory Adapter in different domains

[Figure: IBM Tivoli Identity Manager server (WebSphere Application Server or WebLogic server, single or cluster) communicating over DAML with a Windows Active Directory domain controller in Domain 1 that hosts the Password Synchronization plug-in, and with a domain controller or non-domain controller machine in a second domain that hosts the registry and the Active Directory Adapter; a cross-domain trust links the two domains.]

In this configuration Password Synchronization is installed on a domain controller workstation. Active Directory Adapter is installed on a domain controller or non-domain controller workstation. Password Synchronization and Active Directory Adapter are in different domains. Cross domain trust is required to enable Password Synchronization access to the Active Directory Adapter registry. See “Setting up registry access” to determine which permissions need to be set for this configuration.

Setting up registry access

To perform the forward and reverse password change operations, Password Synchronization needs access to the Active Directory Adapter registry to determine whether the password change was initiated from Tivoli Identity Manager. Password Synchronization requires read and write access: read access to compare the stored values and write access to flush them. The following steps explain how permissions are set on the Active Directory Adapter registry key to enable registry access from the same or a different workstation.

Table 1. Registry access permissions

Step 1
Description: Set up appropriate permissions on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. See “Using the winreg key to grant access to the registry” on page 6 for more information.
Configuration: Configuration 2, Configuration 3, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

Step 2
Description: As an alternative to step 1, bypass the winreg key and use the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths key. See “Bypassing the Access Restriction” on page 7 for more information.
Configuration: Configuration 2, Configuration 3, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

Step 3
Description: Go to the key “HKEY_LOCAL_MACHINE\SOFTWARE\Access360”. Go to Menu > Security > Permissions. Add the user or group to which access is to be granted. Grant full access to the user or group.
Configuration: Configuration 2, Configuration 3
Workstation that the step applies to: Active Directory Adapter workstation

Step 4
Description: Ensure that the time on the workstation where the Active Directory Adapter is installed is synchronized to the domain controller.
Configuration: Configuration 2, Configuration 3, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation, Password Synchronization workstation

Step 5
Description: Ensure that the domain administrators are members of the local Administrators group on the workstation where the Active Directory Adapter is installed.
Configuration: Configuration 2, Configuration 3, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

Step 6
Description: Ensure that the Remote Registry Service is started and running in Automatic mode. To check this service, go to Control Panel > Services > Remote Registry Service.
Configuration: Configuration 2, Configuration 3, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

If the Active Directory Adapter server and Password Synchronization are in different domains, the following steps are required for registry access across domains.

Step 7
Description: Ensure that the domain functional level and forest functional level are set up correctly for a two-way trust relationship. A mixed-mode domain functional level might produce errors while setting up the trust relationship.
Configuration: Configuration 4
Workstation that the step applies to: All domain controller workstations

Step 8
Description: Ensure that the domain trust relationship is two-way, transitive and of type Forest.
Configuration: Configuration 4
Workstation that the step applies to: All domain controller workstations

Step 9
Description: Ensure that all the domain controller workstations in the domains and the Active Directory Adapter server workstation are time synchronized.
Configuration: Configuration 4
Workstation that the step applies to: All domain controller workstations, Active Directory Adapter workstation

If the Active Directory Adapter is located on the domain controller, the following additional steps need to be done.

Step 10
Description: Go to Control Panel > Administrative Tools > Domain Security Policy. Go to Security Settings > Local Policies > Security Options. Add Software\Access360\ADAgent to the option Network access: Remotely accessible registry paths and sub-paths.
Configuration: Configuration 2, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

Step 11
Description: Under Security Settings > System Services > Remote Registry, ensure that it is started automatically every time. Give permission to everyone.
Configuration: Configuration 2, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

Step 12
Description: Go to Control Panel > Administrative Tools > Domain Controller Security Policy. Perform steps 3 to 6 for Domain Controller Security Policy.
Configuration: Configuration 2, Configuration 4
Workstation that the step applies to: Active Directory Adapter workstation

Note: To modify registry settings, use regedt32.exe on the Windows 2000 platform and regedit.exe on the Windows 2003 platform.

Using the winreg key to grant access to the registry

In Windows 2000 and later, only Administrators and Backup Operators have default network access to the registry. To restrict or grant network access for any particular group or user to the registry, follow the steps listed below to create the following Registry key:

Table 2. Registry key

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Type: REG_SZ

The Security permissions set on this key define what users or groups can connect to the system for remote registry access. The default Windows installation defines this key and sets the access control list (ACL) to restrict remote registry access as follows: Administrators have Full Control.

The default configuration for Windows operating systems permits only administrators remote access to the Registry. Changes to this key to allow users remote registry access require a system restart before they take effect.

To create the registry key to grant access to the registry:

1. Start Registry Editor (regedit.exe) and go to the following sub-key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
2. On the Edit menu, click Add Key.
3. Enter the following values: Key Name: SecurePipeServers; Class: REG_SZ.
4. Go to the following sub-key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
5. On the Edit menu, click Add Key.
6. Enter the following values: Key Name: winreg; Class: REG_SZ.
7. Go to the following sub-key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
8. On the Edit menu, click Add Value.
9. Enter the following values: Value Name: Description; Data Type: REG_SZ; String: Registry Server.
10. Go to the following sub-key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
11. Select winreg. Click Security and then click Permissions. Add users or groups to which you want to grant access.
12. Exit Registry Editor and restart the Windows operating system.

Note: If you later want to change the list of users that can access the registry, repeat steps 10-12.

Bypassing the Access Restriction

You can either add the account name that the service is running under to the access list of the winreg key, or you can configure Windows to bypass the access restriction for certain keys by listing them in the workstation value under the AllowedPaths key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths.

For remote access to Active Directory Adapter registry, append value SOFTWARE\Access360\ADAgent to this key.
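Several of the Table 1 steps (1, 2, 4 and 6) and the two registry sections above are checks that an administrator will want to re-run after a change or before opening a support case. The following PowerShell script is an added example written for this guide, not IBM's code; it only reads configuration and changes nothing. It assumes Windows PowerShell on the Active Directory Adapter workstation, that the value under AllowedPaths that the guide calls "the workstation value" is the REG_MULTI_SZ value named Machine, and that w32tm /query is available (Windows Server 2008 and later). The function names are constructed; the registry paths are the ones this guide names.

```powershell
# Added example (not IBM's code): read-only audit of the registry access
# prerequisites in Table 1 and the winreg / AllowedPaths sections. Run on the
# Active Directory Adapter workstation as an administrator.

$winreg      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$adapterPath = 'SOFTWARE\Access360\ADAgent'   # path named in this guide

function Test-WinregKey {
    # Table 1 step 1: the winreg key must exist; its ACL decides who may connect remotely.
    if (-not (Test-Path $winreg)) {
        return [pscustomobject]@{ Check = 'winreg key'; Pass = $false; Detail = 'key missing' }
    }
    $acl = Get-Acl -Path $winreg
    $who = ($acl.Access | ForEach-Object { "$($_.IdentityReference):$($_.RegistryRights)" }) -join '; '
    [pscustomobject]@{ Check = 'winreg key'; Pass = $true; Detail = $who }
}

function Test-AllowedPaths {
    # Table 1 step 2 / "Bypassing the Access Restriction": the adapter path must be
    # listed in the Machine value (assumed name) under winreg\AllowedPaths.
    $ap = Join-Path $winreg 'AllowedPaths'
    $machine = @()
    if (Test-Path $ap) { $machine = @((Get-ItemProperty -Path $ap).Machine) }
    [pscustomobject]@{ Check  = 'AllowedPaths'
                       Pass   = ($machine -contains $adapterPath)
                       Detail = ($machine -join '; ') }
}

function Test-RemoteRegistry {
    # Table 1 step 6: Remote Registry service running and set to Automatic.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Check = 'Remote Registry'; Pass = $false; Detail = 'service not found' }
    }
    $start = (Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'").StartMode
    [pscustomobject]@{ Check  = 'Remote Registry'
                       Pass   = (($svc.Status -eq 'Running') -and ($start -eq 'Auto'))
                       Detail = "$($svc.Status), start=$start" }
}

function Test-TimeSync {
    # Table 1 steps 4 and 9: the clock must be synchronized with the domain controller.
    # w32tm /query exists on Windows Server 2008 and later.
    $out = & w32tm.exe /query /status 2>&1
    [pscustomobject]@{ Check  = 'Time sync'
                       Pass   = ($LASTEXITCODE -eq 0)
                       Detail = (($out | Select-String 'Source|Last Successful') -join '; ') }
}

function Invoke-RegistryAccessAudit {
    Test-WinregKey
    Test-AllowedPaths
    Test-RemoteRegistry
    Test-TimeSync
}

Invoke-RegistryAccessAudit | Format-Table -AutoSize
```

A Pass of $true on every row means the workstation meets the conditions this chapter describes for remote registry access; a failing winreg row with an empty Detail column is the usual sign that the key was created without any permissions being granted, which is the case the restart note above refers to.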


Chapter 2. Planning to install the plug-in

Installing and configuring the adapter involves several steps that you must complete in an appropriate sequence. Review the road maps before you begin the installation process.

Preinstallation road map

You must prepare the environment before you can install the plug-in.

Table 3. Preinstallation road map

Obtain the installation software.
    Download the software from Passport Advantage®. See “Downloading the software” on page 10.

Verify that the software and hardware requirements for the adapter that you want to install have been met.
    See “Prerequisites” on page 10.

Collect the necessary information for the installation and configuration.
    See “Information worksheet” on page 10.

Installation road map

You must complete the steps to install the plug-in, including the post-installation configuration tasks, and then verify the installation.

Table 4. Installation road map

Install the plug-in.
    See Chapter 3, “Installing the plug-in,” on page 11.

Verify the installation.
    See “Verifying the installation” on page 16.

Configure SSL communications.
    See Chapter 5, “Configuring SSL authentication for the plug-in,” on page 21.


Prerequisites

Table 5 identifies the installation prerequisites for this plug-in. Verify that all of the prerequisites have been met before installing the Password Synchronization plug-in.

Table 5. Prerequisites to install the plug-in

System
    A Windows Server running Active Directory on one of the following 32-bit or 64-bit operating systems:
    - Windows 2003
    - Windows 2003 R2
    - Windows 2008

    Note: On 64-bit systems the Password Synchronization plug-in supports only the x64 architecture; it does not support Itanium®.

System Administrator Authority
    The person completing the Password Synchronization installation procedure must have system administrator authority to complete the steps in this chapter.

Adapter Compatibility
    IBM Tivoli Identity Manager Active Directory Adapter, version 5.1

Tivoli Identity Manager server
    Version 5.1

Information worksheet

The following worksheet lists the information necessary to complete the installation of the plug-in. Gather this information before beginning the installation process.

Table 6. Information worksheet

Installation directory
    The location where the plug-in is installed. The default is C:\Tivoli\PwdSync

Tivoli Identity Manager Application server
    IP address and SSL port

Target DN for the service
    On the Tivoli Identity Manager server

IBM Tivoli Identity Manager account
    The account under which the requests are submitted.

IBM Tivoli Identity Manager account password
    The password for the IBM Tivoli Identity Manager account under which the requests are submitted.

Downloading the software

Download the adapter software from your account in IBM Passport Advantage Online at:


Chapter 3. Installing the plug-in

The following sections contain the information that you need to install the Password Synchronization plug-in.

Before you begin

Make sure you do the following:

- Verify that your site meets all the prerequisite requirements. See “Prerequisites” on page 10.
- Obtain a copy of the installation software. See “Downloading the software” on page 10.
- Obtain system administrator authority.

About this task

This task provides all the necessary steps for installing the Password Synchronization software.

Procedure

1. If you downloaded the installation software from Passport Advantage, perform the following steps:
   a. Create a temporary directory on the computer on which you want to install the software.
   b. Extract the contents of the compressed file into the temporary directory.
2. Start the installation program with the SetupPwdSynch.exe file in the temporary directory.

   Note: When you install the Windows Password Sync plug-in by using Windows Remote Desktop, ensure that you open the remote desktop connection by using the command mstsc /console. If you do not do so, the following issue might occur: the Windows Password Sync plug-in is installed successfully, but after the domain controller restarts the TivoliPwdSync DLL is not loaded and the PwdSync.log file is not created under the plug-in's log directory.

3. Select a language and click OK.
4. On the Introduction window, click Next.
5. Specify where you want to install the adapter in the Directory Name field. Perform one of the following steps:
   - Click Next for the default location.
   - Click Choose, navigate to a different directory, and click Next.
6. In the License Agreement window:
   a. Review the license agreement and select Accept.
   b. Click Next.


7. Choose the CA certificate file and click Next. For information about CA certificates installation after Password Synchronization adapter installation, see “Installing CA certificates” on page 15.

8. Review the installation settings in the Pre-Installation Summary window and do one of the following:
   - Click Previous and return to a previous window to change any of these settings.
   - Click Install when you are ready to begin the installation.

9. In the PFConfig window, complete all of the text fields in the window. The following information describes the fields:

Installation Path

Specifies the installation path for the Password Synchronization plug-in. The value specified must match with the installation directory value entered earlier in the installation process.

ITIM Host Name or IP

Specifies the IP address for the Tivoli Identity Manager server.

SSL Port Number

Specifies the SSL port for the Tivoli Identity Manager server. The default SSL port for WebSphere Application Server is 9443 on a single server setup. If you have a WebSphere Application Server cluster, the IBM HTTP Server must be configured for SSL; the default port for HTTPS is 443. For example, shreth.tivlab.austin.ibm.com:9443

Note: For more information about configuring certificates, see “Installing CA certificates” on page 15.

Service DN

Specifies the Target DN of the service that is being monitored. At the Service DN field, click Configure Target Services. A list of configured target services appears.

Note: One copy of the Password Synchronization client can monitor multiple base points. Enter each of the points using the Target Services window.

To edit a target service, click the service and click Edit. The Base Point and Service Target DN specifications appear. The base point in the Active Directory must match the service Target DN on the Tivoli Identity Manager server.

Base Point

The base points specified must be identical to the base points configured in your Active Directory Adapter. The default base point is the root domain of the Active Directory.

Example 1

If the root of Active Directory is Cascades.Irvine.IBM.com, the Base Point must be specified as:

dc=Cascades,dc=Irvine,dc=IBM,dc=com

Example 2

If the base point is a container or organizational unit within your Active Directory, for example the Users container, the Base Point would be entered as:

cn=Users,dc=Cascades,dc=Irvine,dc=IBM,dc=com

Service Target DN

The format is:

erservicename=nameofservice,o=organizationname,ou=organizationshortname,dc=com

Note: Although DN formatting is used for the Service DN value, this is not the DN of the service being monitored. These are parameter values to the Password Synchronization plug-in.

erservicename

Specifies the name of the target service used by the Tivoli Identity Manager server

o Specifies the name of the organization on the Tivoli Identity Manager server

ou Specifies the short name defined for the

organization during installation and configuration of the Tivoli Identity Manager server. If this value is not known, it can be determined by opening the LDAP configuration tool for your product and locating the new root suffix created during the IBM Tivoli Identity Manager installation.

dc=com

Specifies the root of the directory tree.

For example, if you installed the Tivoli Identity Manager server in the root LDAP suffix called ITIM and your Windows Active Directory service is named WinAD Corp Server and is installed in an organization named Finance Org, the IBM Tivoli Identity Manager organization chart would look similar to the following diagram:

+ ITIM Home
    + Corporate Org
        + IT Org Unit
        + HR Org Unit
    + Finance Org
        + Accounts Payable Org Unit

This Windows Active Directory Adapter example has the following Service DN value:

erservicename=WinAD Corp Server,o=Finance Org,ou=ITIM,dc=com

ITIM Principal

Specifies the IBM Tivoli Identity Manager account under which the password change requests are submitted. The account must have the proper authority to submit password change requests for the desired people. This authority is granted when you create the access control information (ACI) for the Principal account by granting read and write permissions to the attributes involved in the tasks listed below.

At a minimum, the principal needs read and write permissions to perform the following tasks for password synchronization:

a. Search for the account that triggered the password synchronization.
b. Search for that account's owner.
c. Search for any accounts that should have their passwords synchronized.
d. Modify those same accounts, with write access to their password attributes.

Create an account specifically for these requests, with only this authority, rather than reusing an administrator account. Refer to the IBM Tivoli Identity Manager Information Center for more information on creating accounts and privileges.

Password

Specifies the password for the IBM Tivoli Identity Manager account under which the password change requests are submitted

Verify Password

Specifies the verification field for the IBM Tivoli Identity Manager account password

Max Notify Thread Count

Specifies the maximum number of password change requests that the plug-in can process at any one time. The plug-in processes password synchronization requests in a multi-threaded manner; this value limits the number of threads created, so that requests can be processed in parallel.

For example, if this value is set to 15, the password synchronization plug-in processes at most 15 parallel password change requests at any one time. A 16th concurrent password change request fails.

The default value for this parameter is 10.

Agent Host Machine

Specifies the name of the computer where the Windows Active Directory Adapter is installed and running. For example, \\mymachine

Agent Name

Specifies the adapter's registry key name. This value is ADAgent.

Enable Password Synchronization

Specifies whether password synchronization is enabled or disabled. When password synchronization is enabled, all password change requests are sent to IBM Tivoli Identity Manager in order to synchronize all passwords affected by the change request. When password synchronization is not enabled, the Password Synchronization plug-in ignores all password change requests on the managed resource.

Enable Password Rules Verification

Validates that the password complies with the password rules defined for the user.

When this option is selected, the new password is checked against the password policy rules defined for each account type to be synchronized. Unless the password is valid for all accounts, the password change fails with an error indicating that the new password does not meet the specified password rules. Refer to the IBM Tivoli Identity Manager Information Center for more information on setting IBM Tivoli Identity Manager password policies.

Require ITIM Response

This option is enabled only if Enable Password Rules Verification is selected. When this option is selected, passwords cannot be changed on Active Directory if Tivoli Identity Manager is unavailable.

Enable Logging

Allows administrators to enable logging for password change requests sent to the Active Directory Server.

Connect to the Windows Active Directory Adapter Registry

When you select this check box, Tivoli Password Sync attempts to connect to the Windows Active Directory Adapter registry. When you clear this check box, Tivoli Password Sync does not attempt to connect to the Windows Active Directory Adapter registry, and an informative message is written to the log file. In that case you must use the server-side recursion control to avoid looping. Tivoli Identity Manager version 4.6 Fix Pack 61 or later and Tivoli Identity Manager version 5.0 Fix Pack 02 or later also have server-side recursion control.

10. In the Install Complete window, answer the question about restarting the system, and click Done.

11. Restart the Active Directory Server.

Notes:

a. The connection information can be modified at a later time by running the pfconfig.exe program. This program opens the IBM Tivoli Identity Manager Password Change Notification Configuration page.
b. The Restart panel might not be displayed. For password synchronization to function correctly, you must install the CA certificate and restart the system.
c. When you make any changes in the SSL configuration, such as adding a new certificate or removing a certificate, you must restart the system.

Installing CA certificates

To install the CA certificates after you install the Password Synchronization adapter, perform the following steps:

1. Go to Start > Run, type mmc, and click OK or press Enter.
2. From the Console menu, select Add/Remove Snap-in.
3. From the Add/Remove Snap-in window, click Add to display the Add Standalone Snap-in window.
4. From the Add Standalone Snap-in window, select Certificates and click Add.
5. On the Certificates Snap-in window, select Computer Account and click Next to display the Select Computer window.
6. Select Local computer and click Finish, Close, and then OK.
7. Expand Certificates (Local computer) > Trusted Root Certification Authorities and select Certificates.
8. Right-click Certificates and select All Tasks > Import to display the Certificate Import Wizard, and click Next.
9. Browse to or type the name of the CA certificate for the Tivoli Identity Manager server and click Next.
10. Select the Place all certificates in the following store option, click Next, and then click Finish.

You can also use the CertMgr.exe command line tool to install the CA certificates after the Password Synchronization adapter installation. Run the following command:

CertMgr -add -c <certificate file> -s -r localMachine root

where <certificate file> is the full path to the certificate file.
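The same import done from PowerShell, followed by the check the MMC and CertMgr procedures cannot give you: a TLS handshake to the Tivoli Identity Manager SSL port in which .NET validates the server certificate against the machine's Trusted Root store. This is an added example, not part of this guide; the certificate path, host name and port are assumptions taken from the examples elsewhere in this chapter. A validation failure here is the same failure the plug-in hits when it connects.

```powershell
# Added example (not from the IBM guide): import the ITIM CA certificate into the local
# computer's Trusted Root store and verify the TLS handshake to the ITIM SSL port.
#Requires -RunAsAdministrator

$caFile   = 'C:\CA_My_Folder\My_CertfileName.cer'   # assumption, matches the Table 8 example
$itimHost = 'shreth.tivlab.austin.ibm.com'          # assumption, the PFConfig example host
$itimPort = 9443                                    # default WebSphere SSL port

function Install-ItimCaCertificate {
    param([string]$Path)
    # Same store the MMC and CertMgr procedures write to:
    # Certificates (Local Computer) > Trusted Root Certification Authorities.
    $cert = Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
    # Everything in this store is trusted machine-wide, so show what was just trusted:
    # a CA (or self-signed server) certificate is self-issued and should not be near expiry.
    $cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

function Test-ItimSslHandshake {
    param([string]$HostName, [int]$Port)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        # No custom validation callback: the default checks chain-to-trusted-root, validity
        # period and host-name match. Do not replace it with { $true } to "fix" a failing
        # handshake; that silently disables the authentication this chapter is about.
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        try {
            $ssl.AuthenticateAsClient($HostName)
        } catch [System.Security.Authentication.AuthenticationException] {
            throw "TLS handshake with ${HostName}:$Port failed validation ($($_.Exception.Message)). " +
                  'The server certificate does not chain to an installed CA certificate, or the name does not match.'
        }
        $remote = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                             -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{
            Host     = $HostName
            Port     = $Port
            Protocol = $ssl.SslProtocol
            Subject  = $remote.Subject
            Issuer   = $remote.Issuer
            Expires  = $remote.NotAfter
        }
    } finally {
        $client.Close()
    }
}

Install-ItimCaCertificate -Path $caFile
Test-ItimSslHandshake -HostName $itimHost -Port $itimPort
```

Run the handshake test again after any certificate change, since the note above requires a restart before the plug-in itself picks the change up.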

What to do next

After you finish the installation, you must install the CA certificates. See “Installing CA certificates” on page 15.

Verifying the installation

If the adapter is installed correctly, these directories are created in the installation directory:

- bin
- jre
- license
- log
- Uninstall_Tivoli Windows Password Synch Plugin

The following file is created in the system32 directory, for example, C:\Windows\system32.

Table 7. Operating system and file

32-bit operating system
    TivoliPwdSync.dll

64-bit operating system
    TivoliPwdSync64.dll

Review the installer log file (Tivoli_Windows_Password_Synch_Plugin_InstallLog.log), located in the installation directory, for example, C:\Tivoli\PasswordSynch, for any errors.

Using regedit.exe or regedt32.exe, ensure that the Windows registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages includes TivoliPwdSync on 32-bit operating systems or TivoliPwdSync64 on 64-bit operating systems.

Ensure that your certificates are installed correctly. The SSL handshake fails when the certificate or the CA certificate is not installed.
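The checks above scripted in PowerShell, as an added example that is not part of this guide. It confirms the Notification Packages entry, the DLL in system32 and the log files, and also lists every other notification package, because the LSA loads each one at boot and passes it every password change in clear text; that makes this value a well-known place for a rogue password filter to hide, so any name you did not install deserves a look. The installation directory is an assumption (the guide uses both C:\Tivoli\PwdSync and C:\Tivoli\PasswordSynch).

```powershell
# Added example (not from the IBM guide): verify the Password Synchronization installation
# and audit the LSA Notification Packages list while doing so.
$installDir = 'C:\Tivoli\PwdSync'   # assumption: default from the information worksheet

function Test-PwdSyncInstallation {
    param([string]$InstallDir)

    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
    $expected = if ([Environment]::Is64BitOperatingSystem) { 'TivoliPwdSync64' } else { 'TivoliPwdSync' }
    $dllPath  = Join-Path $env:SystemRoot "system32\$expected.dll"

    # scecli and rassfm are Windows' own entries; anything else besides the plug-in is unexpected.
    $known  = @('scecli', 'rassfm', 'TivoliPwdSync', 'TivoliPwdSync64')
    $others = @($packages | Where-Object { $_ -notin $known })

    [pscustomobject]@{
        ExpectedPackage               = $expected
        NotificationPackageRegistered = $packages -contains $expected
        UnexpectedPackages            = $others
        DllPresent                    = Test-Path $dllPath
        DllSignature                  = if (Test-Path $dllPath) { (Get-AuthenticodeSignature $dllPath).Status } else { $null }
        InstallLogPresent             = Test-Path (Join-Path $InstallDir 'Tivoli_Windows_Password_Synch_Plugin_InstallLog.log')
        PwdSyncLogPresent             = Test-Path (Join-Path $InstallDir 'log\PwdSync.log')   # created only after the restart
    }
}

Test-PwdSyncInstallation -InstallDir $installDir
```

PwdSyncLogPresent is expected to be false until the domain controller has been restarted once with the DLL registered; the other fields should be true immediately after installation.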


Chapter 4. Installing and uninstalling the plug-in by using the silent mode

Silent installation suppresses the adapter installation wizard and the Launcher User Interfaces (UIs). It does not display any information or require interaction. You can use the –silent option to install or uninstall the adapter in silent mode.

Note:

- The plug-in installs run time files from Microsoft. The installer for these run times shows some user interfaces, and you cannot suppress these user interfaces.
- If you install the plug-in in silent mode, the uninstaller runs in silent mode irrespective of whether you use the –silent option or not.

Installing the plug-in by using the silent mode

Installing the plug-in with default options

To install the adapter with the –silent option:

1. Navigate to the location where you have stored the SetupPwdSync.exe.
2. Run the following command from a command prompt:

   SetupPwdSync.exe -i silent -DLICENSE_ACCEPTED=TRUE

The adapter is installed in the default adapter installation directory, C:\Tivoli\PasswordSynch (that is, %SYSTEM_DRIVE_ROOT%:\Tivoli\passwordsynch), and a log file, pwd_out.txt, is created.

After you install the plug-in, you must:

1. Run pfconfig.exe (for the 32-bit version of the plug-in) or pfconfig64.exe (for the 64-bit version of the plug-in) from the bin directory and configure the plug-in.
2. Install the CA certificates. For information about CA certificates installation, see “Installing CA certificates” on page 15.
3. Restart the workstation.

Installing the plug-in with command line options

You can specify the listed installation options from the command prompt when you install the plug-in by using the silent mode. For example, if you want to override the default installation directory path then, run the following command:

SetupPwdSynch.exe -i silent -DLICENSE_ACCEPTED=TRUE -DUSER_INSTALL_DIR="D:\Tivoli\MyFolder"

Note:

v The -D option is followed by a variable and a value pair without any space after the -D option.

v You must wrap arguments with quotation marks when the arguments contain spaces.


Table 8. Installation options

-DUSER_INSTALL_DIR=Value
    Value overrides the default installation directory path. For example, D:\Tivoli\MyFolder.

-DLICENSE_ACCEPTED=Value
    Accepts the IBM license for the plug-in; the value must be TRUE. When you do not specify this option, the default value is FALSE.

-DUSER_CERT_FILE=Value
    The name of the CA certificate file for your IBM Tivoli Identity Manager server. For example, My_CertfileName.cer.

-DPATH_OF_CERT_FILE=Value
    The full path of the CA certificate file (excluding the file name) for your IBM Tivoli Identity Manager server. For example, C:\CA_My_Folder.

After you install the plug-in, you must:

1. Run pfconfig.exe (for the 32-bit version of the plug-in) or pfconfig64.exe (for the 64-bit version of the plug-in) from the bin directory and configure the plug-in.
2. Restart the workstation.

Installing the plug-in by using the response file

Generating the response file

You can use a response file to provide inputs during silent installation. The response file can be generated by running the following command. This runs the installer in interactive mode and installs the plug-in.

SetupPwdSync.exe –r "Full path of response file"

For example:

SetupPwdSync.exe –r "c:\temp\PwdSynResponse.txt"

Note: If you are running this command only to generate the response file, you must afterwards uninstall the plug-in by using the uninstaller.

Creating the response file manually

You can also manually create the response file with the following content:

#Start of Response file
#Choose Install Folder
#---
USER_INSTALL_DIR=Value
#Has the license been accepted
#---
LICENSE_ACCEPTED=TRUE
#Select CA Certificate file.
#---
USER_CERT_FILE=Value
PATH_OF_CERT_FILE=Value
#End of Response file


After you create the response file, you can use it as follows:

SetupPwdSynch.exe –i silent -f "Full path of response file"

After you install the Windows Tivoli Password Synchronization plug-in, you must:

1. Run pfconfig.exe (for the 32-bit version of the plug-in) or pfconfig64.exe (for the 64-bit version of the plug-in) from the bin directory and configure the plug-in.
2. Restart the workstation.

Uninstalling the plug-in by using the silent mode

Run the following command from the command line to uninstall the Windows Tivoli Password Synchronization plug-in by using the –i silent option. Specify the full path when you are not running the command from the Uninstall_Tivoli Windows Password Synch Plugin directory in the installation directory of the plug-in.

"Uninstall Tivoli Windows Password Synch Plugin.exe" -i silent

For example:

"C:\Tivoli\PasswordSynch\Uninstall_Tivoli Windows Password Synch Plugin\Uninstall Tivoli Windows Password Synch Plugin.exe" -i silent

Note: Restart the workstation to completely remove the plug-in.


Chapter 5. Configuring SSL authentication for the plug-in

In order to establish a secure connection between an IBM Tivoli Identity Manager adapter and the Tivoli Identity Manager server, you must configure the adapter and the server to use Secure Sockets Layer (SSL) authentication. By configuring the adapter for SSL, you ensure that the Tivoli Identity Manager server verifies the identity of the adapter before a secure connection is established.

The Password Synchronization plug-in uses HTTP over SSL (HTTPS) to establish secure communications.

Note: In a production environment, you need to enable SSL security. For testing purposes you might want to disable SSL. However, if an external application that communicates with the adapter (such as Tivoli Identity Manager server) is set to use server authentication, you must enable SSL on the adapter to verify the certificate that the application presents.

You can configure SSL authentication for connections that originate from the Tivoli Identity Manager server or from the adapter. Typically, the Tivoli Identity Manager server initiates a connection to the adapter in order to set or retrieve the value of a managed attribute on the adapter. However, depending on the security requirements of your environment, you might need to configure SSL authentication for connections that originate from the adapter. For example, if the adapter uses events to notify the Tivoli Identity Manager server of changes to attributes on the adapter, you can configure SSL authentication for Web connections that originate from the adapter to the Web server that is used by the Tivoli Identity Manager server.

This chapter presents an overview of SSL authentication and digital certificates.

Overview of SSL and digital certificates

When you deploy IBM Tivoli Identity Manager into an enterprise network, you must secure communication between the Tivoli Identity Manager server and the software products and components with which the server communicates. The industry-standard SSL protocol, which uses signed digital certificates from a certificate authority (ca) for authentication, is used to secure communication in an IBM Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the data exchanged between the applications. Encryption makes data transmitted over the network intelligible only to the intended recipient.

Signed digital certificates enable two applications connecting in a network to authenticate each other's identity. An application acting as an SSL server presents its credentials in a signed digital certificate to verify to an SSL client that it is the entity it claims to be. An application acting as an SSL server can also be configured to require the application acting as an SSL client to present its credentials in a certificate, thereby completing a two-way exchange of certificates. Signed certificates are issued by a third-party certificate authority for a fee. Some utilities, such as those provided by OpenSSL, can also issue signed certificates.

A certificate-authority certificate (ca certificate) must be installed to verify the origin of a signed digital certificate. When an application receives another application's signed certificate, it uses a ca certificate to verify the originator of the certificate. A certificate authority can be well-known and widely used by other organizations, or it can be local to a specific region or company. Many applications, such as Web browsers, are configured with the ca certificates of well-known certificate authorities to eliminate or reduce the task of distributing ca certificates throughout the security zones in a network.

Private keys, public keys, and digital certificates

Keys, digital certificates, and trusted certificate authorities are used to establish and verify the identities of applications.

SSL uses public key encryption technology for authentication. In public key encryption, a public key and a private key are generated for an application. Data encrypted with the public key can only be decrypted using the corresponding private key. Similarly, data encrypted with the private key can only be decrypted using the corresponding public key. The private key is password-protected in a key database file so that only the owner can access the private key to decrypt messages that are encrypted using the corresponding public key.

A signed digital certificate is an industry-standard method of verifying the authenticity of an entity, such as a server, client, or application. In order to ensure maximum security, a certificate is issued by a third-party certificate authority (ca). A certificate contains the following information to verify the identity of an entity:

Organizational information

This section of the certificate contains information that uniquely identifies the owner of the certificate, such as organizational name and address. You supply this information when you generate a certificate using a certificate management utility.

Public key

The receiver of the certificate uses the public key to decipher encrypted text sent by the certificate owner to verify its identity. A public key has a corresponding private key that encrypts the text.

Certificate authority's distinguished name

The issuer of the certificate identifies itself with this information.

Digital signature

The issuer of the certificate signs it with a digital signature to verify its authenticity. This signature is compared to the signature on the corresponding ca certificate to verify that the certificate originated from a trusted certificate authority.

Web browsers, servers, and other SSL-enabled applications generally accept as genuine any digital certificate that is signed by a trusted Certificate Authority and is otherwise valid. For example, a digital certificate can be invalidated because it has expired or the ca certificate used to verify it has expired, or because the distinguished name in the digital certificate of the server does not match the distinguished name specified by the client.

Self-signed certificates

You can use self-signed certificates to test an SSL configuration before you create and install a signed certificate issued by a certificate authority. A self-signed certificate contains a public key, information about the owner of the certificate, and the owner's signature. It has an associated private key, but it does not verify the origin of the certificate through a third-party certificate authority. Once you generate a self-signed certificate on an SSL server application, you must extract it and add it to the certificate registry of the SSL client application.

This procedure is the equivalent of installing a ca certificate that corresponds to a server certificate. However, you do not include the private key in the file when you extract a self-signed certificate to use as the equivalent of a ca certificate. Use a key management utility to generate a self-signed certificate and private key, extract a self-signed certificate, and add a self-signed certificate.

Where and how you choose to use self-signed certificates depends on your security requirements. In order to achieve the highest level of authentication between critical software components, do not use self-signed certificates, or use them selectively. For example, you can choose to authenticate applications that protect server data with signed digital certificates, and use self-signed certificates to authenticate Web browsers or IBM Tivoli Identity Manager adapters.

If you are using self-signed certificates, in the following procedures you can substitute a self-signed certificate for a certificate and ca certificate pair.

Certificate and key formats

Certificates and keys are stored in files with the following formats:

.pem format

A privacy-enhanced mail (.pem) format file begins and ends with the following lines:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

A .pem file format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create ca certificates.

.arm format

An .arm file contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm file format is generated and used by the IBM Key Management utility.

.der format

A .der file contains binary data. A .der file can only be used for a single certificate, unlike a .pem file, which can contain multiple certificates.

.pfx format (PKCS12)

A PKCS12 file is a portable file that contains a certificate and a corresponding private key. This format is useful for converting from one type of SSL implementation to a different implementation.
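The self-signed workflow described under “Self-signed certificates”, carried out in the formats listed above, as an added PowerShell example that is not part of this guide. It generates a self-signed certificate with its private key in the local machine store, extracts the public certificate without the private key as .der and as .pem (the file an SSL client adds as the equivalent of a ca certificate), and exports the certificate together with its key only as a password-protected .pfx that stays on the SSL server. It assumes the PKI module shipped with Windows Server 2016 or later; the host name itim.example.com and the output folder are assumptions.

```powershell
# Added example (not from the IBM guide): generate a self-signed certificate and export it
# in the .der, .pem and .pfx formats described in this section.
$dnsName = 'itim.example.com'                                  # assumption
$outDir  = 'C:\temp\certs'                                     # assumption
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'   # never hard-code this

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Private key is generated into the machine store; it is marked exportable only because a
# .pfx is produced below. Leave it NonExportable when no .pfx is needed.
$cert = New-SelfSignedCertificate -DnsName $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# .der: binary, one certificate, public key only. This is what the SSL client installs
# in place of a ca certificate.
$derPath = Join-Path $outDir "$dnsName.der"
Export-Certificate -Cert $cert -FilePath $derPath -Type CERT | Out-Null

# .pem: the same certificate, base-64 between BEGIN/END lines. Several .pem blocks can be
# concatenated to carry a chain.
$pemPath = Join-Path $outDir "$dnsName.pem"
$base64  = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
@('-----BEGIN CERTIFICATE-----', $base64, '-----END CERTIFICATE-----') |
    Set-Content -Path $pemPath -Encoding Ascii

# .pfx (PKCS12): certificate plus private key, password protected. Stays on the SSL server;
# it is never the file you distribute to clients.
$pfxPath = Join-Path $outDir "$dnsName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# Confirm the public export matches the store copy and carries no private key.
$exported = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $derPath
[pscustomobject]@{
    Thumbprint       = $cert.Thumbprint
    ExportMatches    = ($exported.Thumbprint -eq $cert.Thumbprint)
    DerHasPrivateKey = $exported.HasPrivateKey
    Files            = (Get-ChildItem -Path $outDir -Filter "$dnsName.*").Name
}
```

Install the .der or .pem file on the client side with the procedure in “Installing CA certificates”; the .pfx is imported only into the personal store of the server that will present the certificate.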

Configuring certificates when the plug-in operates as an SSL client

In this configuration, the plug-in operates as an SSL client: the plug-in initiates the connection, and the Web server responds by presenting its certificate to the plug-in.

Figure 1 on page 24 illustrates how an IBM Tivoli Identity Manager plug-in operates as an SSL server and an SSL client. When communicating with the Tivoli Identity Manager server, the plug-in sends its certificate for authentication. When communicating with the Web server, the plug-in receives the certificate of the Web server.

If the Web Server is configured for two-way SSL authentication, it verifies the identity of the plug-in, which sends its signed certificate to the Web server (not shown in the illustration). In order to enable two-way SSL authentication between the plug-in and Web server, use the following procedure:

1. Configure the Web server to use client authentication.

2. Follow the procedure for creating and installing a signed certificate on the Web server.

3. Install the ca certificate on the plug-in.

4. Add the ca certificate corresponding to the signed certificate of the plug-in to the Web server.

For more information on configuring certificates when the plug-in initiates a connection to the Web server (used by the Tivoli Identity Manager Server) to send a notification, see the Tivoli Identity Manager Information Center.

Figure 1. SSL exchanges in which the Tivoli Identity Manager adapter acts as SSL server toward the Tivoli Identity Manager server (presenting Certificate A, verified with CA Certificate A) and as SSL client toward the Web server (receiving Certificate C, verified with CA Certificate C).


Chapter 6. Taking the first steps after installation

After installing and configuring the adapter:

1. Install the CA certificate if you have not installed it during plug-in installation. For information about CA certificates installation after Password Synchronization plug-in installation, see “Installing CA certificates” on page 15.
2. Restart the domain controller.

Note: After you restart the domain controller, ensure that the PwdSync.log file is created in the log directory.


Chapter 7. Uninstalling the plug-in

This section describes the procedures for uninstalling the Password Synchronization plug-in. Inform users that the resource will be unavailable before removing the client. If the server is taken offline, Password Synchronization requests that have not completed might not be recovered when the server is back online.

Complete the following procedure to remove the Password Synchronization plug-in and directories.

1. From the Windows Control Panel, select Add/Remove Programs > Tivoli Windows Password Synch Plugin.
2. On the Introduction window, click Uninstall.
3. On the Uninstall Complete window, click Done.
4. Restart the workstation.

Note:

v To ensure that the Password Synchronization directories, subdirectories, and files are removed from the system, view the directory tree.

v Using regedit.exe or regedt32.exe, ensure that the Windows registry value Notification Packages under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa no longer lists TivoliPwdSync (32-bit operating systems) or TivoliPwdSync64 (64-bit operating systems). LSA loads the listed packages at startup, so a change here takes effect only after the restart in step 4.
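The following PowerShell script is an added example and is not part of the IBM guide or of the plug-in. It is a read-only check of the state the guide asks you to verify on the domain controller at two points: after installation and restart (Chapter 6), PwdSync.log must exist in the log directory and the plug-in's notification package must be registered with LSA; after uninstallation and restart (the note above), the package must be gone from Notification Packages and the plug-in directories removed. The log and installation directory paths are assumptions, because this section of the guide does not give them; the fact that LSA loads each listed name as <name>.dll from System32 is Windows behaviour, not something the guide states.

```powershell
# Added example (not from the IBM guide): verify the post-install (Chapter 6)
# and post-uninstall (Chapter 7) state of the Password Synchronization plug-in.
# Assumed (hypothetical) paths: adjust $LogDirectory and $InstallDirectory.

function Get-PwdSyncState {
    param(
        [string]$LogDirectory     = 'C:\Program Files\IBM\PwdSync\log',   # assumed path
        [string]$InstallDirectory = 'C:\Program Files\IBM\PwdSync'        # assumed path
    )

    # Notification Packages is a REG_MULTI_SZ value under the Lsa key: one DLL
    # base name per element, loaded by LSA from System32 at boot. The guide
    # names the plug-in's entry TivoliPwdSync (32-bit) or TivoliPwdSync64 (64-bit).
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
    $expected = if ([Environment]::Is64BitOperatingSystem) { 'TivoliPwdSync64' } else { 'TivoliPwdSync' }
    $tivoli   = @($packages | Where-Object { $_ -like 'TivoliPwdSync*' })

    # Every DLL in this list receives each password change in clear text, so the
    # full list is returned: an entry you do not recognise deserves investigation.
    [pscustomobject]@{
        ExpectedPackage      = $expected
        TivoliPackages       = $tivoli
        PackageRegistered    = ($tivoli -contains $expected)
        PackageDllPresent    = Test-Path (Join-Path $env:SystemRoot "System32\$expected.dll")
        LogFilePresent       = Test-Path (Join-Path $LogDirectory 'PwdSync.log')
        InstallDirPresent    = Test-Path $InstallDirectory
        NotificationPackages = $packages
    }
}

function Test-PwdSyncState {
    param(
        [Parameter(Mandatory)][ValidateSet('Installed', 'Uninstalled')][string]$Expect,
        [string]$LogDirectory     = 'C:\Program Files\IBM\PwdSync\log',   # assumed path
        [string]$InstallDirectory = 'C:\Program Files\IBM\PwdSync'        # assumed path
    )
    $state    = Get-PwdSyncState -LogDirectory $LogDirectory -InstallDirectory $InstallDirectory
    $failures = @()

    if ($Expect -eq 'Installed') {
        if (-not $state.PackageRegistered) { $failures += "$($state.ExpectedPackage) is not listed in Notification Packages" }
        if (-not $state.PackageDllPresent) { $failures += "$($state.ExpectedPackage).dll is missing from System32" }
        if (-not $state.LogFilePresent)    { $failures += "PwdSync.log was not created in $LogDirectory after the restart" }
    } else {
        if ($state.TivoliPackages.Count -gt 0) { $failures += "stale entry in Notification Packages: $($state.TivoliPackages -join ', ')" }
        if ($state.InstallDirPresent)          { $failures += "installation directory still present: $InstallDirectory" }
        if ($state.LogFilePresent)             { $failures += "log file still present in $LogDirectory" }
    }

    [pscustomobject]@{
        Expect   = $Expect
        Passed   = ($failures.Count -eq 0)
        Failures = $failures
        State    = $state
    }
}

# Usage: run as an administrator after the restart that the guide calls for.
Test-PwdSyncState -Expect Installed | Format-List
# After uninstalling the plug-in and restarting:
# Test-PwdSyncState -Expect Uninstalled | Format-List
```

The script only reads the registry; if a stale TivoliPwdSync or TivoliPwdSync64 entry remains, remove it with regedit.exe as the note above describes and restart, because LSA reads Notification Packages at startup.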


Appendix A. Support information

Use the following options to obtain support for IBM products:

v “Searching knowledge bases”

v “Contacting IBM Software Support”

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin by searching the available knowledge bases to determine whether the resolution to your problem is already documented.

Search the information center on your local system or network

IBM provides extensive documentation that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To locate Internet resources for your product, open one of the following Web sites:

v Performance and tuning information

Provides information needed to tune your production environment, available on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list to locate IBM Tivoli Identity Manager products. Click the link for your product, and then browse the information center for the Technical Supplements section.

v Redbooks and white papers are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

Browse to the Self Help section, in the Learn category, and click the Redbooks link.

v Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/

v Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

v For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web address: http://www.ibm.com/developerworks/

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.
