Tivoli® Identity Manager
Lotus Notes Adapter Installation and Configuration Guide
Version 4.6
SC32-1707-03
Note:
Before using this information and the product it supports, read the information in Appendix D, “Notices,” on page 87.
Fourth Edition (June 2005)
This edition applies to version 4.6 of this adapter and to all subsequent releases and modifications until otherwise
indicated in new editions. This edition replaces all previous editions.
© Copyright International Business Machines Corporation 2003, 2005. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Preface . . . . . . . . . . . . . . . v
Who should read this book . . . . . . . . . v
Publications and related information . . . . . . v
Tivoli Identity Manager library . . . . . . . v
Prerequisite Product Publications . . . . . . vii
Related Publications . . . . . . . . . . viii
Accessing publications online . . . . . . . viii
Accessibility . . . . . . . . . . . . . . viii
Support information . . . . . . . . . . . ix
Conventions used in this book . . . . . . . . ix
Typeface conventions . . . . . . . . . . ix
Operating system differences . . . . . . . . x
Definitions for HOME and other directory
variables . . . . . . . . . . . . . . . x
Chapter 1. Overview of the Lotus Notes
adapter . . . . . . . . . . . . . . . 1
Features of the adapter . . . . . . . . . . . 1
Supported configurations . . . . . . . . . . 2
Scenario 1: Running a single Lotus Notes adapter 2
Scenario 2: Running multiple instances of the
Lotus Notes adapter . . . . . . . . . . . 2
Scenario 3: Configuring multiple instances of the
Tivoli Identity Manager Server . . . . . . . 3
Scenario 4: Running multiple Lotus Domino
Servers . . . . . . . . . . . . . . . 3
Non-supported configurations . . . . . . . . 4
Scenario 1: Running multiple Lotus Domino
Servers and configuring multiple instances of the
Tivoli Identity Manager Server . . . . . . . 4
Scenario 2: Running the Universal Provisioning
adapter on the same server as the Lotus Notes
adapter . . . . . . . . . . . . . . . 4
Chapter 2. Adapter interactions with the
Tivoli Identity Manager Server . . . . . 5
Data Transfer from the Tivoli Identity Manager
Server to the adapter . . . . . . . . . . . 5
Basic configuration for server-to-adapter SSL
communication . . . . . . . . . . . . . 5
Chapter 3. Installing and configuring the
Lotus Notes adapter . . . . . . . . . 7
Prerequisites . . . . . . . . . . . . . . 7
Installation worksheet . . . . . . . . . . . 8
Installing the adapter . . . . . . . . . . . 10
Installing the NotesShadowAgent utility . . . . . 13
Installing the Shadow utility . . . . . . . . 13
Importing the adapter profile into the Tivoli Identity
Manager Server . . . . . . . . . . . . . 14
Importing the adapter profile . . . . . . . 14
Creating a Lotus Notes service . . . . . . . . 15
Configuring the adapter . . . . . . . . . . 16
Configuring the adapter to run multiple Lotus
Domino Servers . . . . . . . . . . . . . 17
Configuring the Adapter to use Custom ERUID . . 17
Configuring the adapter to use ITIM_ERUID . . . 18
Chapter 4. Configuring the adapter for
IBM Tivoli Identity Manager . . . . . . 19
Starting the adapter configuration tool . . . . . 19
Viewing configuration settings . . . . . . . . 20
Changing protocol configuration settings . . . . 20
Configuring event notification . . . . . . . . 23
Setting event notification triggers . . . . . . 26
Modifying an event notification context . . . . 27
Changing the configuration key . . . . . . . 29
Changing activity logging settings . . . . . . . 29
Changing registry settings . . . . . . . . . 31
Modifying non-encrypted registry settings . . . 31
Modifying encrypted registry settings . . . . 35
Changing advanced settings . . . . . . . . . 35
Viewing statistics . . . . . . . . . . . . 36
Changing code page settings . . . . . . . . 37
Accessing help and additional options . . . . . 37
Chapter 5. Configuring SSL
authentication for the Lotus Notes
adapter . . . . . . . . . . . . . . 41
Overview of SSL and digital certificates . . . . . 41
Private keys, public keys, and digital certificates 42
Self-signed certificates . . . . . . . . . . 42
Certificate and key formats . . . . . . . . 43
The use of SSL authentication . . . . . . . . 43
Configuring certificates for SSL authentication . . . 44
Configuring certificates for one-way SSL
authentication . . . . . . . . . . . . 44
Configuring certificates for two-way SSL
authentication . . . . . . . . . . . . 45
Configuring certificates when the adapter
operates as an SSL client . . . . . . . . . 46
Managing SSL certificates using CertTool . . . . 47
Starting CertTool . . . . . . . . . . . 47
Generating a private key and certificate request 49
Installing the certificate . . . . . . . . . 50
Installing the certificate and key from a PKCS12
file . . . . . . . . . . . . . . . . 50
Viewing the installed certificate . . . . . . . 51
Installing a CA certificate . . . . . . . . . 51
Viewing CA certificates . . . . . . . . . 51
Deleting a CA certificate . . . . . . . . . 51
Viewing registered certificates . . . . . . . 52
Registering a certificate . . . . . . . . . 52
Unregistering a certificate . . . . . . . . 52
Exporting a certificate and key to PKCS12 file . . 53
Chapter 6. Configuring the managed
resource . . . . . . . . . . . . . . 55
Domino Server configuration . . . . . . . . 55
Database creation on the Lotus Domino Server 55
Group creation on the Lotus Domino Server . . 56
Mail quota size requirements for Lotus Notes 6 56
Required environment settings on Windows . . . 57
Chapter 7. Customizing the Lotus
Notes adapter . . . . . . . . . . . . 59
Copy the NotesProfile.jar file and extract the files . 59
Create a new JAR file and install the new attributes
on the Tivoli Identity Manager Server . . . . . 60
Managing passwords when restoring accounts . . . 60
Chapter 8. Verification of the Lotus
Notes adapter installation . . . . . . 63
Storing existing data using the Shadow utility . . . 64
Chapter 9. Troubleshooting the Lotus
Notes adapter installation . . . . . . 67
Chapter 10. Upgrading the Lotus Notes
adapter or the ADK . . . . . . . . . 69
Upgrading the Lotus Notes adapter . . . . . . 69
Upgrading the ADK . . . . . . . . . . . 69
Log files . . . . . . . . . . . . . . 70
Chapter 11. Uninstalling the Lotus
Notes adapter . . . . . . . . . . . . 71
Uninstalling the Lotus Notes Shadow adapter . . . 71
Appendix A. Files . . . . . . . . . . 73
xforms.xml file . . . . . . . . . . . . . 73
Appendix B. Adapter attributes . . . . 75
Attribute descriptions . . . . . . . . . . . 75
Lotus Notes Adapter attributes by action . . . . 81
System Login Add . . . . . . . . . . . 81
System Login Change . . . . . . . . . . 81
System Login Delete . . . . . . . . . . 81
System Login Suspend . . . . . . . . . 82
System Login Restore . . . . . . . . . . 82
Reconciliation . . . . . . . . . . . . 82
Appendix C. Support information . . . 83
Searching knowledge bases . . . . . . . . . 83
Search the information center on your local
system or network . . . . . . . . . . . 83
Search the Internet . . . . . . . . . . . 83
Obtaining fixes . . . . . . . . . . . . . 84
Contacting IBM Software Support . . . . . . . 84
Determine the business impact of your problem 85
Describe your problem and gather background
information . . . . . . . . . . . . . 85
Submit your problem to IBM Software Support 85
Appendix D. Notices . . . . . . . . . 87
Trademarks . . . . . . . . . . . . . . 88
Index . . . . . . . . . . . . . . . 91
Preface
The IBM® Tivoli® Identity Manager Lotus Notes® Adapter (Lotus Notes Adapter)
enables connectivity between the IBM Tivoli Identity Manager Server and a
network of systems running the Lotus Domino® Server (Domino Server). The
Lotus Notes Adapter must be installed on a machine where the Lotus Notes Client
(Notes Client) is running. Once the adapter is installed and configured, Tivoli
Identity Manager manages access to Lotus Domino Server resources, using the
Lotus Domino Administrator’s ID. This book describes how to install and
configure the Lotus Notes Adapter.
Note: The program that is used to connect the managed resource to the Tivoli
Identity Manager Server is now called an adapter. The term adapter replaces
the previously used term agent. The user interface used to configure the
adapter still refers to an adapter as an agent.
Who should read this book
This book is intended for Lotus Notes system and security administrators
responsible for installing software on their site’s computer systems. Readers are
expected to understand Lotus Notes concepts. The person completing the
installation procedure must also be familiar with their site’s system standards and
needs to have appropriate Lotus Notes experience and knowledge. Readers must
be able to perform routine Lotus Notes system and security administration tasks.
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite Product
Publications” on page vii and the “Related Publications” on page viii. After you
determine the publications you need, refer to the instructions in “Accessing
publications online” on page viii.
Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library are
organized into the following categories:
v Release information
v Online user assistance
v Server installation and configuration
v Problem determination
v Technical supplements
v Adapter installation and configuration
Release Information:
v IBM Tivoli Identity Manager Release Notes
Provides software and hardware requirements for Tivoli Identity Manager, and
additional fix, patch, and other support information.
v IBM Tivoli Identity Manager Documentation Read This First Card
Lists the Tivoli Identity Manager publications.
Online user assistance:
Provides online help topics and an information center for all Tivoli Identity
Manager administrative tasks. The information center includes information that
was previously provided in the IBM Tivoli Identity Manager Configuration Guide and
the IBM Tivoli Identity Manager Policy and Organization Administration Guide.
Server installation and configuration:
IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere
Environments provides installation and configuration information for Tivoli Identity
Manager.
Configuration information that was previously provided in the IBM Tivoli Identity
Manager Configuration Guide is now included in either the installation guide or in
the IBM Tivoli Identity Manager Information Center.
Problem determination:
IBM Tivoli Identity Manager Problem Determination Guide provides problem
determination, logging, and message information for the Tivoli Identity Manager
product.
Technical supplements:
The following technical supplements are provided by developers or by other
groups who are interested in this product:
v IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment, available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the Tivoli Identity
Manager link. Browse the information center for the Technical Supplements
section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library also includes
an evolving set of platform-specific installation documents for the adapter
components of a Tivoli Identity Manager Server implementation. Locate adapters
on the Web at:
http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
Click Support & downloads. Browse to the Downloads and drivers. Click the link
for the current inventory of adapters.
Skills and training:
The following additional skills and technical training information were available at
the time that this manual was published:
v Virtual Skills Center for Tivoli Software on the Web at:
http://www.cgselearning.com/tivoliskills/
v Tivoli Education Software Training Roadmaps on the Web at:
http://www.ibm.com/software/tivoli/education/eduroad_prod.html
v Tivoli Technical Exchange on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite Product Publications
To use the information in this book effectively, you must have knowledge of the
products that are prerequisites for Tivoli Identity Manager Server. Publications are
available from the following locations:
v Lotus Domino Server
– http://www-306.ibm.com/software/sw-library/
v Operating systems
– IBM AIX®
http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
– Sun Solaris
http://docs.sun.com/db?q=solaris+9
– Red Hat Linux®
http://www.redhat.com/docs/
– Microsoft® Windows Server 2003
http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
v Database servers
– IBM DB2®
- Support: http://www.ibm.com/software/data/db2/udb/support.html
- Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
- Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
- DB2 product family: http://www.ibm.com/software/data/db2
- Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
- System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
– Oracle
http://www.oracle.com/technology/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
– Microsoft SQL Server 2000
http://www.msdn.com/library/
http://www.microsoft.com/sql/
v Directory server applications
– IBM Directory Server
http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
http://www.ibm.com/software/network/directory
– Sun ONE Directory Server
http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
v WebSphere Application Server
Additional information is available in the product directory or on the following Web sites:
http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
http://www.redbooks.ibm.com/
v WebSphere embedded messaging
http://www.ibm.com/software/integration/wmq/
v IBM HTTP Server
http://www.ibm.com/software/webservers/httpservers/library.html
Related Publications
Information that is related to Tivoli Identity Manager Server is available in the
following publications:
v The Tivoli Software Library provides a variety of Tivoli publications such as
white papers, datasheets, demonstrations, redbooks, and announcement letters.
The Tivoli Software Library is available on the Web at:
http://www.ibm.com/software/tivoli/literature/
v The Tivoli Software Glossary includes definitions for many of the technical terms
related to Tivoli software. The Tivoli Software Glossary is available from the
Glossary link of the Tivoli Software Library Web page at:
http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become
available and whenever they are updated, to the Tivoli software information center
Web site. Access the Tivoli software information center at the following Web
address:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the Tivoli Identity Manager
link to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option
in the File → Print window that allows Adobe Reader to print letter-sized
pages on your paper.
Accessibility
The product documentation includes the following features to aid accessibility:
v Documentation is available in convertible PDF format to give the maximum
opportunity for users to apply screen-reader software.
v All images in the documentation are provided with alternative text so that users
with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM
provides the following ways for you to obtain the support you need:
v Searching knowledge bases: You can search across a large collection of known
problems and workarounds, Technotes, and other information.
v Obtaining fixes: You can locate the latest fixes that are already available for your
product.
v Contacting IBM Software Support: If you still cannot solve your problem, and
you need to work with someone from IBM, you can use a variety of ways to
contact IBM Software Support.
For more information about these ways to resolve problems, see Appendix C,
“Support information,” on page 83.
Conventions used in this book
This reference uses several conventions for special terms and actions and for
operating system-dependent commands and paths.
Typeface conventions
This guide uses the following typeface conventions:
Bold
v Lowercase commands and mixed case commands that are otherwise
difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin
buttons, fields, folders, icons, list boxes, items inside list boxes,
multicolumn lists, containers, menu choices, menu names, tabs, property
sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text
Italic
v Words defined in text
v Emphasis of words (words as words)
v New terms in text (except in a definition list)
v Variables and values you must provide
Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult
to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options
Operating system differences
This guide uses the UNIX® convention for specifying environment variables and
for directory notation.
When using the Windows command line, replace $variable with %variable% for
environment variables and replace each forward slash (/) with a backslash (\) in
directory paths. The names of environment variables are not always the same in
Windows and UNIX. For example, %TEMP% in the Windows operating system is
equivalent to $tmp in a UNIX operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX
conventions.
Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to
represent the HOME directory level for various product installation paths. You can
customize the installation directory and HOME directory for your specific
implementation. If this is the case, you need to make the appropriate substitution
for the definition of each variable represented in this table.
The value of path varies for these operating systems:
v Windows: drive:\Program Files
v AIX: /usr
v Other UNIX: /opt
Path variable, default definition, and description:

DB_INSTANCE_HOME
The directory that contains the database for Tivoli Identity Manager.
v Windows: path\IBM\SQLLIB
v UNIX:
– AIX, Linux: /home/dbinstancename
– Solaris: /export/home/dbinstancename

LDAP_HOME
The directory that contains the directory server code.
v For IBM Directory Server Version 5.2
– Windows: path\IBM\LDAP
– UNIX, AIX and Linux: path/ldap
– UNIX, Solaris: path/IBMldaps
– path/IBM/LDAP
v For IBM Directory Server Version 6.0
– Windows: path\IBM\LDAP\V6.0
– UNIX, AIX and Solaris: path/IBM/LDAP/V6.0
– UNIX, Linux: opt/ibm/ldap/V6.0
v For Sun ONE Directory Server
– Windows: path\Sun\MPS
– UNIX: /var/Sun/mps

IDS_instance_HOME
The directory that contains the IBM Directory Server Version 6.0 instance.
v Windows: drive\idsslapd-instance_owner_name
The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
v UNIX: INSTANCE_HOME/idsslapd-instance_name
On Linux and AIX systems, the default home directory is the /home/instance_owner_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.

HTTP_HOME
The directory that contains the IBM HTTP Server code.
v Windows: path\IBMHttpServer
v UNIX: path/IBMHttpServer

ITIM_HOME
The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.
v Windows: path\IBM\itim
v UNIX: path/IBM/itim

WAS_HOME
The WebSphere Application Server home directory.
v Windows: path\WebSphere\AppServer
v UNIX: path/WebSphere/AppServer

WAS_MQ_HOME
The directory that contains the WebSphere MQ code.
v Windows: path\ibm\WebSphere MQ
v UNIX: path/mqm

WAS_NDM_HOME
The home directory on the deployment manager.
v Windows: path\WebSphere\DeploymentManager
v UNIX: path/WebSphere/DeploymentManager

Tivoli_Common_Directory
The central location for all serviceability-related files, such as logs and first-failure capture data.
v Windows: path\ibm\tivoli\common\CTGIM
v UNIX: path/ibm/tivoli/common/CTGIM
Chapter 1. Overview of the Lotus Notes adapter
An adapter is a program that provides an interface between a managed resource
and the Tivoli Identity Manager Server. Adapters might or might not reside on the
managed resource and the Tivoli Identity Manager Server manages access to the
resource by using your security system. Adapters function as trusted virtual
administrators on the target platform, performing such tasks as creating login IDs,
suspending IDs, and performing other functions administrators normally run
manually. The adapter runs as a service, independent of whether or not a user is
logged on to the Tivoli Identity Manager Server.
The IBM Tivoli Identity Manager Lotus Notes Adapter enables connectivity
between the Tivoli Identity Manager Server and a system running the Lotus
Domino Server. This installation guide provides the basic information that you
need to install and configure the Lotus Notes Adapter components. This chapter
provides an overview of the adapter and the features of the adapter.
Features of the adapter
You can use the Lotus Notes Adapter to automate the following administrative
tasks:
v Registering new users in the Lotus Domino Server
v Creating new users on the Lotus Domino Registration Server by specifying a
different Lotus Domino Email Server
v Modifying Lotus Notes user attributes
v Changing the Lotus Notes user account password
v Suspending, restoring, and deleting Lotus Notes user accounts
v Looking up user operations for Lotus Notes user accounts
v Reconciling Lotus Notes user accounts
v Executing Administration Process (AdminP) commands
– Renaming a user account
The adapter can be used to rename all references to a user account in the
Lotus Domino Server.
– Re-certifying a user account
The adapter can be used to re-certify a specific user account in the Lotus
Domino Server.
– Move User in Hierarchy
The adapter can be used to move a user to a new location in the
organization’s hierarchical name scheme.
– Move User Complete
When used with Move User in Hierarchy, the adapter can be used to complete
the move of a user to the new location in the hierarchy.
– Creating a New Replica of Database
The adapter can be used to create a new replica of a database in another
Lotus Domino Server.
– Moving a Replica of Database
The adapter can be used to move a replica of a database from one Lotus
Domino Server to another.
– Deleting an Access Control List (ACL)
The adapter can be used to delete the name of a user account from the ACL
of the mail database files in the Lotus Domino Server.
The ID file and password information for newly created users is stored in a
database file (NSF, by default). To add information for existing users, the Lotus
Notes Adapter includes a NotesShadowAgent utility (Shadow utility) that you can
use to incorporate the user’s information into this database file. For more
information on this utility, see “Installing the NotesShadowAgent utility” on page
13.
Supported configurations
You can install the Lotus Notes Adapter in four different configurations. The
fundamental components in each environment are a Tivoli Identity Manager
Server, a Notes Client, a Lotus Notes Adapter, and a Lotus Domino Server. In each
configuration, the Lotus Notes Adapter uses the Notes Client to communicate with
the Lotus Domino Server.
Note: The following schematics show the Notes Client and Lotus Notes Adapter
on a separate machine from the Lotus Domino Server. Both components can
reside on the same machine as the Lotus Domino Server.
Scenario 1: Running a single Lotus Notes adapter
The first supported configuration includes a single Tivoli Identity Manager Server,
a single machine running the Notes Client with one instance of the Lotus Notes
Adapter, and a single Lotus Domino Server.
Scenario 2: Running multiple instances of the Lotus Notes
adapter
The second supported configuration includes a single Tivoli Identity Manager
Server, a single machine running the Notes Client with multiple instances of the
Lotus Notes Adapter on different ports, and a single Lotus Domino Server.
Figure 1. Single Lotus Notes Adapter configuration
Scenario 3: Configuring multiple instances of the Tivoli
Identity Manager Server
The third supported configuration includes multiple Tivoli Identity Manager
Servers communicating with a single machine running the Notes Client with one
instance of the Lotus Notes Adapter, and a single Lotus Domino Server.
Scenario 4: Running multiple Lotus Domino Servers
The fourth supported configuration includes a single Tivoli Identity Manager
Server, a single machine running the Notes Client with one instance of the Lotus
Notes Adapter, and multiple Lotus Domino Servers. While the Lotus Notes
Adapter can work with multiple Lotus Domino Servers, it cannot do so
simultaneously. For more information on configuring the Lotus Notes Adapter to
work with multiple instances of the Lotus Domino Server, see “Configuring the
adapter to run multiple Lotus Domino Servers” on page 17.
Figure 2. Multiple instances of Lotus Notes Adapter configuration
Figure 3. Multiple instances of the Tivoli Identity Manager Server configuration
Non-supported configurations
The Lotus Notes Adapter has two non-supported configuration scenarios.
Scenario 1: Running multiple Lotus Domino Servers and
configuring multiple instances of the Tivoli Identity Manager
Server
The first non-supported configuration includes multiple Tivoli Identity Manager
Servers, a single machine running the Notes Client with one instance of the Lotus
Notes Adapter, and multiple Lotus Domino Servers.
Scenario 2: Running the Universal Provisioning adapter on
the same server as the Lotus Notes adapter
The second non-supported configuration includes a Tivoli Identity Manager Server,
a single machine running the Notes Client with one instance of the Universal
Provisioning Adapter and one instance of the Lotus Notes Adapter, and one Lotus
Domino Server. The Universal Provisioning Adapter can be used to send e-mail
using the Notes Client, therefore both adapters require the use of an ID file.
Scenarios in which both adapters have the same ID file, or in which both adapters
are installed on the same server, have not been tested and as such remain
unsupported.
Figure 4. Multiple instances of the Tivoli Identity Manager Server configuration
Chapter 2. Adapter interactions with the Tivoli Identity
Manager Server
Data Transfer from the Tivoli Identity Manager Server to the adapter
The Lotus Notes Adapter is an individual Tivoli Identity Manager software
program that must reside on a machine where the Notes Client is installed. That
machine may be the Lotus Domino Server. Data is transferred between the Lotus
Notes Adapter and the Tivoli Identity Manager Server using the Directory Access
Markup Language (DAML) protocol. DAML uses Secure Sockets Layer (SSL) to
send XML-formatted messages between the adapter and the server.
Tivoli Identity Manager communicates with the Lotus Notes Adapter in order to
administer user accounts. When the Tivoli Identity Manager Server issues a request
to the Lotus Notes Adapter, the server opens a TCP/IP connection. This connection
stays open until the adapter completes the request and responds back to the server
with an acknowledgement message. Once the Tivoli Identity Manager Server
receives the anticipated response, it drops the connection to the adapter.
Basic configuration for server-to-adapter SSL communication
The following information pertains to a Tivoli Identity Manager deployment on
either the WebSphere or the WebLogic application server. In this scenario, the
Tivoli Identity Manager Server initiates communication with the adapter
(server-to-adapter) using one-way authentication over SSL: the adapter presents
its certificate and the Tivoli Identity Manager Server verifies it, but the adapter
does not verify the identity of the caller at the SSL layer. If the adapter must also
verify the Tivoli Identity Manager Server, configure two-way SSL authentication as
described in Chapter 5. The SSL implementation in use is either RSA SSL-C or
OpenSSL; these are SSL libraries, not versions of the protocol.
For more information on SSL, see Chapter 5, “Configuring SSL authentication for
the Lotus Notes adapter,” on page 41.
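The connection lifecycle described in this chapter (open, one request, one acknowledgement, close) and the one-way SSL arrangement, as an added example that is not part of this guide or of IBM's adapter code. The 4-byte length-prefixed framing, the XML element and attribute names (request, response, operation, eruid), the certificate file arguments and the loopback port are assumptions made for illustration; the real DAML wire format is not documented on this page.

```python
# Added example (not IBM code): models the request/acknowledgement lifecycle
# and the one-way SSL arrangement described above.
# ASSUMPTIONS (not from the guide): the 4-byte length-prefixed framing, the XML
# element and attribute names, and the port are illustrative only.
import socket
import ssl
import struct
import threading
import xml.etree.ElementTree as ET

MAX_MSG = 1 << 20      # refuse oversized frames before allocating for them
IO_TIMEOUT = 5.0       # a stalled peer must not pin the adapter forever


def _send_msg(sock, payload):
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the message was complete")
        buf += chunk
    return buf


def _recv_msg(sock):
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length == 0 or length > MAX_MSG:
        raise ValueError("bad frame length %d" % length)
    return _recv_exact(sock, length)


def handle_request(request_xml):
    """Adapter side: parse one request and build the acknowledgement.
    xml.etree does not fetch external entities; for hostile input in
    production, parse through defusedxml or an equivalent hardened parser."""
    root = ET.fromstring(request_xml)
    ack = ET.Element("response", operation=root.get("operation", "unknown"), status="ok")
    ET.SubElement(ack, "eruid").text = root.findtext("eruid", default="")
    return ET.tostring(ack)


def one_way_tls_contexts(adapter_cert, adapter_key, ca_file):
    """One-way SSL as the guide describes it: the adapter (TLS server) presents a
    certificate; the Identity Manager side (TLS client) verifies it against
    ca_file and presents no certificate of its own. Paths are caller-supplied."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(adapter_cert, adapter_key)
    client_ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    return server_ctx, client_ctx


class AdapterListener:
    """Minimal adapter-side listener: exactly one request per connection."""

    def __init__(self, host="127.0.0.1", port=0, server_ctx=None):
        self.ctx = server_ctx
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self._stop = False
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop = True
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(IO_TIMEOUT)
            try:
                if self.ctx is not None:
                    conn = self.ctx.wrap_socket(conn, server_side=True)
                _send_msg(conn, handle_request(_recv_msg(conn)))
            except (OSError, ValueError, ET.ParseError):
                pass                       # malformed or broken: no ack, just drop it
            finally:
                conn.close()               # the adapter never keeps the connection


def itim_request(host, port, request_xml, client_ctx=None):
    """Identity Manager side: open, send one request, wait for the ack, close."""
    sock = socket.create_connection((host, port), timeout=IO_TIMEOUT)
    if client_ctx is not None:
        sock = client_ctx.wrap_socket(sock, server_hostname=host)
    try:
        _send_msg(sock, request_xml)
        ack = _recv_msg(sock)
    finally:
        sock.close()                       # dropped as soon as the response arrives
    return ET.fromstring(ack)


if __name__ == "__main__":
    listener = AdapterListener().start()
    try:
        reply = itim_request("127.0.0.1", listener.port,
                             b'<request operation="add"><eruid>jdoe</eruid></request>')
        print(ET.tostring(reply).decode())
    finally:
        listener.stop()
```

Run as written the exchange is plain TCP on loopback; pass the two contexts returned by one_way_tls_contexts to AdapterListener and itim_request to reproduce the guide's one-way SSL, in which only the adapter's certificate is checked. A request the adapter cannot parse receives no acknowledgement at all: the connection is simply closed, which is what the Identity Manager side sees as a failed request.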
Chapter 3. Installing and configuring the Lotus Notes adapter
Installing and configuring the Lotus Notes Adapter involves several steps that you
must complete in the appropriate sequence. Review the prerequisites before you
begin the installation process. You can also create an account on the managed
resource for the adapter to use.
Prerequisites
Table 1 identifies the system prerequisites to install the Lotus Notes Adapter. Verify
that all of the prerequisites have been met before installing the Lotus Notes
Adapter. Also, complete the installation worksheet before installing the adapter.
Table 1. Prerequisites to install the adapter
System, memory, and disk space
v A 32-bit x86-based microprocessor.
v A minimum of 256 MB of memory.
v At least 300 MB of free disk space.
Operating System
v Windows NT® 4.0 with Service Pack 6 or Windows 2000 with Service Pack 2.
Lotus Notes Software
One of the following Lotus Notes Client software:
v Notes Client 6 for Windows
v Notes Client 6.5 for Windows
One of the following Lotus Domino Administrator (Domino Administrator) software:
v Domino Administrator 6 for Windows
v Domino Administrator 6.5 for Windows
Note:
v The Notes Client is required for the adapter to run and it manages e-mail, while the Domino Administrator is required to manage the Lotus Domino Server by a user with administrator privileges.
v The version of the Notes Client and Domino Administrator must correspond to the version of the Lotus Domino Server. For example, version 6.5 of the Notes Client and Domino Administrator must be used with version 6.5 of the Lotus Domino Server.
Lotus Notes Managed Resource
One of the following Lotus Domino Server:
v Lotus Domino Server 6
v Lotus Domino Server 6.5
Network Connectivity
v TCP/IP network
v SSL enabled
v For security purposes, the adapter should be installed on a Windows NT File System (NTFS).
Tivoli Identity Manager Server
Version 4.6
Installation worksheet
Use the following worksheet to document information required to install and
configure the Lotus Notes Adapter. Complete this worksheet before starting the
installation procedure. The worksheet identifies the information you need to
modify during the installation process.
Make a copy of the worksheet for each server where you are installing the Lotus
Notes Adapter. For example, if you have five Windows servers where you are
installing the Lotus Notes Adapter, you need five copies of the worksheet.
Table 2. Installation worksheet
(Columns: Option; Description, default, notes; Value. Record your value for each option as you complete the worksheet.)
Administration Server name: The name of the Lotus Domino Server that the Lotus Notes Adapter will connect to.
Workstation ID file location: The location of the user.id file, which the Administrator will use to access the Lotus Domino Server.
Lotus Domino Server password: The password that corresponds to the user ID that the Lotus Notes Adapter will use to connect to the Lotus Notes or Lotus Domino Server.
Certification File Location and Password: Typically, the certification file is installed in the data directory under the directory where the Lotus Notes or Lotus Domino server is installed. In most cases, the cert.id file is installed in a directory called Notes\Data\ on a shared drive. The Certification Password is created by the Lotus Notes Network Administrator during installation of the Lotus Notes Server. Therefore, you must ask your Lotus Notes Network Administrator for the Certification File Location and Password information.
Lotus Domino Version Number: The version number for your Lotus Domino Server (either Version 5 or Version 6). The default is Version 6.
Lotus Domino Server’s Address Book: The name of the Lotus Domino Server address book that the adapter uses, if it is any address book other than the default (NAMES.NSF).
Suspend Group Name: The name of the group to which suspended users will be added.
Suspend HTTP Group Name: The name of the group to which the suspended users will be added for HTTP access.
Delete Group Name: The name of the group to which the deleted users will be added.
Deny Access Log Name: The name of the database file that will list the user documents which are deleted or suspended.
Attributes to be Reconciled: A list of attributes to include in the reconciliation process.
Not Reconciled Attributes List: A list of attributes to exclude from the reconciliation process.
Notes IDs Address Book: The name of the database file to use to store ID file and password information for newly created users in Tivoli Identity Manager. This option is also used by the Shadow utility.
Synchronize HTTP Password: Specify whether to synchronize the user password with the Internet/HTTP password for the user.
Short Name: Specify whether to use short names as user IDs in Tivoli Identity Manager.
Audit Short Name: Specify whether to use internet addresses as user IDs in Tivoli Identity Manager. The internet address is used only when a user’s short name is not present on the resource.
Delete Mail Database File: Specify whether to delete the mail database file of a user when an account is deleted in Tivoli Identity Manager.
Custom Eruid: The name of the custom field used for Eruid.
Use ITIM_ERUID: Specify whether to use the ITIM_ERUID to store the Eruid value.
Refresh ITIM_ERUID: Specify whether to delete the ITIM_ERUID field from each person document for the user.
Installing the adapter
The Tivoli Identity Manager Lotus Notes Adapter installation program is available
for download from the IBM Web site. Contact your IBM account representative for
the Web address and download instructions.
Before you begin to install the Lotus Notes Adapter, verify that the following
conditions are met:
v Any existing instance of the Lotus Notes Adapter must not be running.
If the Lotus Notes Adapter is running, use the Services window to stop the
adapter.
v When you are installing the Lotus Notes Adapter, you must use the
Administrator’s ID file, so that the adapter has administrator privileges.
v The ID file that is specified during installation must have system administrator
authority.
v You must verify that the Domino Administrator can communicate with the
Lotus Domino Server. Use a low-level communications ping to ensure that the
client can communicate with the server appropriately.
In order to install the Lotus Notes Adapter, complete the following steps:
1. Download the Lotus Notes Adapter compressed file from the IBM Web site.
2. Extract the contents of the compressed file into a temporary directory.
3. Start the installation program using the setup.exe file in the temporary
directory. For example, you can select Run from the Start menu, and type
C:\TEMP\setup.exe in the Open field.
4. On the Welcome window, click Next.
5. On the License Agreement window, review the license agreement and decide
if you accept the terms of the license. If you do, click Accept.
6. On the Agent Name window, in the Agent Name field, type the name of the
adapter instance. This name is used in the adapter registry settings, for the
name of the installation folder, and as the service name for the Lotus Notes
Adapter. Then, click Next.
7. On the Select Destination Directory window, specify where you want to install
the adapter in the Directory Name field. You can accept the default location,
or you can click Browse to specify a different directory. Then, click Next.
8. On the Domino Server Name window, specify the required information about
your Lotus Domino Server in the following fields:
Domino Version Number
The version number of your Lotus Domino Server (either Version 6 or
Version 6.5). The default is Lotus Domino Version 6.
Domino Server Name
Type the Lotus Domino Server name that the adapter uses. Enter the
server name in the following format:
CN=<Server Name>/O=<Organization Name>
For example,
CN=Condor/O=IBM
Domino Server’s Address Book
Type the name of the Lotus Domino Server address book that the
adapter uses, if it is any address book other than the default
(NAMES.NSF).
Then, click Next.
9. On the Workstation Information window, specify the login information for the
Domino Administrator in the following fields:
File Location
Type the workstation ID file that the adapter will use. Enter the
fully-qualified name of the file, for example,
D:\Lotus\Notes\Data\user.id
Workstation Password
Type the password associated with the ID file, which is used to access
the Lotus Domino Server, through the Domino Administrator.
Passwords are case-sensitive.
[Figure 5. Select Destination Directory window: an InstallShield dialog with the text "Click Next to install <agentname> to this directory, or click Browse to install to a different directory.", a Directory Name field containing C:\tivoli\agents\<agentname>, a Browse... button, and Back, Next and Cancel buttons.]
Then, click Next.
10. On the Suspend Group and Suspend HTTP Group Name window, specify the
groups where suspended users are added in the following fields:
Suspend Group Name
Type the name of the group to which suspended users will be added,
for example,
Suspended Users
Suspend HTTP Group Name
Type the name of the group to which suspended users will be added
for HTTP access, for example,
HTTPSuspended Users
Then, click Next.
11. On the Delete Group Name and Deny Access Log window, specify the group
where deleted users are added and the database file that contains the list of
users who were denied access in the following fields:
Delete Group Name
Type the name of the group to which deleted users will be added. For
example,
Deleted Users
Deny Access Log Name
Type the name of the database file that will list the deleted or
suspended user documents. User documents are removed from this
database file when a user is added or restored. For example,
LogDB.nsf
Then, click Next.
12. On the Attributes to be Reconciled, Not Reconciled Attributes, and
Synchronize HTTP Password window, specify which attributes you want
reconciled or not reconciled and specify whether you want to synchronize the
password:
Attributes to be Reconciled
Specify a list of attributes to include in the reconciliation process.
Separate the attributes with a semi-colon if you list more than one
attribute, for example, Certificate;$UpdatedBy;$Revisions. If you
leave the Reconciled Attributes field blank, all attributes except the
ones specified in the Not Reconciled Attributes List will be returned
during reconciliation.
Not Reconciled Attributes List
Specify a list of attributes to exclude from the reconciliation process.
Separate the attributes with a semi-colon if you list more than one
attribute, for example, Certificate;$UpdatedBy;$Revisions.
Synchronize HTTP Password
Select Yes to synchronize the user password as the Internet/HTTP
password for the user. Select No to not synchronize the user
password. The default is Yes.
Then, click Next.
13. On the Use Short Name and Audit Short Name window, specify how you
want to use short names in the following fields:
Use Short Name
Select Yes to use short names as user IDs in Tivoli Identity Manager.
Select No to not use short names. The default is No.
Note: When Yes is selected during this step, do not use the Short
Name field on the Tivoli Identity Manager GUI Account form.
Audit Short Name
Select Yes to use internet addresses as user IDs in Tivoli Identity
Manager. The internet address is used only when a user’s short name
is not present on the resource. Select No to not use internet addresses.
The default is No.
Then, click Next.
14. On the Note IDs Address Book and Delete Mail Database File window, specify
information about the user address book and mail file in the following fields:
Note IDs Address Book
Type the name of the database file to use to store ID file and
password information for newly created users in Tivoli Identity
Manager. For example,
NoteIDsAddressBook.nsf
Delete Mail Database File
Select Yes to delete the mail database file of a user when an account is
deleted in Tivoli Identity Manager. Select No to keep the mail
database file. The default is Yes.
Then, click Next.
15. On the Setup Information window, review the installation settings. Click Back
to change any of these settings. Otherwise, click Next to begin the installation.
16. On the Install Completed window, click Finish to exit the program.
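As an added example that is not part of this guide, the following Python models the Attributes to be Reconciled and Not Reconciled Attributes List settings from step 12: both are semicolon-separated lists, and a blank include list returns every attribute except the excluded ones. The sample person document is constructed; applying the exclude list even when an include list is given, and comparing names case-insensitively, are this example's assumptions.

```python
# Added example (not from the IBM guide): models the installer's
# "Attributes to be Reconciled" and "Not Reconciled Attributes List" settings.
#
# Both settings are semicolon-separated attribute names. An empty include list
# means every attribute except the excluded ones is returned. Two choices here
# are this example's assumptions: the exclude list is also applied when an
# include list is given, and names are compared case-insensitively.

from typing import Dict, List, Tuple


def parse_attribute_list(value: str) -> List[str]:
    """Split 'Certificate;$UpdatedBy;$Revisions' into names, dropping blanks."""
    return [name.strip() for name in value.split(";") if name.strip()]


def select_reconciled(person_doc: Dict[str, str],
                      reconciled: str,
                      not_reconciled: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (attributes to send to Tivoli Identity Manager, warnings)."""
    include = parse_attribute_list(reconciled)
    exclude = {name.lower() for name in parse_attribute_list(not_reconciled)}
    warnings = []

    # An attribute listed in both fields is a configuration mistake worth flagging.
    for name in include:
        if name.lower() in exclude:
            warnings.append(f"{name} is listed in both fields; it will be excluded")

    if include:
        wanted_lower = {name.lower() for name in include}
        wanted = [a for a in person_doc if a.lower() in wanted_lower]
    else:
        wanted = list(person_doc)

    selected = {a: person_doc[a] for a in wanted if a.lower() not in exclude}
    return selected, warnings


# Constructed person document fields (not a capture from a real Domino server).
SAMPLE_PERSON_DOC = {
    "FullName": "CN=Jane Doe/O=IBM",
    "ShortName": "jdoe",
    "InternetAddress": "jdoe@example.com",
    "HTTPPassword": "(hashed value)",
    "Certificate": "(public certificate bytes)",
    "$UpdatedBy": "CN=Admin/O=IBM",
    "$Revisions": "2005-06-01",
}


if __name__ == "__main__":
    # Blank include list: everything except the guide's example exclusions.
    attrs, warns = select_reconciled(
        SAMPLE_PERSON_DOC, "", "Certificate;$UpdatedBy;$Revisions")
    print(sorted(attrs), warns)
    # Explicit include list plus an exclusion that keeps password material
    # out of the data returned during reconciliation.
    attrs, warns = select_reconciled(
        SAMPLE_PERSON_DOC, "FullName;ShortName; HTTPPassword", "HTTPPassword")
    print(sorted(attrs), warns)
```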
Installing the NotesShadowAgent utility
The NotesShadowAgent utility (Shadow utility) is shipped with the Lotus Notes
Adapter. While the Lotus Notes Adapter stores user information for newly created
user accounts, the Shadow utility has the capability of storing information for
existing users. Existing users send their user name, password, and a copy of their
mail file to a Lotus Notes mailbox, which the Shadow utility uses.
Installing the Shadow utility
The Shadow utility is used to store user information for those user accounts that
were created prior to running the Lotus Notes Adapter.
Before you begin to install the Shadow utility, verify that the following conditions
are met:
v A Lotus Notes e-mail account named ITIM has been created, which is used to
receive the password and ID file information from different users. The Lotus
Notes account that is used by the Shadow utility must have manager plus delete
documents access to the account.
v The NotesIDsAddressBook database file has been created on the Lotus Domino
registration server only. This database file is used to store file ID and password
information for newly created users from Tivoli Identity Manager. It is also used
by the Shadow utility to store the user information it receives from the ITIM
account.
v Ensure that all users mail the required information to the newly created Lotus
Notes e-mail account.
To install the Shadow utility, complete the following steps:
1. Start the installation program using the setup.exe file in the temporary
directory. For example, you can select Run from the Start menu, and type
C:\TEMP\setup.exe in the Open field.
2. On the Welcome window, click Next.
3. On the License Agreement window, review the license agreement and decide if
you accept the terms of the license. If you do, click Accept and then click Next.
4. On the Agent Name window, in the Agent Name field, browse to find the
name of the Lotus Notes Adapter. The registry settings for this instance of the
Lotus Notes Adapter will be used to create the entries for the Shadow utility.
Then, click Next.
5. On the Preview window, review the installation settings. Click Back to change
any of these settings. Otherwise, click Next to begin the installation.
6. On the Install Completed window, click Finish to exit the program.
For information on using the Shadow utility to store existing user data, see
“Storing existing data using the Shadow utility” on page 64.
Importing the adapter profile into the Tivoli Identity Manager Server
Before you can add an adapter as a service to the Tivoli Identity Manager Server,
the server must have an adapter profile to recognize the adapter as a service. The
files that are packaged with the Lotus Notes Adapter include the adapter JAR file,
NotesProfile.jar. Using the Import feature of the Tivoli Identity Manager Server,
you can import the adapter profile into the server as a service profile.
The NotesProfile.jar file includes all of the files that are needed to define the
adapter schema, account form, service form, and profile properties. The
NotesProfile.jar file will be referenced in this document to make any changes to the
schema or the profile. You will be required to extract the files from the JAR file,
make changes to the necessary files, and repackage the JAR file with the updated
files. For more information on how to update the JAR files, see “Copy the
NotesProfile.jar file and extract the files” on page 59.
Importing the adapter profile
An adapter profile defines the types of resources that the Tivoli Identity Manager
Server can manage. You must import the adapter profile onto the Tivoli Identity
Manager Server before using the Lotus Notes Adapter. The profile is used to create
a Lotus Notes Adapter service on the Tivoli Identity Manager Server and to
communicate with the adapter.
Before you begin to import the adapter profile, verify that the following conditions
are met:
v The Tivoli Identity Manager Server must be installed and running.
v You must have root or Administrator authority on the Tivoli Identity Manager
Server.
In order to import the adapter profile, complete the following steps:
1. Log into the Tivoli Identity Manager Server using an account that has the
authority to perform administrative tasks.
2. From the Main Menu Navigation Bar, select the Configuration tab.
3. On the Configuration window, select Import/Export → Import tabs.
4. On the Import window, in the File to Upload field, type the location of the
NotesProfile.jar file, or click Browse to locate the file.
5. Click the Import data into Identity Manager link to import the adapter profile
into the Tivoli Identity Manager Server.
v If the adapter profile import completes successfully, the following message is
displayed:
Profile installation complete.
v If the adapter profile import fails, the following message is displayed:
Profile installation failed.
When you import the adapter profile, if you receive an error related to the
schema, the trace.log file will contain information about that error. The
trace.log file location is specified by the handler.file.fileDir property that
is defined in the Tivoli Identity Manager enRoleLogging.properties file,
which is installed in the Tivoli Identity Manager \data directory.
Creating a Lotus Notes service
After the adapter profile is imported into the Tivoli Identity Manager Server, you
must create a provisioning service to allow Tivoli Identity Manager to
communicate with the adapter.
In order to create a provisioning service, complete the following steps:
1. Log into the Tivoli Identity Manager Server using an account that has the
authority to perform administrative tasks.
2. On the Main Menu Navigation Bar, click the Provisioning tab.
3. On the Provisioning window, click the Manage Services tab.
4. On the Manage Services window, click Add.
5. From the list of service types, select Lotus Notes Profile, and then click
Continue. The Lotus Notes Adapter service form is displayed. The service
form contains the following fields:
Service Name
Specify a name that defines this Lotus Notes service on the Tivoli
Identity Manager Server. Service Name is a required field.
Description
Specify an optional description for this service.
URL
Specify the location and port number of the Lotus Notes Adapter. The
port number is defined in the protocol configuration using the agentCfg
program. For additional information about protocol configuration
settings, see “Changing protocol configuration settings” on page 20.
URL is a required field.
If https is specified as part of the URL, the adapter must be configured
to use SSL authentication. If the adapter is not configured to use SSL
authentication, specify http for the URL. For additional information
about configuring the adapter to use SSL authentication, see Chapter 5,
“Configuring SSL authentication for the Lotus Notes adapter,” on page
41.
User Id
Specify the DAML protocol user name. The user name is defined in the
protocol configuration using the agentCfg program. For additional
information about the protocol configuration settings, see “Changing
protocol configuration settings” on page 20. User Id is a required field.
Password
Specify the password for the DAML protocol user name. This password
is defined in the protocol configuration using the agentCfg program.
For additional information about the protocol configuration settings, see
“Changing protocol configuration settings” on page 20. Password is a
required field.
Owner
Specify the service owner, if any. Owner is an optional field.
Service Prerequisite
Specify an existing Tivoli Identity Manager service that is a prerequisite
for the Lotus Notes service. Service Prerequisite is an optional field.
6. To verify the connection, press Test.
7. To create the service, press Submit.
Configuring the adapter
Once you have installed the Tivoli Identity Manager Lotus Notes Adapter,
configuration is required to ensure that it functions properly.
Before you begin to configure the Lotus Notes Adapter, verify the following
conditions are met:
v The Administrator ID must have previously been logged on to the Notes Client, on
the same machine where the adapter is running. The adapter requires that the
last ID logged on to the client be the Administrator ID. See the first bullet on page
63 for more information on logging on to the Notes Client.
v You must obtain a production certificate from a well-known Certificate
Authority or create your own certificate using your own Certificate Authority.
The Lotus Notes Adapter does not come prepackaged with a certificate.
In order to configure the Lotus Notes Adapter, complete the following steps:
1. Start the Lotus Notes Adapter service using the Windows Services Tool.
2. Configure Directory Access Markup Language (DAML) to ensure
communication with the Tivoli Identity Manager Server. For more information
on configuring DAML, see “Changing protocol configuration settings” on page
20.
3. Configure the Lotus Notes Adapter to communicate with the Tivoli Identity
Manager Server by configuring the adapter for event notification. For more
information on configuring event notification, see “Configuring event
notification” on page 23.
4. For secure communication, install a certificate on the machine where the
adapter resides and on the Tivoli Identity Manager Server. For more
information on installing certificates, see Chapter 5, “Configuring SSL
authentication for the Lotus Notes adapter,” on page 41.
5. Install the adapter profile on the Tivoli Identity Manager Server. For more
information on installing the adapter profile, see “Importing the adapter profile
into the Tivoli Identity Manager Server” on page 14.
6. Configure the adapter service form. For more information on configuring the
service form, see “Creating a Lotus Notes service” on page 15.
7. Use the agentCfg utility to modify the adapter parameters. For more
information on parameter configuration, see Chapter 4, “Configuring the
adapter for IBM Tivoli Identity Manager,” on page 19.
8. Configure the adapter account form. For more information on configuring the
account form, refer to the IBM Tivoli Identity Manager Information Center.
9. Verify that you have correctly installed and configured the Lotus Notes
Adapter. See Chapter 8, “Verification of the Lotus Notes adapter installation,”
on page 63 for more information on verifying the installation and configuration
of the adapter.
Configuring the adapter to run multiple Lotus Domino Servers
Once you have configured the Tivoli Identity Manager Lotus Notes Adapter,
additional configuration is required to allow the adapter to work with multiple
Lotus Domino Servers. While the Lotus Notes Adapter can work with multiple
Lotus Domino Servers, it cannot do so simultaneously.
To configure the Lotus Notes Adapter to work with multiple instances of the Lotus
Domino Server, complete the following steps:
1. Log into the Lotus Domino Server, using the Domino Administrator.
2. You can change the registry settings by using the adapter configuration tool,
agentCfg. Change the following registry settings:
v Domino Server
v Workstation ID File Location
v Workstation Password
For more information on using the adapter configuration tool, see “Starting the
adapter configuration tool” on page 19.
3. Verify that the other registry settings apply to the new Lotus Domino Server.
For example, the value of NoteIdsAddressBook should apply to the new server
settings. Refer to Table 2 on page 8 for the registry settings for the Lotus
Domino Server.
Configuring the Adapter to use Custom ERUID
After installing the Lotus Notes Adapter, a new registry key, CustomEruid, is
created with an empty value. The value of this key should be the resource field
name of the attribute to be used as Custom ERUID.
To use Custom ERUID, complete the following steps:
1. Start the Lotus Notes Adapter.
2. Start the agentCfg tool to add a value to the registry key CustomEruid.
3. Add the name of the Notes field (to be used as Custom ERUID) to the
CustomEruid registry key.
For example, assume the following:
v A field is present on the Domino resource with the name DirSynchKey,
v A DirSynchKey field is added to the CustomAttributes.xml file,
v The DirSynchKey field is to be used as Custom ERUID.
Then add the value DirSynchKey to the registry key CustomEruid.
4. Restart the Adapter.
Note: Existing User attributes that are supported by the Lotus Notes Adapter are
not allowed as Custom ERUID by the Lotus Notes Adapter.
Configuring the adapter to use ITIM_ERUID
After installing the Lotus Notes Adapter, two new registry keys, Use ITIM_ERUID
and Refresh ITIM_ERUID, are created with a default value of FALSE. The Lotus
Notes Adapter uses these registry keys as follows:
Use ITIM_ERUID
v To create the ITIM_ERUID field in the person document of each user
during an ADD operation.
v To save the value of Eruid from the Tivoli Identity Manager Server to
the ITIM_ERUID field in the person document of each user.
v To use the value of the ITIM_ERUID field as the value of Eruid to be
sent back to the Tivoli Identity Manager Server.
Refresh ITIM_ERUID
During a reconciliation operation, to delete the ITIM_ERUID field from
the person document for all users.
Use the agentCfg utility to set these registry keys according to where your Lotus
Notes Adapter and Domino deployment stores the UserID attribute on the Lotus
Domino Server.
Chapter 4. Configuring the adapter for IBM Tivoli Identity Manager
Use the adapter configuration program, agentCfg, in order to view or modify the
Lotus Notes Adapter parameters. All changes that you make to parameters with
this tool take effect immediately.
Starting the adapter configuration tool
In order to start the adapter configuration tool, agentCfg, for Lotus Notes Adapter
parameters, complete these steps:
1. From the Start Menu, select Programs → Accessories → Command Prompt.
2. In the Command Prompt window, change to the bin directory for the adapter.
For example, type the following command, if the Lotus Notes Adapter
directory is in the default location:
cd \Tivoli\Agents\NotesAgent\bin
3. Type the following command:
agentCfg -agent NotesAgent
You can also use agentCfg to view or change configuration settings from a
remote computer. See the table in “Accessing help and additional options” on
page 37 for procedures on using additional arguments.
4. At the Enter configuration key for Agent ’NotesAgent’: prompt, type the
configuration key for the Lotus Notes Adapter.
The default configuration key is agent. You must change the configuration key
once installation completes, to prevent unauthorized access to the configuration
of the adapter. See “Changing protocol configuration settings” on page 20 for
procedures to change the configuration key.
The Main Configuration Menu is displayed.
NotesAgent 4.6.1000 Agent Main Configuration Menu
-------------------------------------------
A. Configuration Settings.
B. Protocol Configuration.
C. Event Notification.
D. Change Configuration Key.
E. Activity Logging.
F. Registry Settings.
G. Advanced Settings.
H. Statistics.
I. Codepage Support.
X. Done.
Select menu option:
From the Main Menu, you can configure the protocol, view statistics, and modify
settings, including configuration, registry, and advanced settings.
Table 3. Options for the main configuration menu
(Columns: Option; Configuration task; For more information)
A: Viewing configuration settings. See page 20.
B: Changing protocol configuration settings. See page 20.
C: Configuring event notification. See page 23.
D: Changing the configuration key. See page 29.
E: Changing activity logging settings. See page 29.
F: Changing registry settings. See page 31.
G: Changing advanced settings. See page 35.
H: Viewing statistics. See page 36.
I: Changing code page settings. See page 37.
Viewing configuration settings
The following procedure describes how to view the Lotus Notes Adapter
configuration settings.
1. At the Agent Main Configuration Menu, type A. The configuration settings for
the Lotus Notes Adapter are displayed. The following screen is an example of
the Lotus Notes Adapter configuration settings.
Configuration Settings
-------------------------------------------
Name : NotesAgent
Version : 4.6.1000
ADK Version : 4.65
ERM Version : 4.65
License : NONE
Asynchronous ADD Requests : TRUE (Max.Threads:3)
Asynchronous MOD Requests : TRUE (Max.Threads:3)
Asynchronous DEL Requests : TRUE (Max.Threads:3)
Asynchronous SEA Requests : TRUE (Max.Threads:3)
Available Protocols : DAML
Configured Protocols : DAML
Logging Enabled : TRUE
Logging Directory : C:\Tivoli\Agents\NotesAgent\Log
Log File Name : NotesAgent.log
Max. log files : 3
Max.log file size (Mbytes) : 1
Debug Logging Enabled : TRUE
Detail Logging Enabled : FALSE
Press any key to continue
2. Press any key to return to the Main Menu.
Changing protocol configuration settings
The Lotus Notes Adapter uses the DAML protocol to communicate with the Tivoli
Identity Manager Server. By default, when the adapter is installed, the DAML
protocol is configured to be used in nonsecure mode. In order to configure a secure
environment, you must configure the DAML protocol to use SSL and install a
certificate. Refer to “Installing the certificate” on page 50 for more information
about installing certificates.
In previous versions of this adapter, you could add and remove protocols.
However, in the latest version of this adapter, the DAML protocol is the only
supported protocol that you can use. Therefore, you will not need to add or
remove a protocol.
In order to configure the DAML protocol for the Lotus Notes Adapter, complete
the following steps:
1. At the Agent Main Configuration Menu, type B. The DAML protocol is
configured and available by default for the Lotus Notes Adapter.
Agent Protocol Configuration Menu
-----------------------------------
Available Protocols: DAML
Configured Protocols: DAML
A. Add Protocol.
B. Remove Protocol.
C. Configure Protocol.
X. Done
Select menu option
2. At the Agent Protocol Configuration Menu, type C. The Configure Protocol
Menu is displayed.
3. At the Configure Protocol Menu, type C. The Protocol Properties Menu for the
configured protocol is displayed with protocol properties. The properties on
your menu might be different from the ones shown in the examples.
The following screen is an example of the DAML protocol properties:
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection.
F. SRV_NODENAME 9.38.215.20 ;Event Notif. Server name.
G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
I. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
Select menu option:
4. Type the letter of the menu option that you want to configure.
See Table 4 below for additional information about the properties that you can
configure for the DAML protocol.
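As an added example that is not part of this guide, the following Python parses the DAML Protocol Properties screen shown above and checks the values against the rules the guide states here (USE_SSL needs an installed certificate, VALIDATE_CLIENT_CERT needs SSL), in "Creating a Lotus Notes service" (https in the service URL requires the adapter to use SSL) and in "Starting the adapter configuration tool" (the default configuration key agent must be changed). The sample screen, the finding codes and the `certificate_installed` flag are constructed for this example.

```python
# Added example (not from the IBM guide): parses the agentCfg
# "DAML Protocol Properties" screen and audits the values against the
# guide's own rules. Property names and defaults are from the guide; the
# finding codes, check order and sample screen are this example's.

import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed copy of the screen with the guide's example values (not a live capture).
SAMPLE_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
B. PASSWORD ****** ;Authorized user password.
C. MAX_CONNECTIONS 100 ;Max Connections.
D. PORTNUMBER 45580 ;Protocol Server port number.
E. USE_SSL FALSE ;Use SSL secure connection.
F. SRV_NODENAME 9.38.215.20 ;Event Notif. Server name.
G. SRV_PORTNUMBER 9443 ;Event Notif. Server port number.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
I. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
"""

# agentCfg truncates this property name to fit the screen, as the guide notes.
TRUNCATED_NAMES = {"VALIDATE_CLIENT_CE": "VALIDATE_CLIENT_CERT"}
DEFAULT_CONFIG_KEY = "agent"   # default agentCfg configuration key per the guide

# Screen line shape: "<letter>. <NAME> <value> ;<description>"
PROP_RE = re.compile(r"^[A-Z]\.\s+(\S+)\s+(\S+)\s+;")


def parse_daml_screen(text: str) -> Dict[str, str]:
    """Return {property name: value as shown}, expanding truncated names."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line)
        if match:
            name, value = match.groups()
            props[TRUNCATED_NAMES.get(name, name)] = value
    return props


def _is_true(props: Dict[str, str], name: str) -> bool:
    return props.get(name, "FALSE").strip().upper() == "TRUE"


def audit_daml(props: Dict[str, str], service_url: str, config_key: str,
               certificate_installed: bool) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to fix.

    certificate_installed is an assumption of this example: whether a server
    certificate has already been installed with CertTool.
    """
    findings = []
    use_ssl = _is_true(props, "USE_SSL")
    scheme = urlsplit(service_url).scheme.lower()

    if not use_ssl:
        findings.append(("NO_SSL",
                         "USE_SSL is FALSE: DAML traffic with the server is not SSL-protected"))
    elif not certificate_installed:
        findings.append(("SSL_NO_CERT",
                         "USE_SSL is TRUE but no certificate has been installed with CertTool"))

    # The service form rule: https in the URL only when the adapter uses SSL.
    if (scheme == "https") != use_ssl:
        findings.append(("URL_SCHEME_MISMATCH",
                         f"service URL scheme '{scheme}' does not match USE_SSL={props.get('USE_SSL')}"))

    if _is_true(props, "VALIDATE_CLIENT_CERT") and not use_ssl:
        findings.append(("CLIENT_CERT_WITHOUT_SSL",
                         "VALIDATE_CLIENT_CERT is TRUE but USE_SSL is FALSE"))

    for port_name in ("PORTNUMBER", "SRV_PORTNUMBER"):
        value = props.get(port_name, "")
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            findings.append(("BAD_PORT", f"{port_name}={value!r} is not a valid TCP port"))

    if config_key == DEFAULT_CONFIG_KEY:
        findings.append(("DEFAULT_CONFIG_KEY",
                         "agentCfg configuration key is still the default; change it after installation"))
    return findings


if __name__ == "__main__":
    props = parse_daml_screen(SAMPLE_SCREEN)
    for code, message in audit_daml(props, "https://notesagent.example.com:45580",
                                    DEFAULT_CONFIG_KEY, certificate_installed=False):
        print(f"{code}: {message}")
```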
Table 4. Options for the DAML protocol menu
Option Configuration task
A The following prompt is displayed:
Modify Property ’USERNAME’:
Type a user ID, for example, admin.
This value is the user ID that the Tivoli Identity Manager Server uses to
connect to the adapter.
B The following prompt is displayed:
Modify Property ’PASSWORD’:
Type a password, for example, admin.
This value is the password for the user ID that the Tivoli Identity
Manager Server uses to connect to the adapter.
Chapter 4. Configuring the adapter for IBM Tivoli Identity Manager 21
Table 4. Options for the DAML protocol menu (continued)
Option Configuration task
C The following prompt is displayed:
Modify Property ’MAX_CONNECTIONS’:
Enter the maximum number of concurrent open connections that the
adapter supports.
The default number is 100.
D The following prompt is displayed:
Modify Property 'PORTNUMBER':
Type a different port number.
This value is the port number that the Tivoli Identity Manager Server
uses to connect to the adapter. The default port number is 45580.
E The following prompt is displayed:
Modify Property 'USE_SSL':
Enter TRUE or FALSE to specify whether a secure SSL connection will
be used to connect to or from the adapter.
The default value is FALSE.
You must install a certificate when USE_SSL is set to TRUE. For more
information on certificate installation, see “Installing the certificate” on
page 50.
F The following prompt is displayed:
Modify Property 'SRV_NODENAME':
Type a server name or an IP address, for example, 9.38.215.20.
This value is the DNS name or IP address of the Tivoli Identity Manager
Server that is used for event notification and asynchronous request
processing.
Note: If your platform supports Internet Protocol version 6 (IPv6)
connections, you can specify an IPv6 server.
G The following prompt is displayed:
Modify Property 'SRV_PORTNUMBER':
Type a different port number to access the Tivoli Identity Manager
Server.
This value is the port number that the adapter uses to connect to the
Tivoli Identity Manager Server. The default port number is 9443.
H The following prompt is displayed:
Modify Property 'VALIDATE_CLIENT_CE':
Type TRUE to require the Tivoli Identity Manager Server to send a
certificate when it communicates with the adapter.
Type FALSE to allow the Tivoli Identity Manager Server to communicate
with the adapter without a certificate. The default value is FALSE.
Notes:
1. If you set this option to TRUE, you must configure options D
through H.
2. The property name is actually VALIDATE_CLIENT_CERT. It is
truncated by agentCfg to fit onto the screen.
3. You must use CertTool to install the appropriate CA certificates and
optionally register the Tivoli Identity Manager Server certificate. For
more information on using CertTool, see “Managing SSL certificates
using CertTool” on page 47.
I The following prompt is displayed:
Modify Property 'REQUIRE_CERT_REG':
This value only applies when option H is set to TRUE.
Type TRUE to require the client certificate from the Tivoli Identity
Manager Server to be registered with the adapter before it will accept an
SSL connection.
Type FALSE to require the client certificate only be verified against the
list of CA certificates. The default value is FALSE.
For more information on certificates, see Chapter 5, “Configuring SSL
authentication for the Lotus Notes adapter,” on page 41.
5. At the prompt, change the value, and press Enter.
The Protocol Properties Menu is displayed with your new settings.
If you do not want to change the value, just press Enter to return to the
Protocol Properties Menu.
6. Repeat steps 4 and 5 to configure as many protocol properties as you need to.
7. At the Protocol Properties Menu, type X to exit the menu.
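The following is an added example, not code from the IBM guide or from the adapter itself. It shows how the DAML properties USE_SSL (option E), VALIDATE_CLIENT_CERT (option H) and REQUIRE_CERT_REG (option I) translate into a TLS listener policy, and in particular why option I is stricter than option H. Assumed, not taken from the guide: the listener is modelled with an ssl.SSLContext, a certificate "registered" with CertTool is identified by its SHA-256 fingerprint, and the screen texts are constructed.

```python
# Added example, not code from the IBM guide or the adapter: how the DAML
# properties USE_SSL (E), VALIDATE_CLIENT_CERT (H) and REQUIRE_CERT_REG (I)
# translate into a TLS listener policy.  Assumed, not from the guide: the
# listener is an ssl.SSLContext, and a certificate "registered" with CertTool
# is identified here by its SHA-256 fingerprint.
import hashlib
import ssl
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class DamlPolicy:
    use_ssl: bool               # option E
    validate_client_cert: bool  # option H (shown truncated as VALIDATE_CLIENT_CE)
    require_cert_reg: bool      # option I, only meaningful when H is TRUE


def parse_daml_properties(screen: str) -> DamlPolicy:
    """Read the boolean properties off an agentCfg 'DAML Protocol Properties' screen.

    Each property line has the shape 'E. USE_SSL FALSE ;Use SSL secure connection.'.
    """
    flags: Dict[str, bool] = {}
    for line in screen.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].endswith("."):
            continue  # title, rule, 'X. Done' and prompt lines carry no property
        name, value = parts[1], parts[2]
        if name.startswith("VALIDATE_CLIENT_CE"):
            name = "VALIDATE_CLIENT_CERT"  # agentCfg truncates the name on screen
        flags[name] = value.upper() == "TRUE"
    return DamlPolicy(
        use_ssl=flags.get("USE_SSL", False),
        validate_client_cert=flags.get("VALIDATE_CLIENT_CERT", False),
        require_cert_reg=flags.get("REQUIRE_CERT_REG", False),
    )


def build_listener_context(policy: DamlPolicy,
                           ca_file: Optional[str] = None) -> Optional[ssl.SSLContext]:
    """Return the server-side SSLContext the policy calls for, or None for plaintext.

    With USE_SSL FALSE the USERNAME/PASSWORD credentials (options A and B) cross
    the network unprotected, so None is the weak setting, not a neutral one.
    """
    if not policy.use_ssl:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if policy.validate_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED  # option H: the peer must present a certificate
        if ca_file:
            ctx.load_verify_locations(ca_file)  # CA certificates installed with CertTool
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def certificate_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the identity used for 'registered' certificates."""
    return hashlib.sha256(der).hexdigest()


def accept_peer(policy: DamlPolicy, peer_der: Optional[bytes],
                chain_ok: bool, registered: Set[str]) -> bool:
    """Decide whether a connecting Tivoli Identity Manager Server is acceptable.

    chain_ok is the outcome of the CA-chain check TLS already performed (option H);
    registered holds the fingerprints registered with CertTool (option I).
    """
    if not policy.validate_client_cert:
        return True  # H = FALSE: no certificate is demanded, so nothing to check
    if peer_der is None or not chain_ok:
        return False  # H = TRUE: a certificate chaining to an installed CA is mandatory
    if policy.require_cert_reg:
        # I = TRUE: any certificate the CA signed is not enough; it must be one
        # that was explicitly registered with this adapter.
        return certificate_fingerprint(peer_der) in registered
    return True


# Constructed screens for the example, in the format agentCfg shows.
DEFAULT_SCREEN = """\
DAML Protocol Properties
--------------------------------------------------------------------
A. USERNAME ****** ;Authorized user name.
E. USE_SSL FALSE ;Use SSL secure connection.
H. VALIDATE_CLIENT_CE FALSE ;Require client certificate.
I. REQUIRE_CERT_REG FALSE ;Require registered certificate.
X. Done
"""
HARDENED_SCREEN = DEFAULT_SCREEN.replace("FALSE", "TRUE")
```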
Configuring event notification
Event notification is a feature of the Lotus Notes Adapter that updates the Tivoli
Identity Manager Server at set intervals. Event notification detects changes that are
made on the managed resource and updates the Tivoli Identity Manager Server
with the changes. You can enable event notification if you want to have updated
information from the managed resource sent back to the Tivoli Identity Manager
Server between full reconciliations. Event notification is not intended to replace
reconciliations on the Tivoli Identity Manager Server.
When event notification is enabled, a database of the reconciliation data is kept on
the machine where the adapter is installed. The database is updated with the
changes that are requested by the Tivoli Identity Manager Server and will remain
synchronized with the server. You can specify an interval for the event notification
process to compare the database to data that currently exists on the managed
resource. When the interval has elapsed, any differences between the managed
resource and the database are forwarded to the Tivoli Identity Manager Server and
updated in the local snapshot database.
There are several steps to enabling event notification. These steps assume that the
adapter is communicating successfully with the managed resource and the Tivoli
Identity Manager Server.
First, you must configure the host name, port number, and login information for
the Tivoli Identity Manager Server. In order to identify the server for the DAML
protocol to use, complete the following steps:
1. At the Agent Protocol Configuration Menu, select Configure Protocol. For more
information on configuring a protocol, see “Changing protocol configuration
settings” on page 20.
2. Type the letter of the menu option for the SRV_NODENAME property.
3. Specify the IP address or server name that identifies the Tivoli Identity
Manager Server, and press Enter.
The Protocol Properties Menu is displayed with your new settings.
4. Type the letter of the menu option for the SRV_PORTNUMBER property.
5. Specify the port number that the adapter uses to connect to the Tivoli Identity
Manager Server for event notification and press Enter.
The Protocol Properties Menu is displayed with your new settings.
The example menu shows all of the options displayed when Event Notification is
enabled. If Event Notification is disabled, not all of the options are displayed. In
order to set Event Notification for the Tivoli Identity Manager Server, complete the
following steps:
1. At the Agent Main Configuration Menu, type C. The Event Notification Menu is
displayed.
Event Notification Menu
--------------------------------------------------------------
* Reconciliation interval : 1 day(s)
* Next Reconciliation time : 23 hour(s) 56 min(s). 23 sec(s).
* Configured Contexts : Jupiter, dd309
A. Enabled.
B. Time interval between reconciliations.
C. Set Processing cache size. (currently: 50 Mbytes)
D. Start event notification now.
E. Set attributes to be reconciled.
F. Reconciliation process priority. (current: 1)
G. Add Event Notification Context.
H. Modify Event Notification Context.
I. Remove Event Notification Context.
J. List Event Notification Contexts.
X. Done
Select menu option:
Note: This menu shows all of the options that are displayed when Event
Notification is enabled. If Event Notification is disabled, not all of the
options are displayed.
2. Type the letter of the menu option that you want to change.
Option A must be enabled in order for the values of the other options to take
effect.
Press Enter to return to the Agent Event Notification Menu without changing
the value.
Table 5. Options for the event notification menu
Option Configuration task
A If this option is enabled, the adapter updates the Tivoli Identity Manager
Server with changes to the adapter at regular intervals.
When the option is set to:
v Disabled, pressing the A key changes to enabled
v Enabled, pressing the A key changes to disabled
Type A to toggle between the options.
B The following prompt is displayed:
Enter new interval
([ww:dd:hh:mm:ss])
Type a different reconciliation interval. For example,
[00:01:00:00:00]
Note: This value is the interval to wait once event notification completes
before it is run again. The event notification process is resource
intensive, therefore this value must not be set to run too frequently.
C The following prompt is displayed:
Enter new cache size[5]:
Type a different value to change the processing cache size.
D If this option is selected, event notification is started.
E The Event Notification Entry Types Menu is displayed. See “Setting
event notification triggers” on page 26 for more information.
F The following prompt is displayed:
Enter new thread priority [1-10]:
Type a different thread value to change the event notification process
priority.
Setting the thread priority to a lower value reduces the impact that the
event notification process has on the performance of the adapter. A
lower value might also cause event notification to take longer.
G The following prompt is displayed:
Context name:
Type the new context name, and press Enter. The new context is added.
H A menu listing the available contexts is displayed. See “Modifying an
event notification context” on page 27 for more information.
I The Remove Context Menu is displayed. Select the context to remove.
The following prompt is then displayed:
Delete context context1? [no]:
Press Enter to exit without deleting the context, or type Yes and press
Enter to delete the context.
</gr_replreplace>
<gr_replace lines="1521-1522" cat="reformat" orig="c. A full reconciliation">
c. A full reconciliation has been run
2. Type A for a list of the attributes returned during a user reconciliation, or type B
for attributes returned during a group reconciliation.
J The Event Notification Contexts are displayed in the following format:
Context Name : Context1
Target DN :
erservicename=context1,o=IBM,
ou=IBM,dc=com
--- Attributes for search request ---
{search attributes listed}
-----------------------------------------------
3. If you changed the value for options B, C, E, or F, press Enter. The other
options are automatically changed when you type the corresponding letter of
the menu option.
The Event Notification Menu is displayed with your new settings.
Setting event notification triggers
By default, all attributes are queried for value changes. Certain attributes that
change frequently (for example, password age or last successful logon) must be
omitted.
1. At the Event Notification Menu, type E. The Event Notification Entry Types
Menu is displayed.
Event Notification Entry Types
-------------------------------------------
A. USER
B. GROUP
X. Done
Select menu option:
The USER and GROUP types will not appear in the above menu until the
following conditions have been met:
a. Event notification has been enabled
b. A context has been created and configured
c. A full reconciliation has been run2. Type A for a list of the attributes returned during a user reconciliation, or type B
for attributes returned during a group reconciliation.
The Event Notification Attribute Listing for the selected reconciliation type is
displayed. The default setting lists all attributes that the adapter supports. The
example below lists example attributes, and might differ from the list that is
displayed on your machine.
Event Notification Attribute Listing
-------------------------------------
(a) **erNotesClientLicenset (b) **erNotesAltSortFullName (c) **erNotesClientBuild
(d) **erNotesAdminPRequest (e) **erNotesAdminpDBTitle (f) **erNotesComment
(g) **erNotesFullName (h) **erNotesAdminpCertifier (i) **erNotesOrigCertifier
(j) **erNotesOrigCertPasswd (k) **erNotesNewCertPath (l) **erNotesAssistant
(m) **erNotesChildren (n) **erNotesCity (o) **erNotesCountry
(p) **erNotesDepartment (q) **erNotesEmployeeID (r) **erNotesFirstName
(p)rev page 1 of 3 (n)ext
-----------------------------
X. Done
Select menu option:
3. Type the letter option for the attribute to exclude from an event notification.
Attributes that are marked with two asterisks (**) are returned during the event
notification. Attributes that are not marked with asterisks are not returned
during the event notification.
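The following is an added example, not code from the IBM guide or from the adapter. It models the event notification cycle described in the two sections above: the [ww:dd:hh:mm:ss] interval is parsed, changes requested by the Tivoli Identity Manager Server are recorded in the local baseline database so they are not reported back, the baseline is compared with the managed resource with the attributes toggled off in the Entry Types menu skipped, and the baseline is then refreshed. Record keys, attribute names and all sample data are constructed for the example.

```python
# Added example, not code from the IBM guide or the adapter: the event
# notification cycle described above, modelled in Python.  It parses the
# [ww:dd:hh:mm:ss] interval, records server-requested changes in the local
# baseline, compares the baseline with the managed resource, skips attributes
# toggled off in the Entry Types menu, and refreshes the baseline.
# Record keys, attribute names and sample data are constructed for the example.
import copy
import re
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, str]
Snapshot = Dict[str, Record]       # baseline database: record key -> attributes
Event = Tuple[str, str, Record]    # (kind, record key, changed attributes)

_INTERVAL = re.compile(r"^\[?(\d+):(\d+):(\d+):(\d+):(\d+)\]?$")
_UNIT_SECONDS = (7 * 86400, 86400, 3600, 60, 1)  # weeks, days, hours, minutes, seconds


def parse_interval(text: str) -> int:
    """Turn an agentCfg interval such as [00:01:00:00:00] (one day) into seconds."""
    match = _INTERVAL.match(text.strip())
    if not match:
        raise ValueError(f"expected ww:dd:hh:mm:ss, got {text!r}")
    return sum(int(v) * unit for v, unit in zip(match.groups(), _UNIT_SECONDS))


def record_server_request(baseline: Snapshot, key: str, attrs: Record) -> None:
    """Apply a change the Tivoli Identity Manager Server itself requested.

    The guide states that the baseline is updated with server-requested changes,
    so the next cycle does not report them back as differences.
    """
    baseline.setdefault(key, {}).update(attrs)


def compute_events(baseline: Snapshot, resource: Snapshot,
                   excluded: Iterable[str]) -> List[Event]:
    """Differences between the baseline and the resource, ignoring excluded attributes."""
    skip = set(excluded)
    events: List[Event] = []
    for key, current in resource.items():
        new = {a: v for a, v in current.items() if a not in skip}
        if key not in baseline:
            events.append(("add", key, new))
            continue
        old = {a: v for a, v in baseline[key].items() if a not in skip}
        changed = {a: v for a, v in new.items() if old.get(a) != v}
        removed = {a: "" for a in old if a not in new}  # attribute cleared on the resource
        if changed or removed:
            events.append(("modify", key, {**changed, **removed}))
    for key in baseline:
        if key not in resource:
            events.append(("delete", key, {}))
    return events


def run_notification_cycle(baseline: Snapshot, resource: Snapshot,
                           excluded: Iterable[str]) -> List[Event]:
    """One interval elapsing: report differences, then make the baseline match the resource."""
    events = compute_events(baseline, resource, excluded)
    baseline.clear()
    baseline.update(copy.deepcopy(resource))
    return events


def sample_cycle() -> Tuple[List[Event], Snapshot]:
    """Constructed walk-through: one server-driven change and three out-of-band ones."""
    alice = "CN=Alice Example/O=pspl"
    bob = "CN=Bob Example/O=pspl"
    carol = "CN=Carol Example/O=pspl"
    baseline: Snapshot = {
        alice: {"erNotesFirstName": "Alice", "erNotesDepartment": "Sales", "erNotesComment": "rev 1"},
        bob: {"erNotesFirstName": "Bob", "erNotesDepartment": "Ops", "erNotesComment": "rev 1"},
    }
    # Change made through Tivoli Identity Manager: lands in the baseline first.
    record_server_request(baseline, alice, {"erNotesDepartment": "Marketing"})
    # What the managed resource looks like when the interval elapses:
    resource: Snapshot = {
        alice: {"erNotesFirstName": "Alicia",      # renamed directly on the resource
                "erNotesDepartment": "Marketing",  # the server-requested value, as expected
                "erNotesComment": "rev 2"},        # changed, but excluded from notification
        carol: {"erNotesFirstName": "Carol", "erNotesDepartment": "Ops", "erNotesComment": "rev 1"},
    }                                              # bob is gone from the resource
    events = run_notification_cycle(baseline, resource, excluded={"erNotesComment"})
    return events, baseline
```

Only the out-of-band rename, the new record and the deletion are forwarded; the department change came from the server and the comment change is on an excluded attribute, so neither produces an event.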
Modifying an event notification context
An event notification context corresponds to a service on the Tivoli Identity
Manager Server. Some adapters support multiple services. One Lotus Notes
Adapter can have several Tivoli Identity Manager services, by specifying a
different base point for each service.
The base point for the Lotus Notes Adapter is the point in the directory server that
is used as the root for the adapter. This point can be an organizational unit (OU) or
domain container (DC) base point. Because the base point is an optional value, if a
value is not specified, the adapter uses the default domain of the machine on
which it is installed.
You can have multiple event notification contexts, but you must have at least one
adapter. In the example screen below, note that Context1, Context2, and Context3
are three different contexts, all having a different base point.
In order to modify an event notification context, complete the following steps:
1. At the Event Notification Menu, type H. The Modify Context Menu is
displayed.
Modify Context Menu
------------------------------
A. Context1
B. Context2
C. Context3
X. Done
Select menu option:
2. Type the letter of the menu option that you want to modify. The Modify
Context Menu for the selected context is displayed.
A. Set attributes for search
B. Target DN:
C. Delete Baseline Database
X. Done
Select menu option:
Table 6. Options for the modify context menu
Option Configuration task For more information
A Adding search attributes for event notification See page 27.
B Configuring the target DN for event notification
contexts
See page 28.
C Removing the baseline database for event
notification contexts
See page 29.
Adding search attributes for event notification
For some adapters, you might need to specify an attribute-value pair for one or
more contexts. These attribute-value pairs, which are defined by completing the
steps below, serve multiple purposes:
v When multiple services are supported by a single adapter, each service needs to
specify one or more attributes to differentiate it from the other services.
v The search attributes are passed to the event notification process, once the event
notification interval has occurred or is started manually. For each context, a full
search request is sent to the adapter. Additionally, the attributes specified for
that context are passed to the adapter.
v When the Tivoli Identity Manager Server initiates a reconciliation process, the
adapter replaces the local database that represents this service with the new
database.
In order to add search attributes, complete the following steps:
1. At the Modify Context Menu for the context, type A. The Reconciliation
Attribute Passed to Agent Menu is displayed.
Reconciliation Attributes Passed to Agent for Context: Context1
----------------------------------------------------
----------------------------------------------------
A. Add new attribute
B. Modify attribute value
C. Remove attribute
X. Done
Select menu option:
The Lotus Notes Adapter does not have any attributes that need to be specified
for Event Notification.
2. Type the letter of the menu option that you want to change.
The supported attribute names will be displayed with two asterisks (**) in front
of each name. When you type the letter of an attribute, it will toggle the
asterisks on and off. Attributes without asterisks will not be updated during an
event notification.
The Reconciliation Attributes Passed to Agent Menu is displayed with the
changes displayed.
Configuring the target DN for event notification contexts
The target DN field holds the unique name of the service that receives event
notification updates.
In order to configure the target DN, complete the following steps:
1. At the Modify Context Menu for the context, type B. The following prompt is
displayed:
Enter Target DN:
2. Type the target DN for the context, and press Enter. The target DN for the
event notification context must be in the following format:
erservicename=erservicename,o=organizationname,ou=tenantname,rootsuffix
Each element of the DN is defined as follows:
Table 7. DN elements and definitions
Element Definition
erservicename Specifies the name of the target service
o Specifies the name of the organization
ou Specifies the name of the tenant in which
the organization is in
rootsuffix Specifies the root of the directory tree
The Modify Context Menu is displayed with the new target DN listed.
Removing the baseline database for event notification contexts
This option is only available once a context is created and a reconciliation is run on
the context to create a Baseline Database file.
At the Modify Context Menu for the context, type C. The Modify Context Menu is
displayed with the Delete Baseline Database option removed.
Changing the configuration key
You use the configuration key as a password to access the configuration tool for
the adapter.
In order to change the Lotus Notes Adapter configuration key, complete the
following steps:
1. At the Main Menu prompt, type D.
2. Change the value of the configuration key, and press Enter.
Press Enter to return to the Main Configuration Menu without changing the
configuration key. The default configuration key is agent. Make sure that you
choose passwords that cannot be easily guessed.
The following message is displayed:
Configuration key successfully changed.
The configuration program exits, and the Main Menu prompt is displayed.
Changing activity logging settings
When you enable logging, Tivoli Identity Manager maintains a dated log file of all
transactions, NotesAgent.log. By default, the log file is installed in the \log
directory.
In order to change the Lotus Notes Adapter activity logging settings, complete the
following steps:
1. At the Main Menu prompt, type E.
The Agent Activity Logging Menu is displayed. The following example shows
the default activity logging settings.
Agent Activity Logging Menu
-------------------------------------
A. Activity Logging (Enabled).
B. Logging Directory (current: C:\Tivoli\Agents\NotesAgent\Log).
C. Activity Log File Name (current: NotesAgent.log).
D. Activity Logging Max. File Size ( 1 mbytes)
E. Activity Logging Max. Files ( 3 )
F. Debug Logging (Enabled).
G. Detail Logging (Disabled).
H. Base Logging (Disabled).
I. Thread Logging (Disabled).
X. Done
Select menu option:
2. Type the letter of the menu option that you want to change.
Option A must be enabled in order for the values of the other options to take
effect.
Press Enter to return to the Agent Activity Logging Menu without changing the
value.
Table 8. Options for the activity logging menu
Option Configuration Task
A Set this option to enabled to have the adapter maintain a dated log file
of all transactions.
When the option is set to:
v Disabled, pressing the A key changes to enabled
v Enabled, pressing the A key changes to disabled
Type A to toggle between the options.
B The following prompt is displayed:
Enter log file directory:
Type a different value for the logging directory, for example, C:\Log.
When the logging option is enabled, details about each access request
are stored in the logging file that is installed in this directory.
C The following prompt is displayed:
Enter log file name:
Type a different value for the log file name. When the logging option is
enabled, details about each access request are stored in the logging file.
D The following prompt is displayed:
Enter maximum size of log files (mbytes):
Type a new value, for example, 10. The oldest data is archived when the
log file reaches the maximum file size. File size is measured in
megabytes. It is possible for the activity log file size to exceed disk
capacity.
E The following prompt is displayed:
Enter maximum number of log files to retain:
Type a new value up to 100, for example, 5. The adapter automatically
deletes the oldest activity logs beyond the specified limit.
F If this option is set to enabled, the adapter includes the debug
statements in the log file of all transactions.
When the option is set to:
v Disabled, pressing the F key changes the value to enabled
v Enabled, pressing the F key changes the value to disabled
Type F to toggle between the options.
G If this option is set to enabled, the adapter maintains a detailed log file
of all transactions. The detail logging option must be used for diagnostic
purposes only. Detailed logging enables more messages from the adapter
and might increase the size of the logs.
When the option is set to:
v Disabled, pressing the G key changes the value to enabled
v Enabled, pressing the G key changes the value to disabled
Type G to toggle between the options.
H If this option is set to enabled, the adapter maintains a log file of all
transactions in the Adapter Development Kit (ADK) and library files.
Base logging will substantially increase the size of the logs.
When the option is set to:
v Disabled, pressing the H key changes the value to enabled
v Enabled, pressing the H key changes the value to disabled
Type H to toggle between the options.
I If this option is enabled, the log file will contain thread IDs, in addition
to a date and timestamp on every line of the file.
When the option is set to:
v Disabled, pressing the I key changes the value to enabled
v Enabled, pressing the I key changes the value to disabled
Type I to toggle between the options.
3. Press Enter if you changed the value for option B, C, D, or E. The other options
are changed automatically when you type the corresponding letter of the menu
option.
The Agent Activity Logging Menu is displayed with your new settings.
Changing registry settings
In order to change the Lotus Notes Adapter registry settings, complete the
following steps:
1. At the main menu, type F. The Registry menu is displayed.
NotesAgent 4.6.1000 Agent Registry Menu
-------------------------------------------
A. Modify Non-encrypted registry settings.
B. Modify encrypted registry settings.
C. Multi-instance settings.
X. Done
Select menu option:
2. See the following procedures on modifying registry settings.
Modifying non-encrypted registry settings
In order to modify the non-encrypted registry settings, complete the following
steps:
1. At the Agent Registry Menu, type A. The Non-encrypted Registry settings menu
is displayed.
Agent Registry Items
---------------------------
01. Attributes not RECONCILED 'Certificate;$UpdatedBy;$Revisions'
02. Attributes RECONCILED ' '
03. AuditShortName 'FALSE'
04. CustomEruid ' '
05. Delete Group 'Delete'
06. Delete Mail DB 'TRUE'
07. Domino Server 'CN=ps2125/O=pspl'
08. Domino Version Number '6'
09. ENROLE_VERSION '4.0'
10. Log DB ' '
--------------------------------
Page 1 of 2
A. Add new attribute
B. Modify attribute value
C. Remove attribute
D. Next Page
X. Done
Select menu option:
2. Type the letter of the menu action that you want to perform on an attribute.
Table 9. Attribute configuration option descriptions
Option Configuration task
A Add new attribute
B Modify attribute value
C Remove attribute
3. Type the registry item name, and press Enter.
See Table 10 for a description of each registry key.
4. If you selected option A or B, type the registry item value and press Enter.
The non-encrypted registry settings menu reappears and displays your new
setting(s).
Table 10 describes the registry keys and their available settings:
Table 10. Registry key descriptions
Key Description
Attributes not Reconciled Specifies a list of attribute names to exclude
from the reconciliation process. If more than
one name is listed, separate them by
semicolon. The default values are
Certificate;$UpdatedBy;$Revisions.
Attributes Reconciled Specifies a list of attribute names to include
in the reconciliation process. If more than
one name is listed, separate them by
semicolon. If this field is left blank, all
attributes except those specified in the
Attributes not RECONCILED list will be
returned during a reconciliation.
AuditShortName Specifies whether your adapter needs the
internet address to be a unique ID on the
Tivoli Identity Manager Server when the
shortname value is NULL. Only set this key
to TRUE when the Use ShortName key is
also set to TRUE. The default value is
FALSE.
CustomEruid Specifies the resource name of the Custom
ERUID attribute. The following data types
are supported:
v Single value STRING attribute
v Multiple value STRING attribute
v Single value NUMERIC attribute
Delete Group Specifies the name of the group that is used
by the adapter to keep the CN values of the
deleted users. This group must be created on
the Lotus Domino Server prior to running
the adapter.
Delete Mail DB Specifies whether your Lotus Notes Adapter
requires the deletion of the mail database file
when a user deletion occurs. The default
value is TRUE.
Domino Server Specifies the Lotus Domino Registration
Server name that the adapter uses
Domino Version Number Specifies the version number of your Lotus
Domino Server. The default value is version
6.
Log DB Specifies the name of a Lotus Notes
database. This database file must be created
on the Lotus Domino Server prior to running
the Lotus Notes Adapter.
NoteIDsAddressBook Specifies the name of the Lotus Notes
database file that is used by the adapter to
store the user information (ID file, password
in ADK encrypted form and the CN name of
the user). This database file must be created
on the Lotus Domino Server prior to running
the Lotus Notes Adapter.
Notes Address Book Specifies the name of the Lotus Notes
Address Book, if it is anything other than
names.nsf. The Lotus Notes Address Book
database file is different from the
NoteIdsAddressBook database file.
Refresh ITIM_ERUID Specifies whether to delete the ITIM_ERUID
field from the person document for all users,
during a reconciliation. The value for
ITIM_ERUID will come from the Full name,
Short name, or Custom field. The default
value is FALSE.
Suspend Group Specifies the name of the group that is used
by the Lotus Notes Adapter to keep the CN
values of the suspended users. This group
must be created on the Lotus Domino Server
prior to running the adapter.
Suspend HTTPPassword Specifies the name of the group that is used
by the Lotus Notes Adapter to keep the CN
values of the suspended users for restricting
Internet access. This group must be created
on the Lotus Domino Server prior to running
the adapter.
Synchronize HTTPPassword Specifies whether your Lotus Notes Adapter
requires the User Password to be set to
Internet Password during an ADD or
MODIFY request. The default value is TRUE.
Use ITIM_ERUID Specifies whether:
1. The Lotus Notes Adapter will create an
ITIM_ERUID field in the person
document when a new user ID is created
2. The Lotus Notes Adapter will save the
value of Eruid from the Tivoli Identity
Manager Server to the ITIM_ERUID field
in the person document of a user ID
3. During the first reconciliation after this
key is set to TRUE, the Lotus Notes
Adapter will create the ITIM_ERUID field
in the person document for each user.
The value from the Full name, Short
name, or Custom field will be used for
the Eruid.
The default value is FALSE.
Use ShortName Specifies whether your Lotus Notes Adapter
is configured to use the shortname value as a
unique ID on the Tivoli Identity Manager
Server. If you set this value to TRUE, do not
use the Short Name attribute that is on the
Lotus Notes account form. The adapter will
ignore the specified value of the Short Name
field during an ADD or MODIFY request.
The default value is FALSE.
Workstation ID File Location Specifies the path to the Lotus Domino
Server Administrator ID file. The adapter
will use this password to connect to the
Lotus Domino Server.
Workstation Password Specifies the password for the Lotus Domino
Server Administrator ID file. The adapter
will use this password to connect to the
Lotus Domino Server. The password is in
ADK encrypted format and can be changed
using the agentCfg tool.
Modifying encrypted registry settings
In order to modify the encrypted registry settings, complete the following steps:
1. At the Agent Registry Menu, type B. The Encrypted Registry settings menu is
displayed.
Encrypted Registry Items
-------------------------------------------
01. Workstation Password '*****'
Page 1 of 1
A. Add new attribute
B. Modify attribute value.
C. Remove attribute.
X. Done
Select menu option:
2. Type the menu letter for the action that you want to perform on an attribute.
Table 11. Attribute configuration option descriptions
Option Configuration task
A Add new attribute
B Modify attribute value
C Remove attribute
3. Type the registry item name, and press Enter.
4. If you selected option A or B, type the registry item value and press Enter.
The encrypted registry settings menu reappears and displays your new
setting(s).
Changing advanced settings
You can change the Lotus Notes Adapter thread count settings for the following
types of requests:
v System Login Add
v System Login Change
v System Login Delete
v Reconciliation
These settings determine the maximum number of requests that the Lotus Notes
Adapter processes concurrently. In order to change these settings, complete the
following steps:
1. At the Main Menu prompt, type G.
The Advanced Settings Menu is displayed. The following example shows the
default thread count settings.
NotesAgent 4.6.1000 Advanced Settings Menu
-------------------------------------------
A. Single Thread Agent (current:TRUE)
B. ADD max. thread count. (current:3)
C. MODIFY max. thread count. (current:3)
D. DELETE max. thread count. (current:3)
E. SEARCH max. thread count. (current:3)
F. Allow User EXEC procedures (current:FALSE)
G. Archive Request Packets (current:FALSE)
H. UTF8 Conversion support (current:TRUE)
I. Pass search filter to agent (current:FALSE)
J. Thread Priority Level (1-10) (current:4)
X. Done
Select menu option:
2. Type the letter of the menu option that you want to change. For a description
of each option, see Table 12.
Table 12. Options for the advanced settings menu
Option Description
A Forces the adapter to allow only one request at a time.
The default value is TRUE.
B Controls how many simultaneous ADD requests can run at one time.
The default value is 3.
C Controls how many simultaneous MODIFY requests can run at one time.
The default value is 3.
D Controls how many simultaneous DELETE requests can run at one time.
The default value is 3.
E Controls how many simultaneous SEARCH requests can run at one time.
The default value is 3.
F Determines whether the adapter allows pre- and post-exec functions.
Enabling this option is a potential security risk.
The default value is FALSE.
G This option is no longer supported.
H This option is no longer supported.
I Currently, this adapter does not support processing filters directly. This
option must always be FALSE.
J Sets the thread priority level for the adapter.
The default value is 4.
3. Change the value, and press Enter.
The Advanced Settings Menu is displayed with your new settings.
Viewing statistics
In order to view an event log for the Lotus Notes Adapter, complete the following
steps:
1. At the Main Menu prompt, type H.
The activity history for the adapter is displayed.
NotesAgent 4.6.1000 Agent Request Statistics
--------------------------------------------------------------------
Date Add Mod Del Ssp Res Rec
-----------------------------------------------------------------
11/15/02 000001 000000 000000 000000 000000 000001
-----------------------------------------------------------------
X. Done
2. Type X to return to the Main Configuration Menu.
Changing code page settings
In order to list the supported code page information for the Lotus Notes Adapter,
the adapter must be running. Run the following command to view the code page
information:
agentCfg -agent [adapter_name] -codepages
In order to change the code page settings for the Lotus Notes Adapter, complete
the following steps:
1. At the Main Menu prompt, type I.
The Code Page Support Menu for the adapter is displayed.
NotesAgent 4.6.1000 Codepage Support Menu
-------------------------------------------
* Configured codepage: US-ASCII
-------------------------------------------
*
*******************************************
* Restart Agent After Configuring Codepages
*******************************************
A. Codepage Configure.
X. Done
Select menu option:
2. Type A to configure a code page.
Note: The NotesAgent uses Unicode, therefore this option is not applicable.
3. Type X to return to the Main Configuration Menu.
Accessing help and additional options
In order to access the agentCfg help menu and use the help arguments, complete
the following steps:
1. At the Main Menu prompt, type X. The command prompt is displayed, and
you are in the \bin directory.
2. Type agentCfg -help at the prompt to view the help menu.
The following list of possible commands is displayed:
-version ; Show version
-hostname < value> ; Target nodename to connect to (Default:Local host IP address)
-findall ; Find all agents on target node
-list ; List available agents on target node
-agent <value> ; Name of agent
-tail ; Display agent’s activity log
-schema ; Display agent’s attribute schema
-portnumber <value>; Specified agent’s TCP/IP port number
-netsearch <value> ; Lookup agents hosted on specified subnet
-confidencetest ; Confidence test
-setup ; Confidence test setup
-help ; Display this help screen
Table 13 describes each argument.
Table 13. Arguments and descriptions for the agentCfg help command
Argument Description
-version Use this argument to display the version of the agentCfg tool.
-hostname <value> Use the -hostname argument with any of the following
arguments to specify a different host:
v -findall
v -list
v -tail
v -agent
Enter a host name or IP address as the value.
-findall Use this argument to search and display all port addresses
between 44970 and 44994 and their assigned adapter names.
This option will timeout on unused port numbers, so it might
take several minutes to complete.
Add the -hostname argument to search a remote host.
-list Use this argument to display the adapters that are installed
on the local host. By default, the first adapter that you install is
assigned port address 44970 or the next available port number, and
each subsequently installed adapter is assigned the next available
port address. The listing stops at the first unused port.
Use the -hostname argument to search a remote host.
-agent <value> Use this argument to specify the adapter that you want to
configure. Enter an adapter name as the value. Use this
argument with the -hostname argument to modify the
configuration setting from a remote host. You can also use
this argument with the -tail argument.
-tail Use this argument with the -agent argument to display the
activity log for an adapter. Add the -hostname argument to
display the log file for an adapter on a different host.
-schema This option is no longer supported.
-portnumber <value> Use this argument with the -agent argument to specify the
port number that is used for connections for the agentCfg
tool.
-netsearch <value> Use this argument with the -findall argument to display all
active adapters on the system. You must specify a subnet
address as the value.
-confidencetest Use this argument to run a test to add, modify, search, and
delete a request to the adapter. The confidence test allows
you to test the connection between the adapter and the Lotus
Domino Server. This allows you to verify that the adapter can
connect to Lotus Domino Server without the Tivoli Identity
Manager Server.
-setup Use this argument together with the -confidencetest argument to
configure the confidence test.
-help Use this argument to display the Help information for the
agentCfg command.
3. Type agentCfg and one or more of the supported arguments at the prompt.
You must type agentCfg before every argument to run the adapter
configuration tool.
Type agentCfg -list to list all of the adapters on the local host IP address.
Note that the port number shown, 44970, is the configuration port that
agentCfg uses to reach the adapter. The output is similar to the following output:
Agent(s) installed on node ’127.0.0.1’
-----------------------
NotesAgent (44970)
Type agentCfg -agent NotesAgent to display the Main Menu of the agentCfg
tool, which is used to view or modify the Lotus Notes Adapter parameters.
Type agentCfg -list -hostname 192.9.200.7 to list the adapters on a host
whose IP address is 192.9.200.7. The output is similar to the following output:
Agent(s) installed on node ’192.9.200.7’
------------------
NotesAgent (44970)
Type agentCfg -agent NotesAgent -hostname 192.9.200.7 to display the Main
Menu of the agentCfg tool for a host whose IP address is 192.9.200.7. Use the
menu options to view or modify the Lotus Notes Adapter parameters.
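A quicker way to learn which hosts answer on that port range, written here as an added example (it is not part of agentCfg or of this guide): the probe below makes the same TCP connections that -findall makes to ports 44970 through 44994, but concurrently and with a short timeout, so a host with no adapter answers in well under a second instead of the minutes the serial -findall sweep needs. It only reports that a port accepts a connection; it does not speak the agentCfg protocol, so it cannot recover the adapter name the way -findall does. Its purpose is to inventory which machines expose an adapter configuration port, and therefore accept remote -hostname sessions, so that those ports can be restricted to the administration hosts that need them. The port range is the one stated in this guide; self_test() is a loopback check that assumes nothing about your network.

```python
"""Concurrent connect sweep of the agentCfg port range.

Added example, not part of agentCfg or of the IBM guide. agentCfg -findall
probes ports 44970 to 44994 one after another and waits out a timeout on every
unused port; the same probes made concurrently with a short timeout answer in
seconds which hosts expose an adapter configuration port. Only the TCP connect
is tested: nothing here speaks the agentCfg protocol.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

AGENTCFG_PORTS = range(44970, 44995)   # the range -findall walks, per the guide

def port_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                    # refused, timed out or unreachable
        return False

def sweep(host, ports=AGENTCFG_PORTS, timeout=0.5, workers=25):
    """Return the sorted list of ports on host that accept a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = list(pool.map(lambda p: (p, port_open(host, p, timeout)), ports))
    return sorted(p for p, ok in hits if ok)

def inventory(hosts, **kw):
    """Map each host to its open agentCfg ports; hosts with none are omitted."""
    found = {}
    for host in hosts:
        open_ports = sweep(host, **kw)
        if open_ports:
            found[host] = open_ports
    return found

def self_test():
    """Loopback check that needs no adapter: listen on one ephemeral port, bind a
    second without listening so it is known to refuse connections, sweep both,
    and return (listening_port, ports_found)."""
    listener, spare = socket.socket(), socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                 # the handshake completes without accept()
    spare.bind(("127.0.0.1", 0))
    listening, refused = listener.getsockname()[1], spare.getsockname()[1]
    try:
        found = sweep("127.0.0.1", ports=[refused, listening])
    finally:
        listener.close()
        spare.close()
    return listening, found

if __name__ == "__main__":
    import sys
    for host, ports in inventory(sys.argv[1:] or ["127.0.0.1"]).items():
        print(host, ports)
```

Run it with one or more host names or addresses as arguments; with none it sweeps the local host, which is the same case as agentCfg -list. Keep the timeout short on a LAN and raise it only for hosts behind a WAN link, otherwise a filtered port costs the full timeout per probe.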
Chapter 5. Configuring SSL authentication for the Lotus Notes
adapter
In order to establish a secure connection between a Tivoli Identity Manager
adapter and the Tivoli Identity Manager Server, you must configure the adapter
and the server to use the Secure Sockets Layer (SSL) authentication with the
default communication protocol, DAML. By configuring the adapter for SSL, you
ensure that the Tivoli Identity Manager Server verifies the identity of the adapter
before a secure connection is established.
You can configure SSL authentication for connections that originate from the Tivoli
Identity Manager Server or from the adapter. Typically, the Tivoli Identity Manager
Server initiates a connection to the adapter in order to set or retrieve the value of a
managed attribute on the adapter. However, depending on the security
requirements of your environment, you might need to configure SSL authentication
for connections that originate from the adapter. For example, if the adapter uses
events to notify the Tivoli Identity Manager Server of changes to attributes on the
adapter, you can configure SSL authentication for Web connections that originate
from the adapter to the Web server used by the Tivoli Identity Manager Server.
In a production environment, you need to enable SSL security; however, for testing
purposes you might want to disable SSL. If an external application that
communicates with the adapter (such as the Tivoli Identity Manager Server) is set
to use server authentication, you must enable SSL on the adapter to verify the
certificate that the application presents.
This chapter presents an overview of SSL authentication, certificates, and how to
enable SSL authentication using the CertTool utility.
Overview of SSL and digital certificates
When you deploy Tivoli Identity Manager in an enterprise network, you must
secure communication between the Tivoli Identity Manager Server and the
software products and components with which the server communicates. The
industry-standard SSL protocol, which uses signed digital certificates from a
certificate authority (CA) for authentication, is used to secure communication in a
Tivoli Identity Manager deployment. Additionally, SSL provides encryption of the
data exchanged between the applications. Encryption makes data transmitted over
the network intelligible only to the intended recipient.
Signed digital certificates enable two applications connecting in a network to
authenticate each other’s identity. An application acting as an SSL server presents
its credentials in a signed digital certificate to verify to an SSL client that it is the
entity it claims to be. An application acting as an SSL server can also be configured
to require the application acting as an SSL client to present its credentials in a
certificate, thereby completing a two-way exchange of certificates. Signed
certificates are issued by a third-party certificate authority for a fee. Some utilities,
such as those provided by OpenSSL, can also issue signed certificates.
A certificate-authority certificate (CA certificate) must be installed to verify the
origin of a signed digital certificate. When an application receives another
application’s signed certificate, it uses a CA certificate to verify the originator of
the certificate. A certificate authority can be well-known and widely used by other
organizations, or it can be local to a specific region or company. Many applications,
such as Web browsers, are configured with the CA certificates of well-known
certificate authorities to eliminate or reduce the task of distributing CA certificates
throughout the security zones in a network.
Private keys, public keys, and digital certificates
Keys, digital certificates, and trusted certificate authorities are used to establish and
verify the identities of applications.
SSL uses public key encryption technology for authentication. In public key
encryption, a public key and a private key are generated for an application. Data
encrypted with the public key can only be decrypted using the corresponding
private key. Similarly, the data encrypted with the private key can only be
decrypted using the corresponding public key. The private key is
password-protected in a key database file so that only the owner can access the
private key to decrypt messages that are encrypted using the corresponding public
key.
A signed digital certificate is an industry-standard method of verifying the
authenticity of an entity, such as a server, client, or application. In order to ensure
maximum security, a certificate is issued by a third-party certificate authority (CA).
A certificate contains the following information to verify the identity of an entity:
Organizational information
This section of the certificate contains information that uniquely identifies
the owner of the certificate, such as organizational name and address. You
supply this information when you generate a certificate using a certificate
management utility.
Public key
The receiver of the certificate uses the public key to verify the signature
on data that the certificate owner signed with the corresponding private
key, and so to verify the owner's identity. Only the owner holds the
private key.
Certificate authority’s distinguished name
The issuer of the certificate identifies itself with this information.
Digital signature
The issuer of the certificate signs it with a digital signature to verify its
authenticity. This signature is compared to the signature on the
corresponding CA certificate to verify that the certificate originated from a
trusted certificate authority.
Web browsers, servers, and other SSL-enabled applications generally accept as
genuine any digital certificate that is signed by a trusted certificate authority and is
otherwise valid. For example, a digital certificate can be invalidated because it has
expired or the CA certificate used to verify it has expired, or because the
distinguished name in the digital certificate of the server does not match the
distinguished name specified by the client.
Self-signed certificates
You can use self-signed certificates to test an SSL configuration before you create
and install a signed certificate issued by a certificate authority. A self-signed
certificate contains a public key, information about the owner of the certificate, and
the owner’s signature. It has an associated private key, but it does not verify the
origin of the certificate through a third-party certificate authority. Once you
generate a self-signed certificate on an SSL server application, you must extract it
and add it to the certificate registry of the SSL client application.
This procedure is the equivalent of installing a CA certificate that corresponds to a
server certificate. However, you do not include the private key in the file when
you extract a self-signed certificate to use as the equivalent of a CA certificate.
Use a key management utility to generate a self-signed certificate and a private
key, to extract a self-signed certificate, and to add a self-signed certificate.
Where and how you choose to use self-signed certificates depends on your security
requirements. In order to achieve the highest level of authentication between
critical software components, do not use self-signed certificates, or use them
selectively. For example, you can choose to authenticate applications that protect
server data with signed digital certificates, and use self-signed certificates to
authenticate Web browsers or Tivoli Identity Manager adapters.
If you are using self-signed certificates, in the following procedures you can
substitute a self-signed certificate for a certificate and CA certificate pair.
Certificate and key formats
Certificates and keys are stored in files with the following formats:
.pem format
A privacy-enhanced mail (.pem ) format file begins and ends with the
following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
A .pem file format supports multiple digital certificates, including a
certificate chain. If your organization uses certificate chaining, use this
format to create CA certificates.
.arm format
An .arm file contains a base-64 encoded ASCII representation of a
certificate, including its public key, but not its private key. An .arm file
format is generated and used by the IBM Key Management utility.
.der format
A .der file contains binary data. A .der file can only be used for a single
certificate, unlike a .pem file, which can contain multiple certificates.
.pfx format (PKCS12)
A PKCS12 file is a portable file that contains a certificate and a
corresponding private key. This format is useful for converting from one
type of SSL implementation to a different implementation. For example,
you can create and export a PKCS12 file using the IBM Key Management
utility, then import the file to another machine using the CertTool utility.
The use of SSL authentication
When you start the adapter, the available connection protocols are loaded. The
DAML protocol is the only available protocol that supports the use of SSL
authentication. You can specify to use the DAML SSL implementation.
The DAML SSL implementation uses a certificate registry to store private keys and
certificates. The location of the certificate registry is managed internally by the
CertTool key and certificate management tool; therefore, you do not specify the
location of the registry when you perform certificate management tasks.
For more information on the DAML protocol, see “Changing protocol
configuration settings” on page 20.
Configuring certificates for SSL authentication
Use the following procedures to configure the adapter for one-way or two-way SSL
authentication using signed certificates. In order to perform these procedures, use
the CertTool utility.
Configuring certificates for one-way SSL authentication
In this scenario, the Tivoli Identity Manager Server and the Tivoli Identity Manager
adapter are set to use SSL. Client authentication is not set on either application.
The Tivoli Identity Manager Server operates as the SSL client and initiates the
connection. The adapter operates as the SSL server and responds by sending its
signed certificate to the Tivoli Identity Manager Server. The Tivoli Identity
Manager Server uses the CA certificate that is installed to validate the certificate
sent by the adapter.
In Figure 6, Application A operates as the Tivoli Identity Manager Server, and
Application B operates as the Tivoli Identity Manager adapter.
In order to configure one-way SSL, perform the following tasks for each
application:
1. On the adapter, complete these steps:
a. Start the CertTool utility.
b. In order to configure the SSL-server application with a signed certificate
issued by a certificate authority:
1) Create a certificate signing request (CSR) and private key. This step
creates the certificate with an embedded public key and a separate
private key and places the private key in the PENDING_KEY registry
value.
2) Submit the CSR to the certificate authority using the instructions
supplied by the CA. When you submit the CSR, specify that you want
the root CA certificate returned with the server certificate.
Figure 6. One-way SSL authentication (server authentication). The illustration shows the Tivoli Identity Manager Server (SSL client, with the CA certificate in its keystore) sending Hello, the adapter (SSL server) sending its certificate, and the server verifying that certificate against the CA certificate.
2. On the Tivoli Identity Manager Server, complete one of these steps:
v If you are configuring the use of a signed certificate issued by a well-known
CA, ensure that the Tivoli Identity Manager Server has stored the root
certificate of the CA (CA certificate) in its keystore. If the keystore does not
contain the CA certificate, extract the CA certificate from the adapter and add
it to the keystore of the server.
v If you are configuring the use of self-signed certificates:
– If you generated the self-signed certificate on the Tivoli Identity Manager
Server, the certificate is already installed in its keystore.
– If you generated the self-signed certificate using the key management
utility of another application, extract the certificate from that application’s
keystore and add it to the keystore of the Tivoli Identity Manager Server.
Configuring certificates for two-way SSL authentication
In this scenario, the Tivoli Identity Manager Server and the Tivoli Identity Manager
adapter are set to use SSL and the adapter is set to use client authentication. After
sending its certificate to the Tivoli Identity Manager Server, the adapter requests
identity verification from the server, which sends its signed certificate to the
adapter. Both applications are configured with signed certificates and
corresponding CA certificates.
In Figure 7, the Tivoli Identity Manager Server operates as Application A, and the
Tivoli Identity Manager adapter operates as Application B.
The following procedure assumes that you have already configured the adapter
and Tivoli Identity Manager Server for one-way SSL authentication using the
procedure described in “Configuring certificates for one-way SSL authentication”
on page 44. Therefore, if you are using signed certificates from a CA:
v The adapter is configured with a private key and a signed certificate that was
issued by a CA.
v The Tivoli Identity Manager Server is configured with the CA certificate of the
CA that issued the signed certificate of the adapter.
In order to complete the certificate configuration for two-way SSL, perform the
following tasks:
Figure 7. Two-way SSL authentication (client authentication). The illustration shows the adapter (SSL server) sending its certificate after Hello, the Tivoli Identity Manager Server (SSL client) verifying it and sending its own certificate in return, and the adapter verifying that certificate. Each side holds its own certificate and the CA certificate of the CA that issued the other side's certificate.
1. On the Tivoli Identity Manager Server, create a CSR and private key, obtain a
certificate from a CA, install the CA certificate, install the newly signed
certificate, and extract the CA certificate to a temporary file.
2. On the adapter, add the CA certificate that was extracted from the keystore of
the Tivoli Identity Manager Server to the adapter.
When you have finished the two-way certificate configuration, each application has
its own certificate and private key and the CA certificate of the CA that issued the
certificates for each application.
Configuring certificates when the adapter operates as an SSL
client
In this scenario, the adapter operates as an SSL client in addition to operating as
an SSL server. This scenario applies if the adapter initiates a connection to the Web
server (used by the Tivoli Identity Manager Server) to send an event notification.
For example, the adapter initiates the connection and the Web server responds by
presenting its certificate to the adapter.
Figure 8 illustrates how a Tivoli Identity Manager adapter operates as an SSL server
and an SSL client. When communicating with the Tivoli Identity Manager Server,
the adapter sends its certificate for authentication. When communicating with the
Web server, the adapter receives the certificate of the Web server.
If the Web Server is configured for two-way SSL authentication, it verifies the
identity of the adapter, which sends its signed certificate to the Web server (not
shown in the illustration). In order to enable two-way SSL authentication between
the adapter and Web server, use the following procedure:
1. Configure the Web server to use client authentication.
2. Follow the procedure for creating and installing a signed certificate on the Web
server.
3. Install the CA certificate on the adapter using the CertTool utility.
4. Add the CA certificate corresponding to the signed certificate of the adapter to
the Web server.
Figure 8. Tivoli Identity Manager adapter operating as an SSL server and an SSL client. The illustration shows the adapter (A) presenting certificate A to the Tivoli Identity Manager Server (B), which verifies it with CA certificate A, and the Web server (C) presenting certificate C to the adapter, which verifies it with CA certificate C.
For more information on configuring certificates when the adapter initiates a
connection to the Web server (used by the Tivoli Identity Manager Server) to send
an event notification, see the Tivoli Identity Manager Information Center.
Managing SSL certificates using CertTool
The procedures in this section describe how to use the CertTool utility to manage
private keys and certificates.
This section includes instructions for performing the following tasks:
v “Starting CertTool.”
v “Generating a private key and certificate request” on page 49.
v “Installing the certificate” on page 50.
v “Installing the certificate and key from a PKCS12 file” on page 50.
v “Viewing the installed certificate” on page 51.
v “Viewing CA certificates” on page 51.
v “Installing a CA certificate” on page 51.
v “Deleting a CA certificate” on page 51.
v “Viewing registered certificates” on page 52.
v “Registering a certificate” on page 52.
v “Unregistering a certificate” on page 52.
Starting CertTool
In order to start the certificate configuration tool, CertTool, for the Lotus Notes
Adapter, complete these steps:
1. Select Programs from the Start menu, select Accessories, and then select
Command Prompt.
2. In the Microsoft Windows DOS Command Prompt window, change to the bin
directory for the adapter. For example, if the Lotus Notes Adapter directory is
in the default location, type the following command:
cd \Tivoli\Agents\NotesAgent\bin
3. Type CertTool -agent NotesAgent at the prompt. The Main menu is displayed:
Main menu - Configuring agent: NotesAgent
------------------------------
A. Generate private key and certificate request
B. Install certificate from file
C. Install certificate and key from PKCS12 file
D. View current installed certificate
E. List CA certificates
F. Install a CA certificate
G. Delete a CA certificate
H. List registered certificates
I. Register certificate
J. Unregister a certificate
K. Export certificate and key to PKCS12 file
X. Quit
Choice:
From the Main Menu, you can generate a private key and certificate request, install
and delete certificates, register and unregister certificates, and list certificates. The
following sections summarize the purpose of each group of options.
The first set of options (A through D) allows you to generate a CSR and install the
returned signed certificate on the adapter.
A. Generate private key and certificate request
Generate a CSR and the associated private key that is sent to the certificate
authority. For more information on option A, see “Generating a private key
and certificate request” on page 49.
B. Install certificate from file
Install a certificate from a file. This file must be the signed certificate
returned by the CA in response to the CSR that is generated by option A.
For more information on option B, see “Installing the certificate” on page
50.
C. Install certificate and key from a PKCS12 file
Install a certificate from a PKCS12 format file that includes both the public
certificate and a private key. If options A and B are not used to obtain a
certificate, the certificate that you use must be in PKCS12 format. For more
information on option C, see “Installing the certificate and key from a
PKCS12 file” on page 50.
D. View current installed certificate
View the certificate that is installed on the system. For more information
on option D, see “Viewing the installed certificate” on page 51.
The second set of options enable you to install root CA certificates on the adapter.
A CA certificate is used by the Tivoli Identity Manager adapter to validate the
corresponding certificate presented by a client, such as the Tivoli Identity Manager
Server.
E. List CA certificates
Show the installed CA certificates. The adapter only communicates with
Tivoli Identity Manager Servers whose certificates are validated by one of
the installed CA certificates.
F. Install a CA certificate
Install a new CA certificate so that certificates generated by this CA can be
validated. The CA certificate file can either be in X.509 or PEM encoded
formats. For more information on how to install a CA certificate, see
“Installing a CA certificate” on page 51.
G. Delete a CA certificate
Remove one of the installed CA certificates. For more information on how
to delete a CA certificate, see “Deleting a CA certificate” on page 51.
The remaining options (H through K) apply to adapters that must authenticate the
application (for example, the Tivoli Identity Manager Server or the Web server) to
which the adapter is sending information. These options enable you to register
certificates on the adapter. For Tivoli Identity Manager Version 4.5 or earlier, the
signed certificate of the Tivoli Identity Manager Server must be registered with an
adapter to enable client authentication on the adapter. If you do not intend to
upgrade an existing adapter to use CA certificates for client authentication, the
signed certificate presented by the Tivoli Identity Manager Server must be
registered with the adapter.
If you configure the adapter to use event notification, or client authentication is
enabled in DAML, then you must install the CA certificate corresponding to the
signed certificate of the Tivoli Identity Manager Server using the Install a CA
certificate option, option F.
H. List registered certificates
List all registered certificates that will be accepted for communications. For
more information on listing registered certificates, see “Viewing registered
certificates” on page 52.
I. Register a certificate
Register a new certificate. The certificate to be registered must be in
Base 64 encoded X.509 format or PEM. For more information on registering
certificates, see “Registering a certificate” on page 52.
J. Unregister a certificate
Unregister (remove) a certificate from the registered list. For more
information on unregistering certificates, see “Unregistering a certificate”
on page 52.
K. Export certificate and key to PKCS12 file
Export a previously installed certificate and private key. You will be
prompted for the filename and a password for encryption. For more
information on exporting a certificate and key to a PKCS12 file, see
“Exporting a certificate and key to PKCS12 file” on page 53.
Generating a private key and certificate request
A certificate signing request (CSR) is a text file that contains an unsigned
certificate: information about your organization, such as the organization name
and country, the public key of the adapter, and a self-signature made with the
adapter's private key that proves the requester holds that key. When you submit
the CSR to a certificate authority, the CA signs it with the CA's private key; the
corresponding CA certificate carries the matching public key, which relying
parties use to check that signature. The signed result is a valid certificate.
In order to generate a CSR file, complete these steps:
1. At the Main Menu of the CertTool, type A. The following message and prompt
is displayed:
Enter values for certificate request (press enter to skip value)
-------------------------------------------------------------------------
2. At the Organization prompt, type your organization name, and press Enter.
3. At the Organizational Unit prompt, type the organizational unit, and press
Enter.
4. At the Agent Name prompt, type the name of the adapter you are requesting
a certificate for, and press Enter.
5. At the Email prompt, type the e-mail address for the contact person for this
request, and press Enter.
6. At the Country prompt, type the country in which the adapter resides, and
press Enter.
7. At the State prompt, type the state in which the adapter resides (if the adapter
is located in the United States), and press Enter. Some certificate authorities
do not accept two letter abbreviations for states, so you must type the full
name of the state.
8. At the Locality prompt, type the name of the city in which the adapter
resides, and press Enter.
9. At the Accept these values prompt, type Y to accept the values displayed, or
type N to re-enter the values, and press Enter.
The private key and certificate request are generated once the values are
accepted.
10. At the Enter name of file to store PEM cert request prompt, type the name of
the file that you want to use to store the values you specified during the
previous steps, and press Enter.
11. Press Enter to continue. The certificate request and input values are written to
the file you specified, and the Main Menu is displayed again.
You can now request a certificate from a trusted CA by sending the .pem file that
you just generated to a certificate authority vendor.
Example of certificate signing request
Your CSR file will look similar to the following example:
-----BEGIN CERTIFICATE REQUEST-----
MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
aW5lZXJpbmcxEDAOBgNVBAMTB250YWdlbnQxJDAiBgkqhkiG9w0BCQEWFW50YWdl
bnRAYWNjZXNzMzYwLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExDzANBgNVBAcTBklydmluZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
mR6AcPnwf6hLLc72BmUkAwaXcebtxCoCnnTH9uc8VuMHPbIMAgjuC4s91hPrilG7
UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
-----END CERTIFICATE REQUEST-----
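The request above can be inspected before it goes anywhere. The walker below is an added example for this guide, not code from CertTool or IBM; it uses only the Python standard library, treats the guide's own CSR as constructed sample input, and its OID table is limited to the fields such a request carries. On that sample it reports the subject O=access360, OU=engineering, CN=ntagent, emailAddress=ntagent@access360.com, C=US, ST=California, L=Irvine, a 1024-bit RSA key, and an md2WithRSAEncryption self-signature. Both the key size and the digest were ordinary when this guide was written; a CA today would reject the request on either count, which is what review() flags.

```python
"""Decode a PKCS#10 certificate signing request with the standard library only.
Added example, not code from CertTool or the IBM guide: walks the DER structure
of a CSR and reports subject, key size and signature algorithm, the things to
check before a request goes to a CA. The OID table covers only CSR fields.
"""
import base64
import re

# The guide's own sample CSR, used here as constructed input.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIIB1jCCAT8CAQAwgZUxEjAQBgNVBAoTCWFjY2VzczM2MDEUMBIGA1UECxMLZW5n
aW5lZXJpbmcxEDAOBgNVBAMTB250YWdlbnQxJDAiBgkqhkiG9w0BCQEWFW50YWdl
bnRAYWNjZXNzMzYwLmNvbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExDzANBgNVBAcTBklydmluZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
mR6AcPnwf6hLLc72BmUkAwaXcebtxCoCnnTH9uc8VuMHPbIMAgjuC4s91hPrilG7
UtlbOfy6X3R3kbeR8apRR9uLYrPIvQ1b4NK0whsytij6syCySaFQIB6V7RPBatFr
6XQ9hpsARdkGytZmGTgGTJ1hSS/jA6mbxpgmttz9HPECAwEAAaAAMA0GCSqGSIb3
DQEBAgUAA4GBADxA1cDkvXhgZntHkwT9tCTqUNV9sim8N/U15HgMRh177jVaHJqb
N1Er46vQSsOOOk4z2i/XwOmFkNNTXRVl9TLZZ/D+9mGZcDobcO+lbAKlePwyufxK
Xqdpu3d433H7xfJJSNYLYBFkrQJesITqKft0Q45gIjywIrbctVUCepL2
-----END CERTIFICATE REQUEST-----
"""

OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURES = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}

def pem_to_der(pem):
    """Strip the PEM armour from a CERTIFICATE REQUEST block and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        yield tag, v

def oid_name(value):
    """Decode an OBJECT IDENTIFIER value to dotted form and name it where known."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this arc
            parts.append(str(acc))
            acc = 0
    oid = ".".join(parts)
    return OID_NAMES.get(oid, oid)

def parse_csr(pem):
    """Return version, subject, key algorithm and size, and signature algorithm."""
    der = pem_to_der(pem)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE does not span the whole request")
    (_, info), (_, sig_alg), _ = list(children(body))[:3]
    (_, version), (_, subject), (_, spki) = list(children(info))[:3]
    subj = {}                         # Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value}
    for _, rdn in children(subject):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            subj[oid_name(oid)] = val.decode("ascii", "replace")
    (_, alg), (_, bits) = list(children(spki))[:2]   # SubjectPublicKeyInfo
    key_alg = oid_name(next(children(alg))[1])
    key_bits = None
    if key_alg == "rsaEncryption":    # bits[0] is the BIT STRING's unused-bit count
        _, rsa, _ = read_tlv(bits, 1)                # RSAPublicKey ::= SEQUENCE {n, e}
        key_bits = int.from_bytes(next(children(rsa))[1], "big").bit_length()
    return {"version": int.from_bytes(version, "big"), "subject": subj,
            "key_algorithm": key_alg, "key_bits": key_bits,
            "signature_algorithm": oid_name(next(children(sig_alg))[1])}

def review(info, min_rsa_bits=2048):
    """List the reasons a CA (or an auditor) would reject this request today."""
    problems = []
    if info["key_algorithm"] == "rsaEncryption" and info["key_bits"] < min_rsa_bits:
        problems.append("RSA key is only %d bits, want at least %d" % (info["key_bits"], min_rsa_bits))
    if info["signature_algorithm"] in WEAK_SIGNATURES:
        problems.append("request is signed with %s, a broken digest" % info["signature_algorithm"])
    return problems
```

parse_csr() reads the three top-level parts of a PKCS#10 request (CertificationRequestInfo, signature algorithm, signature) and descends only as far as the fields an operator needs; attributes and the signature value are left alone. The CN is the value you typed at the Agent Name prompt, so checking it here catches a request made for the wrong adapter before the CA charges for it.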
Installing the certificate
Once you receive your certificate from your trusted CA, you install it in the
registry of the adapter. In order to install the certificate, complete these steps:
1. If you received the certificate as part of an e-mail message, copy the text of the
certificate to a text file, and copy that file to the bin directory for the adapter.
For example,
C:\Tivoli\Agents\<adaptername>\bin
2. At the Main Menu of the CertTool, type B. The following prompt is displayed:
Enter name of certificate file:
-------------------------------------------------------------------------
3. At the Enter name of certificate file prompt, type the full path to the
certificate file, and press Enter.
The certificate is installed in the registry for the adapter, and the Main Menu is
displayed again.
Installing the certificate and key from a PKCS12 file
If you do not use the CertTool utility to generate a CSR to obtain a certificate, you
must install both the certificate and private key, which must be stored in a PKCS12
file. The CA might send a password-protected PKCS12 file (a file with the .pfx
extension) that includes both the certificate and private key. In order to
install the certificate from this PKCS12 file, complete these steps:
1. Copy the PKCS12 file to the \bin directory for the adapter. For example,
C:\Tivoli\Agents\<adaptername>\bin
2. At the Main Menu for the CertTool, type C. The following prompt is displayed:
Enter name of PKCS12 file:
-------------------------------------------------------------------------
50 IBM Tivoli Identity Manager: Lotus Notes Adapter Installation and Configuration Guide
3. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file
that has the certificate and private key information, and press Enter. For
example, DamlSrvr.pfx.
4. At the Enter password prompt, type the password to access the file, and press
Enter.
The certificate and private key are installed in the adapter registry, and the Main
Menu is displayed.
Viewing the installed certificate
In order to list the certificate that is installed on your system, at the Main Menu of
CertTool, type D.
The installed certificate is listed, and the Main Menu is displayed. The following
example lists an installed certificate:
The following certificate is currently installed.
Subject: c=US,st=California,l=Irvine,o=DAML,cn=DAMLServer
Installing a CA certificate
If you are using client authentication, you need to install a CA certificate. The CA
certificate you install is issued by a certificate authority vendor.
In order to install a CA certificate that was extracted into a temporary file,
complete the following steps:
1. At the Main Menu prompt, type F (Install a CA certificate).
The following prompt is displayed:
Enter name of certificate file:
2. At the Enter name of certificate file prompt, type the name of the certificate
file, such as DamlCACerts.pem, and press Enter.
The certificate file is opened, and the following prompt is displayed:
[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Install the CA? (Y/N)
3. At the Install the CA prompt, type Y to install the certificate, and press Enter.
The certificate file is installed in the CACerts.pem file.
Viewing CA certificates
CertTool only installs one certificate and one private key. In order to list the CA
certificate that is installed on the adapter, type E at the Main Menu prompt.
The installed CA certificates are displayed and the Main Menu is displayed. The
following example lists an installed CA certificate:
Subject: o=IBM,ou=SampleCACert,cn=TestCA
Valid To: Wed Jul 26 23:59:59 2006
Deleting a CA certificate
In order to delete a CA certificate from the adapter directories, complete the
following steps:
1. At the Main Menu prompt, type G.
A list of all CA certificates installed on the adapter is displayed.
0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
Enter number of CA certificate to remove:
2. At the Enter number of CA certificate to remove prompt, type the number of
the CA certificate that you want to remove, and press Enter.
The CA certificate is deleted from the CACerts.pem file, and the Main Menu is
displayed.
Viewing registered certificates
Only requests that present a registered certificate will be accepted by the adapter
when client validation is enabled.
In order to view a list of all registered certificates available to the adapter, at the
Main Menu prompt, type H.
The registered certificates are displayed and the Main Menu is displayed. The
following example lists registered certificates:
0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
Registering a certificate
In order to register a certificate for the adapter, complete the following steps:
1. At the Main Menu prompt, type I.
The following prompt is displayed:
Enter name of certificate file:
2. At the Enter name of certificate file prompt, type the name of the certificate
file that you want to register, and press Enter.
The subject of the certificate is displayed, and a prompt is displayed, for
example:
[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Register this CA? (Y/N)
3. At the Register this CA prompt, type Y to register the certificate, and press
Enter.
The certificate is registered to the adapter, and the Main Menu is displayed.
Unregistering a certificate
In order to unregister a certificate for the adapter, complete the following steps:
1. At the Main Menu prompt, type J.
The registered certificates are displayed. The following example lists registered
certificates:
0 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
1 - [email protected],c=US,st=California,l=Irvine,o=IBM,ou=Support,cn=Support
2. Type the number of the certificate file that you want to unregister, and press
Enter.
The subject of the selected certificate is displayed, and a prompt is displayed,
for example:
[email protected],c=US,st=California,l=Irvine,o=IBM,ou=Engineering,cn=Eng
Unregister this CA? (Y/N)
3. At the Unregister this CA prompt, type Y to unregister the certificate, and
press Enter.
The certificate is removed from the registered certificate list for the adapter, and
the Main Menu is displayed.
Exporting a certificate and key to PKCS12 file
In order to export a certificate and key to a PKCS12 file for the adapter, complete
the following steps:
1. At the Main Menu prompt, type K.
The following prompt is displayed:
Enter name of PKCS12 file:
2. At the Enter name of PKCS12 file prompt, type the name of the PKCS12 file
for the installed certificate or private key, and press Enter.
3. At the Enter Password prompt, type the password for the PKCS12 file, and
press Enter.
4. At the Confirm Password prompt, type the password again, and press Enter.
The certificate and private key are exported to the PKCS12 file, and the Main
Menu is displayed.
Chapter 6. Configuring the managed resource
Configuring the Domino server involves several steps that you must complete to
ensure proper setup for the Lotus Notes Adapter. While these steps can be
performed prior to installing the Lotus Notes Adapter, they must be performed
before the adapter will function properly.
Configuration of the Windows server is also required.
Domino Server configuration
In order for the Lotus Notes Adapter to work properly, the following configuration
must be done on the Lotus Domino Server.
Database creation on the Lotus Domino Server
The following registry keys are created by the Lotus Notes Adapter installer. The
values of the registry keys are user defined; the values listed are examples:
Table 14. Registry keys and their values
Registry key Key value/database name
NoteIDsAddressBook NoteIDsAddressBook.nsf
Log DB LogDB.nsf
To create a new database on the Lotus Domino Server, complete the following
steps for each registry key:
1. In the Domino Administrator console, click on File → Database → New.
2. In the New Database window, set the parameters for database creation
according to the following values:
Table 15. Values to specify during database creation
Server: Name of the registration server
Title: Title of the new database
File name: Filename of the database to be created. This value should correspond to the value of the registry key, for example NoteIDsAddressBook and LogDB.
Template: The recommended template for the NoteIDsAddressBook database file is the blank template. The recommended template for the LogDB database file is the Personal Address Book template.
Click OK.
3. Repeat steps 1 and 2 for each registry key.
© Copyright IBM Corp. 2003, 2005 55
Group creation on the Lotus Domino Server
Before you begin to create a group on the Lotus Domino Server, set the values of
the following registry keys. The values of the registry keys are user defined; the
values listed are examples:
Table 16. Registry keys and their values
Registry key Key value/group name
Suspend Group Suspended users
Suspend HTTPPassword Suspended HTTP users
Delete Group Deleted users
To create a new group on the Lotus Domino Server, complete the following steps
for each registry key:
1. In the Domino Administrator console, select the People & Groups tab.
2. In the left window pane, click on Groups.
3. In the Group View, click the Add Group icon.
4. In the New Group window, set the parameters for group creation according to
the following values:
Table 17. Values to specify during group creation
Field name Value
Group name Name of the group
Group type Multi-purpose
Description Brief description of the group
Click Save & Close.
5. Repeat steps 3 and 4 for each registry key.
Mail quota size requirements for Lotus Notes 6
In order to enforce the mail quota size on a Lotus Notes 6 server, complete these
steps:
1. In the Domino Administrator console, select the Configuration tab.
2. In the left window pane, click on Messaging → Configurations.
3. In the Configuration Settings console, click the Add Configuration icon to
create a new configuration document.
4. In the Configuration Settings console, click the Basics tab and select one of the
following fields:
v Use these settings as the default setting for all servers
v Group or Server name
5. In the Configuration Setting console, select the Router/SMTP → Restrictions
and Controls → Delivery Controls tabs.
For the Over quota enforcement setting, click on the drop down list, select
Non deliver to originator, and click OK.
6. In the Configuration Setting console, press the Save & Close button to save the
configuration setting change.
The new configuration document is listed in the console.
Required environment settings on Windows
To add the directory path of the nnotes.dll file to the environment path, complete
the following steps:
1. On your desktop, right click on the My Computer icon and select the
Properties menu.
2. In the System Properties window, click on the Advanced tab, then the
Environment Variables button.
3. In the Advanced tab, select Path under the System variables section and click
Edit.
4. In the Variable Value field, append the location of your Notes Client, for
example
C:\Lotus\Notes
5. In the Edit System Variable window, click OK.
6. In the Environment Variables window, click OK.
7. In the System Properties window, click Apply and then OK.
8. If the Lotus Notes Adapter is running, stop the adapter and restart it.
Chapter 7. Customizing the Lotus Notes adapter
You can update the Lotus Notes Adapter JAR file, NotesProfile.jar, to make
changes to the adapter schema, account form, service form, and profile properties.
In order to make such updates, you must extract the files from the JAR file, make
changes to the necessary files, and repackage the JAR file with the updated files.
Follow these steps in order to customize the Lotus Notes Adapter profile:
1. Copy the JAR file to a temporary directory and extract the files. For more
information on extracting the files, see “Copy the NotesProfile.jar file and
extract the files.”
2. Make the appropriate file changes.
3. Install the new attributes on the Tivoli Identity Manager Server. For more
information on updating this file, see “Create a new JAR file and install the
new attributes on the Tivoli Identity Manager Server” on page 60.
Copy the NotesProfile.jar file and extract the files
The profile JAR file, NotesProfile.jar, is included in the Lotus Notes Adapter
compressed file that you downloaded from the IBM Web site. The NotesProfile.jar
file contains the following files:
v CustomLabels.properties
v erNotesAccount.xml
v erNotesDAMLService.xml
v resource.def
v schema.dsml
v xforms.xml
You can modify these files to customize your environment.
When you finish updating the profile JAR file, install it on the Tivoli Identity
Manager Server. For more information on the profile installation, see “Importing
the adapter profile into the Tivoli Identity Manager Server” on page 14.
In order to modify the NotesProfile.jar file, complete the following steps:
1. Log in to the system where the Lotus Notes Adapter is installed.
2. On the Start menu, click Programs → Accessories → Command Prompt.
3. Copy the NotesProfile.jar file into a temporary directory.
4. Extract the contents of the NotesProfile.jar file into the temporary directory by
running the following command:
cd c:\temp
jar -xvf NotesProfile.jar
The jar command will create the c:\temp\NotesProfile directory.
5. Edit the appropriate file.
Create a new JAR file and install the new attributes on the Tivoli Identity Manager Server
Once you modify the schema.dsml and CustomLabels.properties files, you must
import these files, and any other files that were modified for the adapter, into the
Tivoli Identity Manager Server for the changes to take effect.
In order to install the new attributes, complete the following steps:
1. Create a new JAR file using the files in the \temp directory by running the
following commands:
cd c:\temp
jar -cvf NotesProfile.jar NotesProfile
2. Import the NotesProfile.jar file into the Tivoli Identity Manager Application
Server. For more information on importing the file, see “Importing the adapter
profile” on page 14.
3. Stop and start the directory server.
4. Stop and start the Lotus Notes Adapter service for the changes to take effect.
Managing passwords when restoring accounts
When a person’s accounts are restored from being previously suspended, you are
prompted to supply a new password for the reinstated accounts. However, there
are circumstances when you might want to circumvent this behavior.
The password requirement to restore an account on Lotus Domino Server falls into
two categories: allowed and required. How each restore action interacts with its
corresponding managed resource depends on either the managed resource, or the
business processes that you implement. Certain resources will reject a password
when a request is made to restore an account. In this case, you can configure Tivoli
Identity Manager to forego the new password requirement. You can set the Lotus
Notes Adapter to require a new password when the account is restored, if your
company has a business process in place that dictates that the account restoration
process must be accompanied by resetting the password.
In the resource.def file, you can define whether or not a password is required as a
new protocol option. When you import the adapter profile, if an option is not
specified, the adapter profile importer determines the correct restoration password
behavior from the schema.dsml and xforms.xml files. Adapter profile components
also enable remote services to find out if you discard a password that is entered by
the user in a situation where multiple accounts on disparate resources are being
restored. In this scenario, only some of the accounts being restored might require a
password. Remote services will discard the password from the restore action for
those managed resources that do not require them.
In order to configure the Lotus Notes Adapter to not prompt for a new password
when restoring accounts:
1. Stop the Tivoli Identity Manager Server.
2. Extract the files from the NotesProfile.jar file. For more information on
customizing the adapter profile file, see “Copy the NotesProfile.jar file and
extract the files” on page 59.
3. Change to the \NotesProfile directory, where the resource.def file has been
created.
4. Edit the resource.def file to add the new protocol options, for example:
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_REQUIRED_ON_RESTORE" Value = "TRUE"/>
<Property Name = "com.ibm.itim.remoteservices.ResourceProperties.PASSWORD_NOT_ALLOWED_ON_RESTORE" Value = "FALSE"/>
By adding the two options in the example above, you are ensuring that you
will not be prompted for a password when an account is restored.
5. Create a new NotesProfile.jar file using the resource.def file and import the
adapter profile file into the Tivoli Identity Manager Server. For more
information, see “Create a new JAR file and install the new attributes on the
Tivoli Identity Manager Server” on page 60.
6. Start the Tivoli Identity Manager Server again.
Note: If you are upgrading an existing adapter profile, the new adapter profile
schema will not be reflected immediately. You need to stop and start the
Tivoli Identity Manager Server in order to refresh the cache and therefore
the adapter schema. For more information on upgrading an existing adapter,
see “Upgrading the Lotus Notes adapter” on page 69.
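The following Python helper reads the two restore-password options from a resource.def file, reports which restore behaviour they select (including the contradictory combination), and applies the step 4 change. It is an added example, not adapter or Tivoli Identity Manager code; the <Resource> root element of the constructed sample is an assumption, and only the two Property names and values come from this guide.

```python
"""Inspect and set the restore-password protocol options in resource.def.
Added example, not adapter code. The <Resource> root element is an
assumption; only the two Property names and values come from the guide."""
import xml.etree.ElementTree as ET

PREFIX = "com.ibm.itim.remoteservices.ResourceProperties."
NOT_REQUIRED = PREFIX + "PASSWORD_NOT_REQUIRED_ON_RESTORE"
NOT_ALLOWED = PREFIX + "PASSWORD_NOT_ALLOWED_ON_RESTORE"

# Constructed sample of a profile that says nothing about restore passwords.
SAMPLE_RESOURCE_DEF = """<Resource>
  <!-- other profile content omitted from this constructed sample -->
</Resource>"""


def _flags(root):
    """Return (NOT_REQUIRED, NOT_ALLOWED) values upper-cased, or None when absent."""
    found = {}
    for el in root.iter("Property"):
        name = (el.get("Name") or "").strip()
        if name in (NOT_REQUIRED, NOT_ALLOWED):
            found[name] = (el.get("Value") or "").strip().upper()
    for value in found.values():
        if value not in ("TRUE", "FALSE"):
            raise ValueError(f"option value must be TRUE or FALSE, got {value!r}")
    return found.get(NOT_REQUIRED), found.get(NOT_ALLOWED)


def restore_password_policy(xml_text):
    """Classify the restore behaviour the file selects.

    'unspecified' - neither option present; the profile importer decides
                    from schema.dsml and xforms.xml
    'required'    - a new password must be supplied when restoring
    'optional'    - the user is not prompted for a new password on restore
    'not-allowed' - the resource rejects a password on restore
    """
    not_required, not_allowed = _flags(ET.fromstring(xml_text))
    if not_allowed == "TRUE":
        if not_required == "FALSE":
            raise ValueError("contradictory options: password required but not allowed")
        return "not-allowed"
    if not_required == "TRUE":
        return "optional"
    if not_required == "FALSE":
        return "required"
    return "unspecified"


def set_no_prompt_on_restore(xml_text):
    """Add or update the two options exactly as step 4 of the guide shows.

    Existing Property elements are updated in place so that the rest of the
    profile is left untouched; missing ones are appended."""
    root = ET.fromstring(xml_text)
    wanted = {NOT_REQUIRED: "TRUE", NOT_ALLOWED: "FALSE"}
    for el in root.iter("Property"):
        name = (el.get("Name") or "").strip()
        if name in wanted:
            el.set("Value", wanted.pop(name))
    for name, value in wanted.items():  # whichever options were missing
        ET.SubElement(root, "Property", Name=name, Value=value)
    return ET.tostring(root, encoding="unicode")
```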
Chapter 8. Verification of the Lotus Notes adapter installation
The Lotus Notes Adapter is installed on the Lotus Domino Server and
automatically starts whenever the server is rebooted. However, the service is not
active after the adapter is installed.
To ensure that the Lotus Notes Adapter installed correctly, verify that the following
conditions are met, once the server has been started:
v The Administrator ID must have previously been logged on the Notes Client, on
the same machine where the Adapter is running. The adapter requires that the
last ID logged on the Notes Client be the Administrator ID.
You can use any of the following scenarios to start the adapter:
– You can stay logged onto the Notes Client, as the Administrator ID, while the
Lotus Notes Adapter is running.
– You can log on as the Administrator ID, immediately log off, and then start
the adapter. After you log off of the Administrator ID, make sure that no
other user logs on while the adapter is running.
– You can log on as the Administrator ID, log off immediately, and then restart
the machine where the adapter is installed. Start the adapter after the
machine is restarted and ensure that no other user logs on while the adapter
is running.
Note: Make sure that Administrator is logged on properly, using its own ID file
and not the ID file of another user. There can be cases where the ID file
being used is the server.id file, the dolcert.id file, or another user’s ID file.
Avoid logging on with these ID files prior to running the adapter.
v The xforms.xml file that is in the adapter’s \data directory should be the same
as the one on the Tivoli Identity Manager Server.
v No dll files should be in the adapter’s \bin directory.
v If the registry entries for the Notes Adapter are present, then the adapter is
installed. Use one of the following methods to check the registry settings:
– If the adapter is running, start the agentcfg.exe tool to view the registry
entries that are present.
– If the adapter is not running, start the regis.exe utility to check the registry
keys and their values.
v Make sure that there are Log DB and NoteIDsAddressBook entries in the
registry, along with their proper values. Both of these databases should be
created on the Lotus Domino Registration Server before the adapter is started.
v The Suspend Group, HTTP Suspend Group and Delete Group entries, and
their respective values, should be in the registry. These groups should also be
created on the Lotus Domino Server before the adapter is started.
v The name of the Lotus Notes Adapter should appear in the Services window.
To check the Services window, do the following:
1. Go to Start → Settings → Control Panel → Administrative Tools → Services.
2. Scan the list of Service names for Lotus Notes Adapter.
Storing existing data using the Shadow utility
Once you have verified that the adapter was properly installed and started, the
NotesShadowAgent utility (Shadow utility) can be used to create a database that
stores the information for existing users, that is, users that were created before
the Lotus Notes Adapter was run.
The Shadow utility is shipped with the Lotus Notes Adapter. While the Lotus
Notes Adapter stores user information for newly created user accounts, the
Shadow utility has the capability of storing information for existing users. Existing
users send their user name, password, and a copy of their user ID file to a Lotus
Notes mailbox, which the Shadow utility uses. Prior to running the Shadow utility,
all existing Lotus Notes user information should be e-mailed to the Lotus Notes
e-mail address that is used by the Shadow utility.
Before you run the Shadow utility, create a Lotus Notes e-mail account via the
Domino Administrator. This mailbox will be used to receive the password and ID
file information from existing users. To properly setup the mailbox to receive the
user’s information, complete the following steps:
1. Create a user ID, for example, ITIM, on the Lotus Domino Server. Specify the
name of the mail file for this mailbox, for example, ITIM.nsf. The e-mail
account (ITIM) can be created by specifying a different e-mail server for its mail
file (ITIM.nsf).
2. Ensure that the Administrator has the following access to this mailbox:
manager plus delete.
Next, have the existing users send a Lotus Notes memo containing their user name
and password, with a copy of their ID file attached, to the ITIM.nsf e-mail account
that the Shadow utility uses to update the NoteIDsAddressBook database. The user
information must be in the following format:
CN=fn mn ln/O=company
password
fn is the user’s first name, mn is the user’s middle name, ln is the user’s last name,
company is your company name, and password is the user’s ID file password.
Note: Avoid adding a space before and after the = sign in the CN value.
Run the following command, with the specified arguments, to run the Shadow
utility:
NotesShadowDB -m MailDB [-s ServerName] [-n ShadowDBName] [-k]
The options are:
-m MailDB
This is a mandatory parameter. MailDB is the mail database name that
contains the user’s password and ID file. If this switch is not specified, the
Shadow utility will display the following error message:
MailDB not specified, Mandatory Argument
-s ServerName
If the registration server and e-mail server are the same:
This is an optional parameter. ServerName is the name of the Lotus
Domino E-mail Server, where the e-mail file (for example,
ITIM.nsf) is installed. If this option is not specified, the default
value for the e-mail server is read from the Domino Server registry
key, which is located under:
HKEY_LOCAL_MACHINE\SOFTWARE\Access360\NotesShadowAgent\Specific
If the registration server and e-mail server are NOT the same:
In this case the parameter is mandatory. ServerName is the name of
the Lotus Domino E-mail Server, where the e-mail file (for
example, ITIM.nsf) is installed. If the value for this option is not
specified, the Shadow utility returns an error indicating that the
mail file was not found on the Domino Server.
-n ShadowDBName
This is an optional parameter. ShadowDBName is the file name of the
NoteIDsAddressBook database. If this option is not specified, the
default value is read from the NoteIDsAddressBook registry key, which is
located under HKEY_LOCAL_MACHINE\SOFTWARE\Access360\NotesShadowAgent\Specific.
-k This is an optional parameter. This option is used to keep the user’s mail
in the mail database after its information is imported to the
NoteIDsAddressBook database file. If this switch is not specified, the user’s
mail is deleted from the mail database file after it is successfully imported.
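The memo body format above is easy to get wrong (extra lines, spaces around the = sign, a missing middle name), and the Shadow utility imports whatever arrives. The following Python parser validates a memo body against that format before it is imported; it is an added example, not part of the Shadow utility, and treating the middle name as optional is an assumption (the guide shows first, middle and last name).

```python
"""Check a memo body sent to the Shadow utility mailbox against the
two-line format the guide requires:
    CN=fn mn ln/O=company
    password
Added example, not part of the Shadow utility. Treating the middle name as
optional is an assumption; the guide shows first, middle and last name."""
import re
from dataclasses import dataclass
from typing import Optional

_NAME_RE = re.compile(r"^CN=(?P<names>[^/=]+)/O=(?P<org>[^/=]+)$")


class ShadowFormatError(ValueError):
    """Raised when a memo body does not match the required format."""


@dataclass(frozen=True)
class ShadowEntry:
    first: str
    middle: Optional[str]
    last: str
    company: str
    password: str  # the user's ID-file password; keep it out of logs


def parse_shadow_memo(body: str) -> ShadowEntry:
    """Parse the memo body or raise ShadowFormatError describing the problem.

    Error messages only ever quote the name line, never the password line."""
    lines = [ln.rstrip("\r") for ln in body.split("\n")]
    # Mail clients often add blank lines before or after the text; drop them.
    while lines and not lines[0].strip():
        lines.pop(0)
    while lines and not lines[-1].strip():
        lines.pop()
    if len(lines) != 2:
        raise ShadowFormatError(
            f"expected 2 lines (name line, password line), got {len(lines)}")
    name_line, password = lines
    # The guide warns against spaces around '=' in the CN value; report that
    # case explicitly so the user can see what to fix.
    if re.search(r"\s=|=\s", name_line):
        raise ShadowFormatError("spaces around '=' are not allowed: " + name_line)
    match = _NAME_RE.match(name_line)
    if not match:
        raise ShadowFormatError(
            "first line must be CN=fn mn ln/O=company, got: " + name_line)
    parts = match.group("names").split()
    if len(parts) == 3:
        first, middle, last = parts
    elif len(parts) == 2:  # assumption: no middle name is acceptable
        first, last = parts
        middle = None
    else:
        raise ShadowFormatError(
            "name must be 'first last' or 'first middle last': " + name_line)
    if not password.strip():
        raise ShadowFormatError("password line is empty")
    return ShadowEntry(first, middle, last, match.group("org").strip(), password)
```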
Chapter 9. Troubleshooting the Lotus Notes adapter installation
Troubleshooting is the process of determining why a product does not function as
it is designed to function. This chapter provides information and techniques to use
while attempting to identify and resolve problems related to the Lotus Notes
Adapter installation. It also provides information about troubleshooting errors that
occur due to improper input during installation.
To troubleshoot the adapter installation, complete the following steps:
v If the Lotus Notes Adapter installation fails or does not install correctly, check
the adapter installer log file, NotesAgentSetup.log, for incorrect input and error
messages. This log file is generated in the Lotus Notes Adapter installation
directory. The name of the Lotus Notes Adapter directory, along with its path, is
specified during the installation. Use the log file to find out what operation
failed, not to get information on the correctness of the values entered.
v Verify that the input values given while installing the adapter are correct. This
can be done by comparing the values you entered during the installation
procedure with those specified in “Installing the adapter” on page 10.
v Check for the following error message to be displayed by the installer while
inputting information for the Administrator ID file:
"FileName" is not a valid file name or does not exist.
Please specify a valid file name.
To correct this error, correctly specify the Administrator ID file path.
Chapter 10. Upgrading the Lotus Notes adapter or the ADK
You can either upgrade the Lotus Notes Adapter or the Adapter Development Kit
(ADK). The ADK is the base component of the adapter. While all adapters have the
same ADK, the remaining adapter functionality is specific to the managed
resource.
You can perform an adapter upgrade to migrate your current adapter installation
to a newer version, for example version 4.4 to version 4.6. Upgrading the adapter,
as opposed to reinstalling it, will allow you to keep your configuration settings.
Additionally, you will not have to uninstall the current adapter and install the
newer version.
On the other hand, if a code fix has been made to the ADK, instead of upgrading
the entire adapter, you can upgrade just the ADK to the newer version.
Upgrading the Lotus Notes adapter
During an upgrade, in order to maintain all of your current configuration settings,
as well as the certificate and private key, do not uninstall the old version of the
adapter before installing the new version. During the install, specify the same
installation directory where the previous adapter was installed. For more
information on how to install the adapter, see Chapter 3, “Installing and
configuring the Lotus Notes adapter,” on page 7.
If you currently have version 4.4 or 4.5 of the Lotus Notes Adapter installed, and
you want version 4.6, an upgrade of the adapter is necessary. Upgrading the
adapter involves several steps that you must complete in the appropriate sequence.
In order to upgrade an existing adapter, complete the following steps:
1. Stop the Lotus Notes Adapter service.
2. Install the new version of the adapter.
When the upgraded adapter starts for the first time, new log files will be created,
replacing the old files.
Upgrading the ADK
The ADK consists of the runtime library, filtering and event notification
functionality, protocol settings, and logging information. The remainder of the
adapter is comprised of the Add, Modify, Delete, and Search functions. While all
adapters have the same ADK, the remaining functionality is specific to the
managed resource.
You can use the ADK upgrade program to update the ADK portion of the adapters
that are currently installed on a machine. This allows you to install just the ADK,
and not the entire adapter. As part of the ADK upgrade, the ADK library and the
DAML protocol library are updated. In addition, the agentCfg and CertTool
binaries are updated.
Prior to upgrading the ADK files, the upgrade program checks the current version
of the ADK. If the current level is higher than what you are attempting to install, a
warning message is displayed.
In order to upgrade the Lotus Notes Adapter ADK, complete the following steps:
1. Download the ADK upgrade program compressed file from the IBM Web site.
2. Extract the contents of the compressed file into a temporary directory.
3. Stop the Lotus Notes Adapter service.
4. Start the upgrade program using the adkinst_win32.exe file in the temporary
directory. For example, select Run from the Start menu, and type
C:\TEMP\adkinst_win32.exe in the Open field.
If no adapter is installed, you will receive the following error message, and the
program exits:
No Agent Installed - Cannot Install ADK.
5. On the Welcome window, click Next.
6. On the Software License Agreement window, review the license agreement and
decide if you accept the terms of the license. If you do, click Accept.
7. On the Installation Information window, click Next to begin the installation.
8. On the Install Completed window, click Finish to exit the program.
Log files
Logging entries are stored in the <ADKVersion>Installer.log and
<ADKVersion>Installeropt.log files, where <ADKVersion> is the version of the ADK.
For example, ADK46Installer.log and ADK46Installeropt.log. These files are
created in the folder where you run the installation program.
Chapter 11. Uninstalling the Lotus Notes adapter
Before you remove the adapter, inform your users that the Lotus Notes Adapter
will be unavailable. If the server is taken offline, Lotus Notes Adapter requests that
are not completed might not be recoverable when the server is back online.
To remove the Lotus Notes Adapter, complete the following steps:
1. Stop the Lotus Notes Adapter service.
2. Open Windows Explorer and run <adapter_directory>\_uninst\uninstaller.exe,
where adapter_directory is the directory where the adapter was installed.
3. In the Welcome window, click Next.
4. In the Lotus Notes Adapter uninstallation summary window, click Next.
5. Click Finish.
Inspect the directory tree for Lotus Notes Adapter directories, subdirectories,
and files to verify that uninstall is complete. The instance of the Lotus Notes
Adapter that was uninstalled should no longer appear in the Services window.
Uninstalling the Lotus Notes Shadow adapter
To remove the Lotus Notes Shadow Adapter, complete these steps:
1. Open Windows Explorer and run NotesShadowAgent\_uninst\uninstaller.exe.
2. In the Welcome window, click Next.
3. In the Lotus Notes Shadow Agent uninstallation summary window, click Next.
4. Click Finish.
Inspect the directory tree for Lotus Notes Shadow Adapter directories,
subdirectories, and files to verify that uninstall is complete.
Appendix A. Files
There are adapter-specific files, which you might be required to configure. This
appendix lists the file that is associated with the Lotus Notes Adapter.
xforms.xml file
The xforms.xml file contains the mapping of attributes on the Tivoli Identity
Manager Server to those that exist on the Lotus Domino Server. This file is copied
to the data directory during installation of the Lotus Notes Adapter. The following
is a sample mapping entry from the xforms.xml file, where erNotesTitle is the
attribute on the Tivoli Identity Manager Server and Title is the attribute name
that it is mapped to on the Lotus Domino Server.
<EnRoleAttribute Name = "erNotesTitle" RemoteName = "Title" />
If you want pre-exec and post-exec attributes to be sent to the adapter during
requests to delete an account, add the following text to the xforms.xml file:
<EnRoleAttribute Name="preexec" RemoteName="preexec" RemoteRDN="true"/>
<EnRoleAttribute Name="postexec" RemoteName="postexec" RemoteRDN="true"/>
Pre-exec and post-exec attributes will not only be sent with the delete request, but
they will also be sent with the add, modify, suspend, restore, and password change
account requests.
Appendix B. Adapter attributes
As part of the adapter implementation, a dedicated account for Tivoli Identity
Manager to access Lotus Domino Server is created on Lotus Domino Server. The
Lotus Notes Adapter consists of files and directories that are owned by the Tivoli
Identity Manager account. These files establish communication with the Tivoli
Identity Manager Server.
The following attributes are automatically defined for a newly created user ID:
Table 18. Default attributes and their values
Attribute | Default value
CertExpDate | If this value is not specified, the default of 2 years is taken.
CheckPassword | Do not check password
Generational Qualifier | I
MailOwnerAccess | Designer
MailSystem | Notes
PersonalTitle | Mr.
Attribute descriptions
The Tivoli Identity Manager Server communicates with the Lotus Notes Adapter
using attributes that are included in transmission packets that are sent over a
network. The combination of attributes, included in the packets, depends on the
type of action that the Tivoli Identity Manager Server requests from the Lotus
Notes Adapter.
Table 19 is an alphabetical listing of the attributes that are used by the Lotus Notes
Adapter. The table gives a brief description and the data type for the value of the
attribute.
Table 19. Attributes, descriptions, and corresponding data types
Attribute | Directory server attribute | Description | Data type
$Conflict | erNotesReplicationConflict | Specifies if there is a replication conflict | Boolean
AddCertPasswd | erNotesPasswdAddCert | Specifies the password of the certifier ID file | String
AddCertPath | erNotesAddCertPath | Specifies the path to the certifier ID | String
AdminpCertifier | erNotesAdminpCertifier | Specifies the ADMINP certifier ID | String
AdminpDBTitle | erNotesAdminpDBTitle | Specifies the database title | String
AdminpDestDBPath | erNotesDestDBPathAdminp | Specifies the destination database path, relative to the \data directory on the Lotus Domino Server | String
AdminpDestDBServer | erNotesDestDBServerAdminp | Specifies the destination database server | String
AdminpFirstName | erNotesAdminpFirstName | Specifies the first name of the ADMINP | String
AdminpLastName | erNotesAdminpLastName | Specifies the last name of the ADMINP | String
AdminpMiddleName | erNotesAdminpMiddleName | Specifies the middle name of the ADMINP | String
AdminpOrgUnitName | erNotesAdminpOrgUnitName | Specifies the organization unit name for the ADMINP | String
AdminPRequest | erNotesAdminPRequest | Specifies the ADMINP command to run | String???
AdminpSrcDBPath | erNotesSrcDBPathAdminp | Specifies the source database path, relative to the \data directory on the Lotus Domino Server | String
AdminpSrcDBServer | erNotesSrcDBServerAdminp | Specifies the source database server | String
AltFullNameSort | erNotesAltSortFullName | Specifies the phonetic name of the user | String
Assistant | erNotesAssistant | Specifies the assistant name of the user | String
CalendarDomain | erNotesCalendarDomain | Specifies the domain name of the alternate scheduling application | String
CellPhoneNumber | erNotesCellPhoneNumber | Specifies the cell phone number for the user | String
CertExpiryDate | erNotesCertExpiryDate | Specifies the expiration date of the certifier | String
CheckPassword | erNotesCheckPassword | Specifies whether to require the user to enter a password to authenticate with servers that have password checking enabled | Boolean
Children | erNotesChildren | Specifies the names of the children of the user | String
City | erNotesCity | Specifies the city where the user works | String
ClientType | erNotesClientType | Specifies whether the user has full or limited Notes access | String
ClntBld | erNotesClientBuild | Specifies the list of client build versions that the user runs. This is updated automatically by the Notes Client. | String
ClntMachine | erNotesClientMachine | Specifies the list of machines that the user runs the client on. This is updated automatically by the Notes Client. | String
ClntPltfrm | erNotesClientPlatform | Specifies the list of machine platforms that the user runs. This is updated automatically by the Notes Client. | String
Comment | erNotesComment | Specifies a brief comment about the user | String
CompanyName | erNotesCompanyName | Specifies the name of the company where the user works | String
Country | erNotesCountry | Specifies the country where the user works | String
CreateNorthAmericanId | erNotesCreateNorthAmericanID | Specifies a North American ID | Boolean
Department | erNotesDepartment | Specifies the department name for the user | String
EmployeeID | erNotesEmployeeID | Specifies the employee ID of the user | String
EncryptIncomingMail | erNotesEncryptIncomingMail | Specifies whether incoming mail is encrypted upon delivery | Boolean
FirstName | erNotesFirstName | Specifies the first name and nickname of the user | String
FullName | erNotesFullName | Specifies the full name of the user | String
HomeFAXPhoneNumber | erNotesHomeFAXPhoneNumber | Specifies the home FAX number for the user | String
HTTPPasswordForceChange | erNotesForceInetPwdChange | Specifies whether to force the user to change their HTTP password | Boolean
InternetAddress | erNotesInternetAddress | Specifies the Internet e-mail address of the user | String
JobTitle | erNotesJobTitle | Specifies the job title of the user | String
LastName | erNotesLastName | Specifies the last name of the user | String
LocalAdmin | erNotesLocalAdmin | Specifies the local administrator of the user ID | String
Location | erNotesLocation | Specifies the office location or mail-stop for the user | String
MailAddress | erNotesMailAddress | Specifies the e-mail address for the user | String
MailDomain | erNotesMailDomain | Specifies the domain name of the mail server for the user account | String
MailFile | erNotesMailFile | Specifies the path and file name of the mail file for the user account | String
MailFileOwnerAccess | erNotesMailFileOwnerAccess | Specifies the owner access of the mail file for the user account | String
MailFileQuotaSize | erNotesMailFileQuotaSize | Specifies the quota size of the mail file for the user account | String
MailServer | erNotesMailServer | Specifies the hierarchical name of the server that stores the mail file for the user account | String
MailSystem | erNotesMailSystem | Specifies the mail system for the user | Integer
MailTemplateName | erNotesMailTemplateName | Specifies the mail template file name for the user | String
Manager | erNotesManager | Specifies the name of the manager for the user | String
MemberOfGroups | erNotesMemberOfGroups | Specifies the list of groups that the user belongs to | String
MiddleInitial | erNotesMiddleInitial | Specifies the middle initial of the user | String
NetUserName | erNotesNetUserName | Specifies the public network, such as America Online or Prodigy, for the user name | String
NewCertExpiryDate | erNotesNewCertExpiryDate | Specifies the expiration date of the new certificate | String
NewCertPasswd | erNotesPasswdNewCert | Specifies the password of the new certificate ID file | String
NewCertPath | erNotesNewCertPath | Specifies the path to the new certificate ID file | String
OfficeCity | erNotesOfficeCity | Specifies the city where the office of the user is | String
OfficeCountry | erNotesOfficeCountry | Specifies the country where the office of the user is | String
OfficeFAXPhoneNumber | erNotesOfficeFAXPhoneNumber | Specifies the office fax number for the user | String
OfficeNumber | erNotesOfficeNumber | Specifies the office number of the user | String
OfficePhoneNumber | erNotesOfficePhoneNumber | Specifies the office phone number of the user | String
OfficeState | erNotesOfficeState | Specifies the state where the office of the user is located | String
OfficeStreetAddress | erNotesOfficeStreetAddress | Specifies the street address where the office of the user is located | String
OfficeZIP | erNotesOfficeZIP | Specifies the postal zip code of the office for the user | String
OrigCertifier | erNotesOrigCertifier | Specifies the path to the original certifier ID file | String
OrigCertPasswd | erNotesOrigCertPasswd | Specifies the password of the original certifier ID file | String
Owner | erNotesOwner | Specifies the hierarchical name of the user who created a document | String
Password | erNotesPassword | Specifies the HTTP password of the user |
PasswordChangeInterval | erNotesChangeIntervalPassword | Specifies the number of days that a password is valid | Integer
PasswordGracePeriod | erNotesPasswordGracePeriod | Specifies the number of days after a required change interval that the user has to change his or her password | Integer
PhoneNumber | erNotesPhoneNumber | Specifies the home telephone number for the user | String
PhoneNumber_6 | erNotesPagerNumber | Specifies the pager number for the user | String
PreferredLanguage | erNotesPreferredLanguage | Specifies the preferred language for the user | String
Profiles | erNotesProfiles | Specifies the setup profile name. This name is used to specify the default settings for the user. | String
RASEXEC | erNotesRasExec | Specifies the system call that will be run after each Lotus Notes Adapter operation | String
SaveIdInAddressBook | erNotesSaveIdInAddressBook | Specifies whether the ID file is stored in the Domino Address Book. If it is, the ID file is attached to the user's Person document. | Boolean
ShortName | erNotesShortName | Specifies the short name that is used by a foreign mail system | String
Spouse | erNotesSpouse | Specifies the spouse name of the user | String
State | erNotesState | Specifies the state or province name where the user resides | String
StreetAddress | erNotesStreetAddress | Specifies the street address where the user resides | String
Suffix | erNotesSuffix | Specifies the suffix for the user | String
Title | erNotesTitle | Specifies the title of the user | String
UserIDfileName | erNotesUserIDfileName | Specifies the name of the user ID file that stores access keys | String
UserIdInCertLog | erNotesUserIdInCertLog | Specifies the name that should be stored in the CertLog.nsf file | String
UserName | erUid | Specifies the logon ID of the user | String
UserPassword | erPassword | Specifies the logon password that can be changed by the adapter | String
UserStatus | erAccountStatus | Specifies whether the user has account access | Boolean
WebSite | erNotesWebSite | Specifies the Web site for the user | String
x400Address | erNotesx400Address | Specifies additional x400 O/R attributes, excluding /C, /A, /P | String
Zip | erNotesZip | Specifies the zip code for the home address of the user | String
The following attributes are supported by the Lotus Notes Adapter, but they do
not appear on the Notes Account form. In order to view these attributes on the
Notes Account form, additional configuration is required. For more information on
how to view the hidden attributes, see the IBM Tivoli Identity Manager Information
Center.
Table 20. Hidden attribute descriptions
Attribute | Directory server attribute | Description | Data type
$FILE | erNotesFILE | Specifies the $FILE value for the user account | String
Administrator | erNotesAdministrator | Specifies whether the user is also the administrator of the Lotus Domino Server | Boolean
AltFullName | erNotesAltFullName | Specifies the alternate full name of the user | String
AltFullNameLanguage | erNotesAltLanguageFullName | Specifies the alternate full name language of the user | String
AvailableForDirSync | erNotesAvailableForDirSync | Specifies whether Lotus Notes is available for directory synchronization | Boolean
ccMailLocation | erNotesccMailLocation | Specifies the ccMailLocation value for the user | String
ccMailUserName | erNotesccMailUserName | Specifies the ccMailUserName value for the user | String
CertIDfileName | erNotesCertIDfileName | Specifies the cert ID file name for the user | String
DocumentAccess | erNotesDocumentAccess | Specifies the access for a Lotus Notes document for the user | String
Form | erNotesForm | Specifies the form for the user | String
MessageStorage | erNotesMessageStorage | Specifies the message storage for the user account | String
OU | erNotesOU | Specifies the organization unit for the user | String
PasswordChangeDate | erNotesChangeDatePassword | Specifies the password change date for the user | String
PasswordDigest | erNotesPasswordDigest | Specifies the password digest for the user | String
PersonalID | erNotesPersonalID | Specifies the personal ID for the user | String
PostalAddress | erNotesPostalAddress | Specifies the postal address for the user | String
ProposedAltCommonName | erNotesAltCommonNameProposed | Specifies the proposed alternate common name for the user | String
ProposedAltFullNameLanguage | erNotesProposedAltFullNameLanguage | Specifies the proposed alternate full name language for the user | String
ProposedAltOrgUnit | erNotesAltOrgUnitProposed | Specifies the proposed alternate organization unit for the user | String
PublicKey | erNotesPublicKey | Specifies the public key for the user | String
SametimeServer | erNotesSametimeServer | Specifies the Sametime server name that the user accesses | String
Street | erNotesStreet | Specifies the street name for the user | String
Type | erNotesType | Specifies the type of user ID | String
Lotus Notes Adapter attributes by action
The following lists are typical Lotus Notes Adapter actions by their functional
transaction group. The lists include more information about required and optional
attributes sent to the Lotus Notes Adapter to complete that action.
System Login Add
A System Login Add is a request to create a new user account in the domain with
the specified attributes.
Table 21. Add request attributes
Required attributes: erUid, erNotesLastName, erNotesAddCertPath, erNotesPasswdAddCert
Optional attributes: All other supported attributes
System Login Change
A System Login Change is a request to change one or more attributes for the
specified users.
Table 22. Change request attributes
Required attributes: erUid, erNotesLastName, erNotesAddCertPath, erNotesPasswdAddCert
Optional attributes: All other supported attributes
System Login Delete
A System Login Delete is a request to remove the specified user from the Active
Directory.
Table 23. Delete request attributes
Required attribute: erUid
Optional attributes: None
System Login Suspend
A System Login Suspend is a request to disable a user account. The user is neither
removed nor are their attributes modified.
Table 24. Suspend request attributes
Required attributes: erUid, erAccountStatus
Optional attributes: None
System Login Restore
A System Login Restore is a request to activate a user account that was previously
suspended. Once an account is restored, the user can access the system with the
same attributes as those in place before the Suspend function was called.
Table 25. Restore request attributes
Required attributes: erUid, erAccountStatus
Optional attribute: erPassword
Reconciliation
The Reconciliation function synchronizes user account information between Tivoli
Identity Manager and the adapter.
Table 26. Attributes returned during reconciliation
Required attributes: None
Optional attributes: None
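As an added example (not code from the guide, the adapter, or IBM), the following Python script parses xforms.xml-style mapping entries of the form shown in Appendix A, checks a request against the required attributes listed for each action in Tables 21 to 25 above, and translates it to Domino attribute names with the password-bearing attributes of Table 19 masked for logging. The <Mappings> wrapper element, every sample entry except erNotesTitle, preexec and postexec, and all request values are assumptions constructed for this example.

```python
"""Added example, not code from the IBM guide or the adapter: parse xforms.xml
mapping entries (Appendix A), check an ITIM request against the required
attributes listed per action (Tables 21 to 25), and translate it to Lotus
Domino attribute names with password-bearing values redacted for logging."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the entries shown in Appendix A. The
# <Mappings> wrapper and every entry except erNotesTitle, preexec and
# postexec are assumptions; only those three appear in the guide.
SAMPLE_XFORMS = """<Mappings>
  <EnRoleAttribute Name = "erUid" RemoteName = "UserName" />
  <EnRoleAttribute Name = "erNotesLastName" RemoteName = "LastName" />
  <EnRoleAttribute Name = "erNotesAddCertPath" RemoteName = "AddCertPath" />
  <EnRoleAttribute Name = "erNotesPasswdAddCert" RemoteName = "AddCertPasswd" />
  <EnRoleAttribute Name = "erNotesTitle" RemoteName = "Title" />
  <EnRoleAttribute Name = "erAccountStatus" RemoteName = "UserStatus" />
  <EnRoleAttribute Name="preexec" RemoteName="preexec" RemoteRDN="true"/>
  <EnRoleAttribute Name="postexec" RemoteName="postexec" RemoteRDN="true"/>
</Mappings>"""

# Required attributes per action, as listed in Tables 21 to 25 of the guide.
REQUIRED = {
    "add": {"erUid", "erNotesLastName", "erNotesAddCertPath", "erNotesPasswdAddCert"},
    "change": {"erUid", "erNotesLastName", "erNotesAddCertPath", "erNotesPasswdAddCert"},
    "delete": {"erUid"},
    "suspend": {"erUid", "erAccountStatus"},
    "restore": {"erUid", "erAccountStatus"},
}

# Attributes whose values are passwords according to Table 19 (user logon
# password and certifier ID file passwords); these must never reach a log.
SECRET_ATTRS = {"erPassword", "erNotesPasswdAddCert",
                "erNotesPasswdNewCert", "erNotesOrigCertPasswd"}

# Attributes that make the adapter run something on the Domino host: the
# pre-exec/post-exec attributes of Appendix A and RASEXEC from Table 19.
EXEC_ATTRS = {"preexec", "postexec", "erNotesRasExec"}


def parse_xforms(xml_text):
    """Return {Name: (RemoteName, remote_rdn)} for every EnRoleAttribute."""
    mappings = {}
    for el in ET.fromstring(xml_text).iter("EnRoleAttribute"):
        name, remote = el.get("Name"), el.get("RemoteName")
        if not name or not remote:
            raise ValueError("EnRoleAttribute entry lacks Name or RemoteName")
        mappings[name] = (remote, el.get("RemoteRDN", "false").lower() == "true")
    return mappings


def exec_mappings_present(mappings):
    """True when preexec and postexec are both mapped with RemoteRDN="true",
    the configuration the guide says sends them with every account request."""
    return all(n in mappings and mappings[n][1] for n in ("preexec", "postexec"))


def missing_required(action, request):
    """Required attributes (per the guide's tables) absent from the request."""
    return sorted(REQUIRED[action] - set(request))


def to_remote(action, request, mappings):
    """Translate an ITIM request into Domino attribute names via the mappings.

    Rejects requests that miss a required attribute or carry an attribute
    that xforms.xml does not map, rather than silently dropping values."""
    missing = missing_required(action, request)
    if missing:
        raise ValueError(f"{action} request lacks required attributes {missing}")
    unmapped = sorted(set(request) - set(mappings))
    if unmapped:
        raise ValueError(f"no xforms.xml mapping for {unmapped}")
    return {mappings[name][0]: value for name, value in request.items()}


def loggable(request):
    """Copy of the request that is safe to write to an activity log:
    secret values are masked and any exec-type attributes are called out."""
    view = {k: ("<redacted>" if k in SECRET_ATTRS else v) for k, v in request.items()}
    view["_exec_attributes"] = sorted(set(request) & EXEC_ATTRS)
    return view


if __name__ == "__main__":
    m = parse_xforms(SAMPLE_XFORMS)
    # Constructed add request; path, password and script name are placeholders.
    add_req = {"erUid": "jdoe", "erNotesLastName": "Doe",
               "erNotesAddCertPath": r"C:\example\placeholder-cert.id",
               "erNotesPasswdAddCert": "placeholder-certifier-password",
               "erNotesTitle": "Analyst", "preexec": "placeholder-preexec"}
    print("exec mappings configured:", exec_mappings_present(m))
    print("remote add request:", to_remote("add", add_req, m))
    print("log view:", loggable(add_req))
    print("delete request missing:", missing_required("delete", {"erNotesTitle": "x"}))
```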
Appendix C. Support information
This section describes the following options for obtaining support for IBM
products:
v “Searching knowledge bases”
v “Obtaining fixes” on page 84
v “Contacting IBM Software Support” on page 84
Searching knowledge bases
If you have a problem with your IBM software, you want it resolved quickly. Begin
by searching the available knowledge bases to determine whether the resolution to
your problem is already documented.
Search the information center on your local system or network
IBM provides extensive documentation that can be installed on your local
computer or on an intranet server. You can use the search function of this
information center to query conceptual information, instructions for completing
tasks, reference information, and support documents.
Search the Internet
If you cannot find an answer to your question in the information center, search the
Internet for the latest, most complete information that might help you resolve your
problem. To locate Internet resources for your product, open one of the following
Web sites:
v IBM Tivoli Identity Manager Performance Tuning Guide
Provides information needed to tune Tivoli Identity Manager Server for a
production environment, available on the Web at:
http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z product list, and then, click the Tivoli Identity
Manager link. Browse the information center for the Technical Supplements
section.
v Redbooks and white papers are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Browse to the Self Help section, in the Learn category, and click the Redbooks
link.
v Technotes are available on the Web at:
http://www.redbooks.ibm.com/redbooks.nsf/tips/
v Field guides are available on the Web at:
http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
v For an extended list of other Tivoli Identity Manager resources, search the
following IBM developerWorks Web address:
http://www.ibm.com/developerworks/
Obtaining fixes
A product fix might be available to resolve your problem. You can determine what
fixes are available for your IBM software product by checking the product support
Web site:
1. Go to the IBM Software Support Web site
(http://www.ibm.com/software/support).
2. Under Products support pages A to Z, select the letter for your product name.
3. In the list of specific products, click IBM Tivoli Identity Manager.
4. Under Self help, you find a list of fixes, fix packs, and other service updates
for your product.
5. Click the name of a fix to read the description and optionally download the fix.
To receive weekly e-mail notifications about fixes and other news about IBM
products, follow these steps:
1. From the support page for any IBM product, click My support in the upper-left
corner of the page.
2. If you have already registered, skip to the next step. If you have not registered,
click register in the upper-right corner of the support page to establish your
user ID and password.
3. Sign in to My support.
4. On the My support page, click Edit profiles in the left navigation pane, and
scroll to Select Mail Preferences. Select a product family and check the
appropriate boxes for the type of information you want.
5. Click Submit.
6. For e-mail notification for other products, repeat Steps 4 and 5.
For more information about types of fixes, see the Software Support Handbook
(http://techsupport.services.ibm.com/guides/handbook.html).
Contacting IBM Software Support
IBM Software Support provides assistance with product defects.
Before contacting IBM Software Support, your company must have an active IBM
software maintenance contract, and you must be authorized to submit problems to
IBM. The type of software maintenance contract that you need depends on the
type of product you have:
v For IBM distributed software products (including, but not limited to, Tivoli,
Lotus, and Rational products, as well as DB2 and WebSphere products that run
on Windows or UNIX operating systems), enroll in Passport Advantage in one
of the following ways:
– Online: Go to the Passport Advantage Web page
(http://www.lotus.com/services/passport.nsf/WebDocs/
Passport_Advantage_Home) and click How to Enroll
– By phone: For the phone number to call in your country, go to the IBM
Software Support Web site
(http://techsupport.services.ibm.com/guides/contacts.html) and click the
name of your geographic region.
v For IBM eServer software products (including, but not limited to, DB2 and
WebSphere products that run in zSeries, pSeries, and iSeries environments), you
can purchase a software maintenance agreement by working directly with an
IBM sales representative or an IBM Business Partner. For more information
about support for eServer software products, go to the IBM Technical Support
Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).
If you are not sure what type of software maintenance contract you need, call
1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to
the contacts page of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of
your geographic region for phone numbers of people who provide support for
your location.
Follow the steps in this topic to contact IBM Software Support:
1. Determine the business impact of your problem.
2. Describe your problem and gather background information.
3. Submit your problem to IBM Software Support.
Determine the business impact of your problem
When you report a problem to IBM, you are asked to supply a severity level.
Therefore, you need to understand and assess the business impact of the problem
you are reporting. Use the following criteria:
Severity 1 Critical business impact: You are unable to use the program,
resulting in a critical impact on operations. This condition
requires an immediate solution.
Severity 2 Significant business impact: The program is usable but is
severely limited.
Severity 3 Some business impact: The program is usable with less
significant features (not critical to operations) unavailable.
Severity 4 Minimal business impact: The problem causes little impact on
operations, or a reasonable circumvention to the problem has
been implemented.
Describe your problem and gather background information
When explaining a problem to IBM, be as specific as possible. Include all relevant
background information so that IBM Software Support specialists can help you
solve the problem efficiently. To save time, know the answers to these questions:
v What software versions were you running when the problem occurred?
v Do you have logs, traces, and messages that are related to the problem
symptoms? IBM Software Support is likely to ask for this information.
v Can the problem be re-created? If so, what steps led to the failure?
v Have any changes been made to the system? (For example, hardware, operating
system, networking software, and so on.)
v Are you currently using a workaround for this problem? If so, please be
prepared to explain it when you report the problem.
Submit your problem to IBM Software Support
You can submit your problem in one of two ways:
v Online: Go to the "Submit and track problems" page on the IBM Software
Support site (http://www.ibm.com/software/support/probsub.html). Enter
your information into the appropriate problem submission tool.
v By phone: For the phone number to call in your country, go to the contacts page
of the IBM Software Support Handbook on the Web
(http://techsupport.services.ibm.com/guides/contacts.html) and click the name
of your geographic region.
If the problem you submit is for a software defect or for missing or inaccurate
documentation, IBM Software Support creates an Authorized Program Analysis
Report (APAR). The APAR describes the problem in detail. Whenever possible,
IBM Software Support provides a workaround for you to implement until the
APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the
IBM product support Web pages daily, so that other users who experience the
same problem can benefit from the same resolutions.
For more information about problem resolution, see Searching knowledge bases
and Obtaining fixes.
Appendix D. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
IBM
IBM logo
AIX
DB2
Novell
SecureWay
Tivoli
Tivoli logo
Universal Database
WebSphere
Lotus is a registered trademark of Lotus Development Corporation and/or IBM
Corporation.
Domino is a trademark of International Business Machines Corporation and Lotus
Development Corporation in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Index

A
accessibility
   pdf format, for screen-reader software ix
   statement for documentation viii
   text, alternative for document images ix
activity logging 29
adapter
   ADK upgrade 69
   attributes
      by adapter action 81
      by Lotus Notes Adapter action 81
      descriptions 75
   communication with Tivoli Identity Manager Server 5
   configuration 7
   configuration steps 16
   customization steps 59
   features 1
   files 73
   installation 7
   installation overview 1
   non-supported configuration 4
   profile purpose 14
   removal 71
   supported configurations 2
   upgrade 69
   verifying installation 63
adapter configuration 7
adapter configuration tool
   See agentCfg
adapter installation 7
adapter overview 1
ADK46Installer.log file 70
ADK46Installeropt.log file 70
agentCfg
   arguments 37
   changing adapter parameters
      configuration key 29
      protocol settings 21
      registry settings 31
      request processing 35
   menus
      activity logging 29
      advanced settings 35
      event notification 24
      help 37
      Main Configuration 19
      Protocol Configuration 20
      registry 31
   viewing configuration settings 20
architectural overview
   non-supported configuration 4
   supported configurations 2
attributes
   by Lotus Notes Adapter action
      add 81
      change 81
      delete 81
      reconciliation 82
      restore 82
      suspend 82
   default 75
   descriptions 75
   hidden 80

B
books
   see publications viii

C
certificate authority
   definition 41
certificate signing request (CSR) 50
certificates
   CA
      available functions 48
      deleting 51
      installing 51
      viewing installed 51
   certificate management tools
      See CertTool
   definition 41
   examples
      certificate signing request (CSR) 50
      install 50
   installation
      from file 50
      sample 50
   key formats 43
   overview 41
   private keys and digital certificates 42
   protocol configuration tool
      See CertTool
   register 48
   registered
      registering 52
      removing 52
      viewing 52
   request 49
   self-signed 42
   viewing
      installed 51
      registered 52
   viewing installed 51
   viewing registered 52
CertTool
   CA certificate
      deleting 51
      installing 51
      viewing 51
   certificate
      install 50
      register 48
      request 49
      viewing installed 51
      viewing registered 52
   changing adapter parameters
      accessing 43, 47
      options 48
© Copyright IBM Corp. 2003, 2005 91
CertTool (continued)
   client authentication 48
   install certificate 50
   private key, generating 49
   registered certificate
      registering 52
      removing 52
      viewing 52
character sets, supported 36
client authentication 45
client validation, SSL 46
configuration
   adapter 7
   key
      changing with agentCfg 29
      default value 19, 29
      purpose 19
   managed resource 55
   non-supported 4
   settings
      changing with agentCfg 19
      default value 20
      viewing with agentCfg 20
   SSL 44
   supported 2
context
   baseline database 28
   deleting 25
   listing 26
   modifying 27
   search attributes 27
   target DN 28
conventions
   HOME directory
      Tivoli_Common_Directory xii
      DB_INSTANCE_HOME x
      HTTP_HOME xi
      ITIM_HOME xii
      LDAP_HOME xi
      WAS_HOME xii
      WAS_MQ_HOME xii
      WAS_NDM_HOME xii
   typeface ix
   UNIX variable, directory notation x
   used in this document ix
CSR
   definition 49
   file, generating 49
customer support
   see Software Support 84

D
DAML protocol
   configuring with agentCfg 21
   encryption
      default value 21
      type 21
   options 21
   properties, changing with agentCfg
      options 21
      password 21
      portnumber 22
      require_cert_reg 23
      srv_nodename 22
      srv_portnumber 22
      username 21
      validate_client_ce 23
   SSL authentication 43
DB_INSTANCE_HOME
   DB2 UDB installation directory x
   definition x
debug log
   default value 29
   enable/disable with agentCfg 29
   purpose 30
default attributes 75
detail log
   default value 29
   enable/disable with agentCfg 29
   purpose 30
directory
   DB_INSTANCE_HOME x
   HTTP_HOME xi
   installation
      DB2 UDB x
      IBM Directory Server xi
      IBM HTTP Server xi
      WebSphere Application Server base product xii
      WebSphere Application Server Network Deployment product xii
      WebSphere MQ xii
   installation for Sun ONE Directory Server xi
   ITIM_HOME xii
   LDAP_HOME xi
   names, UNIX notation x
   WAS_HOME xii
   WAS_MQ_HOME xii
   WAS_NDM_HOME xii
disabilities, using documentation viii
disk space prerequisites 7
documents
   related viii
   Tivoli Identity Manager library v
Domino Administrator
   prerequisites 7

E
enable/disable with agentCfg 29
encrypted registry settings 35
encryption
   DAML protocol
      default value 21
      type 21
   registry settings 31
   SSL 41, 42
environment variable
   UNIX notation x
event notification
   cache size 25
   changing with agentCfg 24
   context
      baseline database 28
      deleting 25
      listing 26
      modifying 27
      search attributes 27
      target DN 28
   enable/disable 25
   reconciliation
      attributes 25
event notification (continued)
   reconciliation (continued)
      context 25
      intervals 25
      modifying 25
      process priority 25
      starting manually 25

F
fixes, obtaining 84

H
help menu for agentCfg 37
   accessing with -help command 37
hidden attributes 80
home directories
   DB_INSTANCE_HOME x
   HTTP_HOME xi
   ITIM_HOME xii
   LDAP_HOME xi
   WAS_HOME xii
   WAS_MQ_HOME xii
   WAS_NDM_HOME xii
HTTP_HOME
   definition xi
   IBM HTTP Server installation directory xi

I
import
   adapter profile 14, 60
   PKCS12 file 43
information centers, searching to find software problem resolution 83
installation
   adapter 7
   certificate 50
   directory
      DB2 UDB x
      IBM Directory Server xi
      IBM HTTP Server xi
      Sun ONE Directory Server xi
      WebSphere Application Server base product xii
      WebSphere Application Server Network Deployment product xii
      WebSphere MQ xii
   profile 14
   troubleshooting 67
   uninstall 71
   verification 63
installation prerequisites
   disk space 7
   memory 7
   network connectivity 7
   operating system 7
   system 7
   Tivoli Identity Manager Server 7
Internet, searching to find software problem resolution 83, 84
ITIM_HOME
   definition xii
   directory xii

K
knowledge bases, searching to find software problem resolution 83

L
LDAP_HOME
   definition xi
   IBM Directory Server installation directory xi
   Sun ONE Directory Server installation directory xi
logs
   activity settings, changing 20
   ADK46Installer.log file 70
   ADK46Installeropt.log file 70
   debug 29
   detail 29
   directory, changing with agentCfg 30
   display using agentCfg 38
   enable/disable, changing with agentCfg 30
   file name, changing with agentCfg 29
   NotesAgentSetup.log file 67
   settings, changing with adapterCfg 30
   settings, changing with agentCfg
      log file name 30
      max file size 30
   settings, default values 29
   statistics 36
   trace.log file 15
   view events 20
   viewing statistics 36
Lotus Domino Server
   prerequisites 7
Lotus Notes managed resource
   prerequisites 7
Lotus Notes software
   prerequisites 7

M
manuals
   see publications viii
memory prerequisites 7

N
network connectivity 7
non-encrypted registry settings 31
non-supported configuration 4
Notes Client
   adapter installation 10
   communication with Lotus Domino Server 10
   logging on 63
   prerequisites 7
NotesShadowAgent utility (Shadow utility)
   installing 13
   storing existing data 64

O
online publications
   accessing viii
operating system prerequisites 7
Index 93
P
password protected file
   See PKCS12 file
passwords
   changing configuration key 29
   configuration key, default value 19, 29
   ID file 2
   Lotus Notes ID file
      case-sensitive 11
   NotesShadowAgent utility (Shadow utility) 64
passwords, changing with agentCfg
   DAML protocol 21
path names, notation x
pdf format, for screen-reader software ix
PKCS12 file
   certificate and key installation 50
   export certificate and key 53
portnumber
   changing with agentCfg 21
portnumber, changing with agentCfg 22
private key
   definition 41
private key, generating 49
problem determination
   describing problem for IBM Software Support 85
   determining business impact for IBM Software Support 85
   submitting problem to IBM Software Support 85
properties, changing with agentCfg 21
protocol
   DAML
      configuring with agentCfg 21
      encryption default value 21
      encryption type 21
      properties, changing with agentCfg 21
   SSL
      overview 41
      server-to-adapter configuration 44
      two-way configuration 45, 46
public key 42
publications
   accessing online viii
   related viii
   Tivoli Identity Manager library v

R
reconciliation
   attributes 25, 82
   context 25
   intervals 25
   modifying 25
   process priority 25
registry settings
   encrypted 31, 35
   non-encrypted 31
require_cert_reg, changing with agentCfg 23
restoring accounts
   password requirements 60

S
self-signed certificate 42
Shadow utility
   See NotesShadowAgent utility (Shadow utility)
Software Support
   contacting 84
   describing problem for IBM Software Support 85
   determining business impact for IBM Software Support 85
   submitting problem to IBM Software Support 85
srv_nodename, changing with agentCfg 22
srv_portnumber, changing with agentCfg 22
SSL
   certificate installation 41
   certificate signing request 49
   definition 5
   encryption 41
   key formats 43
   network connectivity 7
   overview 41
   private keys and digital certificates 42
   self-signed certificates 42
   server-to-adapter configuration 44
   two-way configuration 45, 46
SSL implementations, DAML protocol 43
supported configurations 2
system prerequisites 7

T
text, alternative for document images ix
thread count settings
   changing with agentCfg 35
   default values 35
   maximum concurrent requests 35
   reconciliation requests 35
   system login add requests 35
   system login change requests 35
   system login delete requests 35
Tivoli Identity Manager Adapter
   communication with the server 45, 46
   SSL communication 45, 46
Tivoli Identity Manager Server
   communication with adapter 5
   communication with the adapter 44
   configuring event notification 24
   importing adapter profile 14
   SSL communication 44
Tivoli Identity Manager Server prerequisites 7
Tivoli software information center viii
Tivoli_Common_Directory
   definition xii
trace.log file 15
troubleshooting adapter installation 67
two-way configuration
   SSL
      client 45
      client and server 46
typeface conventions ix

U
uninstallation 71
updating
   adapter profile 59
upgrade
   adapter 69
   adapter profile 14
   ADK 69
username, changing with agentCfg 21
UTF8 support 36
V
validate_client_ce, changing with agentCfg 23
verification
   adapter install 63
   system prerequisites 7

W
WAS_HOME
   definition xii
   WebSphere Application Server base installation directory xii
WAS_MQ_HOME
   definition xii
   WebSphere MQ installation directory xii
WAS_NDM_HOME
   definition xii
   WebSphere Application Server Network Deployment installation directory xii
western European character set, support 36

X
xforms.xml file 73
Printed in USA
SC32-1707-03