IBM® Security Systems Division
Ready for IBM Security Intelligence
Validation requirements document for
IBM Security Identity Manager
Please visit the Ready for IBM Security Intelligence software validation site
for assistance, enablement support, and current copy of this document:
https://www.ibm.com/partnerworld/page/isv_com_dvm_techval_security
Validated solution integrations and extensions can be found in the Ready for IBM Security Intelligence
Showcase
http://www-304.ibm.com/partnerworld/gsd/homepage.do
Send documents to pwisv@us.ibm.com, “Ready for IBM Security Intelligence” in subject line.
Document Version 1.0
Table of Contents
Introduction (page 3)
Items required to complete validation (page 4)
Validation contact information (page 6)
Solution to be validated (page 7)
  Solution overview (page 7)
Integration requirements (page 8)
  Architecture and overview (page 8)
  Integration methods and interfaces (page 9)
Integration options for validation (page 12)
Integration exceptions (page 12)
Resources (page 13)
Validation Requirements Document
IBM Security Identity Manager
Page 2 of 13
Introduction
The Ready for IBM Security Intelligence program validates partner integrations with IBM Security software and represents the solution integrations in the IBM Security section of the Ready for IBM Security Intelligence Showcase. This includes partners working to complete Industry Frameworks, Solution Initiatives, and Specialties or other offerings with a dependency on validating integrations with IBM Security Software.
This document provides the steps and validation requirements for demonstrating integrations with IBM Security Identity Manager. A brief overview of the integration points is provided, along with the testing, documentation and demonstration results needed to verify and validate the solution integration.
Reference the following resources for assistance. In addition, inquiries can be directed to the Security Integration Specialist: Matthew Duggan, dugganm@us.ibm.com.
Ready for IBM Security Intelligence Resources
Ready for IBM Security Intelligence Home: https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security
Getting Started with the Ready for IBM Security Intelligence program: https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security_start
Ready for IBM Security Intelligence integration points and resources: https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security_integration
Ready for IBM Security Intelligence Message Board: https://www.ibm.com/developerworks/mydeveloperworks/groups/service/forum/topics?communityUuid=85cce0f0-581e-4b9e-9da8-b57c4a257949&ps=10&page=0
IBM PartnerWorld Contact Services (assistance getting started): US Number: 800-426-9990, 770-858-5052, e-mail: pwisv@us.ibm.com, ask for Ready for IBM Security Intelligence assistance.
Ready for IBM Security Intelligence Showcase: http://www-304.ibm.com/partnerworld/gsd/homepage.do
Program Manager Contact: Russ Warren, russell.warren@us.ibm.com
Other Resources
IBM Security Communities (best practices and scenarios): http://www.ibm.com/developerworks/security/community.html
IBM Service Management Connect: https://www.ibm.com/developerworks/servicemanagement/srm/index.html
IBM Software Access Catalog (download IBM Security software): http://www.ibm.com/isv/welcome/softmall.html
IBM PartnerWorld option support (assistance with listed products): Voice US Number: 800-426-9990, 770-858-5052, Remote e-mail: https://www.ibm.com/isv/tech/member/index.html
Items required to complete validation
To validate your IBM Security Identity Manager-based integration and include the solution highlight in the Integrated Service Management Library, the following items must be submitted to the validation lab at pwisv@us.ibm.com. Please consult the Ready for IBM Security Intelligence software validation Web site for guidance and details concerning the validation process at https://www.ibm.com/partnerworld/wps/servlet/ContentHandler/isv_com_dvm_techval_security.
Items required for validation
Final validation requirements document: Final version of this document representing the solution integration being validated for Ready for IBM Security Intelligence. Need to document and identify the classes and interfaces used.
Test plan report: Document containing use scenarios, data points, and information on the solution integration with IBM Security Identity Manager. Will be used when reviewing test results and files, performing the validation, and during the solution integration demonstration.
Integration Setup Information: Solution setup or administration documentation, or a portion of a document providing information customers would use to set up or configure the integration between your solution and IBM Security Identity Manager. Should include items in Identity Manager that need to be customized to make the integration work.
Demonstration: A remote demonstration or captured demo to walk through the integration scenarios with IBM Security Identity Manager.
Ready for IBM Security Intelligence Showcase: Integration highlights (solution overview, requirements, contacts) used for the Ready for IBM Security Intelligence Showcase solution entry (http://www-304.ibm.com/partnerworld/gsd/homepage.do). This should include a company logo that can be used (recommended size 100 x 50).
Web page: To include your solution integration reference in the Ready for IBM Security Intelligence Showcase (http://www-304.ibm.com/partnerworld/gsd/homepage.do), you need to provide a Web page link highlighting the solution integration. Also, we encourage using the Ready for IBM Security Intelligence logo mark on your Web page, solution material, at conferences and on other marketing material.
Adapter profile: The adapter profile, normally stored on the LDAP directory server, is imported by the Security Identity Manager server. The profile has the following components or files (the variable <ADAPTER> should be replaced by the adapter name):
a. Schema definition (schema.dsml) (required).
b. Service definition (service.def) (required).
   - Supported operation definitions
   - Assembly line XML files for all operations.
c. Account form (er<ADAPTER>account.xml).
d. Service form (er<ADAPTER>service.xml).
e. CustomLabels.properties.
   - Labels displayed on forms for attributes.
Note: The adapter profile is only required for Tivoli Directory Integrator based RMI custom adapters.
Tivoli Directory Integrator assembly lines: The Tivoli Directory Integrator runs the appropriate assemblyline to perform a requested operation on a managed resource. An assemblyline is a data flow that receives information from an input unit, performs an operation on this input, and then conveys the finished product through an output unit.
Note: The Tivoli Directory Integrator assemblyline(s) are only required for Tivoli Directory Integrator based RMI custom adapters.
Tivoli Directory Integrator connectors: The adapter process uses connectors to establish communication between Tivoli Directory Integrator and the managed resource. Connectors are the input and output units of a Tivoli Directory Integrator assemblyline.
Note: The Tivoli Directory Integrator connector(s) are only required for Tivoli Directory Integrator based RMI custom adapters.
Adapter operations: A custom IBM Security Identity Manager adapter must support one or more of the following operations for managing the resource. These operations are specifically supported by RMI.
Add -- Add an account.
Delete -- Delete an account.
Modify -- Modify the specified attributes of an account.
Test -- Test connection parameters by opening a connection to the managed resource.
Search -- Search for accounts matching the specified search filter.
The following additional operations, not directly supported by RMI (handled by the Modify operation), can be issued from Tivoli Identity Manager:
Suspend -- Suspend an account. This operation conveys an “account status” attribute containing a “true” or “false” value.
Restore -- Restore a suspended account. This operation conveys an “account status” attribute containing a “true” or “false” value.
changePassword -- Change the password on the specified account. This operation conveys a new password value.
The following operation, not directly supported by RMI (handled by the Search operation), can be issued from Tivoli Identity Manager:
Reconciliation
Note: Adapter operation(s) are only required for Tivoli Directory Integrator based RMI custom adapters.
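The following Python sketch is an added illustration and is not code from IBM or from this document. It models a custom adapter's operation set as described above: Add, Delete, Modify, Test and Search are the primitives, Suspend, Restore and changePassword arrive as a Modify carrying a single attribute, and Reconciliation is an unfiltered Search. The in-memory resource, the polarity of the "account status" attribute (true = active) and the audit format are assumptions of this model, not part of the document.

```python
"""Constructed model of the operations a custom RMI adapter handles.
Illustrative code added to this document, not IBM's adapter API or a Tivoli
Directory Integrator assembly line: the managed resource is an in-memory dict,
and "account status" true = active / false = suspended is this model's assumption."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class AdapterError(Exception):
    """Raised when an operation cannot be completed on the resource."""


@dataclass
class ManagedResource:
    """Stand-in for the managed system (constructed sample data)."""
    reachable: bool = True
    accounts: Dict[str, Dict[str, str]] = field(default_factory=dict)


@dataclass
class Adapter:
    """add/delete/modify/test/search are the RMI primitives; suspend, restore
    and change_password become a modify of one attribute, reconcile a search."""
    resource: ManagedResource
    audit: List[str] = field(default_factory=list)

    def add(self, uid: str, attrs: Dict[str, str]) -> Dict[str, str]:
        self._require_connection()
        if uid in self.resource.accounts:
            raise AdapterError(f"account {uid} already exists")
        self.resource.accounts[uid] = {"account status": "true", **attrs}
        self._log("add", uid)
        return dict(self.resource.accounts[uid])

    def delete(self, uid: str) -> None:
        self._require_connection()
        if self.resource.accounts.pop(uid, None) is None:
            raise AdapterError(f"account {uid} not found")
        self._log("delete", uid)

    def modify(self, uid: str, attrs: Dict[str, str]) -> Dict[str, str]:
        self._require_connection()
        account = self.resource.accounts.get(uid)
        if account is None:
            raise AdapterError(f"account {uid} not found")
        account.update(attrs)
        # Audit which attributes changed, but never the password value itself.
        self._log("modify", uid, [k for k in attrs if k != "password"])
        return dict(account)

    def test(self) -> bool:
        """Test operation: can a connection to the managed resource be opened?"""
        return self.resource.reachable

    def search(self, match: Optional[Callable[[Dict[str, str]], bool]] = None) -> List[str]:
        self._require_connection()
        return sorted(uid for uid, acct in self.resource.accounts.items()
                      if match is None or match(acct))

    # Issued by Identity Manager, but carried by modify (Suspend, Restore,
    # changePassword) or by search (Reconciliation), as the document states.
    def suspend(self, uid: str) -> Dict[str, str]:
        return self.modify(uid, {"account status": "false"})

    def restore(self, uid: str) -> Dict[str, str]:
        return self.modify(uid, {"account status": "true"})

    def change_password(self, uid: str, new_password: str) -> Dict[str, str]:
        if not new_password:
            raise AdapterError("empty password rejected")
        return self.modify(uid, {"password": new_password})

    def reconcile(self) -> List[str]:
        return self.search(None)  # unfiltered search returns every account

    def _require_connection(self) -> None:
        if not self.test():  # every data operation fails early if Test fails
            raise AdapterError("managed resource unreachable")

    def _log(self, op: str, uid: str, fields: Optional[List[str]] = None) -> None:
        self.audit.append(f"{op} {uid}" + (" " + ",".join(fields) if fields else ""))


def demo():
    """Run a lifecycle on constructed data; returns (active uids, all uids, audit)."""
    res = ManagedResource(accounts={"alice": {"account status": "true", "mail": "alice@example.com"}})
    adapter = Adapter(res)
    adapter.add("bob", {"mail": "bob@example.com"})
    adapter.suspend("bob")
    adapter.change_password("alice", "constructed-sample-value")
    active = adapter.search(lambda acct: acct["account status"] == "true")
    return active, adapter.reconcile(), adapter.audit


def unreachable_is_rejected() -> bool:
    try:
        Adapter(ManagedResource(reachable=False)).reconcile()
    except AdapterError:
        return True
    return False
```

Calling `demo()` returns the active accounts after the suspend, the full reconciliation list, and an audit trail that names the modified attribute for the suspend but deliberately omits the password value for the changePassword; `unreachable_is_rejected()` shows that every data operation runs the Test check first and fails early when the managed resource is unreachable.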
Validation contact information
Please complete ALL the fields below to provide the validation project contact information.
Submitted by:
Title/Position:
Company:
Address:
Telephone:
Fax:
E-mail:
IBM Tivoli Product: IBM Security Identity Manager (5.0 or higher)
Your Solution Name and Version:
Solution URL:
Current Date: 201X/mm/dd
Anticipated Solution Start Date: 201X/mm/dd
Anticipated Solution Completion Date: 201X/mm/dd
Solution to be validated
Solution overview
Please fill in the auto-sizing text box below to provide the validation lab a technical overview of
the application or solution, the integration points and solution to be validated.
To be filled in.
Integration requirements
This section provides an overview of the Ready for IBM Security Intelligence validation
requirements for IBM Security Identity Manager. The next section “Integration Options for
Validation” will allow you to identify the configuration and pertinent platforms used by your
offering for validation.
Architecture and overview
The following diagram shows the overall architecture of the IBM Security Identity Manager server. [Architecture diagram not reproduced in this text.]
The IBM Security Identity Manager server has a layered, modular design that is composed of:
1. A Web client (User Interface) layer that provides an authenticated user access to the system via
browser or via Web Services interface
2. An application layer containing application services for the management of user and policy data
3. A core services layer composed of modules that provide the low-level implementation of the
concepts presented by the application layer.
The IBM Security Identity Manager server is a J2EE based application running on a Web application
server like IBM WebSphere. This application also provides the IBM Security Identity Manager
browser based admin tool.
The LDAP directory is an LDAPv3 directory such as IBM Directory Server or Oracle Directory. IBM Security Identity Manager stores all user account information (user IDs, group membership, etc.) in LDAP.
Audit information is stored in a relational database such as DB2, Oracle or MS-SQL Server.
Credential Vault is a new component introduced in the 6.0 release to store account credentials.
There are many possible integration methods since IBM Security Identity Manager provides a
common Identity Management platform for different application architectures. The following
sections describe the minimum technical requirements for each integration method that will meet
Ready for IBM Tivoli software integration standards. You should fill out the section(s) for the
integration method that you plan to use. You may need to fill out more than one section,
depending on your application/solution and integration plan.
Integration methods and interfaces
IBM Security Identity Manager API integration
The IBM Security Identity Manager Application API is designed to allow access to the application
layer of the IBM Security Identity Manager Platform. The Application API could be used to develop a
custom-lightweight user interface or integration with an existing application needing to leverage the
platform to extend its own functionality.
The Application API consists of a set of java classes that abstract the more commonly used functions of
the provisioning platform, such as identity management, password management, and account
management. The classes that make up this API are the same classes IBM Security Identity Manager
uses for its out-of-the-box user interface.
The application tier makes use of the low-level services to implement the end-to-end business logic
involved in a provisioning action. This may require workflow processes to execute (see the Workflow
API), the data store to be updated (see the Data Services API), or resources to be provisioned (see the
Service Provider API). These implementation details of a provisioning action are encapsulated within
the application module to ensure that the action will be implemented correctly and that backwards
compatibility with platform upgrades will not be an issue for the API client.
One aspect of the business logic behind a provisioning action is authorizing the caller to perform the action by using the security mechanisms put in place by the Authorization module. For this reason, all Application API calls require user information about the caller so that the proper authorization can take place. To make calls in an unrestricted manner, the client must be authenticated as the administrator and pass the administrator’s information into the API calls.
The Application API can be accessed remotely. This allows clients to communicate with the
provisioning platform without requiring co-location. To establish communications with the
provisioning platform, a context must be created. This context is established using a set of classes that
make up a framework that can support connecting to different platform deployment configurations
easily without changes to the client.
For complete details of the Application API and other IBM Security Identity Manager APIs, please refer to the IBM Security Identity Manager InfoCenter and check for API examples under <IBM_Security_Identity_Manager_install_dir>\extensions\6.0\examples.
IBM Tivoli Directory Integrator integration
IBM Tivoli Directory Integrator is a data synchronization tool shipped with IBM Security Identity
Manager that will assist in manipulating data from a variety of identity sources and storing and
updating that identity information in IBM Security Identity Manager. Tivoli Directory Integrator can
manage account data from a variety of data sources. SQL Databases and LDAP directories can be
easily accessed with Tivoli Directory Integrator in a bi-directional way. Tivoli Directory Integrator is
useful in filling functionality gaps to deliver a complete solution.
Tivoli Directory Integrator identity feed
There are three scenarios where Tivoli Directory Integrator could feed information into IBM Security
Identity Manager:
1) Tivoli Directory Integrator can be used to load changes from many different authoritative data sources (e.g. HR systems, email systems) into IBM Security Identity Manager. This helps solve a significant problem for many customers who have multiple sources for authoritative data. For instance, some employee information is usually kept in an HR system such as PeopleSoft. Many customers do not keep information on contractors or temporary employees in their HR system. Contractor/temp information is often maintained in a separate datastore (Oracle). Email addresses are often kept in yet another store, maybe Active Directory or Domino NAB. That is three datastores alone. Tivoli Directory Integrator lets IBM Security Identity Manager connect to each of these datastores and get only the data IBM Security Identity Manager needs. Tivoli Directory Integrator can get manager names and department numbers from PeopleSoft, contractor information from Oracle and email addresses from Active Directory or Domino. Tivoli Directory Integrator sends only the necessary pieces of information to IBM Security Identity Manager. IBM Security Identity Manager now has the most current information and uses that information to provision users.
2) This scenario is slightly different from the first scenario. In the first scenario, we were using Tivoli Directory Integrator to obtain authoritative identity information for a user. In this second scenario, Tivoli Directory Integrator can be used to bulk load existing users from an existing data store (i.e. AD or RACF) into IBM Security Identity Manager. This is particularly useful during new deployments of IBM Security Identity Manager when customers already have a significant number of users in another datastore.
3) Tivoli Directory Integrator can also be used to synchronize information between two endpoints
that are managed by IBM Security Identity Manager. For example, a customer might be using
MS-Exchange, Active Directory and SunOne LDAP. They may have a requirement to store
email addresses in both AD and the SunOne Directory. Tivoli Directory Integrator can be
configured to read only the user’s email address from AD and write the email address to the
user’s corresponding mail attribute in LDAP.
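An added illustration of scenarios 1 and 3 above in Python; this is not IBM's code or this document's. The feed function pulls only the attributes Identity Manager needs from three constructed stores (an HR system, a contractor database and a mail directory) and merges them into one record per person, and the sync function reads only the mail address from AD entries and computes the writes needed on the corresponding LDAP entries. The store names, field names, sample records and the emp_id join key are all made up for the example.

```python
"""Constructed example of a Tivoli Directory Integrator style identity feed.
Added illustration, not IBM code: the three stores, their field names and the
records are made up, and the join key emp_id is an assumption."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample stores. Each is authoritative for different attributes,
# and each carries fields Identity Manager does not need (salary, end_date).
HR_SYSTEM = [
    {"emp_id": "1001", "name": "Alice Example", "manager": "1000", "dept": "4200", "salary": "n/a"},
    {"emp_id": "1002", "name": "Bob Example", "manager": "1000", "dept": "4200", "salary": "n/a"},
]
CONTRACTOR_DB = [
    {"emp_id": "2001", "name": "Carol Contract", "manager": "1001", "end_date": "2014-12-31"},
]
MAIL_DIRECTORY = [
    {"emp_id": "1001", "mail": "alice@example.com"},
    {"emp_id": "2001", "mail": "carol@example.com"},
    {"emp_id": "9999", "mail": "orphan@example.com"},  # no HR or contractor record
]

# Only these attributes are forwarded to Identity Manager.
REQUIRED = ("emp_id", "name", "person_type", "manager", "dept", "mail")


def index_by(records: Iterable[Dict[str, str]], key: str) -> Dict[str, Dict[str, str]]:
    """Build a lookup table from a list of records, keyed on one attribute."""
    return {rec[key]: rec for rec in records}


def build_feed(hr, contractors, mail_dir) -> List[Dict[str, str]]:
    """Scenario 1: one record per person, attributes taken from the store that
    is authoritative for them, everything else left behind. The mail directory
    only enriches; a mail entry with no HR/contractor record creates nobody."""
    mail = index_by(mail_dir, "emp_id")
    feed = []
    for person_type, source in (("employee", hr), ("contractor", contractors)):
        for rec in source:
            merged = dict(rec, person_type=person_type)
            if rec["emp_id"] in mail:
                merged["mail"] = mail[rec["emp_id"]]["mail"]
            feed.append({k: merged[k] for k in REQUIRED if k in merged})
    return sorted(feed, key=lambda r: r["emp_id"])


# Scenario 3: constructed AD and LDAP entries for a one-attribute sync.
AD_SAMPLE = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "memberOf": "cn=staff"},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "memberOf": "cn=staff"},
]
LDAP_SAMPLE = [
    {"uid": "alice", "mail": "alice.old@example.com"},
    {"uid": "dave"},
]


def mail_sync_changes(ad_entries, ldap_entries) -> List[Tuple[str, str, str]]:
    """Read only the mail attribute from AD and return the (uid, attribute,
    value) writes needed so the matching LDAP entry carries the same address.
    Entries without a counterpart on the other side produce no write."""
    ldap = index_by(ldap_entries, "uid")
    changes = []
    for entry in ad_entries:
        target = ldap.get(entry["sAMAccountName"])
        if target is not None and target.get("mail") != entry["mail"]:
            changes.append((target["uid"], "mail", entry["mail"]))
    return changes
```

Two design points worth noting: the feed never forwards fields outside `REQUIRED`, so salary and contract end dates stay in their source systems, and existence is decided only by the authoritative stores, so the stray mail-directory entry does not create an identity. The sync function likewise reads nothing from AD but the mail attribute and emits only the writes that would actually change LDAP.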
Tivoli Directory Integrator Resource adapter
Tivoli Directory Integrator can be used as a custom RMI resource adapter. A custom Tivoli Directory Integrator resource adapter provides the ability to do additional data manipulation and customization that a normal IBM Security Identity Manager agent would not. In this case a custom Tivoli Directory Integrator assembly line can be created for each of the IBM Security Identity Manager actions. That is, an assembly line can be created for adding a user, modifying a user, deleting a user and so on.
Workflow extensions API
Features:
- Integrated with IBM Security Identity Manager UI
- Allows definition of custom workflow units that are executed as part of the IBM Security Identity Manager workflow engine.
The workflow API is designed for interaction with the IBM Security Identity Manager workflow
engine, and allows you to create your own workflow extensions that can be called within a lifecycle
operation or approval process. Clients may also integrate other systems, possibly other workflow
engines, into a workflow process through this API.
All workflow extensions are defined in workflowextensions.xml.
Integration options for validation
Check each integration type you will use to integrate your solution with IBM Security Identity
Manager. Check each operating system platform the integration supports.
IBM Identity Manager API integration? Yes / No
IBM Directory Integrator integration? Yes / No
Workflow extensions API integrations? Yes / No
OS platforms: Windows 2008, Windows 2008 R2, Solaris, AIX, RedHat, SUSE, Other (Specify)
Integration exceptions
Use this section to note any exceptions to the Integration Requirements that should be considered for this integration. Also list any additional considerations or system impact not explicitly stated previously. This may include, but is not limited to: database changes, application functionality, or any task that affects the integration but is outside the scope of this estimate. The information will be reviewed and discussed during validation.
Resources
Use the following information and resource links to assist with setting up and integrating with IBM Security Identity Manager.
IBM Security Identity Manager Information: http://www-01.ibm.com/software/tivoli/products/identity-mgr/
IBM Security Identity Manager Documentation: http://www.ibm.com/developerworks/wikis/display/tivolidoccentral/Tivoli+Identity+Manager
IBM Security Identity Manager (ISIM) Adapter Development Tool (ADT): http://www.ibm.com/software/ismlibrary?NavCode=1TW10IM0C
Documentation Tool (DocTool) for Identity Manager: http://www.ibm.com/software/ismlibrary?NavCode=1TW10IM0H
Ready for IBM Security Enablement Resources: https://www.ibm.com/partnerworld/page/isv_com_dvm_techval_security
Support Portal: http://www-947.ibm.com/support/entry/myportal/Overview/Software/Tivoli/Tivoli_Identity_Manager
Support Forum: http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1517
SMC Community: https://www.ibm.com/developerworks/servicemanagement/