IT Mutt

July 19, 2009

[ITIM] Quiescing a provisioning policy

Filed under: Tivoli Identity Manager — Jose Negron @ 7:49 pm

Disabling a provisioning policy through the ITIM 4.5.1 interface will “do things”. There are times, however, when I simply need it to stop what it is doing without triggering some sort of mass re-evaluation. Flipping the policy's erenabled attribute directly in LDAP does exactly that.

To disable:
ldapmodify -D cn=root -w password -h host -p 389 -f disable_myprovisioning_pol.txt

Where disable_myprovisioning_pol.txt contains:
dn: erglobalid=ERGLOBALID,ou=policies,erglobalid=00000000000000000000,o=myco,c=us
changetype: modify
replace: erenabled
erenabled: false

To enable:
ldapmodify -D cn=root -w password -h host -p 389 -f enable_myprovisioning_pol.txt

Where enable_myprovisioning_pol.txt contains:
dn: erglobalid=ERGLOBALID,ou=policies,erglobalid=00000000000000000000,o=myco,c=us
changetype: modify
replace: erenabled
erenabled: true

If you’re making an update to the policy (using the ITIM interface) while it is disabled this way, be careful NOT to:
– Remove any memberships from the policy
– Modify any users (using TAM, ITIM or an ldapmodify)
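Added example (not code from the post): a small Node script that finds the policy's erglobalid in an LDIF export of ou=policies and writes the enable/disable LDIF shown above, refusing to emit a no-op so an already-enabled policy is never “re-enabled” by accident. It assumes the policy's display name is held in the erpolicyitemname attribute (check your schema) and works on a constructed sample export.

```javascript
// Constructed sample export (e.g. from ldapsearch -L on ou=policies); two policies, one enabled.
const SAMPLE_LDIF = [
  "dn: erglobalid=1234567890123456789,ou=policies,erglobalid=00000000000000000000,o=myco,c=us",
  "objectclass: erProvisioningPolicy",
  "erpolicyitemname: TAM Default Policy",  // assumed attribute name for the policy's display name
  "erenabled: true",
  "",
  "dn: erglobalid=2234567890123456789,ou=policies,erglobalid=00000000000000000000,o=myco,c=us",
  "objectclass: erProvisioningPolicy",
  "erpolicyitemname: AD Contractors",
  "erenabled: false",
].join("\n");
// Minimal LDIF reader: a blank line ends an entry, a leading space continues the
// previous value, attribute names are folded to lower case. Base64 values (attr::) are not decoded.
function parseLdif(text) {
  const entries = [];
  let cur = null, lastAttr = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === "") { if (cur) entries.push(cur); cur = null; continue; }
    if (line.startsWith("#")) continue;
    if (line.startsWith(" ") && cur && lastAttr) {
      const v = cur[lastAttr]; v[v.length - 1] += line.slice(1); continue;
    }
    const i = line.indexOf(":");
    if (i < 0) continue;
    const attr = line.slice(0, i).toLowerCase(), value = line.slice(i + 1).trim();
    if (!cur) cur = {};
    (cur[attr] = cur[attr] || []).push(value);
    lastAttr = attr;
  }
  if (cur) entries.push(cur);
  return entries;
}
// Build the ldapmodify input for one policy. A no-op is refused so that nobody
// "re-enables" an already enabled policy and kicks off a re-evaluation by mistake.
function policyToggleLdif(ldifText, policyName, enable) {
  const hit = parseLdif(ldifText).find(e =>
    e.dn && /,ou=policies,/i.test(e.dn[0]) &&
    (e.erpolicyitemname || []).some(n => n.toLowerCase() === policyName.toLowerCase()));
  if (!hit) throw new Error("no provisioning policy named " + policyName);
  const current = (hit.erenabled || ["true"])[0].toLowerCase() === "true";
  if (current === enable) throw new Error(policyName + " already has erenabled=" + current);
  return ["dn: " + hit.dn[0], "changetype: modify", "replace: erenabled",
          "erenabled: " + (enable ? "true" : "false"), ""].join("\n");
}
// Redirect this to disable_myprovisioning_pol.txt and feed it to ldapmodify as in the post.
const DISABLE_LDIF = policyToggleLdif(SAMPLE_LDIF, "TAM Default Policy", false);
console.log(DISABLE_LDIF);
```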

re: ITIM 4.5.1

[TDS, LDAP] Adding an organizational unit

Filed under: LDAP, Tivoli Directory Server — Jose Negron @ 3:16 pm

ldapmodify -D cn=root -w password -h host -p 389 -a -f myous.txt

Where myous.txt contains the following:

dn: ou=users,o=myco,c=us
ou: users
objectclass: organizationalUnit

dn: ou=groups,o=myco,c=us
ou: groups
objectclass: organizationalUnit

January 4, 2009

[ITIM] JavaScript examples

Filed under: JavaScript, Tivoli Identity Manager — Jose Negron @ 11:39 pm

Finding JavaScript examples is easy enough but for some reason finding examples that are relevant to TIM…not so much. A few are found in the following docs:

Extending IBM Tivoli Identity Manager 4.6 Using JavaScript

Identity and Access Management Solutions Using WebSphere Portal V5.1, TIM V4.5.1, and TAM V5.1

A Sample Integration of IBM Tivoli Security Management Products

re: ITIM 4.5.1/4.6

[ITIM] JavaScript snippet – ertam4groupmember – assigning more than one group

Filed under: JavaScript, Tivoli Identity Manager — Jose Negron @ 10:30 pm

{
// Roles assigned to the person in ITIM; each role object exposes its name as .name
var timRoles = subject.getProperty("role");
// TAM groups to assign; ertam4groupmember is multi-valued so an array is returned
var tamGrps = new Array();

if (timRoles != null && timRoles.length > 0) {
        for (var i = 0; i < timRoles.length; i++) {
                if (timRoles[i].name == "User Role 1") {
                        tamGrps[tamGrps.length] = "usergrp1";
                }
                else if (timRoles[i].name == "User Role 2") {
                        tamGrps[tamGrps.length] = "usergrp2";
                }
                else if (timRoles[i].name == "User Role 3") {
                        tamGrps[tamGrps.length] = "usergrp3";
                }
                else if (timRoles[i].name == "User Role 4") {
                        tamGrps[tamGrps.length] = "usergrp4";
                }
                else if (timRoles[i].name == "User Role 5") {
                        tamGrps[tamGrps.length] = "usergrp5";
                }
        }
}

return tamGrps;
}

File with snippet (formatted)

re: ITIM 4.5.1

October 29, 2008

[eTrust] Perl script to extract users

Filed under: Uncategorized — Jose Negron @ 10:08 pm

Nothing fancy. Grab users and write them to file.

File with snippet

re: eTrust

August 25, 2008

[TAM] Running Web Portal Manager with WAS Security turned on

Once you enable WAS security on the WAS instance to which the TAM WPM was deployed, you will be prompted for a username and password before even getting to the WPM homepage. That’s WAS security kicking in.

To disable it, navigate to the WAS console, then Applications -> Enterprise Applications -> TAMWPM -> Map security roles to users/groups. Uncheck everything under “All Authenticated?” and check everything under “Everyone?”. Save and restart. The next time you browse to the WPM you will get to the WPM homepage without WAS prompting you for anything.


Oh yeah…probably not a bad idea to apply WAS & Java fixpacks…
WebSphere Application Server 5.0.2 Cumulative Fix 17
V5.0.2: SDK 1.3.1 Cumulative Fix

re: TAM 5.1

July 23, 2008

[TAM] Perl script to replicate the authorization database

Filed under: Tivoli Access Manager for e-business — Jose Negron @ 9:33 pm

Straightforward Perl script that uses the pdadmin command line utility to retrieve a server listing and then executes a server replicate for each server.

If you’re running it on Windows, grab yourself the Perl distribution from ActiveState and the Unix utilities from Cygwin. You will of course also need to have the TAM Runtime component installed.

File with snippet

re: TAM 5.1

July 22, 2008

[TIM] JavaScript snippet – ertam4groupmember

Filed under: Tivoli Identity Manager — Jose Negron @ 4:35 pm

{
// Roles assigned to the person in ITIM; each role object exposes its name as .name
var timRoles = subject.getProperty("role");
var tamGrp = " ";
var adminRl = false;
var userRl = false;

if (timRoles != null && timRoles.length > 0) {
        for (var i = 0; i < timRoles.length; i++) {
                if (timRoles[i].name == "Application ABC Admin")
                        adminRl = true;
                if (timRoles[i].name == "Application ABC User")
                        userRl = true;
        }

        // Only one group is assigned; the admin role takes precedence over the user role
        if (adminRl)
                tamGrp = "appabc_admins";
        else if (userRl)
                tamGrp = "appabc_users";
        else
                tamGrp = " ";
}
else
        tamGrp = " ";

return tamGrp;
}
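Added example (not part of either ertam4groupmember post): a table-driven version of the two snippets, covering both the multi-group variant from the later post and the admin-over-user single-group variant here, with de-duplication for roles that map to the same group. The `subject` object is a constructed stand-in for the one ITIM supplies, and the code stays with var/for syntax so the two function bodies can be pasted into an ITIM script box.

```javascript
// Constructed stand-in for ITIM's `subject`; the real one is supplied by the server.
var subject = {
  getProperty: function (name) {
    if (name !== "role") return null;
    return [{ name: "Application ABC User" }, { name: "User Role 2" },
            { name: "Application ABC Admin" }, { name: "Unmapped Role" }];
  }
};

// Role name -> TAM group(s). Extending the mapping is a table edit, not another else-if.
var ROLE_TO_GROUPS = {
  "User Role 1": ["usergrp1"],
  "User Role 2": ["usergrp2"],
  "Application ABC Admin": ["appabc_admins"],
  "Application ABC User": ["appabc_users"]
};

// Multi-valued variant: every group any of the roles maps to, each listed once
// (two roles mapping to the same group must not produce a duplicate member value).
// A null or empty role list yields an empty array, i.e. no group is assigned.
function tamGroupsForRoles(roles, table) {
  var out = [];
  if (roles == null) return out;
  for (var i = 0; i < roles.length; i++) {
    var groups = table[roles[i].name];
    if (!groups) continue;                       // unmapped roles are ignored
    for (var j = 0; j < groups.length; j++) {
      var seen = false;
      for (var k = 0; k < out.length; k++) if (out[k] === groups[j]) seen = true;
      if (!seen) out.push(groups[j]);
    }
  }
  return out;
}

// Single-valued variant: the first group in `precedence` that the roles qualify for
// (admins win over users, as in the second snippet); "" when none applies.
function tamGroupByPrecedence(roles, table, precedence) {
  var groups = tamGroupsForRoles(roles, table);
  for (var p = 0; p < precedence.length; p++)
    for (var g = 0; g < groups.length; g++)
      if (groups[g] === precedence[p]) return precedence[p];
  return "";
}

// In an ITIM script box the body would end with a `return` of one of these two.
var allGroups = tamGroupsForRoles(subject.getProperty("role"), ROLE_TO_GROUPS);
var oneGroup = tamGroupByPrecedence(subject.getProperty("role"), ROLE_TO_GROUPS,
                                    ["appabc_admins", "appabc_users"]);
```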

File with snippet

re: TIM 4.5.1

September 28, 2007

[TAM] Removing ghost server entries – svrsslcfg

Filed under: Tivoli Access Manager for e-business — Jose Negron @ 2:56 pm

What’s a “ghost server”? I’m referring to the leftover reference to a WebSEAL server, authorization server, Web Portal Manager server, and so on, in the master authorization database after either a failed configuration/unconfiguration attempt or the removal of a physical server without first having run pdconfig to cleanly remove whatever TAM server components happened to live there. To remove such an entry, use the C-based version of svrsslcfg.

svrsslcfg -unconfig -f /tmp/null.conf -n <APP/SVRNAME>-webseald -h <HOST> -P <ADMIN_PWD> -A <ADMIN_ID>

If for example one had a WebSEAL server reference mysite.com-webseald-svrhost1 (output from a server list command):

svrsslcfg -unconfig -f /tmp/null.conf -n mysite.com-webseald -h svrhost1 -P passw0rd -A sec_master

The -f switch can be given an empty file, which is all /tmp/null.conf is here.

re: TAM 5.1

November 1, 2006

[TAM] Using the TAM Java Admin API – Part 3 Sample Code

Filed under: Tivoli Access Manager for e-business — Jose Negron @ 6:29 pm

Nothing fancy here, just enough to connect, get a list of servers and then disconnect:

TAMTestPDJrte.java

To compile:
JAVA_HOME=/usr/j2se
CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/jre/lib/ext/PD.jar
$JAVA_HOME/bin/javac -classpath $CLASSPATH TAMTestPDJrte.java

To run:
JAVA_HOME=/usr/j2se
CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/jre/lib/ext/PD.jar
$JAVA_HOME/jre/bin/java -classpath $CLASSPATH TAMTestPDJrte <USERID> <PASSWORD> file:///usr/j2se/jre/PolicyDirector/PDPerm.properties

re: TAM 5.1
