Tivoli Access Manager for Enterprise SSO

Connector name: agttamsso

Connector type: Executable

Type (UI field value): Tivoli Access Manager for Enterprise SSO

Target system versions supported: IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) systems

Connector status / support: Customer-Verified

Clients may contact Bravura Security support for assistance with this connector. Troubleshooting and testing must be completed in the client's test environment as Bravura Security does not maintain internal test environments for the associated target system.

Bravura Security Fabric performs the following operations on an IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM ESSO) system using the agttamsso connector:

  • administrator reset password

  • List:

    • accounts

The following sections show you how to:

  • Prepare for target configuration

  • Target a TAM ESSO server

  • Troubleshoot integration problems

See also

Bravura Security Fabric performs operations on an IBM Tivoli Access Manager (TAM) system using the agttam connector.

Preparation

Before you can target TAM ESSO from Bravura Security Fabric you must:

  • Create a target administrator account on the TAM ESSO server

  • Configure the reset operation

Creating a target administrator

Use the TAM IMS Configuration Utility to create an IMS Bridge. The Bravura Security Fabric server uses this bridge as its target system administrator credentials. When configuring the bridge:

  1. The name of the bridge will be the administrator ID in the ESSO target system configuration in Bravura Security Fabric.

  2. The IMS Bridge password will be the administrator password in the ESSO target system configuration in Bravura Security Fabric.

  3. Ensure that the IMS Bridge IP Addresses setting includes the IP addresses of all Bravura Security Fabric nodes that will contact TAM ESSO.

  4. Set the IMS Bridge Type to "Provisioning".

Once the bridge is created, you must restart your IMS Server application from within WebSphere for the changes to be picked up.

Configuring the reset operation

To enable Bravura Security Fabric to reset TAM ESSO accounts or authentication services, you must set the TAM ESSO accounts’ secret.

If resets fail because secrets are not set on the account, configure the following in TAM ESSO:

  1. Click AccessAdmin > System policies > Sign Up Policies > Option for specifying secret.

  2. Set to "Secret not required".

    Note

    If this is not configured, TAM ESSO returns an error when trying to reset these accounts:

    The pid_secret_option is not set to zero.

Updating authentication service passwords only updates the passwords stored in the wallet. In order to update both the wallet password and the account for the service, you must create a target system for the respective services.

After a successful reset, users must log out and log back into AccessAgent to retrieve a new wallet. If the wallet is not successfully retrieved, the old wallet with old passwords is still used.

Targeting the TAM ESSO server

For each TAM ESSO server, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):

  • Type is Tivoli Access Manager for Enterprise SSO

  • Address uses the following settings:

    URL is the URL address of the web server running the TAM ESSO IMS application.

    Authentication services are the authentication services to reset. This is a list of Authentication service IDs found under: IMS Configuration Utility > Authentication services > Authentication service details.

    Caution

    If authentication services are omitted from the target address, then only the TAM ESSO account is reset, and no authentication services are reset.

    The address is entered in KVGroup format:

    {url=<TAM URL>;[authsvc={<AUTHSVC ID>;...};]}

  • Credentials are the name and password of the IMS Bridge you set up earlier.

The full list of target parameters is explained in Target system options.
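The following pre-save check for the target address is an added example, not Bravura Security code. It parses the KVGroup template shown above and reports the condition from the Caution (no authentication services listed). The grammar is assumed from that template alone (no escaping, one level of nesting), the https check is an addition of this example, and the host and service IDs are constructed placeholders.

```python
from urllib.parse import urlparse

def parse_address(addr):
    """Parse '{url=...;authsvc={id;id;};}' into {'url': str, 'authsvc': [str]}."""
    addr = addr.strip()
    if not (addr.startswith("{") and addr.endswith("}")):
        raise ValueError("address must be wrapped in { }")
    body, out, i = addr[1:-1].strip(), {}, 0
    while i < len(body):
        eq = body.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' after offset {i}")
        key = body[i:eq].strip()
        if body.startswith("{", eq + 1):           # list value: {item;item;}
            close = body.find("}", eq + 1)
            if close < 0:
                raise ValueError(f"unterminated list for {key!r}")
            value = [v.strip() for v in body[eq + 2:close].split(";") if v.strip()]
            end = close + 1
        else:                                      # scalar value runs to ';'
            end = body.find(";", eq + 1)
            if end < 0:
                raise ValueError(f"missing ';' after {key!r}")
            value = body[eq + 1:end].strip()
        if not body.startswith(";", end):
            raise ValueError(f"missing ';' after {key!r}")
        if key in out:
            raise ValueError(f"duplicate key {key!r}")
        out[key], i = value, end + 1
    return out

def review_address(addr):
    """Return findings an administrator should see before saving the target."""
    cfg, findings = parse_address(addr), []
    url = cfg.get("url")
    if not isinstance(url, str) or not urlparse(url).netloc:
        findings.append("url is missing or has no host")
    elif urlparse(url).scheme != "https":          # added check, not from the page
        findings.append("url is not https")
    if not cfg.get("authsvc"):                     # the page's Caution
        findings.append("no authsvc: only the TAM ESSO account is reset")
    for key in sorted(set(cfg) - {"url", "authsvc"}):
        findings.append(f"key {key!r} is not in the page's template")
    return findings

# Constructed sample addresses (host and service IDs are placeholders).
FULL = "{url=https://ims.example.test;authsvc={dir_ad;dir_mail;};}"
ACCOUNT_ONLY = "{url=http://ims.example.test;}"
print(review_address(ACCOUNT_ONLY))
```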

Troubleshooting

If you experience any errors, and have made any changes to the IMS Bridge or any other configuration settings, try restarting the TAM ESSO IMS application under WebSphere.

IIS issues

Testing administrative credentials in the Manage the system (PSA) module might not work correctly with IIS, because Microsoft .NET Framework prevents the connector from loading correctly. However, a test list executes successfully since it is launched via the testlist utility.