JAR File Prerequisites

Complete the tasks listed on this page before configuring the connector with .jar files.

  • Configure at least one virtual appliance (VA) cluster and successfully test the connection.

  • You must set up a service account that has the required permissions.

  • Ensure that the LDAP directory server associated with IBM Security Verify Access is configured and functional.

  • To support .jar file generation on IBM Security Directory Suite version 10.0, use Java version 8.0.7.16-ISS-JAVA-WinX64-FP0016 or later.

Install PDJRTE

Install PDJRTE (the IBM Security Verify Access Runtime for Java) so that a Java application can use Security Verify Access security services.

Perform the following steps to install PDJRTE on the LDAP Directory Server machine:

  1. Copy the license file (PDLIC.txt) from the PDJRTE directory to the root directory (for example, C:\ or / in Unix).

  2. Open a command prompt on the LDAP Directory Server machine and go to the PDJRTE sbin directory.

    For example:

    C:\pdjrte-x.x.x-0\pdjrte\sbin

    where x.x.x is the PDJRTE version, for example 9.0.0.

  3. Run the configuration command:

    • Windows: pdjrtecfg.bat -action config -interactive

    • UNIX: pdjrtecfg -action config -interactive

  4. In the configuration dialog, set the Java runtime environment that Security Verify Access will use: select a valid JRE path and click Next.

  5. Enter the details of the machine where your Security Verify Access policy server is running:

    • Host name: the host name or IP address of the configured IBM Security Verify Access policy server

    • Port: 7135 (default port)

    • Domain: Default (recommended)

  6. Enable Security Verify Access common directory logging (recommended; keep it on for troubleshooting).

  7. Select Finish.

This adds the following .jar files to the $JDK_HOME\jre\lib\ext directory (the Java 8 extension directory); the Security Verify Access connector depends on them. For example:

PD.jar
ibmjcefips.jar
ibmjcefw.jar
ibmjceprovider.jar
ibmjsseprovider2.jar
ibmpkcs.jar
local_policy.jar
US_export_policy.jar 

Generate config and keyfile

On the LDAP Directory Server host, use the com.tivoli.pd.jcfg.SvrSslCfg command to generate the config file and key file required to communicate with IBM Security Verify Access. The path of the config file must later be configured in the application configuration. For example:

    java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd <password> -appsvr_id server1 -host <host> -port <port_number> -mode remote -policysvr <host:7135:1> -authzsvr <host:7136:2> -domain default -cfg_file <path of config file to be generated> -key_file <path of key file to be generated> -cfg_action create

Where <host> is the IP address of the IBM Security Verify Access server, and <password> is the sec_master password.

Note that the sec_master password is passed on the command line, so it is visible in the shell history and in the process list while the command runs. Run the command from a session whose history is disabled, and treat the generated key file as a credential: restrict its file permissions and copy it to the VA only over an encrypted channel.

Integration with IBM Security Verify Access

Perform the following steps to integrate with IBM Security Verify Access.

  1. Copy the following .jar files from the jre/lib/ext directory on the IBM LDAP Directory Server host (where the PDJRTE configuration placed them) to the $JDK_HOME\jre\lib\ext or WEB-INF\lib directory on the SailPoint host. File names are case-sensitive on UNIX; keep them exactly as they appear on the source system:

    ibmjcefips.jar
    ibmjcefw.jar
    ibmjceprovider.jar
    ibmjsseprovider2.jar
    ibmpkcs.jar
    local_policy.jar
    US_export_policy.jar
    PD.jar
  2. Log in to the VA as the sailpoint user and create the following directory:

    /home/sailpoint/TAM

  3. Copy the PD.properties and PDCA.ks files from the PolicyDirector directory under $JDK_HOME\jre on the LDAP Directory Server host to the /home/sailpoint/TAM directory on the VA.

    Note

    To configure more than one Security Verify Access source on a single VA, prefix the names of these two files with the source ID so that each source has its own copy. The source ID is the numeric value at the end of the source URL.

    Using the following source URL as an example:

    https://<ISC Host>/ui/admin#admin:connections:sources:614226

    You can create the following file names:

    614226_PDCA.ks

    614226_PD.properties

  4. Copy the config file and key file generated by the SvrSslCfg command from the LDAP Directory Server host to the /home/sailpoint/TAM directory on the VA.

    Important
    For multiple Security Verify Access sources on a single VA, you must use unique names for each source's config file and key file.

  5. The config file contains a pdcert-url entry that points to the key file. Update it to the VA path of the copied key file, for example:

    pdcert-url=file\:/home/sailpoint/TAM/<keyfileName>

    where <keyfileName> is the key file name you supplied to -key_file when you ran SvrSslCfg. The colon after file is escaped with a backslash because the config file uses Java properties syntax.
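The last two steps (staging the SvrSslCfg output on the VA and repointing pdcert-url) are easy to get wrong by hand, in particular the escaped colon in the properties value and the per-source file names. The following script is an added example, not SailPoint's or IBM's own code: it copies a config file and key file into a target directory, prefixes both with a source ID when one is given, rewrites (or appends) the pdcert-url entry with the properties escaping, and verifies the result. The target directory /home/sailpoint/TAM, the sample config contents and the file names sva.conf and sva.ks are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not SailPoint's or IBM's code). Stages SvrSslCfg output on the VA
# and repoints pdcert-url at the staged key file. Assumes the config file is a
# Java .properties file whose key is literally "pdcert-url".

# stage_sva_files CONFIG KEYFILE DEST [SOURCE_ID]
# With SOURCE_ID set, both files get a "<id>_" prefix so several SVA sources can
# share one VA without overwriting each other's config and key file.
stage_sva_files() {
  cfg="$1" key="$2" dest="$3" src="${4:-}"
  prefix=""
  [ -n "$src" ] && prefix="${src}_"
  cfg_out="$dest/${prefix}$(basename "$cfg")"
  key_out="$dest/${prefix}$(basename "$key")"

  # '|' is the sed delimiter below; refuse such paths rather than mangle the file.
  case "$key_out" in *'|'*) echo "unsupported character in path: $key_out" >&2; return 1;; esac

  mkdir -p "$dest" || return 1
  cp "$cfg" "$cfg_out" && cp "$key" "$key_out" || return 1
  chmod 600 "$key_out" "$cfg_out"   # the key file is a credential; keep it private

  # Java .properties escape ':' in values, so the URL must read  file\:/path/to/key
  # ($url carries a doubled backslash because sed collapses it in the replacement).
  url="file\\\\:${key_out}"
  if grep -q '^pdcert-url=' "$cfg_out"; then
    sed "s|^pdcert-url=.*|pdcert-url=${url}|" "$cfg_out" > "$cfg_out.tmp" \
      && mv "$cfg_out.tmp" "$cfg_out"
  else
    printf 'pdcert-url=%s\n' "file\\:${key_out}" >> "$cfg_out"
  fi
  # Verify: exactly one pdcert-url line, and it points at the staged key file.
  [ "$(grep -c '^pdcert-url=' "$cfg_out")" -eq 1 ] \
    && grep -q "^pdcert-url=file\\\\:${key_out}\$" "$cfg_out"
}

# pdcert_url CONFIG -> prints the pdcert-url value with the properties escaping removed.
pdcert_url() {
  sed -n 's/^pdcert-url=//p' "$1" | sed 's/\\:/:/g'
}

# demo [WORKDIR]: builds a constructed sample of the SvrSslCfg output (not a real
# config or keystore), stages it for source ID 614226 and prints the resulting URL.
demo() {
  work="${1:-${TMPDIR:-/tmp}/sva-demo.$$}"
  mkdir -p "$work/ldap" || return 1
  printf '%s\n' '# constructed sample standing in for SvrSslCfg output' \
                'appsvr-id=server1' \
                'pdcert-url=file\:/opt/pdjrte/keys/sva.ks' > "$work/ldap/sva.conf"
  printf 'not-a-real-keystore\n' > "$work/ldap/sva.ks"
  stage_sva_files "$work/ldap/sva.conf" "$work/ldap/sva.ks" "$work/TAM" 614226 || return 1
  pdcert_url "$work/TAM/614226_sva.conf"
}
```

For the production copy, call stage_sva_files with the real config and key file names and /home/sailpoint/TAM as the destination; omit the source ID when the VA serves a single Security Verify Access source. The post-rewrite grep is the check worth keeping even if you edit by hand: a config file with a wrong or unescaped pdcert-url fails only when the connector first opens the key file.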