JAR File Prerequisites

Complete the tasks listed on this page before configuring the connector with .jar files.

  • You must set up a service account that has the required permissions.

  • Ensure that the LDAP directory server associated with IBM Security Verify Access is configured and functional.

  • To support .jar file generation on IBM Security Directory Suite version 10.0, you should use Java version 8.0.7.16-ISS-JAVA-WinX64-FP0016 or later.

Install PDJRTE

Install PDJRTE to configure the IBM Security Verify Access Runtime for Java component, which enables Java applications to use Security Verify Access security services.

Perform the following steps to install PDJRTE on the LDAP Directory Server Machine:

  1. Copy the license file (PDLIC.txt) from the PDJRTE directory to the root directory (for example, C:\ or / in Unix).

  2. Open a command prompt on the LDAP Directory Server machine and change to the PDJRTE sbin directory.

    For example:

    C:\pdjrte-x.x.x-0\pdjrte\sbin

    where x.x.x is 9.0.0.

  3. Run the following command:

    • For Windows: pdjrtecfg.bat -action config -interactive

    • For UNIX: pdjrtecfg -action config -interactive

  4. In the configuration dialog, configure the Java runtime environment for Security Verify Access: select a valid JRE path and click Next.

  5. Enter the details of the machine on which your existing Security Verify Access policy server is running, as follows:

    • Host name – IP address of the configured IBM Security Verify Access policy server

    • Port – 7135 (Default port)

    • Domain – Default (Recommended)

  6. Enable Security Verify Access common directory logging (recommended to keep it on for troubleshooting).

  7. Select Finish.

This adds the .jar files used by the Security Verify Access Connector to the $JDK_HOME\jre\lib\ext directory. For example:

PD.jar
ibmjcefips.jar
ibmjcefw.jar
ibmjceprovider.jar
ibmjsseprovider2.jar
ibmpkcs.jar
local_policy.jar
US_export_policy.jar
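A pre-flight check for the step above, added here as an example and not part of SailPoint's or IBM's tooling. It verifies that every jar in the list is present in the jre/lib/ext directory and, because the same jars appear on this page with different capitalization, separately reports names that exist only with a different case (harmless on Windows, a missing file on Linux). The JDK_HOME/JAVA_HOME lookup and the sample file listing are assumptions for illustration.

```python
"""Pre-flight check: confirm the PDJRTE jars are present in jre/lib/ext."""
import os
import sys
from pathlib import Path

# Jar names exactly as listed on this page after PDJRTE configuration.
REQUIRED_JARS = (
    "PD.jar",
    "ibmjcefips.jar",
    "ibmjcefw.jar",
    "ibmjceprovider.jar",
    "ibmjsseprovider2.jar",
    "ibmpkcs.jar",
    "local_policy.jar",
    "US_export_policy.jar",
)


def default_ext_dir():
    """Derive jre/lib/ext from JDK_HOME or JAVA_HOME (assumed env vars)."""
    home = os.environ.get("JDK_HOME") or os.environ.get("JAVA_HOME")
    if not home:
        return None
    return Path(home) / "jre" / "lib" / "ext"


def check_jar_names(present_names, required=REQUIRED_JARS):
    """Compare a collection of file names against the required jar list.

    Returns a dict with:
      missing       - required jars with no file of that name at all
      case_mismatch - (required, actual) pairs where only the case differs,
                      which a case-sensitive filesystem treats as missing
    """
    present = set(present_names)
    by_lower = {name.lower(): name for name in present}
    missing, case_mismatch = [], []
    for jar in required:
        if jar in present:
            continue
        if jar.lower() in by_lower:
            case_mismatch.append((jar, by_lower[jar.lower()]))
        else:
            missing.append(jar)
    return {"missing": missing, "case_mismatch": case_mismatch}


def check_jars(ext_dir, required=REQUIRED_JARS):
    """Run check_jar_names over the files actually present in ext_dir."""
    ext_dir = Path(ext_dir)
    if not ext_dir.is_dir():
        raise FileNotFoundError(f"not a directory: {ext_dir}")
    names = [p.name for p in ext_dir.iterdir() if p.is_file()]
    return check_jar_names(names, required)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_ext_dir()
    if target is None:
        sys.exit("usage: check_pdjrte_jars.py <jre/lib/ext dir> (or set JDK_HOME)")
    result = check_jars(target)
    for jar in result["missing"]:
        print(f"MISSING: {jar}")
    for wanted, actual in result["case_mismatch"]:
        print(f"CASE MISMATCH: wanted {wanted}, found {actual}")
    sys.exit(1 if result["missing"] or result["case_mismatch"] else 0)
```

Run it on the Directory Server host after step 7, and again on the SailPoint host after the jars are copied over; a non-zero exit means the connector will not find every library it needs.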

Generate config and keyfile

On the LDAP Directory Server host, use the com.tivoli.pd.jcfg.SvrSslCfg command to generate the config file and keyfile required to communicate with IBM Security Verify Access. The file path of the config file must be configured in the application configuration. For example:

>java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_pwd <password> -appsvr_id server1 -host <host> -port <port_number> -mode remote -policysvr <host:7135:1> -authzsvr <host:7136:2> -domain default -cfg_file <path of config file to be generated> -key_file <Path of key file to generate> -cfg_action create

where <host> is the IP address of IBM Security Verify Access.

Integration with IBM Security Verify Access

Perform the following steps to integrate with IBM Security Verify Access.

  1. Copy the following .jar files, which were generated in the jre/lib/ext directory on the IBM LDAP Directory Server host, to the $JDK_HOME\jre\lib\ext or WEB-INF\lib directory on the SailPoint host.

    ibmjcefips.jar
    ibmjcefw.jar
    ibmjceprovider.jar
    ibmjsseprovider2.jar
    ibmpkcs.jar
    local_policy.jar
    US_export_policy.jar
    PD.jar

  2. Copy the Policy Director directory from the LDAP Directory Server host to the $JAVA_HOME\jre directory on the IdentityIQ host.

    Note
    If the Java installation has no jre folder, copy the Policy Director directory to $JAVA_HOME instead.

  3. Copy the config and keystore files generated by the SvrSslCfg command from the LDAP server machine to the IdentityIQ host.

    Note

    SailPoint recommends that you place the config and keystore files in the root directory. The absolute path of the config file is then referenced in the application configuration.

    The config file has an entry that points to the keyfile. Because the files are generated on the LDAP Directory Server host and then copied to the IdentityIQ server, the keyfile ends up in a different location. In that case, update the pdcert-url entry in the config file to point to the keyfile.

    For example:

    • Windows: pdcert-url=file\:/C\:/keyfile

    • Linux: pdcert-url=file\:/usr/TAM/keyfile

  4. Restart the web application server (for example, Tomcat or WebSphere).
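The pdcert-url edit in step 3 is easy to get wrong by hand because the config file uses Java properties syntax, in which the colons of the file URL must be written as \: (as the Windows and Linux examples above show). The helper below is an added example, not SailPoint's or IBM's code: it builds the file URL for a keyfile path, applies the properties escaping, and replaces (or appends) the pdcert-url line while leaving every other line untouched. The sample config content in the test and the CLI wrapper are constructed for illustration; only the pdcert-url key comes from this page.

```python
"""Rewrite the pdcert-url entry of an SvrSslCfg-generated config file."""
import re
import shutil
import sys

PDCERT_KEY = "pdcert-url"
# Characters that Java's Properties format requires to be backslash-escaped
# in a value; ':' is the one that matters for file URLs and drive letters.
_ESCAPE = set("\\:=#! ")
_KEY_LINE = re.compile(r"^\s*" + re.escape(PDCERT_KEY) + r"\s*[=:]")


def to_file_url(keyfile_path):
    """Return the keyfile location as a file URL of the form used on this page.

    'C:\\keyfile'       -> 'file:/C:/keyfile'
    '/usr/TAM/keyfile'  -> 'file:/usr/TAM/keyfile'
    """
    path = str(keyfile_path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path  # drive-letter paths get a leading slash
    return "file:" + path


def escape_properties_value(value):
    """Escape a value for a Java .properties file (colon becomes '\\:')."""
    return "".join(("\\" + ch) if ch in _ESCAPE else ch for ch in value)


def update_pdcert_url(config_text, keyfile_path):
    """Return (new_text, replaced): the config with pdcert-url pointing at keyfile_path.

    Existing pdcert-url lines are replaced in place; if none exists the entry
    is appended. Comment lines and all other keys are preserved byte for byte.
    """
    new_line = f"{PDCERT_KEY}={escape_properties_value(to_file_url(keyfile_path))}"
    lines = config_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        stripped = line.lstrip()
        if stripped.startswith(("#", "!")):
            continue  # properties comment line
        if _KEY_LINE.match(line):
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n", replaced


def rewrite_config_file(config_path, keyfile_path):
    """Update the file on disk, keeping a .bak copy of the original."""
    shutil.copyfile(config_path, config_path + ".bak")
    with open(config_path, encoding="latin-1") as fh:  # .properties default encoding
        text = fh.read()
    new_text, replaced = update_pdcert_url(text, keyfile_path)
    with open(config_path, "w", encoding="latin-1") as fh:
        fh.write(new_text)
    return replaced


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: fix_pdcert_url.py <config file> <keyfile path on this host>")
    print("replaced" if rewrite_config_file(sys.argv[1], sys.argv[2]) else "appended")
```

After running it, confirm the new line matches the form shown in step 3 for your platform before restarting the application server; a .bak copy of the original is left beside the config file.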

Java Authentication and Authorization Service (JAAS)

The Security Verify Access Authorization APIs use the Java Authentication and Authorization Service (JAAS). To support JAAS, make the following changes in the java.security file:

  1. Specify the login file location

    Point to the login configuration file from the JAVA_HOME/jre/lib/security/java.security file.

    For example, a sample entry in the java.security file:

    login.config.url.1=file:${java.home}/lib/security/login.pd

  2. Create a login configuration file

    Create login.pd at the specified location if it does not already exist, and add the following entry:

    pd {
        com.tivoli.pd.jazn.PDLoginModule required;
    };