Steps to Execute SailPoint IBM Security Provisioning Integration

This blog is designed to provide the necessary procedures, configuration steps, and general product guidelines to successfully integrate IBM Security Identity Manager (ISIM) into your SailPoint production environment.
This blog is intended for ISIM and IdentityIQ System Administrators and assumes a high degree of technical knowledge of these systems.

Supported features

The IBM Security Identity Manager Provisioning Integration Module provides the ability to provision Target Application accounts from IdentityIQ.
The Security Provisioning Integration Module supports the following functions:
• User Management
  - Manages IBM Security Identity Manager Users as Accounts
  - Aggregating Users
• Target Application Accounts Management
  - Manages Target Application Accounts as Accounts
  - Aggregating Target Accounts directly
  - Create, Update, Delete
  - Enable, Disable, Reset Password

General configuration

The installation steps for ISIM integrations vary based on the functions you wish to perform. IdentityIQ in conjunction with ISIM allows the following functionality:
• Aggregation
• Provisioning Entitlements in ISIM

Configuration for Aggregation

Aggregating from IBM Security Identity Manager involves configuring the ISIM application settings within the IdentityIQ user interface.
ISIM has two types of objects that can be aggregated: people and accounts. IdentityIQ refers to these as identities and accounts (or links). To aggregate from ISIM, perform the following steps:

1. Create an ISIM Application: Create a new application using the IBM Security Identity Manager connector and fill in the required parameters following the steps in the IdentityIQ User’s Guide.
Use the tenant DN as the search base, for example erglobalid=00000000000000000000,ou=example,dc=com
Leave the search filter blank; it is generated automatically during aggregation. This application is used to aggregate ISIM person objects.

2. Set up the Correlation Attribute: Create an identity attribute sourced from erglobalid on the ISIM application and mark it as searchable. It is used to correlate ISIM accounts to this identity.

3. Create ISIM Account Applications: Run the ITIM Application Creator task to inspect ISIM and retrieve information about the ISIM services (applications). This task auto-generates an application for each service defined in ISIM.

4. Set up Correlation on the ISIM Account Applications: Set the correlation rule on the generated applications to Correlation – ISIM Account. This correlates each account to its identity using the erglobalid. If the rule is not listed by default, import it from $ISIM_INTEGRATION_PACKAGE/samples/ITIM-AccountCorrelationRule.xml.

5. Aggregate: Run aggregation for the ISIM application first and then for each ISIM account application.

Configuration for Provisioning

Provisioning entitlements and role assignments in ISIM requires installing IdentityIQ’s ISIM integration web application into the WebSphere instance that runs ISIM. The process varies slightly depending on the version of WebSphere.
IdentityIQ roles are queued and pushed to ISIM on a schedule by the Synchronize Roles task.

1. Prepare the WAR: The iiqIntegration-ITIM.war file contains a properties file named itim.properties that describes how to connect to ISIM. Before the application can run, this file must be edited with the details of your ISIM installation. The .war file also does not ship with the ISIM jar files it depends on, because these vary with the ISIM version and fixpack level; they must be copied out of the ISIM lib directory and added to the .war file.

a. Expand the iiqIntegration-ITIM.war file in a temporary directory.
b. Edit the WEB-INF/classes/itim.properties file, change the properties to match your environment and save the file. The following can be changed:
• PLATFORM_URL: URL used to communicate with ISIM.
The format of the URL must be the same as the value of enrole.appServer.url in enRole.properties, located under the /data directory.
• PLATFORM_PRINCIPAL: The administrator user who can log in to the WAS administrative console.
• PLATFORM_CREDENTIALS: Password of the principal. An encrypted password is supported.
• TENANT_DN: The root DN of the ISIM tenant.
c. Copy the required ISIM jar files into the lib directory. These .jar files are located in the deployed ISIM ear directory.
• (For ISIM 6.0): Example ISIM ear directory: $WAS_HOME/installedApps//ITIM.ear
The required files are:
• api_ejb.jar
• isim_api.jar
• isim_server.jar
d. Update the iiqIntegration-ITIM.war file to include the edited itim.properties and the required ISIM jar files.
For example:
jar uvf iiqIntegration-ISIM.war WEB-INF/classes/itim.properties \
WEB-INF/lib/api_ejb.jar WEB-INF/lib/isim_api.jar \
WEB-INF/lib/isim_common.jar WEB-INF/lib/isim_server_api.jar \
WEB-INF/lib/jlog.jar
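Before handing the WAR from step 1.d to the WebSphere install in step 2, a deployment team can check offline that the two manual parts of step 1 were actually done. The following Python script is an added example, not SailPoint’s or IBM’s code: it opens the WAR as a zip, requires the four properties from step 1.b, compares PLATFORM_URL with enrole.appServer.url read from enRole.properties, and confirms the jars from step 1.c are in WEB-INF/lib. The in-memory WAR, host name, principal and password are constructed for the demonstration.

```python
import io
import zipfile

REQUIRED_KEYS = ("PLATFORM_URL", "PLATFORM_PRINCIPAL", "PLATFORM_CREDENTIALS", "TENANT_DN")
REQUIRED_JARS = ("api_ejb.jar", "isim_api.jar", "isim_server.jar")  # the jars step 1.c lists

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments; the first '=' or ':' splits key and value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx >= 0:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def check_war(war_bytes, enrole_text):
    """Return findings for a prepared WAR; an empty list means it is ready to install."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = set(war.namelist())
        if "WEB-INF/classes/itim.properties" not in names:
            return ["WEB-INF/classes/itim.properties is missing from the WAR"]
        itim = parse_properties(war.read("WEB-INF/classes/itim.properties").decode("utf-8"))
    for key in REQUIRED_KEYS:
        if not itim.get(key):
            findings.append(f"{key} is not set in itim.properties")
    expected = parse_properties(enrole_text).get("enrole.appServer.url")  # PLATFORM_URL must match this
    if itim.get("PLATFORM_URL") and itim["PLATFORM_URL"] != expected:
        findings.append(f"PLATFORM_URL {itim['PLATFORM_URL']} differs from enrole.appServer.url {expected}")
    for jar in REQUIRED_JARS:
        if f"WEB-INF/lib/{jar}" not in names:
            findings.append(f"WEB-INF/lib/{jar} is missing; copy it from the ISIM ear directory")
    return findings

def build_sample_war(itim_text, jars):
    """Construct an in-memory WAR standing in for the updated iiqIntegration-ITIM.war (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/classes/itim.properties", itim_text)
        for jar in jars:
            war.writestr(f"WEB-INF/lib/{jar}", b"")  # empty stand-ins for the real ISIM jars
    return buf.getvalue()

# Constructed sample inputs: the host, principal and password are placeholders, not real values.
ENROLE = "# excerpt of the ISIM data/enRole.properties\nenrole.appServer.url=corbaloc:iiop:isim.example.com:2809\n"
GOOD_ITIM = ("PLATFORM_URL=corbaloc:iiop:isim.example.com:2809\nPLATFORM_PRINCIPAL=wasadmin\n"
             "PLATFORM_CREDENTIALS=changeit\nTENANT_DN=ou=example,dc=com\n")
```

Run check_war against the real file with open(path, "rb").read() and the real enRole.properties; any non-empty result should be resolved before the install step.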

2. Install the IdentityIQ ISIM Integration Web Application: In the WebSphere Administrative Console, navigate to Enterprise Applications and select Install.
a. Select iiqIntegration-ITIM.war as the application to install and enter iiqisim as the context root.
b. Continue through the rest of the installation wizard, accepting the defaults.
c. When complete, click Save to save the changes to the master configuration.

3. Set up the Integration Config: The IntegrationConfig object holds the information needed to connect IdentityIQ to ISIM and the configuration for the various functions. ISIM supports dual role push mode, meaning both detectable and assignable roles can be used. An example is shipped in the ISIM integration folder of your IdentityIQ installation, at $INSTALLDIR/integration/ITIM/samples/exampleIntegration.xml.
The main properties that need to be set are:
- executor: sailpoint.integration.isim.ISIMIntegrationExecutor
- ApplicationRef: The reference to the ISIM application
- Attributes => URL: The URL of the IIQ web service on the ISIM server. For example,
https://myisim.example.com:9080/iiqisim/resources
Note: SailPoint recommends that you use SSL when transmitting sensitive electronic information.
- Attributes => username: ISIM user’s name used for basic HTTP authentication.
- Attributes => password: ISIM user’s password used for basic HTTP authentication.
- ManagedResources map: Mappings of local IdentityIQ applications to ISIM services, including mappings of local IdentityIQ attribute names to ISIM service attribute names.
For more information, see Appendix A: Common Identity Management Integration Configuration.

4. Verify: Confirm that the integration has been installed correctly by using the ping command in the integration console. If successful, it responds with version information about the ISIM jar files that were put into the iiqIntegration-ISIM.war file. Compare this version information against the version of the ISIM server to ensure correct operation.

5. Role Requests: Set the roleSyncStyle to dual in the IntegrationConfig file as follows:

In addition, the role must be assignable (for example, a business role) and its name must match the name of the role in ISIM.
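A constructed IntegrationConfig covering the properties from step 3 and the roleSyncStyle from step 5, with a small review function that encodes the points the steps make (executor class, ApplicationRef, SSL on the basic-auth URL, dual role sync). This is an added example, not SailPoint’s code or the shipped exampleIntegration.xml: the element and attribute names are assumed from IdentityIQ’s object XML and should be compared with the shipped sample, and the host, service name, account and password are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed IntegrationConfig. Element/attribute names are assumed from IdentityIQ's object XML;
# compare with $INSTALLDIR/integration/ITIM/samples/exampleIntegration.xml before use. Host,
# service name, account and password are placeholders.
SAMPLE_CONFIG = """<IntegrationConfig name="ISIM" roleSyncStyle="dual"
    executor="sailpoint.integration.isim.ISIMIntegrationExecutor">
  <ApplicationRef><Reference class="sailpoint.object.Application" name="ISIM"/></ApplicationRef>
  <Attributes><Map>
    <entry key="URL" value="https://myisim.example.com:9080/iiqisim/resources"/>
    <entry key="username" value="iiq_integration"/>
    <entry key="password" value="PLACEHOLDER-USE-ENCRYPTED-VALUE"/>
  </Map></Attributes>
  <ManagedResources>
    <ManagedResource name="AD Service">
      <ApplicationRef><Reference class="sailpoint.object.Application" name="Active Directory"/></ApplicationRef>
      <ResourceAttributes><ResourceAttribute name="eruid" localName="sAMAccountName"/></ResourceAttributes>
    </ManagedResource>
  </ManagedResources>
</IntegrationConfig>"""

EXPECTED_EXECUTOR = "sailpoint.integration.isim.ISIMIntegrationExecutor"  # from step 3

def review_integration_config(xml_text):
    """Check an IntegrationConfig against the points in steps 3 and 5; return a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("executor") != EXPECTED_EXECUTOR:
        findings.append(f"executor should be {EXPECTED_EXECUTOR}")
    if root.get("roleSyncStyle") != "dual":
        findings.append("roleSyncStyle should be dual so assignable roles are pushed to ISIM")
    if root.find("ApplicationRef/Reference") is None:
        findings.append("ApplicationRef to the ISIM application is missing")
    attrs = {e.get("key"): e.get("value") for e in root.findall("Attributes/Map/entry")}
    url = attrs.get("URL", "")
    if not url.startswith("https://"):
        findings.append("URL does not use SSL; basic-auth credentials would travel in the clear")
    if not url.rstrip("/").endswith("/iiqisim/resources"):
        findings.append("URL does not point at the resources path under the iiqisim context root")
    for key in ("username", "password"):
        if not attrs.get(key):
            findings.append(f"{key} for basic HTTP authentication is missing")
    for res in root.findall("ManagedResources/ManagedResource"):
        if res.find("ApplicationRef/Reference") is None:
            findings.append(f"ManagedResource {res.get('name')} has no IdentityIQ ApplicationRef")
    return findings
```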

Troubleshooting

1 – An error message appears when the URL format in itim.properties is not valid
The following error messages appear when the URL format in itim.properties is not valid:
• java.lang.NoClassDefFoundError: com.ibm.cv.CVProxyException
Workaround: Copy the com.ibm.cv.kmip.ext.jar file to the /profiles//classes directory and restart the application server.
• java.util.MissingResourceException: Can’t find resource for bundle tmsMessages
Workaround: Copy the tmsMessages.properties and tmsMessages_en.properties files from /data to the /profiles//classes directory and restart the application server.

Standard Deployment Integration Modules:

Service Management Integration Modules

IdentityIQ supports Service Management Systems for Service Desk Integration and Service Catalog Integration.
Service Desk Integration
Creates tickets in Helpdesk systems based on compliance and provisioning actions taken in IdentityIQ (For example, new account request).
• “SailPoint BMC Remedy Service Desk Service Integration Module”
• “SailPoint ServiceNow Service Integration Module”
Service Catalog Integration
Enables enterprises to include LCM requests (for example, access request, password change) in the service catalog of the Service Request Management system.
• “SailPoint BMC Remedy Service Request Management Adapter”

Note: Many SailPoint customers have deployed the Integration Modules in this section. SailPoint still encourages deployment teams to obtain the latest troubleshooting and best practice information beyond what is contained in this document. For more specific information, refer to the Connector and Integration Deployment Center in Compass, SailPoint’s online customer portal.

About the author: Devender

Devender is an enthusiastic independent blogger, consultant and freelance trainer whose main areas of interest are identity and access management technologies, including OIM, SailPoint IdentityIQ and much more.
