Common configuration and utilities of password synchronization plug-ins
The password synchronization plug-ins and the Java Proxy share the pwsync.props configuration file. You can use the command-line utilities to control the configuration of the Password Synchronizers and the data flow process.
Configuration file parameters
You must specify the path to the pwsync.props configuration file when you register the plug-in. The configuration file path is then passed to the Java Proxy on startup, either by the plug-in or by the command-line utility that starts the proxy.
Note: The standard java.util.Properties class parses the configuration file and replaces escape sequences with the corresponding control characters; for example, the two-character sequence \n is converted to a newline character, and a backslash before any other character is dropped. Therefore, when you set a path in the configuration file on the Windows platform, you must escape each \ character with a second backslash, as in \\.
The parameters from the configuration file are set as Java system properties. If SSL is required for the communication with any of the stores or with the IBM Security Identity Manager servlet, also set the properties listed in Table 1 (SSL Java Properties) below.
Common parameters for all password plug-ins in the configuration file are as follows:
- proxyStartExe
- This string parameter holds the path of an executable file, a binary or a shell script, that is used to start the Java Proxy. The default value is TDI_install_dir/pwd_plugins/bin/startProxy.bat(sh). Note: The password plug-in automatically starts the Java Proxy if it is not already running. Comment out the proxyStartExe parameter to control the Java Proxy startup manually. The password plug-in rejects all password changes if the Java Proxy is not running.
- serverPort
- This integer property specifies the port number on which the Java Proxy listens. The client plug-in reads this property to establish a connection to the Java Proxy. The default value is 18001.
- logFile
- This string parameter configures the log file of the client plug-in. If this parameter is not set, the client plug-in does not log. Note: The PAM plug-in logs through the UNIX syslog daemon and does not use this property.
- checkRepository
- This Boolean property turns on or off the check for availability of the Password Storage.
When this property is set to true, the Password Synchronizer checks whether the Password Storage is available. If it is available, the password is changed in the directory and then sent to the Password Storage. If the check indicates that the storage is not available, the LDAP operation (the password update) is rejected on the Target System.
When the checkRepository property is set to false, the Password Synchronizer does not check for storage availability. The password update is made in the directory and the password is then stored in the Password Storage. If the password cannot be stored, a message is written to the log file (pointed to by the logFile property) to indicate the password synchronization failure. The default value is true. Note: The check for availability of the Password Storage works with all Password Store components.
- syncClass
- This required property defines the fully qualified name of the Java class of the Password Store component. The default value is com.ibm.di.plugin.pwstore.log.LogPasswordStore. The available values are:
- com.ibm.di.plugin.pwstore.log.LogPasswordStore
- com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
- com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore
- javaLogFile
- This string parameter configures the log file of the Java Proxy. If this parameter is not set, the Java Proxy does not log.
- customData
- This parameter specifies a custom string that is sent with each password change. Use it to uniquely identify the system or the application that generates the changes, for example the system IP address, the application name, and the version. Note: The Java Proxy sends the same custom data for every password change it processes.
- debug
- This Boolean property turns debugging on or off. Both the client plug-in and the Java Proxy check this property. The default value is true.
- ProxyRetryAttempt
- This property specifies the number of retry attempts to be made before the timeout. The default value is 15. This property is available from Security Directory Integrator v7.2 onwards.
Any additional parameters in the configuration file are specific to the actual password plug-in.
Table 1. SSL Java Properties (Property / Value)
- javax.net.ssl.trustStore
- Specifies the truststore for the JVM.
- javax.net.ssl.trustStorePassword
- Specifies the password of the truststore. Note: You must encrypt this password by using the encryptPasswd utility.
- javax.net.ssl.trustStoreType
- Type of the truststore. For example: jks
- javax.net.ssl.keyStore
- Specifies the keystore of the JVM.
- javax.net.ssl.keyStorePassword
- Specifies the password for the keystore. Note: You must encrypt this password by using the encryptPasswd utility.
- javax.net.ssl.keyStoreType
- Type of the keystore. For example: jks
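The backslash caveat in the note above is easy to get wrong in practice. The following added example (not product code) is a minimal parser with java.util.Properties escape and line-continuation semantics, run over a constructed pwsync.props: the logFile path written with doubled backslashes survives, while the javaLogFile path written with single backslashes is silently mangled (its \t becomes a TAB). The file contents and the helper names are assumptions for this example.

```python
import re

# Constructed sample pwsync.props for this example; not a file shipped with the product.
SAMPLE_PWSYNC_PROPS = r"""
# Java Proxy / plug-in settings (constructed)
serverPort=18001
checkRepository=true
syncClass=com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore
logFile=C:\\tdi\\pwd_plugins\\logs\\plugin.log
javaLogFile=C:\tdi\pwd_plugins\logs\proxy.log
customData=dc01 Windows plug-in \
    v7.2
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
_KEY = re.compile(r"(?:\\.|[^=:\s\\])*")   # key: escaped pairs or non-separator chars

def _unescape(s):
    r"""java.util.Properties rules: \t \n \r \f map to control characters; any other
    backslash-X becomes X (the backslash is dropped), which is what mangles paths."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), s)

def load_properties(text):
    """Minimal java.util.Properties.load(): comments, line continuations, escapes."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip(" \t")       # continuation: leading blanks dropped
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:   # odd trailing '\' continues
            pending = line[:-1]
            continue
        key = _KEY.match(line).group(0)          # key ends at first unescaped = : or blank
        rest = line[len(key):].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[_unescape(key)] = _unescape(rest)
    return props

def control_char_values(props):
    """Keys whose parsed value contains a control character: a sign that a Windows
    path was written with single backslashes (for example, \\t became a TAB)."""
    return sorted(k for k, v in props.items() if any(ord(c) < 32 for c in v))
```

Running control_char_values over the parsed file flags javaLogFile, which is the check to run before starting the Java Proxy on Windows.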
Command-line utilities
The following utilities are available to control certain aspects of the configuration and flow process of the Password Synchronizers:
- TDI_install_dir/pwd_plugins/bin/encryptPasswd.bat(sh)
- Encrypts passwords before you set them in the various configuration files. Note: This utility uses a symmetric algorithm to encrypt the passwords, so a skilled user can easily decrypt them. Make sure that only trusted users can read the configuration files.
- TDI_install_dir/pwd_plugins/bin/startProxy.bat(sh)
- Starts the Java Proxy manually. This utility builds the class path of the Java Proxy from the JAR files in the default jars folder, TDI_install_dir/pwd_plugins/jars/. For example, if you configure the JMS Password Store to work with IBM WebSphere® MQ, add the required IBM WebSphere MQ JAR files to the pwd_plugins/jars/ folder before you start the Java Proxy.
- TDI_install_dir/pwd_plugins/bin/stopProxy.bat(sh)
- Sends a stop request to the running Java Proxy process. The Java Proxy waits until all operations are complete and then exits normally.
When a task that calls one of the Password Synchronizers is shut down, the Java Proxy process is not automatically terminated. The Password Synchronizer connects to the proxy process if it is already running, so terminating the proxy is not required.
- TDI_install_dir\pwd_plugins\windows\pwsync_admin.exe
- Starts or stops the Java Proxy; you can also use this utility to pause or resume the Windows plug-in. This file is the 32-bit version. For a Windows 64-bit installation, use the pwsync_admin_64.exe file.
- TDI_install_dir\jvm\jre\bin\keytool and TDI_install_dir\jvm\jre\bin\ikeyman
- Manage the keystore and truststore that are used during plug-in setup. See the "Keystore and truststore management" topic in the SDI v7.2 Installation and Administrator Guide.
Java Proxy with IBM Tivoli Monitoring
You can use the Agent Management Services of IBM Tivoli® Monitoring Version 6.2.2, Fix Pack 2.0 to manage the Java Proxy process of the password synchronizers.