IBM Verify

  • 1.  Active Directory Reverse Password Synch configuration issue on IVIG v11

    Posted Tue April 08, 2025 09:20 AM

    Hello folks, hope you're doing well!

    I am creating this thread to find a solution to an issue I'm facing while installing the Password Sync Adapter (v10.0.7).

    I have deployed my instance of ISVG and configured SSL on it (on a Microsoft Windows Server 2022 environment). I also set up the Password Sync Adapter, but when I try to update a password on my AD domain controller, I get the following error in the logs:

     
    content="WebSphere Application Server Version V8.5 Liberty Profile - Context Root Not Found" />
    <title data-externalizedString="CONTEXT_ROOT_NOT_FOUND"></title>

    I previously did the same configuration on version 10, and everything was working correctly.

    Is there, by any chance, something I am missing?



    ------------------------------
    Mohamed El Harroudi
    ------------------------------


  • 2.  RE: Active Directory Reverse Password Synch configuration issue on IVIG v11

    Posted Tue April 08, 2025 10:07 AM

    There is something wrong in your Certificate setup it looks like.

    The IVIG WAS Liberty must trust your Password Sync Adapter - I have personally not tried to set it up (as I think the usage of password synchronization should have died 20 years ago ;-) ) - if you need assistance I am pretty sure a case is the quickest way to get it resolved and the documentation fixed if there is something lacking for IVIG 11...

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------



  • 3.  RE: Active Directory Reverse Password Synch configuration issue on IVIG v11

    Posted Thu April 10, 2025 08:57 AM
    Edited by Mohamed El Harroudi Thu April 10, 2025 08:57 AM

    Thank you for your response.

    I will proceed with opening a case and discussing with IBM Support.

    Best regards,



    ------------------------------
    Mohamed El Harroudi
    ------------------------------



  • 4.  RE: Active Directory Reverse Password Synch configuration issue on IVIG v11

    Posted Fri April 18, 2025 03:50 AM

    Hello,

    Just a quick update regarding this issue - I've opened a case with IBM Support, and it appears that the URL used by the Password Sync plugin to reach the IVIG endpoint is incorrect. The support is currently working with the development team to correct this.

    Regards,



    ------------------------------
    Mohamed El Harroudi
    ------------------------------



  • 5.  RE: Active Directory Reverse Password Synch configuration issue on IVIG v11

    Posted 16 days ago

    Hello, 

    I have not used IVIG yet, so I will share my experience from ISIM + IGI and the Reverse Password Sync Plugin, which we widely use with our clients. As far as I know, the plug-in machine acts like a client. So your Windows machine should reach the application port of WAS (9443 on software ISIM, 9343 on IGI, 9082 on VA ISIM) and trust the certificate that WAS presents. We use the built-in browser on the Windows DC machine to verify the SSL connection; if there is no error and the lock sign appears OK, the plug-in works. (one-way SSL mode)

    If this is the same with IVIG, you should use the application port in the URL, and IVIG's CA certificate should be in the AD DC's trust store. If it's anything else, the case will probably point it out.

    Hope it helps. 



    ------------------------------
    Ali Malik Gürbüz
    Bilgibirikim A.S - Turkey/EMEA
    IBM Business Partner
    13+ Years with ISIM/ISVG etc.
    5.2.5 Certified Exam Developer *I* - 2019
    IBM Champion 2025
    ------------------------------
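
The check discussed in this thread (reach the application port, trust the presented certificate, then see whether the URL path exists), written as an added PowerShell example that is not part of any post and is not IBM code. The function name `Test-SyncEndpoint`, the host name, the port and the path are placeholders or assumptions; the plug-in itself does not send a GET, this is only a probe that separates a network failure, a trust failure and the "Context Root Not Found" page quoted in the first post.

```powershell
# Added example, not IBM code. Run on the domain controller that hosts the plug-in.
# Host name, port and path are placeholders: take the real values from the URL
# configured in the Password Sync plug-in.
function Test-SyncEndpoint {
    param(
        [string]$HostName = 'ivig.example.com',            # placeholder
        [int]$Port = 9443,                                 # assumption: application HTTPS port
        [string]$Path = '/REPLACE_WITH_PLUGIN_URL_PATH'    # placeholder
    )
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        # Step 1: plain TCP reachability of the application port.
        try { $tcp.Connect($HostName, $Port) }
        catch { return "NETWORK: cannot reach ${HostName}:${Port} - $($_.Exception.GetBaseException().Message)" }

        # Step 2: TLS handshake. No validation callback is supplied, so the
        # default policy applies: the chain must end in a root that the Windows
        # trust store accepts and the certificate name must match $HostName.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        try { $ssl.AuthenticateAsClient($HostName) }
        catch { return "TLS: handshake or trust failure - $($_.Exception.GetBaseException().Message)" }

        # Step 3: request the configured path and inspect the answer.
        $ssl.ReadTimeout = 10000
        $request = "GET $Path HTTP/1.1`r`nHost: ${HostName}:${Port}`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)
        $ssl.Flush()
        $response = [System.IO.StreamReader]::new($ssl).ReadToEnd()
        $status = ($response -split "`r`n")[0]

        # Liberty's error page for an undeployed context root, as in the log above.
        if ($response -match 'CONTEXT_ROOT_NOT_FOUND|Context Root Not Found') {
            return "URL: TLS is trusted, but nothing is deployed at '$Path' ($status)"
        }
        return "ANSWERED: TLS is trusted and the context root exists ($status)"
    }
    finally { $tcp.Close() }
}

Test-SyncEndpoint
```

A `URL:` result with a trusted handshake matches what IBM Support reported later in the thread: the certificate setup is fine and the path in the plug-in URL is what needs correcting.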



  • 6.  RE: Active Directory Reverse Password Synch configuration issue on IVIG v11

    Posted 10 days ago

    I can confirm that IVIG is working just like ISIM - and that is for a good reason - it is the same stuff with new additions :-) 

    The way that the password sync plugin works is that it sends an "unsolicited notification event" (nice term) to the ISIM/IVIG https port - basically a password change request formatted using the DAML protocol (which was an Access360 proposal for what later became the DSML protocol). The only real challenge here is the format of the service string which is a kind of internal representation of the tree structure of the placement of the service - this is due to the fact that you can have multiple services with the same name and the erglobalid as the original uid was not designed to be externalized (local to the actual server). In IVIG there is now a UUID that is meant to be a global externalizable UUID - but there will be ways to use this to handle CI/CD flows and comparisons.



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Architect - Certified Consulting IT Specialist
    IBM Expert Labs
    ------------------------------