IBM Security Verify


Adopt iSim iTim Service account to iSvg user as new service

  • 1.  Adopt iSim iTim Service account to iSvg user as new service

    Posted Tue March 26, 2024 03:05 PM

    Greeting gurus of the IBM Security world,

    I would like to adopt iTim Service accounts from an older iSim system to current iSvg users who already have iTim service accounts.

    In essence, adopting iSim\iTim service accounts to iSvg users who happen to have identical eruserid.

    Is this possible?

    Thanks,



    ------------------------------
    James Iversen
    ------------------------------


  • 2.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Wed March 27, 2024 11:29 AM

    I do not understand this use case, as ITIM (systemuser) accounts should never exist as orphans.

    Can you explain your problem in more detail - e.g. did you do a migration, or did you install a new version without migration and now you want to re-establish the itim accounts from the old system in the new deployment?



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Wed March 27, 2024 12:45 PM

    Hello Franz!

    I'll do my best to explain in more detail. In short, yes is the answer to your question: new version without migration.

    Old iSim 7 performing password synch,

    New iSvg 10 NO password synch.

    Old iSim 7 is targeted on AD Domain Controllers for password synch.

    New iSvg 10 is not targeted by DCs for password synch.

    If I retarget Domain Controllers to synch passwords using iSvg environment, the Old iSim environment will only accept the last known good pwd after change.

    I require the Old iSim\iTim service to be synchronized with the new iSvg environment through password synch only. (Archive and Audit)

    I agree with you regarding orphan accounts. However, the only iSim service which would be defined as "orphaned" are of terminated users. So, I'm thinking not really important. We have no policies in place which would impact orphaned accounts.

    Does the ldap profile allow creating a new service which will adopt identical uids from old iSim to new iSvg?



    ------------------------------
    James Iversen
    ------------------------------



  • 4.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Wed March 27, 2024 03:47 PM

    Am I barking up the wrong tree here?

    [image: example]


    ------------------------------
    James Iversen
    ------------------------------



  • 5.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Tue April 02, 2024 02:44 AM

    To me it looks like you are trying to synchronize the ITIM Service password on an ISIM system using the ootb ldap adapter?

    If that is what you are trying, I do not think that is possible, as the ITIM (system user) accounts are not using standard ldap password hashing. For that purpose you will probably need to use APIs (REST or JAVA APIs). Looking at the REST APIs for resetting the password for a system user (ITIM account), it looks like it needs the old password - there does not seem to be an administrative password change - but I may have missed that, as I am not working much with the REST API.

    Does this help ?  



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 6.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Tue April 02, 2024 08:35 AM

    I believe you are on to the correct definition. I suppose I am trying to understand the request myself and need some guidance.

    How then does the AD Password Synch adapter work? Is it because "AD" knows the last known password and is allowed to change the iTim service password using the AD Password Synch adapter?

    How does password reset work? If a user logs in to iSim, they can reset passwords as Help Desk Assistants, or iTim Service Admins? They do not need to know the last known good pwd to reset a password, do they? Why can't this be done in ldap? The ldap adapter even has an option to choose password policy enabled...



    ------------------------------
    James Iversen
    ------------------------------



  • 7.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Tue April 02, 2024 10:09 AM

    Let me first be clear on one thing - I do not know how your environment is configured so I am really a little confused.

    Do you use an external registry for your ISIM authentication (the ldap service shown here?) - else I do not really understand what you need to do...

    But I can explain how the reverse password synch is working.....

    The reverse pw synch adapter is installed on the DCs and uses a published exit on the lsass service to intercept the password change and retrieve the password in clear text.

    Then it is sent to the ISIM server as what is called an "unsolicited event notification" over SSL, which is basically a DAML password change.

    When the password change arrives in ISIM it can be handled in basically 2 different ways - if password synch in ISIM is enabled it will basically do a password change on all services for the owner of the AD account (unless specific services are excluded in enRole.properties) or it can run under a specific ITIM account that changes the passwords on all services it can see (this was the original version 4.x way of doing it - more flexible but requires more setup).

    Does that explain your question ? 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
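    The post above describes the adapter as a published exit on lsass that sees the changed password in clear text. On Windows that exit is the LSA password-filter mechanism (the "Notification Packages" value under the Lsa registry key), and it is the same hook a credential-stealing filter DLL would use, so anyone running such an adapter on their domain controllers should know exactly which DLLs are registered there and whether they are signed. The script below is an added example for this thread, not code from the original posts or from IBM. It assumes the ActiveDirectory PowerShell module and remoting rights to every DC; the baseline list of expected package names is constructed (the stock Windows entries, plus whatever the installed adapter registers, which you verify once against the adapter documentation and a clean DC of your build).

```powershell
# Added example: audit LSA password-filter DLLs ("Notification Packages") on all DCs.
# Anything that is not in the baseline, is unsigned, or points at a missing file
# deserves a look: every entry here receives cleartext passwords on each change.

# Constructed baseline: typical stock entries on a DC. Add the password synch
# adapter's DLL name (without .dll) after confirming it from a reference DC.
$ExpectedPackages = @('scecli', 'rassfm')

# Assumption: ActiveDirectory module is available and the account has remoting rights.
$DomainControllers = (Get-ADDomainController -Filter *).HostName

$Findings = Invoke-Command -ComputerName $DomainControllers -ScriptBlock {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # REG_MULTI_SZ comes back as a string array, one DLL base name per element.
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

    foreach ($pkg in $packages) {
        $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
        if (Test-Path $dllPath) {
            $sig = Get-AuthenticodeSignature -FilePath $dllPath
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            # A registered package whose DLL is missing is either debris or a placeholder
            # for something that will be dropped later; either way it should be explained.
            $status = 'FileMissing'
            $signer = ''
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Package   = $pkg
            Path      = $dllPath
            SigStatus = $status
            Signer    = $signer
        }
    }
}

# Report every DC's full list once (so the baseline can be confirmed) ...
$Findings | Sort-Object Computer, Package | Format-Table Computer, Package, SigStatus, Signer -AutoSize

# ... then highlight the entries that need attention.
$Suspect = $Findings | Where-Object {
    $_.Package -notin $ExpectedPackages -or $_.SigStatus -ne 'Valid'
}
if ($Suspect) {
    Write-Warning "Unexpected or unsigned password-filter packages found:"
    $Suspect | Format-Table Computer, Package, SigStatus, Path -AutoSize
} else {
    Write-Output "All registered Notification Packages match the baseline and are validly signed."
}
```

    Run this from a management host before and after installing or retargeting the adapter so the delta is exactly the one DLL you expect. Because the filter hands the cleartext password to the adapter, the adapter's outbound TLS configuration (certificate validation towards the ISIM/ISVG server) matters as much as the integrity of the DLL itself.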



  • 8.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Thu April 04, 2024 03:27 PM

    Thank you Franz, sorry for not getting back sooner.

    Three stand-alone environments: 1. iSim 7, 2. iSvg 10.2.1 (TST), 3. iSvg 10.1.5 (PRD) <- or soon to be PRD.

    iSim does password synch now for AD, iSeries, Notes and a bunch of workflows.

    iSvg (TST) reconciles a few accounts from AD, a Test Notes environment, and a small Test partition on our iSeries.

    iSvg (PRD) reconciles everything that iSim 7 does and includes additional workflows which have been painstakingly recreated. But no Password Synch!

    Does an API or other mechanism exist which can adopt the iSim 7 ITIM Service accounts into iSvg (PRD)? I want the password to change in iSim 7 when the user's iSvg (PRD) account password change is made.

    I'd be happy to take this out of the forum if you need more details.

    Thanks!



    ------------------------------
    James Iversen
    ------------------------------



  • 9.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Fri April 05, 2024 03:32 AM

    Moving operational workflows across systems is actually very easy using the Export/Import features - as they do not rely on other data than an eventual profile, you can move the workflows between unrelated systems without any problems, which is NOT possible for most other entities.

    I am still somewhat puzzled about what you want to achieve - can you explain this in more detail:

    Does an API or other mechanism exist which can adopt the iSim 7 ITIM Service accounts into iSvg (PRD)? I want the password to change in iSim 7 when the users iSvg (PRD) account password change is made.

    What are the "ITIM Service Accounts" ? 

    Is your target goal to send a reverse password change request from your ISVG IM 10 system back to your old ISIM 7 system?

    The latter is certainly possible - if PasswordSynch is enabled in your ISIM 7 system this can be done using either REST or APPS APIs - but as this requires ITIM Administrator rights there are security implications, and you would not like to have the credentials of the ISIM 7 administrative rights floating around in the wild....

    Be aware that this community is not any official support forum - I am answering questions here on a best-effort basis where I can do this with limited effort. Helping you out solving your problem would probably require a billable effort from some of my IBM Security Expert Labs local colleagues - I do not know where you are located, but assuming US?



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 10.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Fri April 05, 2024 08:23 AM

    Is your target goal to send a reverse password change request from your ISVG IM 10 system back to your old ISIM 7 system?

    Exactly!



    ------------------------------
    James Iversen
    ------------------------------



  • 11.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Sun April 07, 2024 04:39 PM

    ISVG IM 10 supports AD Passwdsync; AD Passwdsync must map to an AD Profile service, not an LDAP Profile.



    ------------------------------
    Lyndon Guo
    ------------------------------



  • 12.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Mon April 08, 2024 09:04 AM

    Hi Lyndon, Thank you for the insight. I do believe a service of any type can and will synchronize with iSvg if AD Password Synch is enabled.

    Example:

    AD Password Change (Ctrl, Alt Del) Initiates (Change Password for Multiple Accounts) by IBM Tivoli Identity Manager for User.

    My hope is to include old iSim (ITIM Service) in the above (Change Password for Multiple Accounts).

    I hope this clarifies the intention.

    Thanks,



    ------------------------------
    James Iversen
    ------------------------------



  • 13.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Mon April 08, 2024 10:02 AM

    You cannot include an "ITIM Service" on a different system as a Service. Every Service needs to go through either an Adapter (this is standard) or custom ServiceProvider (see examples to understand what a ServiceProvider is).

    As you have password synchronization enabled in your ISIM 7 system, there are a couple of other ways you can handle this:

    • Sending an unsolicited event notification to your ISIM 7 system - this is a DAML formatted message and is the mechanism the password synchronization adapters use
    • Do a remote password change on the ISIM 7 Owner
      • Rest API - this is a little tricky as there is no Person password change - but you could change the password for each owned account
      • APPS API - the PersonMO remote API allows you to change the erpersonpassword, which is the same as doing a password change on all accounts if password synchronization is enabled.
    • Use a custom adapter - I would not recommend to do this on your own - but IBM Security Expert Labs has such an adapter in the works. This requires a lot of knowledge to implement so it is something we currently only offer on service contract. 

    There are probably other ways (as writing a custom ServiceProvider, calling some external logic that triggers a password synch notification etc.) but remember to focus on KISS principle - this can easily get very complicated..

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 14.  RE: Adopt iSim iTim Service account to iSvg user as new service

    Posted Mon April 08, 2024 10:10 AM

    Keeping it simple would be ideal. Since I'm not a programmer, I'm leaning towards upsetting my users and onboarding this newer version of password synch without the benefit of a seamless transition. Using contracted professional services and spending lots of $$$ is what got me into this pickle in the first place. So, that's out. Thank you for your time Franz et al.



    ------------------------------
    James Iversen
    ------------------------------