IBM Security Verify

  • 1.  Running New appliances on the same LDAP as old TAM versions

    Posted Thu May 26, 2022 06:03 PM

    I got multiple large environments with TAM6 and ISAM 7 to upgrade to ISVA 10.0.3.1. The older environments will be running while I update separately to 10.0.3. I will be connecting the new appliances to the same LDAP as the ones used by the older versions. Are there any issues joining the new appliances using Federated Directory to the same LDAP?


    Jose Fermaintt
    Senior IT Specialist
    IAM Automations Group
    1-847-846-8369 Mobile
    OOO Alert =  6/15-6/20

    www.kyndryl.com



  • 2.  RE: Running New appliances on the same LDAP as old TAM versions

    Posted Fri May 27, 2022 08:58 AM
    Jose,

    What data model is being used in the environments?  See https://www.ibm.com/support/pages/tam-data-model for instructions.  If they are using the older standard model there can be issues.

    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------



  • 3.  RE: Running New appliances on the same LDAP as old TAM versions

    Posted Fri May 27, 2022 10:07 AM
    Not running TDS but Oracle ODSEE. Could you elaborate on the issues? The reason is that TAM is already using the "Tamified" directory. I want to add a new 10.0.3 appliance using the Federated Directory. I will assume that it is already minimal since the customer has upgraded some machines to 9.0.7.

    ------------------------------
    Jose Fermaintt
    ------------------------------



  • 4.  RE: Running New appliances on the same LDAP as old TAM versions

    Posted Fri May 27, 2022 10:17 AM
    The LDAP vendor is not relevant.  The standard model is supported on the appliance for older migrations.  This should be verified before moving forward.  This type of pattern with standard data has the following caveats:

    1. If a group has already been imported as a TAM 6/7 group in the federated LDAP it cannot be imported into ISVA 10. The order must be: create group, import into 10, import into 6/7. This can be problematic if you need to import existing TAM 6/7 groups. There are no settings to overcome this.

    2. Once successfully imported, the secauthority-suffix setting cannot be used. This will break the searches and cause an "Internal error" message to be thrown when trying to show the group.

    3. The basic user feature may be enabled. However, there may be combinations of ldap.conf settings which break this and basic-user must be disabled.

    4. This is a use-at-your-own-risk solution. The Federated Directory feature was not designed nor tested with this use case in mind. At any time development may change LDAP searches which cause this to stop working.

    Even if using the minimal model there can be conflicts if needing to use full imported secUsers if both the old and new environments are using the same domain name of secAuthority=Default.

    In general, the pattern of

    "I will be connecting the new appliances to the same LDAP as the ones used by the older versions."

    has shown over time to be problematic and error-prone.

    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------



  • 5.  RE: Running New appliances on the same LDAP as old TAM versions

    Posted Fri May 27, 2022 10:30 AM
    Not planning to import any groups or userids ever to 10.0.3. I will use the embedded ldap for the appliance sec_authority only. In my approach, I plan to use a regular ID to do reads for the Federated side and let TAM 6/7 do their thing with their tamified sec_authority. In other words, TAM and ISVA will not know about each other. Will that work?

    Jose Fermaintt
    Senior IT Specialist
    IAM Automations Group
    1-847-846-8369 Mobile
    OOO Alert =  6/15-6/20

    www.kyndryl.com

  • 6.  RE: Running New appliances on the same LDAP as old TAM versions

    Posted Fri May 27, 2022 10:48 AM
    All depends on the data model.  That needs to be verified.

    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------