Password Interceptor for IBM i

This ancillary component has been deprecated with the release of IdentityIQ version 8.2 and for IdentityNow in July 2021. For more information on the end of support for this ancillary component, see Notification: Deprecated/Changed Connectors/Sources.

Overview

The password interceptor functionality on the server is managed through a web service method and a workflow. The password interceptor client calls the web service, which in turn launches the workflow to complete the password interception process (usually propagation to other systems).

 

SailPoint supports IBM i Password Interceptor for V7R3, V7R2 and V7R1. When the password of the user is changed using the CHGPWD command, the password is intercepted and sent to IdentityIQ/IdentityNow. This synchronizes the new password with applications configured for password change.

 

The SailPoint IBM i Password Interceptor (PWI) consists of the following components:

  • IBM i PWI Save File (SPIBMIPWI.SAVF). The IBM i PWI save file contains:
    • The exit program that captures password changes on the IBM i computer
    • The installation command and script
    • The display component for interactive installation
  • IBM i PWI Client zip file (PWIClient.zip). The zip file contains the set of jar files that retrieve the password from the exit program and send it to the IdentityIQ/IdentityNow server.

Installation

This section describes the installation procedure for the IBM i Password Interceptor.

 

Supported platforms

The following platforms are supported by Password Interceptor for IBM i:

  • V7R3
  • V7R2
  • V7R1

Pre-requisites

  • Ensure that the user performing the installation has user class *SECADM and the special authorities *ALLOBJ, *AUDIT, *SECADM and *JOBCTL.
  • Ensure that Java version 1.8 or higher is installed on the IBM i computer.
  • Ensure that no instance of the SPPWISBS subsystem is running, by checking all active jobs with the WRKACTJOB command.
  • Ensure that the SPEXITPWD exit program is not already associated with the QIBM_QSY_VLD_PASSWRD (VLDP0100) exit point, by using the WRKREGINF command.
  • Verify that the QPWDVLDPGM system value is set to *REGFAC by entering the following command:
    DSPSYSVAL SYSVAL(QPWDVLDPGM)
    If the value is other than *REGFAC, enter the following command to change it to *REGFAC:
    CHGSYSVAL SYSVAL(QPWDVLDPGM) VALUE(*REGFAC)
  • The Master Key ID used for the IBM i Password Interceptor installation must already be set on the IBM console (see Setting up Master Key ID in IBM Console).

 

Installation process

  1. Download the Password Interceptor zip file to a temporary directory (tempDir).
    Note: You are only entitled to download components for which you have an active license with SailPoint and the availability of a component for download does not grant you a license to use a component or entitle you to use a component for which you do not have an active license.  Please contact your Account Representative or CSM for more information.
  2. Copy and extract the PwdClientForIBMi-releaseVersion.zip file, where releaseVersion is the version of the current Password Interceptor Client for IBM i.
    The following files are extracted:
    • PWIClient.zip
    • SPIBMIPWI.SAVF
  3. On the IBM i file system, create the SPPWIJAR folder. Extract all jar files from PWIClient.zip and place them in this folder.
  4. Ensure that the location (SPPWIJAR) where the extracted jar files are placed on the IBM i file system has read, write and execute access.
    To provide this access, enter the IBM i command prompt by using the QSH command. Verify the present working directory by using the PWD command.
    Navigate to the location where the extracted jar files are placed using the following command:
    cd /SPPWIJAR
    The files present at this location can be listed with the following command:
    ls -lrt
    Execute the following command to give the jar files read, write and execute permission:
    chmod 777 *.jar
  5. Create a temporary library on IBM i using the following command:
    CRTLIB SPTEMP
    Create SPIBMIPWI save file in the above created temporary library using the following command:
    CRTSAVF FILE(SPTEMP/SPIBMIPWI) TEXT('SailPoint Password Interceptor Installer v7.2')
  6. Connect to the IBM i server from the Windows client by using ftp.
    1. Navigate to the command prompt and enter the following command:
      ftp <IBM i host IP Address>
    2. Enter username and password of IBM i server.
    3. Navigate to SPTEMP library using the following command:
      cd SPTEMP
    4. Switch to binary mode using the bin command and enter the following command to copy SPIBMIPWI.SAVF file to the SPTEMP library:
      put SPIBMIPWI.SAVF
  7. Create SPINSTALL library using the following command on IBM i computer:
    CRTLIB SPINSTALL
    Restore the save file into the above library using the following command:
    RSTOBJ OBJ(*ALL) SAVLIB(SPINSTALL) DEV(*SAVF) SAVF(SPTEMP/SPIBMIPWI)
  8. Execute the following command to start the installation:
    CALL PGM(SPINSTALL/SPMENU) PARM('1')
    This command displays the SailPoint Password Interceptor Installer screen.
    Specify the following parameters:

    • SailPoint Product: Specify whether the installation is for IdentityIQ or IdentityNow.
    • Enter Jar Path: Location of the jar files extracted from PWIClient.zip. Default: /SPPWIJAR/. Note: the JARPATH parameter must end with a trailing /.
    • Enter Master Key ID: The Master Key ID that is set on the IBM i computer.
  9. Specify the following configuration parameters:

    Any parameters that are not listed here must not be changed, for the successful operation of the SailPoint Password Interceptor service.

    • URL:
      (For IdentityIQ) IdentityIQ URL, for example http(s)://<hostname>:port/identityiq, where hostname is the host name of IdentityIQ and port is the port number on which IdentityIQ is running.
      (For IdentityNow) IdentityNow URL.
    • PWI Port No: Port on which the client program runs. Any free port can be used.
    • For IdentityIQ only:
      • Application Name: Name of the IdentityIQ application for which the client must be configured.
      • User Name: IdentityIQ administrator.
      • Password: IdentityIQ administrator password.
    • For IdentityNow only:
      • Source ID: Source ID of the application for which the client must be configured.
      • API client ID: IdentityNow API client ID.
      • API client key: IdentityNow API client key.
      • Proxy URL: URL of the proxy server, if one is configured.
      • Proxy User: User for authentication on the proxy server.
      • Proxy Password: Password for authentication on the proxy server.

    The user can change the values of the following parameters:

    • PWI Log File Size: Maximum log file size in MB. Once this threshold is reached, the log file is archived and a new log file is created. Default value: 10 MB.
    • Request Intercept Timeout: The expiration time (in minutes) of a password change. For example, with the intercept timeout set to 24 hours (1440 minutes), any password change that is more than 24 hours old when it is sent to IdentityIQ is discarded. Default value: 1440 minutes.
    • Retry Server Request: The time (in minutes) that the client waits before it sends the password request to IdentityIQ again. Default value: 5 minutes.

All the configuration parameters are stored in data areas (as follows) within SPPWI library on the IBM i system:

(For IdentityIQ) SPAPPNM, SPFILESIZE, SPINTERCEPT, SPJARPATH, SPPORTNO, SPPRODUCT, SPPWIVER, SPSVRRTY, SPURL, SPUSRNM

(For IdentityNow) SPAPPNM, SPFILESIZE, SPINTERCEPT, SPJARPATH, SPPORTNO, SPPRODUCT, SPPROXYURL, SPPROXYUSR, SPPWIVER, SPSVRRTY, SPURL, SPUSRNM
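The Request Intercept Timeout and Retry Server Request parameters together decide how long an intercepted change survives an unreachable server. The following model is added here as an example and is not SailPoint's code: PendingChange, decide, max_attempts and simulate_outage are constructed names, timestamps are integer minutes, and it assumes that a change exactly at the timeout age is discarded.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

INTERCEPT_TIMEOUT_MIN = 1440   # documented default of SPINTERCEPT (24 hours)
RETRY_INTERVAL_MIN = 5         # documented default of SPSVRRTY

class Action(Enum):
    SEND = "send"        # (re)attempt delivery to IdentityIQ/IdentityNow
    WAIT = "wait"        # retry interval not yet elapsed since the last failure
    DISCARD = "discard"  # older than the intercept timeout: dropped, never sent

@dataclass
class PendingChange:                     # constructed model of one queued CHGPWD event
    changed_at: int                      # minute the password change was intercepted
    last_attempt: Optional[int] = None   # minute of the last failed delivery, if any

def decide(change: PendingChange, now: int,
           intercept_timeout: int = INTERCEPT_TIMEOUT_MIN,
           retry_interval: int = RETRY_INTERVAL_MIN) -> Action:
    """Queue decision at minute `now`. Age counts from the change itself, not from
    the last attempt (assumption: a change exactly at the timeout age is discarded)."""
    if now - change.changed_at >= intercept_timeout:
        return Action.DISCARD
    if change.last_attempt is not None and now - change.last_attempt < retry_interval:
        return Action.WAIT
    return Action.SEND

def max_attempts(intercept_timeout: int = INTERCEPT_TIMEOUT_MIN,
                 retry_interval: int = RETRY_INTERVAL_MIN) -> int:
    """Upper bound on delivery attempts before a change is discarded (288 by default)."""
    return intercept_timeout // retry_interval

def simulate_outage(change: PendingChange, outage_minutes: int,
                    intercept_timeout: int = INTERCEPT_TIMEOUT_MIN,
                    retry_interval: int = RETRY_INTERVAL_MIN) -> tuple:
    """Server unreachable for `outage_minutes` after the change: (attempts, delivered?)."""
    attempts = 0
    for now in range(change.changed_at, change.changed_at + outage_minutes + retry_interval + 1):
        action = decide(change, now, intercept_timeout, retry_interval)
        if action is Action.DISCARD:
            return attempts, False
        if action is Action.SEND:
            attempts += 1
            if now - change.changed_at >= outage_minutes:   # server reachable again
                return attempts, True
            change.last_attempt = now
    return attempts, False
```

With the defaults, a change is retried at most 288 times and is silently dropped once the server has been unreachable for 24 hours, which is why a long IdentityIQ outage (or a restart of SPPWISBS, see below) loses queued changes.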

 

Verifying the Password Interceptor installation

  1. To verify that the SPPWISBS subsystem is active and the SPPWISRV job is running in it, issue the WRKACTJOB command, which lists all active jobs.
  2. Verify that the SPEXITPWD exit program is correctly associated with the QIBM_QSY_VLD_PASSWRD (VLDP0100) exit point. Enter the WRKREGINF command, traverse to the QIBM_QSY_VLD_PASSWRD (VLDP0100) exit point and select option 8 to list all associated exit programs. Ensure that SPEXITPWD is in the list.
  3. Ensure that the location (SPPWIJAR) where the extracted jar files are placed on the IBM i file system has read, write and execute access. Navigate to that location with the cd SPPWIJAR command in QSH and execute the following command:
    chmod 777 *.jar

 

Checking the Password Interceptor Version

The IBM i PWI version is recorded in the description of the data areas in the SPPWI library. To view the description of a data area:

  1. Execute the STRPDM command and enter 2 to work with objects.
  2. Enter SPPWI as the library name and press Enter.
  3. Select any data area and enter 8 in the option field to display its description.

 

Managing Password Interceptor logs

The following logs are generated, for password interceptor related messages, at the location where the extracted jar files are placed:

  • SailPointPasswordInterceptor<<Date>>.log
  • SailPointPasswordInterceptorRelay.log

By default, logging for Password Interceptor messages is enabled at error level, so log entries are written only when a process error occurs.

To enable logging at debug level, perform the following steps.

  1. Execute the following command to run IBM i Password Interceptor in debug mode:
    CALL PGM(SPPWI/SPMENU) PARM('3')
  2. To verify that the SPPWISRV job is running in SPPWISBS subsystem use the WRKACTJOB command.
  3. Detailed logs are written to the SailPointPasswordInterceptor<<Date>>.log and SailPointPasswordInterceptorRelay.log files.

The SailPointPasswordInterceptorRelay.log file is generated only when a password change is intercepted.

Manually Start/Stop the Password Interceptor

If you restart the SPPWISBS subsystem, all pending password change interceptions queued and waiting to be sent to the identity management server are lost.

 

To stop Password Interceptor

  1. End the SPPWISBS subsystem by executing the following command:
    ENDSBS SBS(SPPWISBS)
  2. To verify that the SPPWISBS subsystem has stopped, run the following command and check the subsystems that are running:
    WRKACTJOB

 

To start Password Interceptor

  1. Issue the following command to start IBM i Password Interceptor in error mode or debug mode:
    • Error mode: CALL PGM(SPPWI/SPMENU) PARM('4')
    • Debug mode: CALL PGM(SPPWI/SPMENU) PARM('3')
  2. To verify that the SPPWISRV job is running in SPPWISBS subsystem, enter the following command:
    WRKACTJOB

Managing Password Interceptor parameters

After the Password Interceptor Client is installed, the user can update the configuration parameters listed above by navigating to the data area and performing the following steps:

  1. End SPPWISBS subsystem by executing the following command:
    ENDSBS SBS(SPPWISBS)
  2. Navigate to the data area by using the STRPDM command. Select option 2 to work with objects and then select SPPWI library.
  3. Traverse to the variable that must be modified and enter 2 to change its value.
  4. Issue the following command to start the Password Interceptor in error mode:
    CALL PGM(SPPWI/SPMENU) PARM('4')
  5. To verify that the SPPWISRV job is running in SPPWISBS subsystem use the WRKACTJOB command.

 

Change Master Key ID

To change Master Key ID, execute the following command:

CALL PGM(SPPWI/SPMENU) PARM('2')

Specify the following parameters:

  • Enter Master Key ID: The Master Key ID that is set on the IBM i computer.
  • For IdentityIQ only:
    • Enter Application Password: The IdentityIQ password.
  • For IdentityNow only:
    • Enter API Client Key: The IdentityNow API Client Key.
    • Proxy Password (optional, if using a proxy server with authentication): The proxy server password.

For more information on setting up the master Key ID in IBM Console, see Setting up Master Key ID in IBM Console.

 

Support for TLS 1.2

SailPoint Password Interceptor for IBM i provides support for TLS version 1.2.

 

(For IdentityIQ only) If communication between the IBM i system and the IdentityIQ server uses the https protocol, install the IdentityIQ server certificate on the IBM i system to establish the https connection between IBM i and the IdentityIQ server.
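Before importing that certificate, an administrator can confirm from a workstation that the IdentityIQ endpoint actually negotiates TLS 1.2 and retrieve the certificate it presents, then compare its fingerprint with the IdentityIQ server team out of band. This is an added example, not SailPoint's code; it assumes the documented URL form http(s)://<hostname>:port/identityiq, and the host iiq.example.internal is a placeholder.

```python
import hashlib
import socket
import ssl
import sys
from urllib.parse import urlsplit


def iiq_endpoint(url: str) -> tuple:
    """(hostname, port) from an IdentityIQ URL; port defaults to 443 for https, 80 for http."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def tls12_context() -> ssl.SSLContext:
    """Client context that negotiates TLS 1.2 only, the version the PWI client supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # The server certificate is what we are about to trust, so it cannot be
    # verified yet; confirm its fingerprint out of band before importing it.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_server_cert_pem(url: str, timeout: float = 10.0) -> str:
    """Connect with TLS 1.2 only and return the server's leaf certificate as PEM.
    Raises ssl.SSLError if the server does not offer TLS 1.2."""
    host, port = iiq_endpoint(url)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with tls12_context().wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def cert_sha256(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, for out-of-band comparison."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


if __name__ == "__main__":
    # Placeholder URL; pass the real IdentityIQ URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://iiq.example.internal:8443/identityiq"
    pem = fetch_server_cert_pem(target)
    print(pem, end="")
    print("SHA-256:", cert_sha256(pem))
```

The printed PEM is what gets imported on the IBM i side; a handshake failure here means the server is not offering TLS 1.2 and the interceptor's https connection will fail as well.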

 

Uninstallation

Perform the following steps to uninstall the Password Interceptor Client:

  1. End the SPPWISBS subsystem using the following command:
    ENDSBS SBS(SPPWISBS)
  2. Remove the exit program. The exit program is created as SPEXITPWD and attached to the QIBM_QSY_VLD_PASSWRD (VLDP0100) exit point.
    To find the program number, enter the WRKREGINF command, traverse to QIBM_QSY_VLD_PASSWRD (VLDP0100) and enter 8 in the option field.
  3. Delete SPPWI, SPINSTALL and SPTEMP libraries using the following command:
  • DLTLIB SPPWI
  • DLTLIB SPINSTALL
  • DLTLIB SPTEMP

 

Additional Information

This section describes any additional information related to Password Interceptor for IBM i.

 

Setting up Master Key ID in IBM Console

 

Perform the following:

  1. Log in to the IBM Console (IBM Navigator for i) using the IBM i credentials.

    NOTE: To set the Master Key ID, the user must have the necessary authority and user class *SECADM.

  2. On the IBM Navigator for i page, navigate to Security ==> Cryptographic Services Key Management and click Manage Master Keys.

  3. On the Manage Master Keys page, do one of the following, depending on the available option:

    • Select the Master Key number and select Load Part from the Select Action drop-down.
    • Select the Master Key number, right-click and select Load Part from the options.

  4. On the Local Master Key Port page, enter the value of the Passphrase field for Master Keys and click OK.

  5. On the Manage Master Keys page that appears, do one of the following, depending on the available option:
    • Select the Master Key number and select Set from the Select Action drop-down.
    • Select the Master Key number, right-click and select Set from the options.

This sets the selected Master Key as the Master Key ID in IBM Console.

Last update:
Jul 04, 2022 03:30 AM