This ancillary component has been deprecated with the release of IdentityIQ version 8.2 and for IdentityNow in July 2021. For more information on the end of support for this ancillary component, see Notification: Deprecated/Changed Connectors/Sources.
The password interceptor functionality on the server is managed through a web service method and a workflow. The password interceptor client calls the web service, which in turn launches the workflow that completes the password interception process (usually propagation to other systems).
SailPoint supports the IBM i Password Interceptor for V7R3, V7R2 and V7R1. When a user's password is changed using the CHGPWD command, the new password is intercepted and sent to IdentityIQ/IdentityNow, which synchronizes it with the applications configured for password change.
The SailPoint IBM i Password Interceptor (PWI) consists of the following components:
This section provides the installation procedure of the IBM i Password Interceptor.
The following platforms are supported by Password Interceptor for IBM i:
Parameters | Description |
---|---|
SailPoint Product | Specify whether the installation is for IdentityIQ or IdentityNow. |
Enter Jar Path | Location of the jars extracted from PWIClient.zip. Default: /SPPWIJAR/. Note: the JARPATH parameter must end with a trailing /. |
Enter Master Key ID | Enter the Master Key ID that is set on the IBM i computer. |
Any parameters not listed in the following table must not be changed, or the SailPoint Password Interceptor service will not operate correctly.
Parameters | Description |
---|---|
URL | (For IdentityIQ) IdentityIQ URL, for example http(s)://<hostname>:port/identityiq, where hostname is the hostname of IdentityIQ and port is the port number on which IdentityIQ is running. (For IdentityNow) IdentityNow URL. |
PWI Port No | Port on which the client program runs. Any free port can be used. |
For IdentityIQ only | |
Application Name | Name of the IdentityIQ application for which the client must be configured. |
User Name | IdentityIQ administrator. |
Password | IdentityIQ administrator password. |
For IdentityNow only | |
Source ID | Source ID of the application for which the client must be configured. |
API client ID | IdentityNow API client ID. |
API client key | IdentityNow API client key. |
Proxy URL | URL of the proxy server, if one is configured. |
Proxy User | User for authentication on the proxy server. |
Proxy Password | Password for authentication on the proxy server. |
Parameters | Description |
---|---|
PWI Log File Size | Maximum log file size in MB. Once this threshold is reached, the log file is archived and a new log file is created. Default value: 10 MB. |
Request Intercept Timeout | The expiration time (in minutes) of a password change. For example, if the intercept timeout is set to 24 hours (1440 min), any password change that is still pending more than 24 hours after it was intercepted is discarded rather than sent to IdentityIQ. Default value: 1440 minutes. |
Retry Server Request | The time (in minutes) that the client waits before it sends a failed password request to IdentityIQ again. Default value: 5 minutes. |
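The interaction between Request Intercept Timeout and Retry Server Request can be modelled as a triage over the client's pending queue. The following is an added example, not SailPoint's code; the queue entry shape, field names and sample users are assumptions, and the two defaults come from the table above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Defaults from the configuration table above (both in minutes).
DEFAULT_INTERCEPT_TIMEOUT_MIN = 1440   # Request Intercept Timeout
DEFAULT_RETRY_MIN = 5                  # Retry Server Request

@dataclass
class PendingIntercept:
    """One intercepted CHGPWD waiting to be sent (assumed shape, not SailPoint's)."""
    user: str                                # IBM i user profile whose password changed
    intercepted_at: datetime                 # when the change was intercepted
    last_attempt: Optional[datetime] = None  # last failed send to the server, if any

def triage_queue(queue, now, intercept_timeout_min=DEFAULT_INTERCEPT_TIMEOUT_MIN,
                 retry_min=DEFAULT_RETRY_MIN):
    """Split the pending queue into (send_now, wait, discard).
    discard: older than the intercept timeout; dropped, so the target systems
    keep the previous password (worth alerting on).
    wait: a send failed less than retry_min ago; do not retry yet.
    send_now: never sent, or the retry interval has elapsed."""
    expiry, retry = timedelta(minutes=intercept_timeout_min), timedelta(minutes=retry_min)
    send_now, wait, discard = [], [], []
    for item in queue:
        if now - item.intercepted_at >= expiry:
            discard.append(item)
        elif item.last_attempt is not None and now - item.last_attempt < retry:
            wait.append(item)
        else:
            send_now.append(item)
    return send_now, wait, discard

def build_sample_queue(now):
    """Constructed sample data: four intercepts in different states relative to now."""
    ago = lambda minutes: now - timedelta(minutes=minutes)
    return [
        PendingIntercept("ALICE", ago(2)),                       # fresh, never sent
        PendingIntercept("BOB", ago(30), last_attempt=ago(1)),   # send failed 1 min ago
        PendingIntercept("CAROL", ago(30), last_attempt=ago(6)), # send failed 6 min ago
        PendingIntercept("DAVE", ago(1441)),                     # older than the 24 h default
    ]

def triage_sample(intercept_timeout_min=DEFAULT_INTERCEPT_TIMEOUT_MIN, retry_min=DEFAULT_RETRY_MIN):
    """Triage the sample queue at a fixed clock and return the user names per bucket."""
    now = datetime(2021, 7, 1, 12, 0, 0)
    buckets = triage_queue(build_sample_queue(now), now, intercept_timeout_min, retry_min)
    return {k: [i.user for i in b] for k, b in zip(("send", "wait", "discard"), buckets)}
```

With the defaults, triage_sample() sends ALICE and CAROL, holds BOB for the retry interval and discards DAVE; the discard bucket is the set of users whose IBM i password now differs from the propagated one.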
All configuration parameters are stored in the following data areas within the SPPWI library on the IBM i system:
(For IdentityIQ) SPAPPNM, SPFILESIZE, SPINTERCEPT, SPJARPATH, SPPORTNO, SPPRODUCT, SPPWIVER, SPSVRRTY, SPURL, SPUSRNM
(For IdentityNow) SPAPPNM, SPFILESIZE, SPINTERCEPT, SPJARPATH, SPPORTNO, SPPRODUCT, SPPROXYURL, SPPROXYUSR, SPPWIVER, SPSVRRTY, SPURL, SPUSRNM
To check the IBM i PWI version, see the description of the data area. To view the description of the data area, follow these steps:
The following logs for password interceptor messages are generated in the location where the extracted jar files are placed:
By default, logging for Password Interceptor messages is enabled at error level. This means that logs are generated only in case any process error occurs.
To enable logging at debug level, perform the following steps.
The SailPointPasswordInterceptorRelay.log file is generated only when a password change is intercepted.
If you restart the SPPWISBS job, all pending password change interceptions queued to be sent to the identity management server are lost.
After the Password Interceptor Client is installed, you can update the parameters listed in the configuration parameters table above by navigating to the data area and performing the following steps:
To change Master Key ID, execute the following command:
CALL PGM(SPPWI/SPMENU) PARM('2')
Specify the following parameters:
Parameters | Description |
---|---|
Enter Master Key ID | Enter the Master Key ID that is set on the IBM i computer. |
For IdentityIQ only | |
Enter Application Password | Enter the IdentityIQ password. |
For IdentityNow only | |
Enter API Client Key | Enter the IdentityNow API client key. |
Proxy Password | (Optional, when using a proxy server with authentication) Enter the proxy server password. |
For more information on setting up the Master Key ID in IBM Console, see Setting up Master Key ID in IBM Console.
SailPoint Password Interceptor for IBM i provides support for TLS version 1.2.
(For IdentityIQ only) If communication between the IBM i system and the IdentityIQ server uses the https protocol, install the IdentityIQ server certificate on the IBM i system to establish the https connection between IBM i and the IdentityIQ server.
Perform the following steps to uninstall the Password Interceptor Client:
This section provides additional information related to Password Interceptor for IBM i.
Perform the following:
Log in to IBM Console (IBM Navigator for i) using the IBM i credentials.
NOTE: To set the Master Key ID, the user must have the required authority and user class *SECADM.
On the IBM Navigator for i page, navigate to Security > Cryptographic Services Key Management and click Manage Master Keys.
On the Manage Master Keys page, perform the following based on the available option:
Select the Master Key number, right-click, and select Load Part from the options.
On the Load Master Key Part page, enter the value of the Passphrase field for Master Keys and click OK.
This sets the selected Master Key as the Master Key ID in IBM Console.