12/11/2019 Release Notes

Release Notes

IBM® Security
Active Directory 64-Bit Adapter

Version 7.1.33
Edition notice

Note: This edition applies to versions 7.0.x of the IBM Security Identity Manager and version 5.2.x of the IBM Identity
Governance and Intelligence.

© Copyright IBM Corporation 2009,2 019

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.

Table of Contents
Preface
Adapter Features and Purpose
License Agreement

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 1/17
12/11/2019 Release Notes

Adapter profiles
Service Groups Management
Contents of this Release
Adapter Version
New Features
Closed Issues
Known Issues
Running in Federal Informa on Processing
Standards compliance mode
Configuring the adapter to run in FIPS mode
Opera onal differences running in FIPS mode
Security policy
Authen ca on roles
Rules of opera on
Remote Mailbox Support
Installa on and Configura on Notes
Correc ons to Installa on Guide
Configura on Notes
Correc ons to User Guide
Customizing or Extending Adapter Features
Ge ng Started
Update the targetprofile.json file (IGI only)
Support for Customized Adapters
Troubleshoo ng
Log Output From Exchange and Lync powershell calls
Exchange connec on issues
Issues when used with mul ple Exchange versions
Preferred servers

Installa on Pla orm

No ces

Preface
Welcome to the IBM Security Active Directory 64-bit (WinAD64) Adapter.

These Release Notes contain information for the following products that was not available when the IBM Security
Identity Manager manuals were printed:

IBM Security Active Directory Adapter with 64-Bit Support Installation and Configuration Guide

Adapter Features and Purpose

The Active Directory Adapter is designed to create and manage accounts on Microsoft Active Directory and mailboxes
on Exchange and Lync (Skype for Business). The adapter runs in “agentless" mode and communicates using Microsoft
ADSI API and PowerShell to the systems being managed.

IBM recommends the installation of this adapter in “agentless" mode on a 64-bit OS and computer in the domain being
managed. Installation on a Domain Controller is not recommended. A single copy of the adapter can handle multiple
Identity Manager Services. The deployment configuration is based, in part, on the topology of your network domain,
but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow
process. Please refer to the Identity Manager Information Center for a discussion of these topics.

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 2/17
12/11/2019 Release Notes

The IBM Security adapters are powerful tools that require Administrator Level authority. Adapters operate much like a
human system administrator, creating accounts, permissions and home directories. Operations requested from the
Identity Manager server will fail if the adapter is not given sufficient authority to perform the requested task. IBM
recommends that this adapter run with administrative (root) permissions.

License Agreement
Review and agree to the terms of the IBM Security Identity Manager License prior to using this product. The license
can be viewed from the "license" folder included in the product package.

Adapter profiles
The adapter package includes two profiles:

· ADprofile.jar

o This profile is supported on ISIM and IGI. When used, if an AD group name or DN is changed in AD,
the reconciliation operation will result it deleting the original group and adding the updating group as a
new group.

§ IGI results: all users who had permission on the original group will lose that permission and new
permission will be added using the new name

o No additional configuration changes are required on the adapter when the ADprofile.jar is used.

· ADprofileGUID.jar

o This profile is supported on ISIM and IGI. When used, if an AD group name or DN is changed in AD,
the reconciliation operation will only change the name and/or DN of the group.

§ IGI results: all users who had permission on the original group will retain that permission but with
new name and/or DN

o When using ADprofileGUID.jar, you must configure the adapter to use GUID as the group naming
attribute using agentCfg.exe on the adapter server

§ Invoke agentCfg.exe -a adagent

- Use option (F) Registry Settings
- Use option (A) Modify Non-encrypted registry settings
- Use option (B) Modify attribute value
- Registry item to modify is: useGroup
- New registry item value is: GUID
- Use option (X) Done three times to exit out
- Restart the adapter service for the change to take effect.

Service Groups Management

The ability to manage service groups is a feature introduced prior to IBM Security Identity Manager 6.0. By service
groups, ISIM is referring to any logical entity that can group accounts together on the managed resource.

Managing service groups implies the following:

Create service groups on the managed resource.

Modify attributes of a service group (group name change is not supported)
Delete a service group.

The Windows Active Directory x64 adapter supports service groups management on IBM Security Identity
Manager only.

Contents of this Release

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 3/17
12/11/2019 Release Notes

Adapter Version
Component Version
Build Date 2019 September 10 19.05.49
Adapter Version 7.1.33
Component Versions Adapter Build: 7.1.33
Profile 7.1.33
ADK 7.0.6

Documentation Check the IBM Knowledge Centre for the following guide(s):
IBM Security Active Directory Adapter with 64-Bit Support Installation and
Configuration Guide

New Features
Enhancement Description
Items included in this release (7.1.33)
RFE 127449 (56512) Supporting eradeallowedaddresslist in hybrid environment (Adapter)
RFE 128222 (56765) ISIM and O365 email usage in hybrid environment
Items included in this release (7.1.32)
RFE 130064 (57543) 'businessCategory' attribute in Security Identity Adapter for Windows AD not
handled as multi-valued.

181168 Attribute values lookup support.

183288 Support for Windows 2019 server. Both as a managed service and adapter
platform. Support for Exchange 2019 and Skype for Business 2019.

PSIRT Upgraded to ADK 7.0.6 with OpenSSL 1.0.2r

Items included in this release (7.1.31)

None
Items included in 7.1.30 release
177537 As a developer of the Windows AD adapter, I need to use a newer OpenSSL
version that addresses PSIRT advisories.

OpenSSL is upgraded from version 1.0.2n to 1.0.2p

178202 Implementation for supporting recon for:
msDS-
LastSuccessfulInteractiveLogonTime and other 3 related attributes.

New attributes supported:

- msDS-LastSuccessfulInteractiveLogonTime,
- msDS-FailedInteractiveLogonCount,
- msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon,
- msDS-LastFailedInteractiveLogonTime

Note: On IGI Date attributes are not displayed correctly.

IGI team will provide a fix, after that the date attributes will get displayed.

Items included in 7.1.29 release

154239 US - As a Windows AD adapter developer, I need to update my adapter to use
the newer OpenSSL
Items included in 7.1.28 release
None
Items included in 7.1.27 release
50831 Windows AD adapter to support mailbox attribute msExchRecipientTypeDetails
50763 and msExchRemoteRecipientType in integer8 format

50988 Add businessCategory as a regular adapter attribute

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 4/17
12/11/2019 Release Notes

43334 Enhance AD Adapter to detect user's email status for remote mailbox (O365)
and manage proxy address and other exchange attrib

internal Added support for remote mailbox to support Office 365 mailboxes in a hybrid
Exchange environment

internal Modified installer to default to SSL enabled

Items included in 7.1.26 release

44871 Added support for lync Mobility and Persistent Chat policies

internal Now supports FIPS compliant mode

Items included in 7.1.25 release

internal This release includes ADK 7.0.3 which update openssl to 1.0.2f to address a vulnerability
to excessive CPU utilization

Items included in 7.1.24 release

internal This release officially supports Windows 2016 server. Both as a managed resource and
an installation platform

Items included in 7.1.23 release

internal Now using ADK 7.0.1 with updated openSSL, ICU and SQLite all built on Visual Studio
2012. Adapter is now built on Visual Studio 2012 using .NET 4.5. It no longer requires
.NET 3.5 to be installed.

Items included in 7.0.20 release

42641 Adapter Support for Exchange 2016 and Lync 2015

42071 Second and following Mailbox Move Requests Fail on Exchange 2013

43225 Reduce IO in WinAD Adapter for PW change

Items included in 7.0.18 release

38935 Support "Manager can update membership list" attribute for AD Group

38934 Support display name attribute for AD Groups

39511 WinAD Adapter does not reconcile Lync Registry Pools from AD

40129 ISIM AD Adapter Customization for Group Object class

internal Updated resource.def in profile to support external roles

Items included in initial release (7.0.16)

30303 ISIM AD adapter unable to set Mail box Retention policy check

internal Now using ADK 6.0.1027 which provides an option disabling sslv3. There is
also support for setting the list of ciphers used.

internal The Domain Admin and Domain Password fields have been removed from the
service form in the profile. They can still be used, but the preferred method is to
set the logon account on the adapter windows service.

Items included in 6.0.15 release

34001 Added support for Exchange Automatic Mailbox Distribution. Supplying only
eradealias without a mail store or external email address allows Exchange to
determine the mail store to use based on load balancing.

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 5/17
12/11/2019 Release Notes

31924 Prevent deletion of user accounts that have a mailbox that is under litigation
hold

32482 Add support for msExchCoManagedByLink to group schema

29995 Add support for msExchRequireAuthToSendTo to group schema

Updated logging to include output from Lync and Exchange modules

Items included in 6.0.14 release

The Password Synchronization plug-in is now released as a separate package.

It is no longer bundled in with the AD Adapter

Includes updated ADK 6.0.1020 which includes update to prevent password

values from being written to the log on password change failures

Items included in 6.0.13 release

Includes updated ADK 6.0.1019 which includes version 1.0.1h-fips of openSSL.

Closed Issues
Case APAR# PMR# / Description

Items closed in this release (7.1.33)

TS002562024 eradexdialin and erADEShowInAddrBook not working correctly due to
errors in targetprofile.json

Internal erUID incorrectly marked as immutable preventing renaming user.

Internal erADERstrctAdrsLs, erADEAllowedAddressList, erADEDelegates

incorrectly marked as not supported for remote mailboxes
erADETargetAddress incorrectly marked as supported for remote
mailboxes.

Items closed in this release (7.1.32)

183289 IJ12159 erADEHideFromAddrsBk not returned. Behaving as designed, the
value is not present when set to false through the ADSI api.

183292 ‘businessCategory’ on containers now supported as multi-valued.

Items closed in this release (7.1.31)

Internal RTC 181198:

Internal - As a WinAD adapter, i must ensure that the profile jars in 7.x
package are correct
Items closed in 7.1.30 release
TS001030655 US - As a WinAD adapter developer I must ensure that the correct
version numbers are set for the 6.x and 7.x adapter builds.

Bugz 2647 - wrong version of ad adapter in log post install

Items closed in 7.1.29 release
None
Items closed in 7.1.28 release
Added support for providing primary SMTP address when mailbox is
TS000028936 created. This avoids, the default SMTP address from becoming a
secondary SMTP address when the primary SMTP address is set after
the mailbox is created.

Items closed in 7.1.27 release

Error 0x00000037 and 0x80004005 trying to set
01351,SGC,740 eradnochangepassword
IV98275 WRONG SYNTAX FOR ERADPREFERREDEXCHANGESERVERS

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 6/17
12/11/2019 Release Notes

AND ERADPREFERREDLYNCSERVERS IN
TARGETPROFILE.JSON

IV97886 ADprofile.jar file from 7.1.26 package won't import on IGI 5.2.3
IV98275

Items closed in 7.1.26 release

IV96432 IN HYBRID EXCHG & O365, CREATING MAIL USER GETS REMOTE
ONE BUT UPON MODIFY EXCHG ATTR - GETS LOCAL MAILBOX

Items closed in 7.1.25 release

IV85621 WINAD ADAPTER: PASS PREFERRED LYNC SERVERS TO LYNC

MODULE

Items closed in 7.0.21 release

IV84875 ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES

reoponed
Items closed in 7.0.20 release

IV84875 ISIM AD ADAPTER CANNOT MANAGE LYNC ATTRIBUTES

75802,227,000 Issue with erADGrpWriteMembers attribute value on reconcile returning

both true and false.

04723,001,862 WinAD Adapter Release Notes Wrong+Missing Information

Items closed in 7.0.19 release

IV82951 SETTING NTFS HOME DIRECTORY PERMISSIONS FAILS AFTER

UPGRADE TO WINAD64 6.0.18

Items closed in 7.0.18 release

52479,004,000 ITIM adapter deleting the $IPC share accidentally

IV79632 ACTIVE DIRECTORY USERS WITH COUNTRY CODE 428 ARE

CREATED WITH COUNTRY LATIVA INSTEAD OF LATVIA.

IV79641 AD ADAPTER INTERMITTENTLY CRASHES DURING

RECONCILIATION

IV81775 INVALID PARAMETER GENERATED FOR EXCHANGE 2013

PROVISIONING (-ManagedFolderMailboxPolicyAllowed)

Items closed in 7.0.17 release

IV78917 ISSUES WHILE ENABLING LYNC FOR IDS WHICH HAVE SPECIAL
CHARACTERS IN THEIR EMAIL ADDRESS.

IV78758 WINAD ADAPTER CRASHING WHILE CALLING GETLYNCUSER

DURING RECONCILE

IV78492 AD ADAPTER CRASH IF PROXY ADDRESS IS NOT VALID.

IV78286 IADSTSUSEREX INTERFACE NOT WORKING TO RETRIEVE WTS

ATTRIBUTES

Items closed in initial release (7.0.16)

IV73908

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 7/17
12/11/2019 Release Notes

Event Notification no more working if USN-Changed attribute

exceeds 7 digits

Items closed in 6.0.15 release

Test connection fails. Test connection now only reports warning if
92067,69G,760 the Domain/Forest functional level cannot be determined
Change the default behavior for eradgroup to be add/delete rather
06429,707,707 than replace
LyncDisableSearch registry setting in wrong location after install

Items closed in 6.0.14 release

WTS attributes and recon error 1317

13541,035,724
WinAD adapter reports success in case of AD group interface
IV65653 problems during reconciliation
eradlynctelephony and eradlynclineurl fail on modify to Lync
IV67715
WinAD adapter logs password in clear text on password change
38947,031,724 failures. This addresses IBM Security Bulletin CVE-2014-8923.
CVE-2014-8923
Items closed in 6.0.13 release
Thread logging option not showing in WinAD adapter agentcfg
IV61397 program
WinAD adapter recon fails when AD cannot provide information
IV62916 about an attribute's schema
WinAD adapter crash if eradlynctelephony is NULL
IV63714

Known Issues
CMVC# APAR# PMR# / Description
N/A N/A
Support for Exchange and Lync is provided using remote powershell connections
to the Exchange or Lync server. There is a fixed limit of 5 concurrent connections
to a remote powershell. Setting the thread count to higher than the default of 3
could result in some Exchange or Lync attributes failing to be set under heavy
loads.

N/A N/A
Support for erADEAllowedAddressList and erADERstrctAdrsLs is no longer
available for Exchange 2007.

N/A N/A
Service form fields:

Administration User Account

Administration User Password

See “Corrections to Installation Guide", “

The settings for Exchange Mailbox security for Read and Full access were using
different values for settings in an attempt to have the default values on the form
match those of Exchange. This was confusing and causing issues when the
default settings on the Exchange server were changed from what the adapter
expected. The adapter now uses the same values for all Exchange security
settings. 1=Allow, 2=Deny and 0 or no value=None.

Chapter 4. Adapter installation" section below.

N/A N/A Class 3 Certificates

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 8/17
12/11/2019 Release Notes

Class 3 secure server CA-G2 certs are not written properly to

“DamlCACerts.pem" file through CertTool.exe Utility. The certificate data is written
twice between BEGIN CERTIFICATE and END CERTIFICATE.

Work around: To correct this issue, please follow the below steps and edit
“DamlCACerts.pem" file present in “<Adapter installation path>\data" folder.

Step 1. Start the CertTool utility

Step 2. Import the class 3 CA certificate by using “F" option from the main menu
of CertTool Utility.

Step 3. Once the class 3 CA certificate is successfully installed, open

“DamlCACerts.pem” file stored in the “<Adapter installed path>\data" folder using
text editor.

Step 4. Delete the class 3 CA certificate data (i.e. content between BEGIN
CERTIFICATE and END CERTIFICATE) from “DamlCACerts.pem".

Step 5. Open class 3 CA certificate file using text editor and copy the certificate
data (between the BEGIN CERTIFICATE and END CERTIFICATE)

Step 6. Paste the certificate data to “DamlCACerts.pem" file between the BEGIN
CERTIFICATE and END CERTIFICATE lines of same class 3 CA Certificate. If
more than one class 3 certificates are installed then you can identify the
certificate using issuer and subject data.

Step 7. Save “DamlCACerts.pem" file.

Step 8. To verify the “DamlCACerts.pem" file is edited properly, display certificate

information by using option “E" from the main menu of CertTool Utility.

Please note that this issue is seen after installing class 3 CA certificate. If you
correct the DamlCACerts.pem and then install another class 3 CA certificate, the
newly installed class 3 CA certificate will show same issue.

This issue is also seen when you delete any certificate using option "G" from the
main menu of CertTool utility. The delete option will affect all remaining class 3 CA
certificate and you have to follow step 1 to 8 to correct the DamlCACerts.pem file.

Running in Federal Information Processing

Standards compliance mode
Security Identity Adapters can be operated with FIPS 140-2 certified cryptographic modules. FIPS 140-2 is a standard
from the US National Institute of Standards and Technology (NIST) that applies to cryptographic modules.

Two FIPS 140-2 modules are used:

IBM Java™ Crytographic Extension
Open SSL module

As a user of these modules, there is no certification implied for Security Identity Adapters. However, for the correct use
of these FIPS 140-2 modules, IBM customers need to follow the instructions listed below.

The fipsEnable tool allows the adapter to be Federal Information Processing Standards (FIPS) compliant. The
fipsEnable tool causes the adapter to use a FIPS-certified encryption library so that all cryptographic keys that are
used are generated by a FIPS-compliant algorithm. Any communications with the adapter
are also secured. The tool generates the FIPS master key, enables the FIPS mode setting, changes the USE_SSL
parameter to TRUE and re-encrypts the existing encrypted values for:

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 9/17
12/11/2019 Release Notes

agentCfg key
ADK user name and password
Adapter specific encrypted registry items

Note: After FIPS mode is enabled, it cannot be disabled. You must reinstall the adapter, if you want to disable FIPS
mode.

Configuring the adapter to run in FIPS mode

1. Install the adapter.
2. Run the fipsEnable tool. Issue the command:
fipsEnable -reg agentName
3. Restart the adapter.

Operational differences running in FIPS mode

The ADK protocol that’s used to communicate between the adapter and the ADK service provider must run in SSL
mode. The fipsEnable tool sets the ADK SSL mode to TRUE. In SSL mode, however, you must install a server
certificate because the fipsEnable tool does not convert an existing ADK certificate and key.

Note: You cannot import a PKCS12 file containing a certificate and key. You must use CertTool (option A) to create a
Certificate Signing Request (CSR) and have it signed by a Certificate Authority. You can then install the signed
certificate with CertTool (option B).

The agentCfg tool automatically detects when the adapter is running in FIPS mode and initializes the encryption library
in FIPS mode. In addition, the ADK only accepts agentCfg connections from localhost (127.0.0.1).

Security policy
For FIPS compliance, a security policy must be defined that outlines the requirements for the end user to operate the
application in a FIPS-compliant mode. The software ensures that the correct algorithms and keys are used, however,
additional requirements for the environment are the responsibility of the security
officer. The security policy defines two roles, security officer and user. It defines the extent to which each of these
persons can physically access the workstation, file system and configuration tools. The security of the workstation, of
the file system, and of the configuration is the responsibility of the security officer.

Authentication roles
The FIPS security policy normally defines separate roles for a security officer and a user. In the case of an adapter, the
user role is actually the IBM Security Identity Manager (ISIM) or Identity Governance and Intelligence (IGI) server. The
installation and configuration of the adapter needs to be performed by the security officer.

It is the responsibility of the security officer to ensure that the proper physical and logical security is in place to prevent
access to the adapter by unauthorized personnel. This means that the physical workstation must be in a secure
location that is accessible only by persons with the authority and access privileges of the security officer. In addition,
the security on the folder in which the adapter is installed must be configured to prevent access by personnel other
than security officers.

For Windows installations, the system registry must be secured at the top-level key for the adapter to prevent access
by personnel other than security officers.

Rules of operation
· The replacement or modification of the adapter by unauthorized intruders is prohibited.
· The operating system enforces authentication methods to prevent unauthorized access to adapter services.
· All critical security parameters are verified as correct and are securely generated stored, and destroyed.
· All host system components that can contain sensitive cryptographic data (main memory, system bus, disk
storage) must be located in a secure environment.
· The operating system is responsible for multitasking operations so that other processes cannot access the
address space of the process containing the adapter. Secret or private keys that are input to or output from an
application must be encrypted using a FIPS-approved algorithm

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 10/17
12/11/2019 Release Notes

Remote Mailbox Support

The adapter now supports remote mailboxes. This allows supporting Office 365 mailboxes in a hybrid Exchange
environment. A new attribute (erADEremoteAddress) has been added to the user object to support this feature. There
are now 4 ways to create a mailbox with the adapter:

1. Supply a mailbox store (erADEmailboxStore) to create a standard mailbox in the local Exchange server
2. Supply a target mail address (erADEtargetAddress) to create an external mail account
3. Supply a valid remote mail address (erADEremoteAddress) to create a remote mailbox
4. Don’t supply any of the above attributes, but supply any Exchange attribute ( such as erADEalias ) to create a
standard mailbox and allow Exchange to decide which mail store to use.

To delete a mailbox, simply delete the value for the mail store or mail address.

The remote address and target address values use the same user attribute to store their value. The
msExchRecipientType value indicates whether the mailbox is remote or not. Currently remote addresses appear in the
target address field. You will need to run a full reconciliation after installing this update to populate the remote
addresses.

Installation and Configuration Notes

See the IBM Security Windows Local Account Adapter Installation and Configuration Guide for detailed instructions.

Corrections to Installation Guide

The following corrections to the Installation Guide apply to this release:

Exchange Mailbox Security

The settings for Exchange Mailbox security for Read and Full access were using different values for settings in an
attempt to have the default values on the form match those of Exchange. This was confusing and causing issues
when the default settings on the Exchange server were changed from what the adapter expected. The adapter now
uses the same values for all Exchange security settings. 1=Allow, 2=Deny and 0 or no value=None.

Chapter 4. Adapter installation

Section "Adapter user account creation"

The following paragraph is incorrect:

The account information must be supplied on the Active Directory Adapter service form. See “Creating an adapter
service” on page 14 for information about creating a service.

Furthermore, you must not supply the account information on the service form. The following two fields on the
adapter service form are not used and must be blank:
Administration User Account
Administration User Password

è The adapter account, used by the adapter to manage AD/Exchange/Lync, must be supplied on the logon tab of
the Windows Adapter service that is named ISIM Active Directory Adapter.

Configuration Notes
The following configuration notes apply to this release:

Managed Folder Mailbox Policy

Managed folder policies and retention policies are now treated as separate items. The type of policy is determined by
the location in the Active Directory LDAP.

Corrections to User Guide

The following corrections to the User Guide apply to this release:

Force Password Change

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 11/17
12/11/2019 Release Notes

The "Force Password Change" check box is documented incorrectly in section "Specifying controls for a user account"
of the User Guide.

It should be as follow: "If you select the Force Password Change check box, then the adapter sets the value of the
pwdLastSet attribute to 0. If you do not select the Force Password Change check box, then the adapter sets the value
of the pwdLastSet attribute to -1".

Table 7. Options for the DAML protocol menu

A new option L should be included in the table of DAML protocol options.

Displays the following prompt:

Modify Property ‘DISABLE_SSLV3’:

SSLv3 is now considered an unsecure protocol. SSLv3 is now disabled by default. In order to enable SSLv3 you
need to set this value to FALSE. If this value does not exist or is anything other than FALSE, the SSLv3 protocol will
be disabled when using SSL.

A new option M should be included in the table of DAML protocol options.

Displays the following prompt:

Modify Property ‘DISABLE_TLS10’:

TLS1.0 setting is configurable. By default, DISABLE_TLS10 is set to FALSE

Setting DISABLE_TLS10 to TRUE will disable TLS1.0 and SSLV3 regardless of the setting for DISABLE_SSLV3.

Add the following configuration settings topic:

Enabling TLS 1.2 in Identity Manager (ISIM/IGI/ISPIM):

After Setting up certificates in Identity Manager and Adapter, Enable TLS 1.2 by adding/modifying the following line in
enRole.properties file in ISIM (equivalent for ISPIM and IGI)
com.ibm.daml.jndi.DAMLContext.SSL_PROTOCOL=TLSv1.2

Chapter 7
The section “Modifying protocol configuration settings" should add this section for setting the SSL cipher list.

Setting the Cipher list

The DAML protocol now checks for an environment variable called "ISIM_ADAPTER_CIPHER_LIST". This variable
can contain a list of ciphers for the SSL protocol. DAML uses the openSSL library to support SSL. This cipher string is
passed to openSSL during initialization. The cipher names and the syntax can be found on the openSSL web site (
https://www.openssl.org/docs/apps/ciphers.html ). When this string is used, it only fails if none of the ciphers can be
loaded. It is considered successful if at least one of the ciphers is loaded.

Chapter 5
For IGI uses, under the section Customizing the Active Directory Adapter there should be another section between
steps 5 and 6 should be inserted for updating the targetProfile.json file ( see Update the targetprofile.json file (IGI
only) )

Customizing or Extending Adapter Features

The IBM Security Identity Manager adapters can be customized and/or extended. The type and method of this
customization may vary from adapter to adapter.

Getting Started
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the
following concepts and skills prior to beginning the modifications:

LDAP schema management

Working knowledge of scripting language appropriate for the installation platform
https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 12/17
12/11/2019 Release Notes

Working knowledge of LDAP object classes and attributes

Working knowledge of XML document structure

IBM Security Identity Manager Resources:

Check the “Training" section of the IBM Security Identity Manager Support website for links to training,
publications, and demos.

This adapter now supports extending the schema for group objects as well as user objects on. The procedure
is the same as for user objects except that the file name used for the
extended attributes is exschemagrp.txt. Extending the schema for group objects is supported on ISIM only.

Update the targetprofile.json file (IGI only)

The Active Directory Adapter targetprofile.json file identifies all of the supported Windows
account attributes for the IGI server.

About this task

Modify this file to identify the new extended attributes. To update the targetProfile.json file, complete the following
steps:

Procedure
Change to the \ADprofile directory, where the targetProfile.json file has been created.
Open the targetProfile.json file in a text editor. Find the section for “userExtension”. It should look like this:

"userExtension": {
"schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"definition": {
"id": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [

The “attributes” section contains an array of attribute definitions. Each definition is separated by a comma. You add
your extended attributes to this section. An attribute object contains these fields:

Field Description
name Attribute name
type data type (string, integer, boolean, binary)
multiValued True if attribute can have multiple values
description Attribute description text
required true if required attribute
caseExact true if value is case sensitive
mutability immutable, read, write, readwrite
returned Use “default”
uniqueness Use “server”
specialFlags Use “none”
canonicalValues Optional list of valid values for this attribute as a json array.

The attribute object is enclosed in braces ({}). Each field has the name in quotes followed by a colon and the value.
Each field is separated by a comma. Below is an example from the AD adapter:

{
"name": "eruid",
"type": "string",
"multiValued": false,
"description": "An identifier used to uniquely identify a user",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "server",
"specialFlags": "none"
},

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 13/17
12/11/2019 Release Notes

Add the new attributes to the account class. For example (new attribute text in red):

"userExtension": {
"schema": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"definition": {
"id": "urn:ibm:idbrokerage:params:scim:schemas:extension:ADAccount:2.0:User",
"name": "CustomUserExtension",
"description": "Security adapter view of a user",
"attributes": [
{
"name": "eruid",
"type": "string",
"multiValued": false,
"description": "An identifier used to uniquely identify a user",
"required": true,
"caseExact": false,
"mutability": "immutable",
"returned": "default",
"uniqueness": "server",
"specialFlags": "none"
},

…
{
"name": "title",
"type": "string",
"multiValued": false,
"description": "title",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none"
},
{
"name": "shirtSize",
"type": "string",
"multiValued": true,
"description": "Shirt Size",
"required": false,
"caseExact": false,
"mutability": "readWrite",
"returned": "default",
"uniqueness": "none",
"specialFlags": "none",
"canonicalValues": [
"small”,
"medium",
"large
]
}
]
},

Make sure to separate each attribute definition with a comma. Once you have updated the file, it is recommended that
you verify the syntax is correct by using one of the freely available json lint sites.

Support for Customized Adapters

The integration to the IBM Security Identity Manager server – the adapter framework – is supported. However, IBM
does not support the customizations, scripts, or other modifications. If you experience a problem with a customized
adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is
opened.

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 14/17
12/11/2019 Release Notes

Troubleshooting
Log Output From Exchange and Lync powershell calls
The adapter uses a remote powershell session to communicate with Exchange and Lync servers. This code runs as a
pair COM servers in the .NET environment. As such they do not have access to the adapter logging functions.
However, there are messages that are output to the console. In order to see these log messages, you must run the
adapter in console mode. This is done by running the adapter directly from the command line and specifying –console
as a command line option. This causes all of the adapter logging as well as any output from the Exchange and Lync
modules to be output to the console. To capture the logging to a file, simply redirect the output of the adapter to a file.
For example:

>ADAgent.exe –console > adagent.log

Exchange connection issues

The adapter uses remote powershell sessions to manage Exchange servers. If the adapter has issues connecting to
the servers, you can manually run the powershell cmdlets that the adapter uses to troubleshoot the connection errors.

Use this command to create a new session on the remote server. Replace <hostAddr> with the actual hostname or IP
of the Exchange server.

PS>$mySession = New-PSSession -configurationname Microsoft.Exchange -connectionuri

http://<hostAddr>/Powershell -authentication Kerberos

Use this command to import the remote session into your local session. If this is successful, you should be able to run
any Exchange cmdlets as if you were on the Exchange server.
PS>import-pssession $mySession

Issues when used with multiple Exchange versions

Different versions of Exchange Server have some issues when modifying mailboxes on a server of one version from a
powershell session on a server of a different version. Preferred servers allow you to specify which Exchange servers
are used to execute requests.

Preferred servers
There is no API for managing Exchange servers. They are managed through the use of powershell cmdlets. The
required cmdlets are only available on the Exchange servers. The adapter must use a remote powershell connection
to one of the servers to execute the cmdlets to process a request.
The adapter uses the concept of preferred servers for both Exchange and Lync. When a request comes in, the
adapter must connect to a remote server to execute the request. By default it does an LDAP search into AD to find the
servers, then tries to connect. It uses the first server that it can connect with. If preferred servers are specified, the
adapter will try to connect with those servers first. Setting the exclusive flag to TRUE will force the adapter to only use
the preferred servers.
Keep in mind that the preferred servers are where the request is executed. This has nothing to do with where
mailboxes are created. The account attribute erMailboxStore specifies the mail database which is not necessarily on
the preferred server.

Installation Platform
The IBM Security Identity Manager Adapter was built and tested on the following product versions.

Adapter Installation Platform:

Windows 10
Windows Server 2016
Windows Server 2019

Managed Resource:
Active Directory on Windows Server 2016
Active Directory on Windows Server 2019

With optional:

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 15/17
12/11/2019 Release Notes

Exchange Server 2016

Exchange Server 2019
Skype For Business Server 2015
Skype For Business Server 2019

IBM Security Identity Manager:

IBM Security Identity Manager v7.0.x

IBM Security Privileged Identity Manager (PIM):

ISPIM v2.0
ISPIM v2.1

Identity Governance and Intelligence (IGI):

IGI v5.2.x

Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products,
services, or features discussed in this document in other countries. Consult your local IBM representative for
information on the products and services currently available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally
equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or
service.

IBM may have patents or pending patent applications covering subject matter described in this document. The
furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing,
to:

IBM Director of Licensing

IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in
your country or send inquiries, in writing, to:

Intellectual Property Licensing

Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the
information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner
serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this
IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any
obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of
information between independently created programs and other programs (including this one) and (ii) the mutual use of
the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 16/17
12/11/2019 Release Notes

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a
fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under
terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement
between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in
other operating environments may vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of
this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities
of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other
countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

End of Release Notes

https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/ReleaseNotes-WinAD64-7.1.33_1.html 17/17