Once PasswordSync is installed on your Windows domain controllers, you must take additional steps on the application server running Identity Manager.
You do not need to install the PasswordSync servlet on the application server. It is automatically installed when you installed Identity Manager.
To finish deploying PasswordSync, however, you do need to perform the following actions in Identity Manager:
Add and configure the JMS Listener Adapter (if using JMS)
Implement the “Synchronize User Password” Workflow
Set up notifications
If the PasswordSync servlet is using JMS to send messages to Identity Manager, you need to add Identity Manager’s JMS Listener resource adapter. The JMS Listener resource adapter periodically checks the JMS Message Queue for messages placed there by the PasswordSync servlet. If the Queue contains a new message, it sends it to Identity Manager for processing.
Log on to the Identity Manager Administrator Interface (Identity Manager Administrator Interface).
Select Resources -> Configure Types from the main menu.
The Configure Managed Resources page opens as shown in Figure 11–10.
Verify that the JMS Listener checkbox in the Managed? column is selected as shown in Figure 11–10.
If the box is not selected, select it and click Save.
Click List Resources in the secondary menu.
Locate the Resource Type Actions drop-down menu and select New Resource.
The New Resource page is displayed.
To add the JMS Listener Adapter, select JMS Listener from the drop-down menu (as shown in Figure 11–11) and click New.
Configure the following settings on the Resource Parameters page, and then click Next.
Destination Type. Specify the This value is typically set to Queue. (Topics are not usually relevant because there is one subscriber and potentially multiple publishers.)
Initial context JNDI properties. Define the set of properties that are used to build the initial JNDI context.
You must define the following name/value pairs:
java.naming.factory.initial. Specify the classname (including the package) of the Initial Context Factory for the JNDI Service Provider.
java.naming.provider.url. Specify the URL of the machine running the JNDI service.
You might have to define additional properties. The list of properties and values should match those specified on the JMS settings page on the JMS server. For example, to provide the credentials and bind method, you might need to specify the following sample properties:
java.naming.security.principal — Bind DN (for example, cn=Directory manager)
java.naming.security.authentication — Bind method (for example, simple)
java.naming.security.credentials — Password
JNDI name of Connection factory. Enter the name of a connection factory, as defined on the JMS server.
JNDI name of Destination. Enter the name of a destination, as defined on the JMS server.
User and Password. Enter the account name and password of the administrator that requests new events from the queue.
Reliable Messaging Support. Select LOCAL (Local Transactions). The other options are not applicable for password synchronization.
Message Mapping. Enter java:com.waveset.adapter.jms.PasswordSyncMessageMapper. This class transforms messages from the JMS server into a format that can be used by the Synchronize User Password workflow.
On the Account Attributes wizard page (Figure 11–12), click Add Attribute and map the following attributes, which are made available to the JMS Listener Adapter by PasswordSyncMessageMapper.
IDMAccountId — This attribute is resolved by the PasswordSyncMessageMapper, based on the resourceAccountId and resourceAccountGUID attributes passed in the JMS message.
password — The encrypted password forwarded in the JMS message.
The Identity Template wizard page opens as shown in Figure 11–13. Note that the attributes you added in the previous step are available in the Attribute Mappings section of the Resource Wizard (Figure 11–13).
Click Next and configure the options on Identity System Parameters page as needed.
See Sun Identity Manager 8.1 Resources Referencefor more information about setting up the JMS Listener resource adapter.
When Identity Manager receives a password change notification, it starts the Synchronize User Password workflow. The default Synchronize User Password workflow checks out the ChangeUserPassword viewer, and then checks it back in again. Next, the workflow processes all of the resources accounts (except the Windows resource that sent the initial password change notification). Finally, Identity Manager sends the user email indicating whether the password change was successful on all resources.
If you want to use the default implementation of the Synchronize User Password workflow, assign it as the process rule for the JMS Listener adapter instance. Process rules may be assigned when you configure the JMS Listener for synchronization (see Configuring Active Sync).
If you want to modify the workflow, copy the $WSHOME/sample/wfpwsync.xml file and make your modifications. Then, import the modified workflow into Identity Manager.
Some of the modifications you might want to make to the default workflow include:
Which entities are notified when a password is changed.
What happens if an Identity Manager account cannot be found.
How resources are selected in the workflow.
Whether to allow password changes from Identity Manager.
For detailed information about using workflows, see Chapter 2, Workflow, in Sun Identity Manager Deployment Reference.
Identity Manager provides two email templates that can inform users whether a password change was successful across all resources.
These templates are:
Password Synchronization Notice
Password Synchronization Failure Notice
Both templates should be updated to provide company-specific information about what users should do if they need further assistance. For more information see Customizing Email Templates in Chapter 4, Configuring Business Administration Objects.