+-----------------------------------------------------+
Interim Fix 7.2.0-ISS-SDI-LA0020 README
Security Directory Integrator 7.2.0 LA Interim Fix 20
(All platforms)
Date: Mar 2019
+-----------------------------------------------------+

COPYRIGHT STATEMENT
====================
Mar 2019

References in this publication to IBM products, programs, or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM program product in this publication is not intended to state or imply that only IBM's program product may be used. Any functionally equivalent program may be used instead.

IBM is a trademark of the International Business Machines Corporation.

Copyright International Business Machines Corporation 2019. All rights Reserved.

Fix For
========
APAR - IO26846 and IO26891.

General Description:
====================
This Limited Availability Interim Fix contains fixes for APARs IO26846 and IO26891.

Details:
========
IO26846 NTLM AUTHENTICATION FOR HTTP CLIENT CONNECTOR
IO26891 TDI ISSUE WITH SUB AL AFTER HANDLED ERROR

Prerequisites:
==============
Security Directory Integrator v7.2.0 Fixpack 4 is recommended.

Platforms:
==========
All supported Platforms

Sizes of Files Included in this Fix:
====================================
   33,400  HTTPClientConnector.jar
1,189,020  miserver.jar

md5sum of Files Included in this Fix:
=====================================
009a45ce4b081286275a233c5c2f6944  HTTPClientConnector.jar
ad91ba489026301a3af0ae6117f4742d  miserver.jar

Applying the Fix:
=================
- Unzip the fix package to a temporary directory. The zip file contains HTTPClientConnector.jar and miserver.jar.
- Back up the older HTTPClientConnector.jar from the TDI installed system (\jars\connectors\).
- Back up the older miserver.jar from the TDI installed system (\jars\common\).
- Replace the existing files which were backed up earlier with the fix files.
Note: HTTPClientConnector.jar contains the fix for APAR IO26846 (see section "NTLM and HTTPClientConnector").
      miserver.jar contains the fix for APAR IO26891.

Confirming the Fix has been applied successfully:
=================================================
The problem should be solved.

NTLM and HTTPClientConnector
============================
Use:
The HTTP Client Connector will default to Basic Authentication, as before. If the HTTP server offers NTLM authentication, by returning a 401 status and the header "WWW-Authenticate: NTLM", then NTLM authentication will be triggered.

NTLM:
NTLM uses 4 strings, compared to the 2 used by Basic Authentication:

  user name - See HTTP Client Connector for how to provide this, but look below.
  password  - See HTTP Client Connector for how to provide this.
  domain    - If the user name contains a backslash, e.g. SHAREPOINTV2013\Administrator, the domain will be SHAREPOINTV2013 and the user name will be changed to Administrator. Splitting happens at the first backslash. The default value for domain is the empty string. And see below.
  host      - empty string (see below).

New connector parameters:

  authMethod - Setting the connector parameter "authMethod" to "NTLM", e.g. with thisConnector.setConnectorParam("authMethod", "NTLM") in the Before Execute hook, will cause Basic Authentication to be switched off. This is helpful if it is considered a security risk that the user name and password are sent in clear text (Basic Authentication) before NTLM negotiation.
  NTLM.domain - Setting this connector parameter allows you to specify the NTLM domain. Setting this has the side effect of not splitting the user name at the backslash.
  NTLM.host - Allows you to specify the NTLM host.
  http.Authorization - Setting this parameter allows you to specify the Authorization header which is sent to the HTTP server, overriding user name and password. E.g. set it to "Bearer XYZ" to use a bearer token.
    The parameter can be set with code like this in the "Before Execute" hook:
      thisConnector.setConnectorParam("http.Authorization", "Bearer XYZ")

Debug logging (if there are issues):
The HTTP Client Connector allows you to set "Detailed Logging". This should only be done while debugging, not in production, since it writes a lot of sensitive data to the log. When "Detailed Logging" is turned on, you will see that the new connector is loaded, with this information in the log file:

  CTGDIS484I Connector com.ibm.di.connector.HTTPClientConnector: 2.3-di7.2 (NTLM) 2019-02-15.

If the NTLM string is missing, the new version of the HTTP Client Connector was not properly installed.