1.1 Key Terms

NetIQ Identity Manager is a service that synchronizes data among servers in a set of connected systems by using a robust set of configurable policies. Identity Manager uses the Identity Vault to store shared information, and uses the Identity Manager engine for policy-based management of the information as it changes in the vault or connected system. Identity Manager runs on the server in which the Identity Vault and the Identity Manager engine are located.

A connected system is any system that can share data with Identity Manager through a driver. PAM is a connected system.

The Identity Vault is a persistent database powered by eDirectory. Identity Manager uses Identity Vault to hold data for synchronization with a connected system. The vault can be viewed as a private data store for Identity Manager, or as a metadirectory that holds enterprise-wide data. Data in the vault is available to any protocol supported by eDirectory, including the NetWare Core Protocol (NCP), which is the traditional protocol used by iManager, LDAP, and DSML.

Because the vault is powered by eDirectory, Identity Manager can be easily integrated into your corporate directory infrastructure by using your existing directory tree as the vault.

The Identity Manager engine is the core server that implements the event management and policies of Identity Manager. The engine runs on the Java Virtual Machine in eDirectory.

The Identity Manager driver for NetIQ Privileged Account Manager (PAM) was previously called driver for Privileged User Manager. This driver lets you automate access control to privileged accounts in database, applications, Windows servers, and Unix/Linux servers. You can utilize the self-service request and approval workflow capabilities of Identity Manager to provide self-service access to privileged accounts on servers managed by PAM.

PAM helps IT administrators to provide controlled access to super-user and root accounts, allowing them to perform jobs without needlessly exposing administrative account credentials. PAM delegates privileged access to users and the access control policies are authorized via a centralized database. The driver for PAM automates authorization of users into PAM, based on the Identity Manager Entitlement grant.

PAM resets the defined application, and database password during a password check-in process, but to change the password in a database such as SAP, or ORACLE and synchronize the password we require the PAM driver. The PAM driver connects PAM to the Identity Manager and allows the synchronization of password through Identity Manager from PAM to any application or database. For more information about the password check-in feature, refer Managing Shared Accounts in the NetIQ Privileged Account Manager 3.0.1 Administration Guide.

For more information about PAM, see the NetIQ Privileged Account Manager Documentation Web site.

Figure 1-1 illustrates the data flow between Identity Manager and PAM, through the driver.

Figure 1-1 Data Flow between Identity Manager and PAM

A driver shim is the component of a driver that converts the XML-based Identity Manager command and event language (XDS) to the protocols and API calls needed to interact with PAM or any other connected system. The shim is called to execute commands on the connected system after the Output Transformation runs. Commands are generated on the Subscriber channel but can be generated by command write-back on the Publisher channel.

The PAM driver shim is implemented in Java and the name of the shim is NPUMDriverShim.jar. The PAM driver shim communicates with PAM through NPUM_api.jar. These APIs require PAM authentication to succeed.

If you use the Remote Loader, NPUMDriverShim.jar and NPUM_api.jar run on the server where the Remote Loader is running. Otherwise, it runs on the server where the Identity Manager engine is running.

The driver communicates with the PAM server via HTTPS protocol using the JSON API provided by PAM.

A Remote Loader enables a driver shim to execute outside the Identity Manager engine (perhaps remotely on a different machine).

The Remote Loader is a service that executes the driver shim and passes information between the shim and the Identity Manager engine. When you use a Remote Loader, you install the driver shim on the server where the Remote Loader is running, not on the server where the Identity Manager engine is running. You can choose to use SSL to encrypt the connection between the Identity Manager engine and the Remote Loader. For more information, see the Identity Manager 4.0.2 Remote Loader Guide.

When you use the Remote Loader with the PAM driver shim, two network connections exist: