Tivoli® Access Manager for e-business
Version 6.1.1

Installation Guide

GC23-6502-01

Note: Before using this information and the product it supports, read the information in Appendix D, "Notices," on page 651.

Edition notice

This edition applies to version 6, release 1, modification 1 of IBM Tivoli Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

All rights reserved.

© Copyright IBM Corporation 2001, 2010. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

About this publication . . . ix
  Intended audience . . . ix
  Publications . . . ix
    IBM Tivoli Access Manager for e-business library . . . ix
    Related products and publications . . . xi
    Accessing terminology online . . . xii
    Accessing publications online . . . xii
    Ordering publications . . . xiii
  Accessibility . . . xiii
  Tivoli technical training . . . xiii
  Tivoli user groups . . . xiii
  Support information . . . xiii
  Conventions used in this publication . . . xiv
    Typeface conventions . . . xiv
    Operating system-dependent variables and paths . . . xv

Part 1. Planning for installation . . . 1

Chapter 1. Installation overview . . . 3
  Planning for deployment . . . 3
  Secure domain overview . . . 4
  Tivoli Access Manager installation components . . . 5
    Tivoli Access Manager base components . . . 5
    Tivoli Access Manager Web security components . . . 8
    Tivoli Access Manager distributed sessions management components . . . 9
    Prerequisite products . . . 10
  Supported registries . . . 13
    IBM Tivoli Directory Server . . . 13
    IBM z/OS LDAP Server . . . 13
    IBM Lotus Domino Server . . . 13
    Microsoft Active Directory . . . 13
    Microsoft Active Directory Application Mode (ADAM) . . . 14
    Sun Java System Directory Server . . . 14
    Novell eDirectory . . . 14
  Components and prerequisites provided with Tivoli Access Manager systems . . . 15
    Tivoli Access Manager base systems . . . 15
    Tivoli Access Manager Web security systems . . . 17
    Tivoli Access Manager distributed sessions management systems . . . 19
  Installation process . . . 21
  Installation methods . . . 23
    Installation wizards . . . 23
    Native installation utilities . . . 26
    Software Distribution installation method . . . 26
  Groups and administrator identities on UNIX and Linux systems . . . 30
  Default port numbers . . . 33

Chapter 2. Internationalization . . . 35
  Language support overview . . . 36
  Installing language support packages for Tivoli Access Manager . . . 37
  Installing language support packages for IBM Tivoli Directory Server . . . 39
    AIX: Installing Tivoli Directory Server language packages . . . 39
    HP-UX: Installing Tivoli Directory Server language packages . . . 40
    Linux: Installing Tivoli Directory Server language packages . . . 41
    Solaris: Installing Tivoli Directory Server language packages . . . 42
    Windows: Installing Tivoli Directory Server language packages . . . 43
  Uninstalling Tivoli Access Manager language support packages . . . 44
    Uninstalling IBM Tivoli Directory Server language packages . . . 45
  Locale environment variables . . . 46
    LANG variable on UNIX or Linux systems . . . 47
    LANG variable on Windows systems . . . 48
    Using locale variants . . . 48
  Message catalogs . . . 49
  Text encoding (code set) support . . . 50
    Location of code set files . . . 50

Part 2. Base system installation . . . 51

Chapter 3. Setting up the registry server . . . 53
  Setting up IBM Tivoli Directory Server . . . 54
    Preinstallation requirements . . . 54
    Installing using the installation wizard . . . 57
    Installing using native utilities . . . 58
    Configuring a directory server instance for IBM Tivoli Directory Server . . . 87
    Configuring IBM Tivoli Directory Server for Tivoli Access Manager . . . 100
  Setting up IBM z/OS LDAP Server . . . 105
    Updating schema files . . . 106
    Adding suffixes . . . 106
    Configuring Tivoli Access Manager for LDAP . . . 106
    Native authentication user administration . . . 107
  Setting up Lotus Domino . . . 108
    Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0) . . . 110
    Installing a Lotus Notes client on a Tivoli Access Manager system . . . 112
  Setting up Microsoft Active Directory . . . 114
    Active Directory considerations . . . 114
    Creating an Active Directory domain . . . 115
    Joining an Active Directory domain . . . 116
    Creating an Active Directory administrative user . . . 118
    Changing Active Directory replication settings . . . 119

Setting up Microsoft Active Directory ApplicationMode (ADAM) . . . . . . . . . . . . . 119

Installing and configuring Active DirectoryApplication Mode (ADAM) for Tivoli AccessManager (Overview) . . . . . . . . . . 120Installing Access Manager with support forActive Directory Application Mode (ADAM) . . 120Configuring the Tivoli Access Manager schemafor Active Directory Application Mode (ADAM). 121Configuring a default Tivoli Access Managerdirectory partition . . . . . . . . . . . 123Adding an administrator to the Tivoli AccessManager metadata directory partition . . . . 124Allowing anonymous bind . . . . . . . . 126

Setting up Novell eDirectory . . . . . . . . 127Configuring the Novell eDirectory for TivoliAccess Manager . . . . . . . . . . . 127When using Novell eDirectory . . . . . . 129Management domain location . . . . . . . 130

Setting up the Sun Java System Directory Server 132

Chapter 4. Setting up a policy server 137LDAP data format selection . . . . . . . . 137Tivoli Access Manager management domains. . . 138

Creating a management domain location(example). . . . . . . . . . . . . . 139Management domain location for an ActiveDirectory Application Mode (ADAM) registry . 140

Installing using the installation wizard . . . . . 141Installing using native utilities. . . . . . . . 142

AIX: Installing the policy server . . . . . . 142HP-UX: Installing the policy server . . . . . 144Linux: Installing the policy server . . . . . 146Solaris: Installing the policy server . . . . . 147Windows: Installing the policy server . . . . 149

Chapter 5. Setting up an authorizationserver . . . . . . . . . . . . . . 153Installing using the installation wizard . . . . . 154Installing using native utilities. . . . . . . . 155

AIX: Installing an authorization server . . . . 155HP-UX: Installing an authorization server . . . 156Linux: Installing an authorization server . . . 158Solaris: Installing an authorization server . . . 159Windows: Installing an authorization server . . 161

Chapter 6. Setting up a developmentsystem . . . . . . . . . . . . . . 163Installing using the installation wizard . . . . . 163Installing using native utilities. . . . . . . . 164

AIX: Installing a development (ADK) system 164HP-UX: Installing a development (ADK) system 165Linux: Installing a development (ADK) system 167Solaris: Installing a development (ADK) system 168Windows: Installing a development (ADK)system . . . . . . . . . . . . . . 170

Chapter 7. Setting up an AccessManager Runtime for Java system . . 173

Installing using the installation wizard . . . . . 173Installing using native utilities. . . . . . . . 175

AIX: Installing Access Manager Runtime forJava . . . . . . . . . . . . . . . 175HP-UX: Installing Access Manager Runtime forJava . . . . . . . . . . . . . . . 176Linux: Installing Access Manager Runtime forJava . . . . . . . . . . . . . . . 177Solaris: Installing Access Manager Runtime forJava . . . . . . . . . . . . . . . 178Windows: Installing Access Manager Runtimefor Java . . . . . . . . . . . . . . 180

Chapter 8. Setting up a policy proxyserver system . . . . . . . . . . . 181Installing using the installation wizard . . . . . 181Installing using native utilities. . . . . . . . 182

AIX: Installing a policy proxy server . . . . 183HP-UX: Installing a policy proxy server . . . 184Linux: Installing a policy proxy server . . . . 185Solaris: Installing a policy proxy server . . . . 187Windows: Installing a policy proxy server . . . 188

Chapter 9. Setting up a runtimesystem . . . . . . . . . . . . . . 191Installing using the installation wizard . . . . . 191Installing using native utilities. . . . . . . . 193

AIX: Installing Access Manager Runtime . . . 193HP-UX: Installing Access Manager Runtime . . 194Linux: Installing Access Manager Runtime . . 195Solaris: Installing Access Manager Runtime . . 197Windows: Installing Access Manager Runtime 199

Chapter 10. Setting up a Web PortalManager system . . . . . . . . . . 201Installing using the installation wizard . . . . . 201Installing using native utilities. . . . . . . . 203

AIX: Installing a Web Portal Manager system 204HP-UX: Installing a Web Portal Manager system 206Linux: Installing a Web Portal Manager system 208Solaris: Installing a Web Portal Manager system 211Windows: Installing a Web Portal Managersystem . . . . . . . . . . . . . . 214

Configuring WebSphere Application Server security 216

Part 3. Web security systeminstallation . . . . . . . . . . . . 217

Chapter 11. Setting up the AccessManager Attribute Retrieval Service. . 219Installing using the installation wizard . . . . . 219Installing using native utilities. . . . . . . . 220

AIX: Installing the Access Manager AttributeRetrieval Service . . . . . . . . . . . 220HP-UX: Installing the Access Manager AttributeRetrieval Service . . . . . . . . . . . 221Linux: Installing the Access Manager AttributeRetrieval Service . . . . . . . . . . . 222

    Solaris: Installing the Access Manager Attribute Retrieval Service . . . 223
    Windows: Installing the Access Manager Attribute Retrieval Service . . . 223

Chapter 12. Setting up the plug-in for Edge Server . . . 225
  Preinstallation requirements . . . 225
  AIX: Installing the plug-in for Edge Server . . . 226
  Red Hat Enterprise Linux: Installing the plug-in for Edge Server . . . 227
  Solaris: Installing the plug-in for Edge Server . . . 228
  Windows: Installing the plug-in for Edge Server . . . 230
  Overview of the plug-in for Edge Server configuration . . . 231
    Server configuration model . . . 232
    Server configuration concepts . . . 233
    Object space configuration model . . . 235
    Single sign-on configuration model . . . 236
    Configuration procedure summary . . . 237

Chapter 13. Setting up the plug-in for Web servers . . . 239
  Preinstallation requirements . . . 239
  Installing using the installation wizard . . . 241
  Installing using native utilities . . . 242
    Installing the plug-in for Apache Web Server . . . 242
    Installing the plug-in for IBM HTTP Server . . . 247
    Installing the plug-in for Internet Information Services . . . 253
    Installing the plug-in for Sun Java System Web Server . . . 254

Chapter 14. Setting up a Web security development system . . . 259
  Installing using the installation wizard . . . 259
  Installing using native utilities . . . 260
    AIX: Installing a Web security development (ADK) system . . . 261
    HP-UX: Installing a Web security development (ADK) system . . . 262
    Linux: Installing a Web security development (ADK) system . . . 263
    Solaris: Installing a Web security development (ADK) system . . . 264
    Windows: Installing a Web security development (ADK) system . . . 265

Chapter 15. Setting up WebSEAL . . . 267
  Installing using the installation wizard . . . 267
  Installing using native utilities . . . 269
    AIX: Installing WebSEAL . . . 269
    HP-UX: Installing WebSEAL . . . 270
    Linux: Installing WebSEAL . . . 272
    Solaris: Installing WebSEAL . . . 273
    Windows: Installing WebSEAL . . . 275

Part 4. Session management system installation . . . 277

Chapter 16. Setting up a session management server . . . 279
  Preinstallation requirements . . . 280
  Installing using the installation wizard . . . 282
  Installing using native utilities . . . 285
    AIX: Installing a session management server system . . . 285
    HP-UX: Installing a session management server system . . . 286
    Linux: Installing a session management server system . . . 287
    Solaris: Installing a session management server system . . . 287
    Windows: Installing a session management server system . . . 288
  Creating the login history database . . . 289
  Deploying the Integrated Solutions Console extension . . . 291
  Deploying the Session Management Server application . . . 291
    Deploying using the smscfg utility . . . 291
    Deploying using Session Management Server Integrated Solutions Console (ISC) . . . 292
  Configuring the session management server . . . 292
    Configuring the session management server using the smscfg utility . . . 292
    Configuring the session management server using the Integrated Solutions Console (ISC) . . . 293

Chapter 17. Setting up the session management command line . . . 295
  Preinstallation requirements . . . 295
  Installing using the installation wizard . . . 296
  Installing using native utilities . . . 298
    AIX: Installing the session management command line . . . 298
    HP-UX: Installing the session management command line . . . 299
    Linux: Installing the session management command line . . . 301
    Solaris: Installing the session management command line . . . 302
    Windows: Installing the session management command line . . . 304

Part 5. Reference information . . . 307

Chapter 18. Installing prerequisite products . . . 311
  Installing the IBM Global Security Kit (GSKit) . . . 311
    AIX: Installing the IBM Global Security Kit (GSKit) . . . 312
    HP-UX: Installing the IBM Global Security Kit (GSKit) . . . 312
    Linux: Installing the IBM Global Security Kit (GSKit) . . . 313
    Solaris: Installing the IBM Global Security Kit (GSKit) . . . 314

    Windows: Installing the IBM Global Security Kit (GSKit) . . . 315
    Setting up the GSKit iKeyman utility . . . 315
  Installing IBM Java Runtime . . . 318
    AIX: Installing IBM Java Runtime . . . 318
    HP-UX: Installing IBM Java Runtime . . . 319
    Linux: Installing IBM Java Runtime . . . 320
    Solaris: Installing IBM Java Runtime . . . 321
    Windows: Installing IBM Java Runtime . . . 321
  Installing the IBM Tivoli Security Utilities . . . 323
    AIX: Installing the IBM Tivoli Security Utilities . . . 323
    HP-UX: Installing IBM Tivoli Security Utilities . . . 323
    Linux: Installing IBM Tivoli Security Utilities . . . 324
    Solaris: Installing IBM Tivoli Security Utilities . . . 325
    Windows: Installing IBM Tivoli Security Utilities . . . 326
  Installing the IBM Tivoli Directory Server client . . . 327
    AIX: Installing the IBM Tivoli Directory Server client . . . 327
    HP-UX: Installing the IBM Tivoli Directory Server client . . . 328
    Linux: Installing the IBM Tivoli Directory Server client . . . 329
    Solaris: Installing the IBM Tivoli Directory Server client . . . 330
    Windows: Installing the IBM Tivoli Directory Server client . . . 331
  Installing IBM WebSphere Application Server . . . 333
    AIX: Installing WebSphere Application Server . . . 333
    HP-UX: Installing WebSphere Application Server . . . 334
    Linux: Installing WebSphere Application Server . . . 335
    Solaris: Installing WebSphere Application Server . . . 336
    Windows: Installing WebSphere Application Server . . . 336
  Installing the Web Administration Tool . . . 338
    AIX: Installing the Web Administration Tool . . . 338
    HP-UX: Installing the Web Administration Tool . . . 339
    Linux: Installing the Web Administration Tool . . . 340
    Solaris: Installing the Web Administration Tool . . . 341
    Windows: Installing the Web Administration Tool . . . 342
    Installing the Web Administration Tool into WebSphere . . . 344

Chapter 19. Uninstalling components . . . 347
  Unconfiguring Tivoli Access Manager components . . . 348
  Unconfiguring IBM Tivoli Directory Server . . . 349
    Unconfiguring the database . . . 349
    Deleting a directory server instance . . . 350
  Removing packages . . . 351
    AIX: Removing packages . . . 351
    HP-UX: Removing packages . . . 353
    Linux: Removing packages . . . 354
    Solaris: Removing packages . . . 356
    Windows: Removing packages . . . 357

Chapter 20. Installation wizard scenarios . . . 359
  Installing the IBM Tivoli Directory Server (install_ldap_server wizard) . . . 360
    Pre-installation requirements . . . 360
    install_ldap_server scenario . . . 361
  Installing the policy server (install_ammgr wizard) . . . 369

Chapter 21. Installation wizard options . . . 377
  Access Manager Runtime (LDAP) . . . 378
  Access Manager Runtime (Active Directory) . . . 382
  Access Manager Runtime (Domino) . . . 389
  install_amacld . . . 392
  install_amadk . . . 396
  install_amjrte . . . 397
  install_ammgr . . . 399
  install_amproxy . . . 404
  install_amrte . . . 408
  install_amsms . . . 409
  install_amsmscli . . . 420
  install_amweb . . . 424
  install_amwebadk . . . 430
  install_amwebars . . . 434
  install_amwpi . . . 435
  install_amwpm . . . 439
  install_ldap_server . . . 442

Chapter 22. pdconfig options . . . 447
  Access Manager Runtime — LDAP . . . 448
  Access Manager Runtime — Active Directory . . . 451
  Access Manager Runtime — Domino . . . 455
  Access Manager Attribute Retrieval Service . . . 457
  Access Manager Authorization Server . . . 458
  Access Manager Runtime for Java . . . 459
  Access Manager Plug-in for Edge Server . . . 461
  Access Manager Plug-in for Web Servers on UNIX . . . 462
  Access Manager Plug-in for Web Servers on Windows . . . 464
  Access Manager Policy Server . . . 465
  Access Manager Policy Proxy Server . . . 467
  Access Manager Web Portal Manager . . . 468
  Access Manager WebSEAL . . . 471

Chapter 23. Enabling Secure Sockets Layer (SSL) security . . . 473
  Configuring IBM Tivoli Directory Server for SSL access . . . 474
    Creating the key database file . . . 474
    Requesting or creating a personal certificate . . . 475
    Using certificates from a Certificate Authority (CA) . . . 475
    Using self-signed certificates . . . 477
    Configuring a key database file for Tivoli Directory Server . . . 479
    Enabling SSL for Tivoli Directory Server . . . 480
    Verifying that SSL has been enabled on the server . . . 482
    Enabling FIPS . . . 483
  Configuring IBM z/OS LDAP servers for SSL access . . . 485
    Setting the security options . . . 485
    Creating a key database file . . . 486
  Configuring Microsoft Active Directory for SSL access . . . 488

    Verifying that SSL is enabled on the Active Directory server . . . 488
    Exporting the certificate from the Active Directory server . . . 488
    Importing the certificate on the LDAP client system . . . 489
    Testing SSL access . . . 489
  Configuring Active Directory Application Mode (ADAM) for SSL access . . . 491
    Setting up Active Directory Application Mode (ADAM) to use SSL (Example) . . . 491
  Configuring Novell eDirectory server for SSL access . . . 495
    Creating an organizational certificate authority object . . . 495
    Creating a self-signed certificate . . . 496
    Creating a server certificate for the LDAP server . . . 496
    Enabling SSL . . . 497
    Adding the self-signed CA certificate to the IBM key file . . . 497
  Configuring Sun Java System Directory Server for SSL access . . . 498
    Obtaining a server certificate . . . 498
    Installing the server certificate . . . 499
    Enabling SSL access . . . 499
  Configuring the Tivoli Directory Server client for SSL access . . . 501
    Creating the key database file . . . 501
    Adding the signer certificate to the client key database file . . . 502
    Configuring the client for SSL communications . . . 503
    Testing SSL access from the client . . . 503
  Configuring SSL for server and client authentication . . . 504
    Creating the key database file on the client . . . 504
    Requesting or creating a personal certificate on the client . . . 505
    Using certificates from a Certificate Authority (CA) on the client . . . 505
    Using self-signed certificates on the client . . . 507
    Adding the signer certificate to the server key database file . . . 508
    Testing SSL access when using server and client authentication . . . 509

Chapter 24. AIX: Setting up a standby policy server . . . 511
  Preinstallation requirements . . . 512
  HACMP environment scenario . . . 513
    Example HACMP configuration . . . 515
  Creating a standby policy server environment . . . 523
    Script: Setting UIDs for both the primary and standby systems . . . 527
    Script: Linking files and directories on the primary system . . . 529
    Example: Verifying the primary server directories, soft links, and permissions . . . 530
    Script: Linking from the AIX system files to the shared directory on the standby system . . . 532
    Example: Verifying standby server directories, soft links and permissions . . . 533

Chapter 25. Setting up a Tivoli Directory Server proxy environment . . . 535
  Configuring the Tivoli Directory Server proxy . . . 535
    Type of configuration information . . . 536
    Synchronizing server instances . . . 537
    Creating server instances . . . 537
    Global administration group . . . 537
    Configuring the Tivoli Directory Server proxy server . . . 538
    Adding back-end servers to the proxy server . . . 539
    Partitioning to back-end servers . . . 540
    Setting up a proxy environment for Tivoli Access Manager . . . 542
  Configuring Tivoli Access Manager to use the proxy . . . 543
    Redirecting the policy server to the proxy . . . 544
    Setting access controls for the proxy . . . 545
  Unconfiguring Tivoli Access Manager from the proxy . . . 545

Chapter 26. Tivoli Access Manager utilities . . . 547
  amauditcfg . . . 548
  amwebcfg . . . 552
  amwpmcfg . . . 557
  bassslcfg . . . 561
  install_component . . . 564
  ivrgy_tool . . . 569
  mgrsslcfg . . . 572
  pdbackup . . . 574
  pdconfig . . . 578
  pdjrtecfg . . . 579
  pdproxycfg . . . 583
  pdsmsclicfg . . . 586
  pdversion . . . 589
  pdwpicfg . . . 591
  smscfg . . . 594
  svrsslcfg . . . 601

Chapter 27. Using response files . . . 607
  Prerequisite systems . . . 607
  Base systems . . . 607
  Web security systems . . . 608
  Session management systems . . . 609
  Response file template . . . 609

Chapter 28. Using software package definition files . . . 621

Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories . . . 629
  Tivoli Access Manager registry adapter installation . . . 629
  Configuring the Tivoli Access Manager registry adapter . . . 629
    Configuring a Tivoli Access Manager adapter . . . 629
    Configuring the adapter as a WebSphere custom registry . . . 631
  Troubleshooting WebSphere login failure . . . 632

  Tivoli Access Manager registry adapter limitations . . . 633

Appendix A. Installing IBM Tivoli Directory Integrator . . . 635

Appendix B. User registry differences . . . 637
  General concerns . . . 637
  LDAP concerns . . . 637
    Sun Java System Directory Server concerns . . . 638
    Microsoft Active Directory Application Mode (ADAM) concerns . . . 638
  URAF concerns . . . 639
    Lotus Domino Server concerns . . . 639
    Microsoft Active Directory Server concerns . . . 639
  Length of names . . . 641

Appendix C. Support information . . . 645
  Searching knowledge bases . . . 645
    Searching information centers . . . 645
    Searching the Internet . . . 645
  Obtaining fixes . . . 645
  Registering with IBM Software Support . . . 646
  Receiving weekly software updates . . . 646
  Contacting IBM Software Support . . . 647
    Determining the business impact . . . 647
    Describing problems and gathering information . . . 648
    Submitting problems . . . 648

Appendix D. Notices . . . 651
  Trademarks . . . 653

Glossary . . . 655

Index . . . 665

About this publication

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the software that is required to run applications in the Tivoli Access Manager product suite. It enables the integration of Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

The IBM Tivoli Access Manager for e-business: Installation Guide explains how to install and configure IBM Tivoli Access Manager for e-business, including Tivoli Access Manager systems, session management systems, and Web security systems.

Intended audience

This guide is for system administrators responsible for the installation and deployment of Tivoli Access Manager.

Readers should be familiar with the following:
- PC and UNIX® operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Publications

This section lists publications in the IBM Tivoli Access Manager for e-business library and related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

IBM Tivoli Access Manager for e-business libraryThe following documents are in the Tivoli Access Manager for e-business library:v IBM Tivoli Access Manager for e-business: Quick Start Guide, GI11-9333

Provides steps that summarize major installation and configuration tasks.v IBM Tivoli Access Manager for e-business: Release Notes, GC23-6501

Provides information about installing and getting started, system requirements,and known installation and configuration problems.

v IBM Tivoli Access Manager for e-business: Installation Guide, GC23-6502Explains how to install and configure Tivoli Access Manager for e-business.

v IBM Tivoli Access Manager for e-business: Upgrade Guide, SC23-6503Upgrade from version 5.0, 6.0, or 6.1 to version 6.1.1.

v IBM Tivoli Access Manager for e-business: Administration Guide, SC23-6504

© Copyright IBM Corp. 2001, 2010 ix

Page 12: Am611 Install

Describes the concepts and procedures for using Tivoli Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.

v IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide, SC23-6505
Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.

v IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide, SC23-6506
Provides instructions for integrating Tivoli Access Manager with the IBM WebSphere® Edge Server application.

v IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide, SC23-6507
Provides procedures and reference information for securing your Web domain using a Web server plug-in.

v IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide, SC23-6509
Provides deployment considerations and operational instructions for the session management server.

v IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide, SC23-6510
Provides information for enabling SSL communication in the Tivoli Access Manager environment.

v IBM Tivoli Access Manager for e-business: Auditing Guide, SC23-6511
Provides information about configuring and managing audit events using the native Tivoli Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.

v IBM Tivoli Access Manager for e-business: Command Reference, SC23-6512
Provides reference information about the commands, utilities, and scripts that are provided with Tivoli Access Manager.

v IBM Tivoli Access Manager for e-business: Administration C API Developer Reference, SC23-6513
Provides reference information about using the C language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

v IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference, SC23-6514
Provides reference information about using the Java™ language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.

v IBM Tivoli Access Manager for e-business: Authorization C API Developer Reference, SC23-6515
Provides reference information about using the C language implementation of the authorization API to enable an application to use Tivoli Access Manager security.

v IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference, SC23-6516
Provides reference information about using the Java language implementation of the authorization API to enable an application to use Tivoli Access Manager security.

v IBM Tivoli Access Manager for e-business: Web Security Developer Reference, SC23-6517
Provides programming and reference information for developing authentication modules.

v IBM Tivoli Access Manager for e-business: Troubleshooting Guide, GC27-2717
Provides problem determination information.

v IBM Tivoli Access Manager for e-business: Error Message Reference, GI11-8157
Provides explanations and recommended actions for the messages and return codes.

v IBM Tivoli Access Manager for e-business: Performance Tuning Guide, SC23-6518
Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory Server as the user registry.

Related products and publications

This section lists the IBM products that are related to and included with a Tivoli Access Manager solution.

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the Global Security Kit (GSKit), version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Shared Session Management CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which creates key databases, public-private key pairs, and certificate requests. The IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide is available on the Tivoli Information Center Web site in the same section as the Tivoli Access Manager product documentation.

IBM Tivoli Directory Server

IBM Tivoli Directory Server, version 6.1, is included on the IBM Tivoli Access Manager Directory Server set of CDs for the required operating system.

You can find additional information about Tivoli Directory Server at:

http://www.ibm.com/software/tivoli/products/directory-server/

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator, version 6.1.1, is included on the IBM Tivoli Directory Integrator CD for the required operating system.

You can find additional information about IBM Tivoli Directory Integrator at:

http://www-306.ibm.com/software/tivoli/products/directory-integrator/

IBM DB2 Universal Database

IBM DB2 Universal Database™ Enterprise Server Edition, version 9.1, is provided on the IBM Tivoli Access Manager Directory Server set of CDs and is installed with the Tivoli Directory Server software. DB2® is required when using Tivoli Directory Server or z/OS® LDAP servers as the user registry for Tivoli Access Manager. For z/OS LDAP servers, you must separately purchase DB2.

You can find additional information about DB2 at:

http://www.ibm.com/software/data/db2

IBM WebSphere Application Server

WebSphere Application Server, version 6.1, is included on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the required operating system. WebSphere Application Server enables the support of the following applications:
v Web Portal Manager interface, which administers Tivoli Access Manager.
v Web Administration Tool, which administers Tivoli Directory Server.
v Common Auditing and Reporting Service, which processes and reports on audit events.
v Session management server, which manages shared sessions in a Web security server environment.
v Attribute Retrieval Service.

You can find additional information about WebSphere Application Server at:

http://www.ibm.com/software/webservers/appserv/infocenter.html

Accessing terminology online

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at http://www.ibm.com/software/globalization/terminology.

Accessing publications online

The documentation CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. Refer to the readme file on the CD for instructions on how to access the documentation.

The product CD contains the publications that are in the product library. The format of the publications is PDF, HTML, or both. To access the publications using a Web browser, open the infocenter.html file. The file is in the appropriate publications directory on the product CD.

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Documentation Central Web site at http://www.ibm.com/tivoli/documentation.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.


Ordering publications

You can order many Tivoli publications online at http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
v In the United States: 800-879-2755
v In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Go to http://www.ibm.com/e-business/linkweb/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Visit the IBM Accessibility Center at http://www.ibm.com/alphaworks/topics/accessibility/ for more information about IBM's commitment to accessibility.

For additional information, see the Accessibility Appendix in IBM Tivoli AccessManager for e-business Installation Guide.

Tivoli technical training

For Tivoli technical training information, refer to the IBM Tivoli Education Web site at http://www.ibm.com/software/tivoli/education.

Tivoli user groups

Tivoli user groups are independent, user-run membership organizations that provide Tivoli users with information to assist them in the implementation of Tivoli Software solutions. Through these groups, members can share information and learn from the knowledge and experience of other Tivoli users. Tivoli user groups include the following members and groups:
v 23,000+ members
v 144+ groups

Access the link for the Tivoli Users Group at http://www.tivoli-ug.org/.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
Access the Tivoli Software Support site at http://www.ibm.com/software/sysmgmt/products/support/index.html?ibmprd=tivman. Access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.

IBM Support Assistant
The IBM Support Assistant is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The Support Assistant provides quick access to support-related information and serviceability tools for problem determination. To install the Support Assistant software, go to http://www.ibm.com/software/support/isa.

Troubleshooting Guide
For more information about resolving problems, see the IBM Tivoli Access Manager for e-business Installation Guide.

Conventions used in this publication

This publication uses several conventions for special terms and actions, operating system-dependent commands, and paths.

Typeface conventions

This publication uses the following typeface conventions:

Bold
v Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
v Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
v Keywords and parameters in text

Italic
v Citations (examples: titles of publications, diskettes, and CDs)
v Words defined in text (example: a nonswitched line is called a point-to-point line)
v Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
v New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
v Variables and values you must provide: ... where myname represents....

Monospace
v Examples and code examples
v File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
v Message text and prompts addressed to the user
v Text that the user must type
v Values for arguments or command options


Operating system-dependent variables and paths

This publication uses the UNIX convention for specifying environment variables and for directory notation.

When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.
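A small helper, added here and not part of the guide, that applies the convention above mechanically: it rewrites a path written in the guide's UNIX notation into the Windows command-line form, renaming $TMPDIR to %TEMP% as the text describes, and converts back. The function names and the sample paths are constructed for the example; the variable table holds only the one pair the guide names, since any further pairs would be assumptions.

```python
import re

# Variable names whose UNIX and Windows spellings differ. The guide gives one
# pair ($TMPDIR on UNIX, %TEMP% on Windows); any further entries would be
# assumptions, so the table holds only that pair.
UNIX_TO_WINDOWS_VARS = {"TMPDIR": "TEMP"}
WINDOWS_TO_UNIX_VARS = {w: u for u, w in UNIX_TO_WINDOWS_VARS.items()}

# $NAME or ${NAME}, where NAME is letters, digits and underscore.
_UNIX_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")
# %NAME%
_WINDOWS_VAR = re.compile(r"%(\w+)%")


def to_windows(path: str) -> str:
    """Rewrite $VAR/dir/file (UNIX convention used in this guide) into
    %VAR%\\dir\\file, renaming variables that have a different Windows name."""
    def rename(match: "re.Match[str]") -> str:
        name = match.group(1) or match.group(2)
        return "%" + UNIX_TO_WINDOWS_VARS.get(name, name) + "%"
    return _UNIX_VAR.sub(rename, path).replace("/", "\\")


def to_unix(path: str) -> str:
    """Inverse direction: %VAR%\\dir\\file -> $VAR/dir/file."""
    def rename(match: "re.Match[str]") -> str:
        name = match.group(1)
        return "$" + WINDOWS_TO_UNIX_VARS.get(name, name)
    return _WINDOWS_VAR.sub(rename, path).replace("\\", "/")


if __name__ == "__main__":
    # Constructed sample paths; INSTALL_DIR is a hypothetical variable name.
    print(to_windows("$TMPDIR/pdtmp/install.log"))
    print(to_windows("${INSTALL_DIR}/etc/server.conf"))
    print(to_unix("%TEMP%\\pdtmp\\install.log"))
```

Only the environment-variable syntax and the path separators change; the helper does not attempt to relocate directories that live in different places on the two platforms.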


Part 1. Planning for installation

Chapter 1. Installation overview  3
  Planning for deployment  3
  Secure domain overview  4
  Tivoli Access Manager installation components  5
    Tivoli Access Manager base components  5
      Access Manager Application Development Kit  5
      Access Manager Authorization Server  5
      Access Manager Policy Proxy Server  5
      Access Manager Policy Server  6
      Access Manager Runtime  6
      Access Manager Runtime for Java  6
      Access Manager Web Portal Manager  7
      Access Manager License  7
      IBM Tivoli Security Utilities  7
    Tivoli Access Manager Web security components  8
      Access Manager Attribute Retrieval Service  8
      Access Manager Plug-in for Edge Server  8
      Access Manager Plug-in for Web Servers  8
      Access Manager Web Security Runtime  8
      Access Manager Web Security Application Development Kit  8
      Access Manager WebSEAL  8
    Tivoli Access Manager distributed sessions management components  9
      Access Manager Session Management Server  9
      Access Manager Session Management Command Line  9
    Prerequisite products  10
      IBM Global Security Kit (GSKit)  10
      IBM Java Runtime  11
      IBM Tivoli Directory Server client  11
      IBM Tivoli Directory Server  11
      IBM Tivoli Directory Server Web Administration Tool  11
      IBM WebSphere Application Server  12
      IBM Network Authentication Service Toolkit  12
  Supported registries  13
    IBM Tivoli Directory Server  13
    IBM z/OS LDAP Server  13
    IBM Lotus Domino Server  13
    Microsoft Active Directory  13
    Microsoft Active Directory Application Mode (ADAM)  14
    Sun Java System Directory Server  14
    Novell eDirectory  14
  Components and prerequisites provided with Tivoli Access Manager systems  15
    Tivoli Access Manager base systems  15
    Tivoli Access Manager Web security systems  17
    Tivoli Access Manager distributed sessions management systems  19
  Installation process  21
  Installation methods  23
    Installation wizards  23
      Installing in graphical mode  23
      Installing in console mode  25
      Installing in response file mode  25
    Native installation utilities  26
    Software Distribution installation method  26
      Edit and import the software package definition files  27
      Generate a software package block file  28
      Deploy the software package blocks  28
  Groups and administrator identities on UNIX and Linux systems  30
  Default port numbers  33

Chapter 2. Internationalization  35
  Language support overview  36
  Installing language support packages for Tivoli Access Manager  37
  Installing language support packages for IBM Tivoli Directory Server  39
    AIX: Installing Tivoli Directory Server language packages  39
    HP-UX: Installing Tivoli Directory Server language packages  40
    Linux: Installing Tivoli Directory Server language packages  41
    Solaris: Installing Tivoli Directory Server language packages  42
    Windows: Installing Tivoli Directory Server language packages  43
  Uninstalling Tivoli Access Manager language support packages  44
    Uninstalling IBM Tivoli Directory Server language packages  45
      AIX: Removing language packages  45
      HP-UX: Removing language packages  45
      Linux: Removing language packages  45
      Solaris: Removing language packages  45
      Windows: Removing language packages  45
  Locale environment variables  46
    LANG variable on UNIX or Linux systems  47
    LANG variable on Windows systems  48
    Using locale variants  48
  Message catalogs  49
  Text encoding (code set) support  50
    Location of code set files  50

© Copyright IBM Corp. 2001, 2010 1


Chapter 1. Installation overview

It is important that you create a deployment plan before installing Tivoli Access Manager software on the systems in your distributed environment. If you already have Tivoli Access Manager software installed, review your previous deployment plan to determine the best method for upgrading to the most current version, and follow the instructions provided in the IBM Tivoli Access Manager for e-business: Upgrade Guide.

Note: For the latest release information, including system requirements, disk space and memory requirements, and known defects and limitations, consult the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

This chapter includes the following sections:
v “Planning for deployment”
v “Secure domain overview” on page 4
v “Tivoli Access Manager installation components” on page 5
v “Supported registries” on page 13
v “Components and prerequisites provided with Tivoli Access Manager systems” on page 15
v “Installation process” on page 21
v “Installation methods” on page 23
v “Groups and administrator identities on UNIX and Linux systems” on page 30
v “Default port numbers” on page 33

Planning for deployment

Before you implement a particular Tivoli Access Manager solution, you must determine the specific security and management capabilities that are required for your network.

The first step in planning the deployment of a Tivoli Access Manager security environment is to define the security requirements for your computing environment. Defining security requirements means determining the business policies that must apply to users, programs, and data. This definition should include:
v Objects to be secured
v Actions permitted on each object
v Users that are permitted to perform the actions

Enforcing a security policy requires an understanding of the flow of access requests through your network topology. Your plan should identify proper roles and locations for firewalls, routers, and subnets. Deploying a Tivoli Access Manager security environment also requires identifying the optimal points within the network for installing software that evaluates user access requests, and grants or denies the requested access.

Implementation of a security policy requires understanding the quantity of users, data, and throughput that your network must accommodate. You must evaluate performance characteristics, scalability, and the need for failover capabilities. Integration of previous versions of software, databases, and applications with Tivoli Access Manager software must also be considered.

After you have an understanding of the features that you want to deploy, you can decide which Tivoli Access Manager systems and blades can be combined to best implement your security policy. For Tivoli Access Manager, a blade is a component that provides application-specific services and components.

For useful planning documentation, including actual business scenarios, see supplemental product information at the following Web sites:

http://www.ibm.com/redbooks/

http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

Secure domain overview

The computing environment in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control is called a secure domain. The initial secure domain, called the management domain, is created when you install and configure the following systems:

Policy server
Maintains the master authorization database for the management domain. In addition, it updates authorization database replicas and maintains location information about other Tivoli Access Manager servers.

Registry
Provides a database of the user identities known to Tivoli Access Manager. It also provides a representation of groups in Tivoli Access Manager roles that are associated with users.

These core systems must exist for Tivoli Access Manager to perform fundamental operations, such as permitting or denying user access to protected objects (resources). All other Tivoli Access Manager services and components are built on this base.

You can deploy Tivoli Access Manager on multiple systems or install all the software necessary to configure and use the management domain on one standalone system. A single system setup is useful only when prototyping a deployment or developing and testing an application.

After you configure the policy server and registry server, you can set up additional systems in the management domain, such as an authorization server or application development system. You can also create additional secure domains (if using an LDAP registry) to securely partition data into separate, logical groupings. For information about creating multiple domains, see the IBM Tivoli Access Manager for e-business: Administration Guide.
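The planning section asks for the objects to be secured, the actions permitted on each, and the users permitted to perform them; the secure domain then holds that policy in a master authorization database on the policy server, keeps identities and groups in the registry, and hands replicas of the database to the other servers that make decisions. The following Python model, added here as an illustration and not Tivoli Access Manager code, ties those pieces together end to end. The names PolicyServer, AuthorizationServer, Acl and build_domain are hypothetical, the registry contents and object names are constructed sample data, and the evaluation order (explicit user entry, then group entries, then any-other) is a simplification chosen for the example rather than a statement of the product's algorithm.

```python
"""Toy model of a secure domain: policy server (master authorization database
over a hierarchical protected object space), registry (users and groups) and
an authorization server deciding from a replica. Added illustration; all
names are hypothetical and the data is constructed."""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass, field

# Registry: user identity -> groups (constructed sample data).
REGISTRY: dict[str, set[str]] = {
    "alice": {"admins", "staff"},
    "bob": {"staff"},
}


@dataclass
class Acl:
    """Permission strings ("r" read, "x" execute, ...) granted to named users,
    to groups, and to any other user not matched by either."""
    users: dict[str, str] = field(default_factory=dict)
    groups: dict[str, str] = field(default_factory=dict)
    any_other: str = ""


class PolicyServer:
    """Master authorization database. ACLs attach to nodes of the object space;
    a version counter lets a replica tell whether it is stale."""

    def __init__(self) -> None:
        self.version = 0
        self.acls: dict[str, Acl] = {"/": Acl()}  # root grants nothing by default

    def attach(self, obj: str, acl: Acl) -> None:
        self.acls[obj] = acl
        self.version += 1

    def replica(self) -> tuple[int, dict[str, Acl]]:
        """Snapshot handed out to an authorization server."""
        return self.version, deepcopy(self.acls)


def effective_acl(acls: dict[str, Acl], obj: str) -> Acl:
    """The object itself, or its nearest ancestor carrying an ACL, governs."""
    if not obj.startswith("/"):
        raise ValueError("object names are absolute paths in the object space")
    node = obj
    while node not in acls:
        node = node.rsplit("/", 1)[0] or "/"   # "/" is always present, so this ends
    return acls[node]


def permitted(acl: Acl, user: str, action: str, registry=REGISTRY) -> bool:
    """Explicit user entry wins; otherwise any matching group entry; otherwise
    the any-other entry. A user unknown to the registry has no groups."""
    if user in acl.users:
        return action in acl.users[user]
    group_perms = [acl.groups[g] for g in registry.get(user, set()) if g in acl.groups]
    if group_perms:
        return any(action in perms for perms in group_perms)
    return action in acl.any_other


class AuthorizationServer:
    """Decides locally from its replica and pulls a fresh copy only when the
    master's version has moved on, so a stale replica keeps old answers."""

    def __init__(self, policy: PolicyServer) -> None:
        self.policy = policy
        self.version, self.acls = policy.replica()

    def refresh(self) -> None:
        if self.policy.version != self.version:
            self.version, self.acls = self.policy.replica()

    def decide(self, user: str, action: str, obj: str) -> bool:
        return permitted(effective_acl(self.acls, obj), user, action)


def build_domain() -> tuple[PolicyServer, AuthorizationServer]:
    """Constructed sample policy: staff may read and run the intranet subtree,
    only admins may use its admin subtree, everything else is denied."""
    policy = PolicyServer()
    policy.attach("/Web/intranet", Acl(groups={"staff": "rx"}))
    policy.attach("/Web/intranet/admin", Acl(groups={"admins": "rx"}))
    return policy, AuthorizationServer(policy)


if __name__ == "__main__":
    policy, azn = build_domain()
    print(azn.decide("bob", "r", "/Web/intranet/index.html"))   # True: via staff group
    print(azn.decide("bob", "r", "/Web/intranet/admin/users"))  # False: not an admin
    policy.attach("/Web/intranet/admin", Acl(users={"bob": "r"}, groups={"admins": "rx"}))
    print(azn.decide("bob", "r", "/Web/intranet/admin/users"))  # False: replica is stale
    azn.refresh()
    print(azn.decide("bob", "r", "/Web/intranet/admin/users"))  # True after refresh
```

The last four lines of the demo show why replica maintenance matters in a deployment plan: a policy change on the master is invisible to a server that has not refreshed its copy, so the window between an update and the replicas picking it up is part of the security behaviour you are planning for.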


Tivoli Access Manager installation components

This section introduces Tivoli Access Manager base and prerequisite components, which are generally common to all Tivoli Access Manager installations. Use these installation components to set up Tivoli Access Manager systems listed in “Components and prerequisites provided with Tivoli Access Manager systems” on page 15.

Sections include the following:
v “Tivoli Access Manager base components”
v “Tivoli Access Manager Web security components” on page 8
v “Tivoli Access Manager distributed sessions management components” on page 9
v “Prerequisite products” on page 10

Note: When installing Tivoli Access Manager on a Windows® operating system, you can specify a nondefault installation path. Ensure that the installation path that you specify does not include any national language version (NLV) characters.

Tivoli Access Manager base components

The Tivoli Access Manager base system includes the following installation components. These components are on the IBM Tivoli Access Manager Base CD for the supported platforms. Use these installation components to set up base systems listed in “Components and prerequisites provided with Tivoli Access Manager systems” on page 15.

Access Manager Application Development Kit

The Access Manager Application Development Kit provides a development environment that enables you to code third-party applications to query the authorization server for authorization decisions. This kit contains support for using both C APIs and Java classes for authorization and administration functions. To run the Java program or to compile and run your own Java programs, you must install and configure a Tivoli Access Manager Runtime for Java system.

Access Manager Authorization Server

The Access Manager Authorization Server provides access to the authorization service for third-party applications that use the Tivoli Access Manager authorization API in remote cache mode. The authorization server also acts as a logging and auditing collection server to store records of server activity.

Access Manager Policy Proxy Server

The Access Manager Policy Proxy Server is used to set up a proxy server, which acts as an intermediary between a less trusted network and a more trusted network. This server ensures security and provides administrative control and caching services. It is associated with, or part of, a gateway server that separates the enterprise network from the outside network, and a firewall server that protects the enterprise network from outside intrusion. In a Tivoli Access Manager environment, the proxy server runs on behalf of the policy server for a given number of authorization applications and administrative functions, such as pdadmin commands.


Access Manager Policy Server

The Access Manager Policy Server maintains the master authorization database for the management domain as well as the policy databases associated with other secure domains that you might decide to create. This server is key to the processing of access control, authentication, and authorization requests. It also updates authorization database replicas and maintains location information about other Tivoli Access Manager servers.

Tivoli Access Manager supports the use of one standby policy server. However, the standby policy server must be installed on a supported AIX® system that has the High Availability Cluster Multiprocessing (HACMP™) software installed and configured on it. The HACMP software provides a clustering solution that is designed to provide high-availability access to business-critical data and applications through component redundancy and application failover.

In environments with a standby policy server, when the policy server goes down, the standby policy server takes over and acts as the primary policy server until the primary policy server assumes its original role. In turn, the standby policy server reverts back to a standby role. At any given time, there is only one active policy server and only one shared copy of the policy databases.

Access Manager Runtime

The Access Manager Runtime contains runtime libraries and supporting files that applications can use to access Tivoli Access Manager servers.

You must install and configure the Access Manager Runtime component on each system that runs Tivoli Access Manager, with the exception of Access Manager Runtime for Java systems, the Access Manager Attribute Retrieval Service, and the distributed sessions management systems.

Access Manager Runtime for Java

The Access Manager Runtime for Java offers a reliable environment for developing and deploying Java applications in a Tivoli Access Manager secure domain. Use it to add Tivoli Access Manager authorization and security services to new or existing Java applications.

You can use the pdjrtecfg command to configure a Java Runtime Environment (JRE) to use Tivoli Access Manager Java security.

Note that if you plan to install the Web Portal Manager interface, this component is required. It is also required with the Access Manager Application Development Kit component if you are a developer using Access Manager Runtime for Java classes. For more information, see the IBM Tivoli Access Manager for e-business: Administration Java Classes Developer Reference and the IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference.


Access Manager Web Portal Manager

The Access Manager Web Portal Manager is a Web-based graphical user interface (GUI) used for Tivoli Access Manager administration. The GUI counterpart to the pdadmin command line interface, Web Portal Manager provides management of users, groups, roles, permissions, policies, and other Tivoli Access Manager tasks. A key advantage of using Web Portal Manager is that you can perform these tasks remotely, without requiring any special network configuration.

The Web Portal Manager interface also includes a set of delegated management services that enables a business to delegate user administration, group and role administration, security administration, and application access provisioning to participants (sub-domains) in the business system. These sub-domains can further delegate management and administration to trusted sub-domains under their control.

Supported browsers for the Web Portal Manager interface are as follows:
v Microsoft® Internet Explorer 5.5, 6.0 and 7.0
v Mozilla 1.7

Access Manager License

This component contains license information for Tivoli Access Manager. The Access Manager License component is installed automatically when an installation wizard is used to install either the Access Manager Runtime or the Access Manager Runtime for Java component.

This component is provided separately for any supported platform on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD.

IBM Tivoli Security Utilities

The IBM Tivoli Security Utilities provide common utilities that are required by Access Manager Runtime.

This component is provided separately for any supported platform on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD.


Tivoli Access Manager Web security components

Tivoli Access Manager Web security includes the following installation components. These components are on the IBM Tivoli Access Manager Web Security CD for the supported platforms. Use these installation components to set up Web security systems listed in “Tivoli Access Manager Web security systems” on page 17.

Access Manager Attribute Retrieval Service

The Access Manager Attribute Retrieval Service is used in conjunction with the WebSEAL authorization decision information (ADI) feature. This service provides communication and format translation services between the WebSEAL entitlement service library and an external provider of authorization decision information. For more information, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

Access Manager Plug-in for Edge Server

The Access Manager Plug-in for Edge Server adds authentication and authorization functionality to the IBM WebSphere Edge Server product. When implemented as an authorization service in your secure domain, this plug-in can provide single sign-on solutions to resources within that domain. For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide.

Access Manager Plug-in for Web Servers

Access Manager Plug-in for Web Servers manages the security of your Web-based resources by acting as the gateway between your clients and secure Web space. The plug-in implements the security policies that protect your Web object space. The plug-in can provide single sign-on solutions, support Web servers running as virtual hosts, and incorporate Web application server resources into its security policy. For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

Access Manager Web Security Runtime

The Access Manager Web Security Runtime contains shared authentication library files used for Web Security systems, such as Access Manager WebSEAL and the Access Manager Plug-in for Web Servers.

Access Manager Web Security Application Development Kit

The Access Manager Web Security ADK contains development APIs for the Tivoli Access Manager cross-domain authentication service (CDAS), the Tivoli Access Manager cross-domain mapping framework (CDMF), and the Tivoli Access Manager password strength module.

Access Manager WebSEAL

Access Manager WebSEAL is a security manager for Web-based resources. WebSEAL is a high performance, multithreaded Web server that applies fine-grained security policy to the protected Web object space. WebSEAL can provide single sign-on solutions and incorporate backend Web application server resources into its security policy.


Tivoli Access Manager distributed sessions managementcomponents

The Tivoli Access Manager distributed sessions management systems includes thefollowing installation components. These components are on the IBM Tivoli AccessManager Shared Session Management CD for the supported platforms. Use theseinstallation components to set up distributed sessions management systems listedin “Components and prerequisites provided with Tivoli Access Manager systems”on page 15.

Access Manager Session Management ServerAccess Manager Session Management Server (SMS) is an optional Tivoli AccessManager component that runs as an IBM WebSphere Application Server service. Itmanages user sessions across complex clusters of Tivoli Access Manager securityservers, ensuring that session policy remains consistent across the participatingservers. Using the session management server allows Access Manager WebSEALand Access Manager Plug-in for Web Servers to share a unified view of all currentsessions and permits an authorized user to monitor and administer user sessions.The session management server permits the sharing of session information andalso makes available session statistics and provides secure and high-performancefailover and single sign-on capabilities for clustered environments.

User sessions can be administered and monitored using the Access ManagerSession Management Command Line or the Integrated Solutions Console (ISC).

Access Manager Session Management Command Line

The session management server can be administered by the Access Manager Session Management Command Line component, using either the pdadmin command line utility located on the specified Tivoli Access Manager authorization server, or using the pdsmsadmin utility.

Note: If you wish to use pdadmin to administer the session management server, you must first install and configure the authorization server before installing the command line interface.

Chapter 1. Installation overview 9

Prerequisite products

Tivoli Access Manager includes the following prerequisite products. These products are required when setting up specific Tivoli Access Manager systems. For a list of required installation components necessary to set up a Tivoli Access Manager system, see Table 1 on page 15.

Note that when using the installation wizards, the software prerequisites areautomatically installed in the appropriate order.

IBM Global Security Kit (GSKit)

IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between Tivoli Access Manager systems and supported registry servers. The GSKit package also installs the iKeyman key management utility (gsk7ikm), which enables you to create key databases, public-private key pairs, and certificate requests.

You must install GSKit before installing most other Tivoli Access Manager components. GSKit is a prerequisite to the Access Manager Runtime component, which is required on all Tivoli Access Manager systems with the exception of the Access Manager Attribute Retrieval Service, Access Manager Runtime for Java, Tivoli Access Manager Session Management Server or Access Manager Web Portal Manager. For information about using this utility to enable SSL with a supported registry server, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 or refer to the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

Note: OpenSSL is included in GSKit and can be used for cryptographic operations (as per the OpenSSL license agreement).

FIPS Enablement: Tivoli Access Manager 6.1 includes enablement for Federal Information Processing Standard 140-2 (FIPS 140-2). FIPS enablement provides Tivoli Access Manager with government-approved cryptography wherever cryptography is required. Tivoli Access Manager uses cryptography in the following areas:
• Creation and replacement of internal, self-signed certificates. These certificates are used by Access Manager Runtime and Tivoli Access Manager security servers to authenticate with each other.
• Runtime and servers utilize a secure communication protocol to communicate between each other.

Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes U.S. Federal Government requirements that IT products should meet for Sensitive but Unclassified (SBU) use. The standard defines the security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. There are four levels of security: from Level 1 (lowest) to Level 4 (highest). These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules can be deployed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.

The specifics for FIPS 140-2 are described at this Web site:

http://csrc.nist.gov/cryptval/140-2.htm

Enablement of FIPS for Tivoli Access Manager is only meant to satisfy the requirement of the Tivoli Access Manager’s cryptographic operations from an application aspect. Tivoli Access Manager is not responsible for other products or prerequisite products enablement of FIPS.

If in FIPS mode, Transport Layer Security version 1 (TLS v1) will be used as the secure communication protocol instead of SSL v3. To communicate with the Tivoli Access Manager policy server using a secure communication protocol, TLS is the required protocol. An attempt to communicate using SSL v3 (non-FIPS mode) when the policy server is configured in FIPS mode will result in a socket-closed exception.

IBM Java Runtime

The IBM Java Runtime provided with Tivoli Access Manager is required when installing and using language support packages and when using Tivoli Access Manager installation wizards. The Access Manager Runtime for Java component only supports the IBM Java Runtime.

IBM Tivoli Directory Server client

The client application is provided on the IBM Tivoli Access Manager Directory Server CD with IBM Tivoli Directory Server, the IBM Tivoli Access Manager Base CD, or the IBM Tivoli Access Manager Web Security CD for the supported AIX, HP-UX, HP-UX on Integrity, Linux®, Solaris, Solaris on x86_64 and Windows platforms.

You must install the IBM Tivoli Directory Server client on each system that runs Tivoli Access Manager, with the following exceptions:
• The Tivoli Access Manager system is on a supported Windows system that is either the Active Directory domain or is joined to the Active Directory domain where the Tivoli Access Manager policy server is to be configured.
• You are setting up the Access Manager Attribute Retrieval Service, Access Manager Runtime for Java, or Tivoli Access Manager Web Portal Manager.
• You are using Lotus® Domino® as your registry server.

IBM Tivoli Directory Server

IBM Tivoli Directory Server is provided on the IBM Tivoli Access Manager Directory Server CD for the supported AIX, HP-UX, HP-UX on Integrity, Linux, Solaris, Solaris on x86_64 and Windows platforms. You can use this server as your Tivoli Access Manager registry server or use one of the registry servers listed in “Supported registries” on page 13. This Lightweight Directory Access Protocol (LDAP) directory runs as a standalone daemon. It is based on a client/server model that provides client access to an LDAP server. The IBM Tivoli Directory Server provides an easy way to maintain directory information in a central location for storage, updates, retrieval, and exchange.

IBM Tivoli Directory Server Web Administration Tool

IBM Tivoli Directory Server provides the Web Administration Tool, a separately installable graphical user interface that runs on an application server, such as the IBM WebSphere Application Server. Use the Web Administration Tool to administer IBM Tivoli Directory Servers either locally or remotely. You can install a single Web Administration console to manage multiple versions of IBM Tivoli Directory Server.

You can install the Web Administration Tool on a system with or without the IBM Tivoli Directory Server client or server. The Web Administration Tool can be used to administer LDAP servers of the following types:
• IBM Tivoli Directory Server, Versions 6.1, 6.0 and 5.2
• IBM Directory Server, Version 5.1
• IBM z/OS™ LDAP Server Versions 1.6 or 1.8.

To use the Web Administration Tool, you also need:
• IBM WebSphere Application Server, Version 6.1 or later. The application server is required on the system where the Web Administration Tool is installed. The application server is not required for the client or the server.
• One of the following Web browsers on the system from which you will use the Web Administration Tool. (This might or might not be the computer where the Web Administration Tool is installed):
  – AIX platforms (64-bit/32-bit): Mozilla 1.6, 1.7, 1.7.5 or Firefox 1.0
  – HP-UX platforms: Mozilla 1.6, 1.7 or Firefox 1.5.
  – HP-UX on Integrity platforms: Mozilla 1.6, 1.7 or Firefox 1.5.
  – Linux on x86 platforms: Mozilla 1.6, 1.7 or Firefox 1.5.
  – Linux on POWER® and Linux on System z® platforms: Firefox 1.5
  – Solaris: Mozilla 1.6, 1.7 or Firefox 2.0.0.3.
  – Solaris on x86_64: Mozilla 1.7.
  – Windows platforms: Internet Explorer 6.x, 7.x or Firefox 2.0.0.3.
  The Web browser is required on the system from which you will use the Web Administration Tool. (This might or might not be the system where the Web Administration Tool is installed).

The Web Administration Tool is provided on the IBM Tivoli Access Manager Directory Server CD.

IBM WebSphere Application Server

IBM WebSphere Application Server is used for installation of Web Portal Manager, the Access Manager Attribute Retrieval Service, the IBM Tivoli Directory Server Web Administration Tool, and the distributed session management components. IBM WebSphere Application Server is on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the supported platforms.

Note that IBM Tivoli Directory Server, on Windows systems only, includes the embedded version of IBM WebSphere Application Server for use with its Web Administration Tool.

The same WebSphere Application Server can be used for Web Portal Manager and the IBM Tivoli Directory Server Web Administration Tool.

IBM Network Authentication Service Toolkit

The IBM Network Authentication Service Toolkit provides a Kerberos runtime that enables Windows desktop single sign-on on UNIX and Linux systems using WebSEAL or the Access Manager Plug-in for Web Servers. The IBM Network Authentication Service Toolkit is on the IBM Tivoli Access Manager Web Security CD for the supported Solaris and Linux platforms.

Supported registries

Tivoli Access Manager supports the following user registries, their supported operating systems, and any necessary prerequisite software. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database to ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. Also, ensure that all necessary operating system patches are installed.

IBM Tivoli Directory Server

Tivoli Access Manager supports the use of IBM Tivoli Directory Server as a registry. Keep in mind:
• IBM Tivoli Directory Server is included with Tivoli Access Manager.
• The IBM Tivoli Directory Server client is required when an LDAP user registry is selected during installation.
• You can install the IBM Tivoli Directory Server, Version 6.1 client on the same system as a 6.0 or 5.2 version of IBM Tivoli Directory Server client.

Attention: If you have an existing IBM Tivoli Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see the IBM Tivoli Access Manager for e-business: Upgrade Guide.

IBM z/OS LDAP Server

Tivoli Access Manager supports the use of IBM z/OS LDAP Server. For product information, see the z/OS Internet Library Web site at:

http://www.ibm.com/servers/eserver/zseries/zos/bkserv/

Customers can also obtain softcopy publications on CD-ROM, z/OS: Collection, SK3T-4269.

IBM Lotus Domino Server

Tivoli Access Manager supports the use of Lotus® Domino as a user registry on the Windows platform. Note that the Domino server runs on all supported Domino platforms.

Attention: When Lotus Domino is used as the registry:
• The IBM Tivoli Directory Server client is not required.
• Tivoli Access Manager supports the Lotus Notes® client. If you install a Lotus Notes client, it must be installed prior to configuring the Access Manager Runtime component.

Microsoft Active Directory

Tivoli Access Manager supports the use of Microsoft Active Directory as a user registry.

Active Directory users can run Tivoli Access Manager on all Windows, UNIX or Linux platforms currently supported in the Tivoli Access Manager product.

When selecting Active Directory as the user registry, the Tivoli Access Manager policy server is supported on Windows 2003 systems.

UNIX or Linux platforms make use of the IBM Tivoli Directory Server client to communicate with Active Directory. This LDAP client is also used on Windows platforms where the Active Directory domain of the local host is different from the Active Directory domain where the policy server is to be configured.

Microsoft Active Directory Application Mode (ADAM)

Tivoli Access Manager supports the use of Microsoft Active Directory Application Mode (ADAM) as a user registry.

ADAM users can run Tivoli Access Manager with Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, Windows XP Professional Edition and Windows Vista. See Microsoft documentation for the complete list of supported systems.

ADAM is available with the Microsoft Server 2003 R2 product and as a separate download, including example lab testing files.

Sun Java System Directory Server

Tivoli Access Manager supports the use of the Sun Java System Directory Server as a user registry.

For installation information, consult the product documentation that came with your server. Sun Java System Directory Server product documentation is available at:

http://docs.sun.com/app/docs/prod/entsys

Attention: If you have an existing Sun ONE Directory Server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level. For upgrade instructions, see the Sun documentation.

Novell eDirectory

Tivoli Access Manager supports the use of Novell eDirectory as a user registry.

For installation information, consult the product documentation that came with your Novell eDirectory server. Novell eDirectory product documentation is available at:

http://www.novell.com/documentation/a-z.html

The latest patches to these products are available at:

http://support.novell.com/patches.html

Attention: If you have an existing Novell eDirectory server that you want to use for Tivoli Access Manager, ensure that you upgrade the server to a supported level.

Components and prerequisites provided with Tivoli Access Manager systems

This section lists types of Tivoli Access Manager systems that you can set up in a secure domain. Required installation components for each system type are provided with Tivoli Access Manager. It is recommended that you set up the policy server and registry server on separate systems. However, other system types do not have to be standalone systems. For example, you can install the Web Portal Manager interface on the same system as the policy server.

This section includes the following:
• “Tivoli Access Manager base systems”
• “Tivoli Access Manager Web security systems” on page 17
• “Tivoli Access Manager distributed sessions management systems” on page 19

Tivoli Access Manager base systems

Table 1 lists the types of Tivoli Access Manager base systems that you can set up in your secure domain.

Notes:

1. You must install the IBM Tivoli Directory Server client on each system that runs Tivoli Access Manager, with the following exceptions:
   • The Tivoli Access Manager system is on a supported Windows system that is either the Active Directory domain or is joined to the Active Directory domain where the Tivoli Access Manager policy server is to be configured.
   • You are setting up the Access Manager Attribute Retrieval Service, Access Manager Runtime for Java, or Tivoli Access Manager Web Portal Manager.
   • Domino is the registry server.
2. If using an installation wizard to install and configure a Tivoli Access Manager system, IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is also required.

Table 1. Required components for the Tivoli Access Manager base systems

System type, followed by its installation components (provided on the Tivoli Access Manager CD):

Authorization server
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Authorization Server

Development (ADK)
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Application Development Kit

IBM Tivoli Directory Server
  If you plan to install the IBM Tivoli Directory Server as your Tivoli Access Manager registry, the following components are required:
  • IBM Global Security Kit (GSKit)
  • DB2 Enterprise Server Edition
  • IBM Tivoli Directory Server client
  • IBM Tivoli Directory Server server
  Note: Refer to the IBM Tivoli Directory Server documentation for information about which versions of the server are supported.

Runtime for Java
  • Access Manager License
  • Access Manager Runtime for Java

Policy proxy server
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Policy Proxy Server

Policy server
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Policy Server

Runtime
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime

Web Portal Manager
  • IBM WebSphere Application Server (on separate CD)
  • Access Manager License
  • Access Manager Runtime for Java
  • Access Manager Web Portal Manager

Tivoli Access Manager Web security systems

Table 2 lists types of Web security systems that you can set up in your secure domain. Installation components for these systems are provided on the IBM Tivoli Access Manager Web Security CD for your particular platform.

Notes:

1. You must install the IBM Tivoli Directory Server client on each system that runs Tivoli Access Manager, with the following exceptions:
   • The Tivoli Access Manager system is on a supported Windows system that is either the Active Directory domain or is joined to the Active Directory domain where the Tivoli Access Manager policy server is to be configured.
   • You are setting up Access Manager Attribute Retrieval Service, Access Manager Runtime for Java, or Tivoli Access Manager Web Portal Manager.
   • Domino is the registry server.
2. If using an installation wizard to install and configure a Tivoli Access Manager system, IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is also required.

Table 2. Required components for the Tivoli Access Manager Web security systems

System type, followed by its installation components (provided on the Tivoli Access Manager CD):

Attribute Retrieval Service
  • IBM WebSphere Application Server (on separate CD)
  • Access Manager Attribute Retrieval Service

WebSEAL
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Web Security Runtime
  • Access Manager WebSEAL

Web Security Application Development Kit (ADK) system
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Application Development Kit
  • Access Manager Web Security Runtime
  • Access Manager Web Security Application Development Kit

Plug-in for Apache Web Server
  • Apache Web Server (not provided on the Tivoli Access Manager CDs)
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Web Security Runtime
  • Access Manager Plug-in for Web Servers
  • Access Manager Plug-in for Apache Web Server

Plug-in for Edge Server
  • IBM WebSphere Edge Server (not provided on the Tivoli Access Manager CDs)
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Web Security Runtime
  • Access Manager Plug-in for Edge Server

Plug-in for IBM HTTP Server
  • IBM HTTP Server (not provided on the Tivoli Access Manager CDs)
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Web Security Runtime
  • Access Manager Plug-in for Web Servers
  • Access Manager Plug-in for IBM HTTP Server

Plug-in for Internet Information Services
  • Internet Information Services (not provided on the Tivoli Access Manager CDs)
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Web Security Runtime
  • Access Manager Plug-in for Web Servers
  • Access Manager Plug-in for Internet Information Services

Plug-in for Sun Java System Web Server
  • Sun Java System Web Server (not provided on the Tivoli Access Manager CDs)
  • IBM Global Security Kit (GSKit)
  • IBM Tivoli Directory Server client (depending on the registry used)
  • Tivoli Security Utilities
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Web Security Runtime
  • Access Manager Plug-in for Web Servers
  • Access Manager Plug-in for Sun Java System Web Server

Tivoli Access Manager distributed sessions management systems

Table 3 lists types of session management systems that you can set up in your secure domain. Installation components for these systems are provided on the IBM Tivoli Access Manager Shared Session Management CD for your particular platform.

Notes:

1. You must install the IBM Tivoli Directory Server client on each system that runs Tivoli Access Manager, with the following exceptions:
   • The Tivoli Access Manager system is on a supported Windows system that is either the Active Directory domain or is joined to the Active Directory domain where the Tivoli Access Manager policy server is to be configured.
   • You are setting up Access Manager Attribute Retrieval Service, Access Manager Runtime for Java, or Tivoli Access Manager Web Portal Manager.
   • Domino is the registry server.
2. If using an installation wizard to install and configure a Tivoli Access Manager system, IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is also required.

Table 3. Required components for the Tivoli Access Manager session management systems

System type, followed by its installation components (provided on the Tivoli Access Manager CDs):

Session Management Server
  • IBM WebSphere Application Server (on separate CD)
  • Access Manager Session Management Server

Session Management Command Line
  • IBM Global Security Kit (GSKit)
  • Access Manager Session Management Command Line
  • Tivoli Security Utilities
  If you want to use the Tivoli Access Manager pdadmin utility to administer sessions, the following components are also required:
  • Access Manager License
  • Access Manager Runtime
  • Access Manager Authorization Server
  • Access Manager Session Management Command Line
  • IBM Tivoli Directory Server client (depending on the registry used)
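The conditional entries in Tables 1 to 3 (the directory client that is required "depending on the registry used", and the extra prerequisites when pdadmin is used to administer the session management server) can be resolved for a concrete deployment with a small planning helper. The following Python module is an added example and is not code from this guide or from the product; its function names, the COMPONENTS table, and the registry labels it accepts are this example's own, and it covers only a representative subset of the system types listed above.

```python
"""Planning helper: resolve the conditional component entries of Tables 1-3.

Added example, not part of the IBM guide or the product. It encodes the rules
stated in "Components and prerequisites provided with Tivoli Access Manager
systems": note 1 (when the IBM Tivoli Directory Server client is required) and
the Table 3 note that pdadmin administration of the session management server
needs an authorization server configured before the command line component.
"""

GSKIT = "IBM Global Security Kit (GSKit)"
TDS_CLIENT = "IBM Tivoli Directory Server client"
UTILS = "Tivoli Security Utilities"
LICENSE = "Access Manager License"
RUNTIME = "Access Manager Runtime"
WEB_RUNTIME = "Access Manager Web Security Runtime"
AUTHZ_SERVER = "Access Manager Authorization Server"
SMS_CLI = "Access Manager Session Management Command Line"
WAS = "IBM WebSphere Application Server"

# Component lists copied from Tables 1-3, in the order the guide lists them
# (GSKit first, then the directory client, utilities, license, runtime, ...).
# Representative subset only; the hypothetical table name is this example's own.
COMPONENTS = {
    "Authorization server": [GSKIT, TDS_CLIENT, UTILS, LICENSE, RUNTIME, AUTHZ_SERVER],
    "Policy server": [GSKIT, TDS_CLIENT, UTILS, LICENSE, RUNTIME,
                      "Access Manager Policy Server"],
    "Runtime": [GSKIT, TDS_CLIENT, UTILS, LICENSE, RUNTIME],
    "Runtime for Java": [LICENSE, "Access Manager Runtime for Java"],
    "Web Portal Manager": [WAS, LICENSE, "Access Manager Runtime for Java",
                           "Access Manager Web Portal Manager"],
    "WebSEAL": [GSKIT, TDS_CLIENT, UTILS, LICENSE, RUNTIME, WEB_RUNTIME,
                "Access Manager WebSEAL"],
    "Attribute Retrieval Service": [WAS, "Access Manager Attribute Retrieval Service"],
    "Session Management Server": [WAS, "Access Manager Session Management Server"],
    "Session Management Command Line": [GSKIT, SMS_CLI, UTILS],
}

# System types that note 1 (second bullet) exempts from the directory client.
_CLIENT_EXEMPT_TYPES = {"Attribute Retrieval Service", "Runtime for Java",
                        "Web Portal Manager"}


def needs_directory_client(system_type, registry, *, windows_in_policy_ad_domain=False):
    """Apply note 1 of Tables 1-3: the IBM Tivoli Directory Server client is
    required on every Tivoli Access Manager system except the three listed cases.
    `registry` is a free-form label; "Lotus Domino" and "Active Directory" are
    the two values this example treats specially."""
    if system_type in _CLIENT_EXEMPT_TYPES:
        return False
    if registry == "Lotus Domino":
        return False
    if registry == "Active Directory" and windows_in_policy_ad_domain:
        # A Windows host that is the policy server's Active Directory domain, or
        # is joined to it, needs no LDAP client. UNIX/Linux hosts and Windows
        # hosts in a different AD domain still use the directory client.
        return False
    return True


def install_order(system_type, registry, *, windows_in_policy_ad_domain=False,
                  use_pdadmin=False):
    """Return the ordered component list for one system with the conditional
    directory client resolved. Raises ValueError for a system type not in the
    example's table."""
    if system_type not in COMPONENTS:
        raise ValueError(f"unknown system type: {system_type}")
    needed = list(COMPONENTS[system_type])
    if system_type == "Session Management Command Line" and use_pdadmin:
        # Table 3, second block: License, Runtime, Authorization Server and the
        # directory client join the list. The guide requires the authorization
        # server to be installed and configured before the command line
        # component, so the command line is placed last.
        needed = [GSKIT, UTILS, LICENSE, RUNTIME, TDS_CLIENT, AUTHZ_SERVER, SMS_CLI]
    client_needed = needs_directory_client(
        system_type, registry, windows_in_policy_ad_domain=windows_in_policy_ad_domain)
    return [c for c in needed if c != TDS_CLIENT or client_needed]


if __name__ == "__main__":
    # Constructed sample deployments.
    for args in (("WebSEAL", "Lotus Domino"),
                 ("Policy server", "Active Directory"),
                 ("Session Management Command Line", "IBM Tivoli Directory Server")):
        print(args, "->", install_order(*args))
    print(install_order("Session Management Command Line",
                        "IBM Tivoli Directory Server", use_pdadmin=True))
```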

Installation process

To create a Tivoli Access Manager management domain, follow these basic steps:

1. Plan your Tivoli Access Manager deployment. Ensure that you understand the business security requirements for which Tivoli Access Manager is being deployed.

2. Decide which combination of Tivoli Access Manager systems you want to install. A supported registry and the policy server system are required to set up the initial management domain.

3. Ensure that your Tivoli Access Manager systems meet all software and hardware requirements listed in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

4. Set up a registry for use with Tivoli Access Manager. For instructions, see Chapter 3, “Setting up the registry server,” on page 53.

5. Install and configure the Tivoli Access Manager policy server system. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.

6. On AIX systems only, if you plan to use a standby policy server, install and configure the standby policy server. For instructions, see Chapter 24, “AIX: Setting up a standby policy server,” on page 511.

7. Install other types of Tivoli Access Manager base systems (as needed). For example, you can install one or more of the following systems:

   Access Manager Authorization Server                              Page 153
   Access Manager Application Development Kit (ADK)                 Page 163
   Access Manager Runtime for Java                                  Page 173
   Access Manager Policy Proxy Server                               Page 181
   Access Manager Runtime                                           Page 191
   Access Manager Web Portal Manager                                Page 201

8. Install Tivoli Access Manager Web security systems (as needed). For example, you can install one or more of the following systems:

   Access Manager Attribute Retrieval Service                       Page 219
   Access Manager Plug-in for Edge Server                           Page 225
   Access Manager Plug-in for Web Servers                           Page 239
   Access Manager Web Security Application Development Kit (ADK)    Page 259
   Access Manager WebSEAL                                           Page 267

   Note: If you have already installed and configured a Tivoli Access Manager component and need to reinstall it, you must first unconfigure and remove it.

9. Install Tivoli Access Manager distributed sessions management systems (as needed). For example, you can install one or more of the following systems:

   Access Manager Session Management Server                         Page 219
   Access Manager Session Management Command Line                   Page 225

   Note: If you have already installed and configured a Tivoli Access Manager component and need to reinstall it, you must first unconfigure and remove it.

10. Use a certificate from a Certificate Authority (CA) to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. See Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 for details.

Installation methods

You can install and configure Tivoli Access Manager software in the following ways:
• “Installation wizards”
• “Native installation utilities” on page 26
• “Software Distribution installation method” on page 26

Installation wizards

You can run a single program to set up one of a variety of Tivoli Access Manager systems. Software prerequisites and product patches are automatically installed in the appropriate order. Operating system patches are not installed automatically.

Use installation wizards to simplify installation and configuration of Tivoli Access Manager systems.

The Tivoli Access Manager components support installation wizards running in graphical mode, text-based console mode, and response file (silent) mode. This flexibility of installation methods allows you to create multiple solutions for deploying your software.

Choose one of the following installation methods:
• Graphical mode
• Text-based (non-graphical) console mode
• Response file (silent) mode

Notes:

1. On operating systems such as Linux, Tivoli Access Manager does not support installation in a nondefault directory. So do not use --relocate as an rpm option to specify a nondefault directory during installation. Otherwise, Tivoli Access Manager does not work after installation.

2. For installations on Linux, ensure that the path to which you are mounting does not contain the "disk" string. Otherwise the license agreement does not display.

To remove installations, see Chapter 19, “Uninstalling components,” on page 347.

Installing in graphical mode

The base, Web security, and session management installation wizards that are available for the indicated system types are listed in Table 4, Table 5 on page 24, and Table 6 on page 24. For a list of installed components for each of these system types, see “Components and prerequisites provided with Tivoli Access Manager systems” on page 15.

Installation wizards for Tivoli Access Manager base systems are located in the root directory on the IBM Tivoli Access Manager Base CD, except for the install_ldap_server installation wizard, which is located on the IBM Tivoli Access Manager Directory Server CD.

Table 4. Installation wizards for base systems

Installation wizard    Type of base system
install_amacld         Access Manager Authorization Server
install_amadk          Access Manager Application Development Kit (ADK)
install_amjrte         Access Manager Runtime for Java
install_ammgr          Access Manager Policy Server
install_amproxy        Access Manager Policy Proxy Server
install_amrte          Access Manager Runtime
install_amwpm          Access Manager Web Portal Manager. This component also requires the IBM Tivoli Access Manager WebSphere Application Server set of CDs provided with Tivoli Access Manager.
install_ldap_server    IBM Tivoli Directory Server. Note: This installation wizard is located on the IBM Tivoli Access Manager Directory Server CD.

Installation wizards for Tivoli Access Manager Web security systems are located in the root directory on the IBM Tivoli Access Manager Web Security CD.

Table 5. Installation wizards for Web security systems

Installation wizard    Type of Web security system
install_amweb          Access Manager WebSEAL
install_amwebadk       Access Manager Web Security Application Development Kit (ADK)
install_amwebars       Access Manager Attribute Retrieval Service. This component also requires the IBM Tivoli Access Manager WebSphere Application Server set of CDs provided with Tivoli Access Manager.
install_amwpi          Access Manager Plug-in for Web Servers for:
                       • Apache Web Server
                       • IBM HTTP Server
                       • Internet Information Services
                       • Sun Java System Web Server

Installation wizards for Tivoli Access Manager distributed sessions management systems are located in the root directory on the IBM Tivoli Access Manager Shared Session Management CD.

Table 6. Installation wizards for distributed sessions management systems

Installation wizard    Type of distributed sessions management system
install_amsms          Access Manager Session Management Server. This component also requires the IBM Tivoli Access Manager WebSphere Application Server set of CDs provided with Tivoli Access Manager.
install_amsmscli       Access Manager Session Management Command Line

Installing in console mode

Occasionally there is no graphics display device available, or you want to run the installer without the graphical user interface when installing the Tivoli Access Manager packages. Tivoli Access Manager supports installing in an ASCII text-based mode referred to as console mode. Console mode uses an ASCII question-and-answer session, which asks you for the information interactively. For example, the non-graphical mode can be used for server-side deployments when no graphical user interface is present, or for running the installation from a remote host.

Console mode is an interactive installation without the use of a graphical user interface.

Note: Several Tivoli Access Manager components require information from two separate CDs during the installation process. These components include:
- Tivoli Access Manager Web Portal Manager (all supported platforms)
- Tivoli Access Manager Attribute Retrieval Service (all supported platforms)
- Tivoli Access Manager Session Management Server (all supported platforms)
- IBM Tivoli Directory Server

To perform a console mode installation of one of these components, you must first copy the contents of the first CD to a local drive and then launch the installation program from that local copy. Later, during the installation process, you are prompted to mount the second CD.

To launch the installation wizard in console mode, enter:

   install_component_name -console

where component_name is the name of the Tivoli Access Manager installation wizard. For example:

   install_amrte -console

After obtaining user input, the installation wizard performs some verification before displaying the summary screen. On some older systems, this might take a minute or more. You will not get any feedback while this verification occurs.

Installing in response file mode

A response file streamlines installation and configuration of Tivoli Access Manager components. The installation process reads the information from the response file instead of prompting you to fill in the blanks. Each Tivoli Access Manager component can be installed by using a response file. The installation wizards use a template file, provided by Tivoli Access Manager, to create a file known as an options file, which contains all possible responses. Response files, created using these template files, are then used to perform the silent mode installations.

Response file templates are located in the /rspfile directory on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Web Security CD, the IBM Tivoli Access Manager Shared Session Management CD, the IBM Tivoli Access Manager Directory Server CD and the IBM Tivoli Access Manager Language Support CD.

Edit the values in an options file template and then run the script as follows:

   install_amrte -options response_file


where response_file is the name of the options file. For example:

   install_amrte -options d:\temp\install_amrte.options

You can also run the script in optional silent mode:

   install_amrte -options response_file -silent

where response_file is the name of the options file. For example:

   install_amrte -options d:\temp\install_amrte.options -silent

For more information, see Chapter 27, "Using response files," on page 607 for instructions on how to use response files to install multiple products on multiple machines at the same time.

Native installation utilities

You can use platform-specific utilities to install Tivoli Access Manager components. Unlike automated installation wizards, you must manually install each component and its prerequisite software in the appropriate order. The platform-specific utilities used are:

   AIX        installp
   HP-UX      swinstall
   Linux      rpm
   Solaris    pkgadd

              Note: If you are installing on Solaris 10 and above, using the -G option is recommended. The -G option ensures that packages are added in the current zone only. When the -G option is used in the global zone, the package is added to the global zone only and is not propagated to any existing or yet-to-be-created non-global zone. When used in a non-global zone, the package(s) are added to the non-global zone only.

   Windows    setup.exe

After installing, use the appropriate configuration commands. For example, if the Access Manager Runtime component is installed on your system, you can use the pdconfig utility to configure Tivoli Access Manager components. If the Access Manager Runtime component is not installed, you can use component-specific utilities, such as pdjrtecfg to configure the Access Manager Runtime for Java component or amwpmcfg to configure the Access Manager Web Portal Manager component.

Note: For more information about these utilities, see Chapter 26, "Tivoli Access Manager utilities," on page 547.

Software Distribution installation method

IBM Tivoli Configuration Manager is required for this type of installation. IBM Tivoli Configuration Manager controls software distribution and asset management inventory in a multi-platform environment. It is designed for configuration, distribution, change, version, and asset management in a distributed computing environment.


Using IBM Tivoli Configuration Manager, some of the tasks you can do include:
- Package software elements ready for distribution and installation.
- Use the integrated inventory database to determine targets for your software distribution.
- Manage your enterprise environment across firewalls without impacting your enterprise security.
- Automatically distribute and manage security patches and software updates in a Tivoli environment.

If you choose this installation method, you should be familiar with using the Software Distribution installation method of IBM Tivoli Configuration Manager. You can view IBM Tivoli Configuration Manager topics at the Information Center Web site:

http://publib.boulder.ibm.com/infocenter/tiv3help/index.jsp?topic=/com.ibm.tivoli.itcm.doc/cmmst19.htm

To use the Software Distribution installation method, you will perform these general steps:
1. Edit and import the software package definition files
2. Generate a software package block file
3. Deploy the software package blocks

See Chapter 28, "Using software package definition files," on page 621 for an example software package definition file.

Edit and import the software package definition files

Tivoli Access Manager provides a software package definition (SPD) file for some Tivoli Access Manager components. The definition files can then be easily built into install images.

The SPD files provided with Tivoli Access Manager contain a file stanza for each file needed by the installation wizard from the CD, a file stanza for each file that you will provide (such as a certificate to configure the environment), and a file stanza for the options file.

To add your own files to the Software Package Block (SPB), edit the software package definition file provided with Tivoli Access Manager. For example, if you wanted to edit the policy server template file for the Windows platform, you would complete these steps:
1. Provide the name and location of the options file by searching for and changing these lines:

      ### Drive letter of location of options file (leave blank if not Windows)
      options_drive =

      ### location of options file
      options_filename = /install/config/windows/install_ammgr.options

2. Provide the name and location of the source installation directory by searching for and changing these lines:

      ### Drive letter if source server is Windows (leave blank if not Windows)
      install_srcdrive =

      ### location of install images
      install_srcdir = /install/tam610.windows


3. Provide the source host name by searching for and removing the pound sign (#) to uncomment this line:

      # source_host_name = your.source.host

4. Provide the fully qualified host name for the location of the SPD log file by uncommenting and providing configuration information for this line:

      # log_host_name = your.log.host

5. Provide the fully qualified path to the log file for the policy server on Windows:

      log_path = C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log

When completed, the edited lines will look similar to the following lines:

      options_drive = C:
      options_filename = /install/config/windows/install_ammgr.options
      install_srcdrive = E:
      install_srcdir = /install/tam600.windows
      source_host_name = mysourcehost.tivoli.com
      log_host_name = myloghost.tivoli.com
      log_path = C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log

where mysourcehost.tivoli.com is your source host name and myloghost.tivoli.com is your log host name.

After editing these files, import the modified software package definition file into IBM Tivoli Configuration Manager.
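The five edits above amount to setting, or uncommenting, a handful of "key = value" lines in the SPD file. The following script is an added example and is not part of the IBM guide or of IBM Tivoli Configuration Manager: spd_set rewrites the first matching line whether it is live or commented out with "#", and appends the line when the key is absent, so the same script can be re-run safely; spd_get reads a value back. The SPD fragment it operates on is constructed here from the template lines shown above, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM guide: set or uncomment "key = value" lines in a
# software package definition (SPD) file so the edits in steps 1 to 5 can be scripted.

# spd_set FILE KEY VALUE
# Replaces the first "KEY = ..." line, whether live or commented out with "#",
# and appends "KEY = VALUE" when no such line exists. KEY and VALUE are passed
# through ENVIRON rather than awk -v so backslashes in Windows paths survive.
spd_set() {
  file=$1
  SPD_KEY=$2 SPD_VALUE=$3 awk '
    BEGIN { k = ENVIRON["SPD_KEY"]; v = ENVIRON["SPD_VALUE"]; found = 0 }
    {
      line = $0
      sub(/^[ \t]*#[ \t]*/, "", line)          # look past a leading comment marker
      if (!found && line ~ ("^" k "[ \t]*=")) {
        print k " = " v                        # rewrite (and uncomment) the line
        found = 1
        next
      }
      print
    }
    END { if (!found) print k " = " v }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# spd_get FILE KEY
# Prints the value of the first live (uncommented) "KEY = value" line.
spd_get() {
  file=$1
  SPD_KEY=$2 awk '
    BEGIN { k = ENVIRON["SPD_KEY"] }
    $0 ~ ("^" k "[ \t]*=") {
      sub("^" k "[ \t]*=[ \t]*", "")
      print
      exit
    }
  ' "$file"
}

# Constructed SPD fragment mirroring the policy server template lines shown above.
make_sample_spd() {
  cat > "$1" <<'EOF'
### Drive letter of location of options file (leave blank if not Windows)
options_drive =
### location of options file
options_filename = /install/config/windows/install_ammgr.options
# source_host_name = your.source.host
# log_host_name = your.log.host
EOF
}

# Apply the edits from steps 1 to 5 to FILE, using the example values from the guide.
configure_sample_spd() {
  spd_set "$1" options_drive 'C:'
  spd_set "$1" install_srcdrive 'E:'
  spd_set "$1" source_host_name 'mysourcehost.tivoli.com'
  spd_set "$1" log_host_name 'myloghost.tivoli.com'
  spd_set "$1" log_path 'C:\Program Files\Tivoli\bin\swdis\work\install_ammgr_windows.log'
}
```

Run make_sample_spd and configure_sample_spd on a scratch file to see the result; against a real template, call spd_set with the path of the SPD file you copied from the CD. Values go through the environment on purpose: awk -v would interpret the backslashes in the Windows log_path.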

Generate a software package block file

A software package block (.spb) bundles all the resources necessary to run the actions that are contained in the software package into a standard zipped format. At distribution time, the resources do not need to be collected from the source host; they are already contained in the software package block.

However, the software package block must reside on the source host. When the software package block is distributed to an endpoint, it is not stored on the endpoint. The software package block is unzipped in the target directory. By unpacking the zipped file immediately, there is no need for additional disk space on the endpoint for the .spb file.

After importing the software package definition file, you will need to compile the imported software package definition file information to bundle all of the files into software package blocks and generate the SPB file.
1. Place the cursor over the icon representing the software package definition information and right-click to click Convert. A window displays requesting the final location of the software package block file.
2. Enter an appropriate name for the SPB file. Click Convert & Close. The conversion process takes a few minutes because it has to bundle the installation wizard and native installation binaries into one file. When completed, the box icon appears sealed.

The SPBs can be installed by distributing them to the endpoints.

Deploy the software package blocks

After the software package definition file has been created and converted to a software package block, the software package block is ready to be distributed to endpoints.


1. Ensure that the timeout on your endpoint's controlling gateway is set to a value high enough to account for the time it will take to transfer the installation images. If problems occur while distributing to an endpoint, consult the LCFD log that is located on that endpoint.
2. Use IBM Tivoli Configuration Manager to deploy the SPB to multiple systems. When the SPB file is deployed, all of these files will be downloaded to the target system and then the script file will be launched in silent mode with the provided options file.

   Note: If different configuration information is needed, you must produce different SPB files for each configuration.

3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed on the endpoint. For instructions, see "Installing IBM Java Runtime" on page 318.
4. To install the software, right-click and click Install. Select the appropriate endpoints and set the distribution parameters, as needed.

A successful distribution will install the binary files, run the installation wizard in silent mode, install, and then configure the Access Manager system.


Groups and administrator identities on UNIX and Linux systems

Table 7 lists the user IDs and groups that are used by Tivoli Access Manager and its prerequisite software during installation on UNIX and Linux systems. These user IDs and groups are created automatically by the installation process if they do not already exist. If you wish to assign specific group IDs (GID) or user IDs (UID) for these groups and users, you can create them before installation.

Table 7. Users and groups required by Tivoli Access Manager

ID: ivmgr
Type: group
Group membership: ivmgr, root
Description: Access Manager Runtime installs files and directories that are owned by the group ivmgr. The installation process creates the group using the next available GID. To choose your own GID for Access Manager Runtime:

   Linux, Solaris, and HP-UX:
      groupadd -g gid ivmgr

   AIX:
      mkgroup id=gid ivmgr

ID: ivmgr
Type: user
Description: Access Manager installs files and directories that are owned by the user ivmgr. The installation process creates the user using the next available UID. To choose your own UID for Access Manager Runtime:

   HP-UX:
      useradd -u uid -g ivmgr -s /usr/bin/false -d /opt/PolicyDirector -c "Access Manager User" ivmgr

   Linux and Solaris:
      useradd -u uid -g ivmgr -s /bin/false -d /opt/PolicyDirector -c "Access Manager User" ivmgr

   AIX:
      mkuser id=uid groups=ivmgr gecos="Access Manager User" home=/opt/PolicyDirector ivmgr

ID: tivoli
Type: group
Group membership: tivoli, ivmgr, root
Description: Access Manager Runtime also creates a group ID named tivoli for use with the Tivoli Common Directory scheme. Note that other Tivoli products can create the group ID tivoli and that its creation is not unique to Access Manager Runtime. The installation process creates the group ID using the next available GID. To choose your own GID for Access Manager Runtime to be used with Tivoli Common Directory:

   Linux, Solaris, and HP-UX:
      groupadd -g gid tivoli

   AIX:
      mkgroup id=gid tivoli

ID: tivoli
Type: user
Group membership: tivoli
Description: Access Manager Runtime also creates a user ID named tivoli for use with the Tivoli Common Directory scheme. Note that other Tivoli products can create the user ID tivoli and that its creation is not unique to Access Manager Runtime. The installation process creates the user ID tivoli using the next available UID. To choose your own UID for Access Manager Runtime to be used with Tivoli Common Directory:

   Linux, Solaris, and HP-UX:
      useradd -u uid -g tivoli -c "Owner of Tivoli Common Files" tivoli
      usermod -G tivoli ivmgr

   AIX:
      mkuser id=uid groups=tivoli gecos="Owner of Tivoli Common Files" tivoli
      chuser pgrp=staff groups=ivmgr,tivoli ivmgr

ID: idsldap
Type: group
Description: The IBM Tivoli Directory Server installs files and directories owned by group idsldap. The installation process creates the group using the next available GID. To choose your own GID:

   Linux, Solaris, and HP-UX:
      groupadd -g gid idsldap

   AIX:
      mkgroup id=gid idsldap

ID: idsldap
Type: user
Group membership: idsldap
Description: The IBM Tivoli Directory Server installs files and directories owned by user idsldap. The installation process creates the user using the next available UID. To choose your own UID:

   Linux, Solaris, and HP-UX:
      useradd -u uid -g idsldap -d /home/idsldap -s /bin/ksh idsldap

   AIX:
      mkuser id=uid pgrp=staff groups=idsldap idsldap

ID: sys
Type: group
Group membership: root
Description: The installation process creates the group for IBM Global Security Kit (GSKit).

The IBM Tivoli Directory Server installation also requests a local user ID to own the directory server instance and DB2 instance.
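When the IDs are created ahead of the installer, it is worth checking that they look the way Table 7 expects before running it, in particular that the ivmgr service account keeps the non-interactive shell the table assigns and that ivmgr was actually added to the tivoli group. The following script is an added example and is not part of the IBM guide: it inspects lines in /etc/passwd and /etc/group format, which are constructed samples here (on a real host they would come from getent passwd ivmgr and getent group tivoli). The function names and the sample UID and GID values are this example's own.

```shell
#!/bin/sh
# Added example, not from the IBM guide: sanity-check the ivmgr and tivoli
# identities from Table 7 before installation. Input is in /etc/passwd and
# /etc/group line format; the samples below are constructed for this example.

# Constructed samples (UID/GID values are illustrative, not from the guide).
SAMPLE_IVMGR_OK='ivmgr:x:501:501:Access Manager User:/opt/PolicyDirector:/bin/false'
SAMPLE_IVMGR_BAD='ivmgr:x:501:501:Access Manager User:/home/ivmgr:/bin/bash'
SAMPLE_TIVOLI_GROUP='tivoli:x:502:ivmgr'

# field LINE N: print field N of a colon-separated passwd/group line
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# has_nologin_shell PASSWD_LINE: true when the login shell cannot start a session.
# Table 7 uses /bin/false or /usr/bin/false; the usual nologin shells are accepted too.
has_nologin_shell() {
  case "$(field "$1" 7)" in
    /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
    *) return 1 ;;
  esac
}

# group_has_member GROUP_LINE USER: true when USER is in the group's member list
# (field 4 of a group line, comma separated). This is what "usermod -G tivoli ivmgr"
# from Table 7 is meant to produce.
group_has_member() {
  case ",$(field "$1" 4)," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_ivmgr PASSWD_LINE [EXPECTED_UID]
# Prints one line per deviation from Table 7 and returns the number of deviations,
# so a return value of 0 means the account is as expected. EXPECTED_UID is optional,
# for sites that pre-create the account with a fixed UID.
check_ivmgr() {
  line=$1; want_uid=${2:-}; problems=0
  [ "$(field "$line" 1)" = ivmgr ] || { echo "user name is not ivmgr"; problems=$((problems + 1)); }
  [ "$(field "$line" 6)" = /opt/PolicyDirector ] || { echo "home is not /opt/PolicyDirector"; problems=$((problems + 1)); }
  has_nologin_shell "$line" || { echo "shell $(field "$line" 7) permits interactive login"; problems=$((problems + 1)); }
  if [ -n "$want_uid" ] && [ "$(field "$line" 3)" != "$want_uid" ]; then
    echo "uid is $(field "$line" 3), expected $want_uid"; problems=$((problems + 1))
  fi
  return $problems
}

# On a real host, replace the samples with live data, for example:
#   check_ivmgr "$(getent passwd ivmgr)" && group_has_member "$(getent group tivoli)" ivmgr
```

The return value doubles as a count, so the check can gate an unattended install (a non-zero status stops the pipeline) while the printed lines say what to fix.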


Default port numbers

Table 8. Default port numbers used during Tivoli Access Manager installation

Installation components                       Fields to be completed                   Default port
Access Manager Policy Server                  Policy server port                       7134
Access Manager Policy Server,                 Policy server SSL port                   7135
Access Manager Runtime,
Access Manager Runtime for Java,
Access Manager Web Portal Manager
Access Manager Authorization Server           Authorization request port               7136
Access Manager Authorization Server           Administration request port              7137
Access Manager Policy Proxy Server            Policy request port                      7138
Access Manager Policy Proxy Server            Authorization request port               7139
Access Manager WebSEAL                        WebSEAL listening port                   7234
Access Manager Session Management Server      IBM WebSphere Application Server port    8879
LDAP servers                                  Non-SSL port                             389
LDAP servers                                  SSL port                                 636
Access Manager WebSEAL                        HTTP port                                80
Access Manager WebSEAL                        HTTPS port                               443
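Table 8 is the natural input for a preflight check: a default port that is already bound on the target host makes the configuration step fail, or worse, leaves two unrelated services contending for it. The following script is an added example and is not part of the IBM guide: it lists the TCP ports in LISTEN state (via ss, falling back to netstat) and reports every Table 8 default that is taken. The short component labels in TAM_DEFAULT_PORTS are shorthand chosen for this example; report_conflicts takes the port list as an argument so it can also be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not from the IBM guide: before configuring a component, check that
# none of the Table 8 default ports is already bound on this host.

# component:port pairs from Table 8 (the component labels are this example's own).
TAM_DEFAULT_PORTS='policy-server:7134
policy-server-ssl:7135
authz-request:7136
authz-admin:7137
policy-proxy-request:7138
policy-proxy-authz:7139
webseal-listen:7234
sms-websphere:8879
ldap:389
ldap-ssl:636
webseal-http:80
webseal-https:443'

# listening_ports: print the local TCP ports in LISTEN state, one per line.
# Uses ss where available and falls back to netstat; prints nothing if neither exists.
listening_ports() {
  {
    if command -v ss >/dev/null 2>&1; then
      ss -ltn 2>/dev/null | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }'
    elif command -v netstat >/dev/null 2>&1; then
      netstat -ltn 2>/dev/null | awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }'
    fi
  } | sort -un
}

# report_conflicts PORT_LIST
# PORT_LIST holds one port number per line (normally the output of listening_ports).
# Prints "in use: component:port" for every Table 8 default found in the list and
# returns the number of conflicts, so 0 means all defaults are free.
report_conflicts() {
  in_use=$1; conflicts=0
  for entry in $TAM_DEFAULT_PORTS; do
    port=${entry##*:}
    if printf '%s\n' "$in_use" | grep -qx "$port"; then
      echo "in use: $entry"
      conflicts=$((conflicts + 1))
    fi
  done
  return $conflicts
}

# preflight: run the check against the live host; the exit status is the conflict count.
preflight() {
  report_conflicts "$(listening_ports)"
}
```

Run preflight on the host before starting the installer. A hit on 389, 636, 80 or 443 is not necessarily a problem if the listener is the LDAP server or WebSEAL instance you intend to use; a hit on the 713x policy and authorization ports usually means a previous installation was not cleaned up.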


Chapter 2. Internationalization

This chapter describes the internationalization features for a Tivoli Access Manager secure domain. This section contains the following topics:
- "Language support overview" on page 36
- "Installing language support packages for Tivoli Access Manager" on page 37
- "Installing language support packages for IBM Tivoli Directory Server" on page 39
- "Uninstalling Tivoli Access Manager language support packages" on page 44
- "Locale environment variables" on page 46
- "Message catalogs" on page 49
- "Text encoding (code set) support" on page 50

Attention: Ensure that you review the internationalization section in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database for any language-specific limitations or restrictions.


Language support overview

Tivoli Access Manager software is translated into the following languages:
- Arabic
- Brazilian Portuguese
- Czech
- Chinese (Simplified)
- Chinese (Traditional)
- French
- German
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Polish
- Spanish
- Russian

Notes:
1. The installation wizard uses your language of choice, without installing the language pack.
2. The installation wizards and the Windows native installation utility do not support the Arabic or Hebrew languages.
3. Only the panels in Web Portal Manager support the Hebrew language; messages and online help appear in English.

The translations for these languages are provided as language support packages on the IBM Tivoli Access Manager Language Support CD for each product. To obtain language support for Tivoli Access Manager, you must install the language support package for that product. Each language is a separately installable product installation image.
- If you use installation wizards to install Tivoli Access Manager, you must install the language package before installing Tivoli Access Manager so that you can view configuration messages in your native language.
- If you use native installation utilities to install Tivoli Access Manager, you must install the language package after installing Tivoli Access Manager components but before configuring them. If you do not install the language support package, the associated product displays all text in English.
- If you are installing Tivoli Access Manager Session Management Server or Session Management Command Line on Windows, you must install the language pack after installing the Session Management component. This is required for both the installation wizard and the native install.

If language support for a product is installed and you upgrade the product, you must also install the corresponding language support product, if one exists. Refer to the upgrade documentation for the specific product to determine if language support is required. If you do not install the language support after upgrading, the associated product might display some fields and messages in English.


Installing language support packages for Tivoli Access Manager

To install language support packages for Tivoli Access Manager, follow these steps:
1. Log on as root or as an Administrative user.
2. Insert or mount the IBM Tivoli Access Manager Language Support CD and change to the root directory where the CD is located.

   Note: On HP-UX systems, mount the CD using the mount command. For example, enter the following:

      mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed for your particular operating system. For instructions, see one of the following:
   - On AIX systems, see page 318.
   - On HP-UX systems, see page 319.
   - On Linux systems, see page 320.
   - On Solaris systems, see page 321.
   - On Windows systems, see page 321.
4. Depending on the Tivoli Access Manager component that you want to install, run one or more of the following setup scripts.
   - To install using a wizard, select the scripts for the desired components.

     Notes:
     a. Scripts are used for UNIX or Linux systems; batch files (.bat extension) are used for Windows systems.
     b. If you issue a script without specifying the jre_path, you must ensure that the Java executable is part of the PATH statement. Otherwise, issue the script specifying the jre_path as follows:

           language_package jre_path

        For example, to install the language package for the Access Manager Runtime, enter the following:

           install_pdrte_lp /usr/bin

        where /usr/bin is the path to the JRE.

     The following language packages are available:

     install_amsms_lp     Installs language packages for Access Manager Session Management Server and Access Manager Session Management Command Line.
     install_cars_lp      Installs language packages for Common Auditing and Reporting Service.
     install_pdwbpi_lp    Installs language packages for Access Manager Plug-in for Web Servers.
     install_pdwsl_lp     Installs language packages for Access Manager Plug-in for Edge Server.
     install_pdrte_lp     Installs language packages for Access Manager Runtime.


     install_pdjrte_lp    Installs language packages for Access Manager Runtime for Java.
     install_pdwbrt_lp    Installs language packages for Access Manager Web Security Runtime.
     install_pdweb_lp     Installs language packages for Access Manager WebSEAL.

   - To install in console mode, ensure that the IBM Java Runtime 1.5.0 SR5 is available in the command execution path (or prefix the command with the JRE directory) and run the following command:

        java -jar language_package.jar -console

     where language_package.jar is the name of the language package to install:

     carslp.jar               Installs language packages for Common Auditing and Reporting Service.
     pdjrte_lp_setup.jar      Installs language packages for Access Manager Runtime for Java.
     pdrte_lp_setup.jar       Installs language packages for Access Manager Runtime.
     pdweb_lp_setup.jar       Installs language packages for Access Manager WebSEAL.
     pdwbpi_lp_setup.jar      Installs language packages for Access Manager Plug-in for Web Servers.
     pdwebrte_lp_setup.jar    Installs language packages for Access Manager Web Security Runtime.
     pdwsl_lp_setup.jar       Installs language packages for Access Manager Plug-in for Edge Server.
     smslp.jar                Installs language packages for Access Manager Session Management Server and Access Manager Session Management Command Line.

5. Click Next to begin installation. The Software License Agreement window is displayed.
6. To accept the license agreement, select the I accept check box and then click Next. A dialog showing a list of the languages is displayed.
7. Select the language packages that you want to install and click Next. A dialog showing the location and features of the languages that you selected is displayed. To accept the languages selected, click Next.
8. The installation wizard validates that sufficient disk space is available. To install the languages that you selected, click Next.
9. After installation for the Tivoli Access Manager language pack has completed successfully, click Finish to close the wizard and restart your system.


Installing language support packages for IBM Tivoli Directory Server

In addition to installing language packages for Tivoli Access Manager software, you must install language packages for the user registry, such as the IBM Tivoli Directory Server. These language packages are provided on the IBM Tivoli Access Manager Language Support CD for the supported platforms.

Note: The IBM Tivoli Directory Server requires that at least one language pack be installed on all UNIX-based systems for the IBM Tivoli Directory Server client and administrative utilities to operate correctly. To determine if a language pack is installed, see "LANG variable on UNIX or Linux systems" on page 47.

After installing the Tivoli Directory Server language packages, you must install the IBM DB2 language packs.

AIX: Installing Tivoli Directory Server language packages

To install the Tivoli Directory Server language packages on AIX systems, follow these steps:
1. Log in as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert the IBM Tivoli Access Manager Language Support for AIX CD and mount it.
4. Install the following packages:

      installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where:

   cd_mount_point/usr/sys/inst.images
      Specifies the directory where the install packages are located.

   packages
      Specifies the package name or list of package names that you want to install. For example:

      idsldap.msg61.lang
         Specifies the IBM Tivoli Directory Server messages package, where lang is the language file abbreviation. The available language values include:

         cs_CZ   Czech
         de_DE   German
         en_US   English
         es_ES   Spanish
         fr_FR   French
         hu_HU   Hungarian
         it_IT   Italian
         ja_JP   Japanese
         ko_KO   Korean
         pl_PL   Polish


         pt_BR   Portuguese (Brazil)
         ru_RU   Russian
         sk_SK   Slovak
         zh_CN   Simplified Chinese
         zh_TW   Traditional Chinese

   For example, to install IBM Tivoli Directory Server messages in the Italian language, you would enter the following:

      installp -acgYXd /usr/sys/inst.images idsldap.msg61.it_IT

HP-UX: Installing Tivoli Directory Server language packages

To install the Tivoli Directory Server language packages on HP-UX or HP-UX on Integrity, follow these steps:
1. Log in as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert the CD for your platform:
   - IBM Tivoli Access Manager Language Support for HP-UX
   - IBM Tivoli Access Manager Language Support for HP-UX on Integrity
4. Mount the CD using the HP-UX mount command. For example, enter the following command:

      mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Install the following packages:
   - For HP-UX:

        swinstall -s /cd-rom/hp package

   - For HP-UX on Integrity:

        swinstall -s /cd-rom/hp_ia64 package

   where:

   cd-rom/hp or cd-rom/hp_ia64
      Specifies the directory where the packages are located.

   package
      Specifies the package name or list of package names that you want to install. For example:

      idsldap-msg61lang
         Specifies the IBM Tivoli Directory Server messages package, where lang is the language file abbreviation. The available language values include:

         de      German
         en      English
         es      Spanish
         fr      French
         it      Italian


         ja      Japanese
         ko      Korean
         zh_CN   Simplified Chinese
         zh_TW   Traditional Chinese

   For example, to install IBM Tivoli Directory Server messages in the Korean language, you would enter the following:

      swinstall -s /cd-rom/hp idsldap-msg61ko

   or

      swinstall -s /cd-rom/hp_ia64 idsldap-msg61ko

Linux: Installing Tivoli Directory Server language packages

Note to Linux on System z users: You must first obtain access to the Linux rpm files, which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.

To install the Tivoli Directory Server language packages for Linux systems, follow these steps:
1. Log in as root.
2. Insert the IBM Tivoli Access Manager Language Support for Linux on x86, IBM Tivoli Access Manager Language Support for Linux on System z or IBM Tivoli Access Manager Language Support for Linux on POWER CD and mount it.
3. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
4. Install the following packages:

      rpm -ihv packages

   where packages are as follows:

      Linux on x86:       idsldap-msg61-lang-6.1.0-0.noarch.rpm
      Linux on POWER:     idsldap.msg61.lang-6.1.0-0.noarch.rpm
      Linux on System z:  idsldap-msg61-lang-6.1.0-0.noarch.rpm

   and where lang is the language file abbreviation (for example, en). The available language values include:

      de      German
      en      English
      es      Spanish
      fr      French
      it      Italian
      ja      Japanese
      ko      Korean
      pt_BR   Portuguese (Brazil)
      zh_CN   Simplified Chinese
      zh_TW   Traditional Chinese


   For example, to install IBM Directory Server messages in the German language on a Linux on POWER system:

      rpm -ihv idsldap.msg61.de-6.1.0-0.noarch.rpm

   Note: The English language packages have a version number of 6.1.0-6 and are platform-specific. The English language packages for Linux are:

      Linux on x86:       idsldap-msg61-en-6.1.0-6.i386.rpm
      Linux on POWER:     idsldap-msg61-en-6.1.0-6.ppc.rpm
      Linux on System z:  idsldap-msg61-en-6.1.0-6.s390.rpm

Solaris: Installing Tivoli Directory Server language packages

To install the Tivoli Directory Server language packages on Solaris or Solaris on x86_64, follow these steps:

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

1. Insert the CD for your platform:
   - IBM Tivoli Access Manager Language Support for Solaris
   - IBM Tivoli Access Manager Language Support for Solaris on x86_64
2. Install the following package:
   - For Solaris:

        pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlxx61

   - For Solaris on x86_64:

        pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault IDSlxx61

   where:

   /cdrom/cdrom0/solaris or /cdrom/cdrom0/solaris_x86
      Specifies the location of the package.

   /cdrom/cdrom0/solaris/pddefault or /cdrom/cdrom0/solaris_x86/pddefault
      Specifies the installation administration script.

   xx
      Specifies the 2-letter language file abbreviation. The available language values include:

      br      Portuguese (Brazil)
      cn      Simplified Chinese
      de      German
      en      English
      es      Spanish
      fr      French
      it      Italian
      ja      Japanese
      ko      Korean


      tw      Traditional Chinese

   For example, to install IBM Tivoli Directory Server messages in the Japanese language on a Solaris system, enter the following command:

      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlja61

Windows: Installing Tivoli Directory Server language packages

To install the Tivoli Directory Server language packages on Windows, follow these steps:
1. Log on as a user with Administrator group privileges.
2. Insert the IBM Tivoli Access Manager Language Support for Windows CD.
3. Go to the drive for your CD-ROM, and then change to the following directory of the CD:

      windows/tds

4. Type the following command to install the package:

      idslp_setup_win32.exe


Uninstalling Tivoli Access Manager language support packages

To uninstall language support packages, follow these steps:
1. Change to one of the following directories:
   • On UNIX or Linux systems:
     /opt/location
   • On Windows systems:
     C:\Program Files\location

   where location is as follows:

   CARSLP/lp_uninst
       Specifies the location of the language packages for Common Auditing and Reporting Service.
   PDBLP/lp_uninst
       Specifies the location of the language packages for the Tivoli Access Manager base components, except for Access Manager Runtime for Java and Web Portal Manager.
   PDJrtLP/lp_uninst
       Specifies the location of the language packages for Access Manager Runtime for Java.
   PDWpiLP/lp_uninst
       Specifies the location of the language packages for Access Manager Plug-in for Web Servers.
   PDWslLP/lp_uninst
       Specifies the location of the language packages for Access Manager Plug-in for Edge Server.
   PDWebLP/lp_uninst
       Specifies the location of the language packages for Access Manager WebSEAL.
   AMWebRTELP/lp_uninst
       Specifies the location of the language packages for Access Manager Web Security Runtime.
   SMSLP/lp_uninst
       Specifies the location of the language packages for Access Manager Session Management Server and Access Manager Session Management Command Line.

2. To uninstall the language support packages, enter one of the following:
   • On UNIX or Linux systems:
     jre_path/java -jar package
   • On Windows systems:
     jre_path\java -jar package

   where jre_path is the path where the Java executable is located and package is one of the following:

   Note: If the Java executable is in the path, you do not have to specify jre_path.

   cars_lp_uninstall.jar
       Specifies the location of the language packages for Common Auditing and Reporting Service.
   pdrte_lp_uninstall.jar
       Specifies the location of the language packages for Access Manager Runtime.
   pdjrte_lp_uninstall.jar
       Specifies the language package for Access Manager Runtime for Java.
   pdsms_lp_uninstall.jar
       Specifies the language package for Access Manager Session Management Server and Access Manager Session Management Command Line.
   pdwbpi_lp_uninstall.jar
       Specifies the language package for Plug-in for Web Servers.
   pdweb_lp_uninstall.jar
       Specifies the language package for Access Manager WebSEAL.
   pdwebrte_lp_uninstall.jar
       Specifies the language package for Access Manager Web Security Runtime.

Uninstalling IBM Tivoli Directory Server language packages

Uninstall any language packages that you installed for IBM Tivoli Directory Server.

To find the list of packages to remove, see:
• “Installing language support packages for IBM Tivoli Directory Server” on page 39

Use the commands described for your operating system to remove the language packages.

AIX: Removing language packages

To remove language packages from an AIX system, enter the following command:

installp -u -g packages

where packages specifies the language packages to be removed.

Note: Use the -g option only if you want dependent software for the specified package removed.

HP-UX: Removing language packages

To remove language packages from an HP-UX or HP-UX on Integrity system, enter the following command:

swremove packages

where packages specifies the language packages to be removed.

Linux: Removing language packages

To remove language packages from a Linux system, enter the following command:

rpm -e packages

where packages specifies the language packages to be removed.

Solaris: Removing language packages

To remove language packages from a Solaris or Solaris on x86_64 system, enter the following command:

pkgrm packages

where packages specifies the language packages to be removed.

Windows: Removing language packages

To remove language packages from a Windows system, do the following:
1. In the Control Panel, click Add/Remove Programs.
2. Select IBM Tivoli Directory Server 6.1 Language Pack. Click Change/Remove.
3. On the Welcome window, click Next.
4. Select the language packs you want to uninstall. Click Next.
5. On the confirmation window, to uninstall the selected features, click Next.
6. Click Finish when the uninstallation is complete.

Locale environment variables

As with most current operating systems, localized behavior is obtained by specifying the desired locale. For Tivoli Access Manager software, you set the LANG environment variable to the desired locale name as specified by POSIX, X/Open, or other open systems standards.

Note: If you are in a Windows environment, you can alternatively modify the language setting in the Regional Settings of the Control Panel. If you specify the LANG environment variable and modify the regional settings, the LANG environment variable overrides this regional setting.

As specified by open systems standards, other environment variables override LANG for some or all locale categories. These variables include the following:
• LC_COLLATE
• LC_CTYPE
• LC_MONETARY
• LC_NUMERIC
• LC_TIME
• LC_MESSAGES
• LC_ALL

If any of the previous variables are set, you must remove their setting for the LANG variable to have full effect.


LANG variable on UNIX or Linux systems

Most UNIX or Linux systems use the LANG variable to specify the desired locale. Different UNIX or Linux operating systems, however, require different locale names to specify the same language. Be sure to use a value for LANG that is supported by the UNIX or Linux operating system that you are using.

To obtain the locale names for your UNIX or Linux system, enter the following:

locale -a

The IBM Tivoli Directory Server requires that at least one language pack be installed on all UNIX-based systems for the IBM Tivoli Directory Server client and administrative utilities (for example, idscfgdb or db2dif) to operate correctly. To verify that you have a language package installed for your UNIX or Linux system, enter the following:

locale

If you had loaded a language package (for example bos.loc.iso.en_us), the output of the locale command would be:

LANG=en_US
LC_COLLATE="en_US"
LC_CTYPE="en_US"
LC_MONETARY="en_US"
LC_NUMERIC="en_US"
LC_TIME="en_US"
LC_MESSAGES="en_US"
LC_ALL=

If no language packages have been installed, the output would be:

LANG=en_US
LC_COLLATE="C"
LC_CTYPE="C"
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_MESSAGES="C"
LC_ALL=
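As an added example that is not part of the IBM guide, the following POSIX shell function turns the visual comparison above into a scripted check: it reads the output of locale and reports whether a language package is actually backing the requested LANG, which is the condition the directory server utilities depend on. The function name and the two sample outputs are this example's own, constructed to match the two cases shown above; only the standard sed and tr utilities are assumed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: classify the output of `locale`
# the way the guide describes. On a UNIX system without a language package,
# LANG is set but every LC_* category silently resolves to "C".

# locale_pack_status LOCALE_OUTPUT
#   Prints one word:
#     installed  LANG names a locale and LC_CTYPE resolved to a real locale
#     missing    LANG names a locale but LC_CTYPE fell back to "C"/"POSIX"
#     unset      LANG is empty, C or POSIX (no translation was requested)
locale_pack_status() {
    lang=$(printf '%s\n' "$1" | sed -n 's/^LANG=//p' | tr -d '"')
    ctype=$(printf '%s\n' "$1" | sed -n 's/^LC_CTYPE=//p' | tr -d '"')
    case "$lang" in
        ""|C|POSIX) echo unset; return 0 ;;
    esac
    # The OS derives LC_CTYPE from LANG only when a locale definition
    # (that is, a language package) exists for that name.
    case "$ctype" in
        ""|C|POSIX) echo missing ;;
        *)          echo installed ;;
    esac
}

# Constructed sample outputs that mirror the two cases shown in the guide.
WITH_PACK='LANG=en_US
LC_COLLATE="en_US"
LC_CTYPE="en_US"
LC_MONETARY="en_US"
LC_NUMERIC="en_US"
LC_TIME="en_US"
LC_MESSAGES="en_US"
LC_ALL='

NO_PACK='LANG=en_US
LC_COLLATE="C"
LC_CTYPE="C"
LC_MONETARY="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_MESSAGES="C"
LC_ALL='

# Stand-alone run: report on the two samples, then on the current host.
locale_pack_status "$WITH_PACK"          # installed
locale_pack_status "$NO_PACK"            # missing
locale_pack_status "$(locale 2>/dev/null)"
```

On a real host, run the last line alone; a result of missing means LANG requests a locale the system cannot honor, and the directory server utilities will behave as if no language package were present.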


LANG variable on Windows systems

Most operating systems do not use the LANG environment variable. Tivoli Access Manager software, however, can use LANG to determine the desired language. To do so, set the LANG environment variable to the canonical locale name based on the ISO language or territory codes without a code set suffix. For example:
• fr is the locale for standard French
• ja is the locale for Japanese
• pt_BR is the locale for Brazilian Portuguese
• C is the locale for English in C locale

Using locale variants

Although Tivoli Access Manager software currently provides only one translated version for each language, you can use a preferred locale variant, and Tivoli Access Manager finds the corresponding language translation. For example, Tivoli Access Manager provides one translation for French, but each of the following locale settings finds the appropriate translation:
• fr is the locale name for standard French
• fr_FR is the locale name for French in France
• fr_CA is the locale name for French in Canada
• fr_CH is the locale name for French in Switzerland


Message catalogs

Message catalogs are typically installed in a msg subdirectory, and each of these message catalogs is installed under a language-specific subdirectory. For example, the Tivoli Access Manager base components use the following directories:
• On UNIX or Linux systems:
  /opt/PolicyDirector/nls/msg/locale
• On Windows systems:
  install_dir/nls/msg/locale

Other Tivoli Access Manager components use similar directories for their message catalogs.

Tivoli Access Manager recognizes variations in UNIX or Linux locale names and is usually able to map the specified value to the appropriate message catalog.

The NLSPATH environment variable is used to find the appropriate message catalog directory, as specified by open systems standards. For example, if the message catalogs are in /opt/PolicyDirector/nls/msg, the NLSPATH variable is set to the following:

/opt/PolicyDirector/nls/msg/%L/%N.cat:/opt/PolicyDirector/nls/msg/%L/%N

Note: For Windows, use a semicolon (;) instead of a colon (:) as the separator. For example:

C:\Program Files\PolicyDirector\nls\msg\%L\%N.cat;C:\Program Files\PolicyDirector\nls\msg\%L\%N

The %L directive is expanded to the message catalog directory that most closely matches the current user language selection, and %N.cat expands to the desired message catalog.

If a message catalog is not found for the desired language, the English C message catalogs are used.

For example, suppose you specify the AIX locale for German in Switzerland as follows:

LANG=De_CH.IBM-850

The %L directive is expanded in the following order to locate the specified locale:
1. de_CH
2. de
3. C

Because Tivoli Access Manager does not provide a German in Switzerland language package, de_CH is not found. If the Tivoli Access Manager German language package is installed, de is used. Otherwise, the default locale C is used, causing text to be displayed in English.
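The %L search order just described, as an added example that is not part of the IBM guide: a POSIX shell model of the lookup that builds the NLSPATH value the guide gives and then resolves a LANG value such as De_CH.IBM-850 to the first catalog directory that exists, trying language_TERRITORY, then language, then C. The helper names nlspath_for and catalog_dir_for_locale, the catalog name demo_msgs and the temporary catalog tree are this example's own assumptions; the real lookup is performed by the operating system's NLS runtime when Tivoli Access Manager opens a catalog, not by this script.

```shell
#!/bin/sh
# Added example, not from the IBM guide: model the NLSPATH %L fallback
# (lang_TERRITORY -> lang -> C) that the guide describes for De_CH.IBM-850.

# nlspath_for BASE
#   Prints the two-entry NLSPATH value the guide gives for catalog root BASE.
nlspath_for() {
    printf '%s/%%L/%%N.cat:%s/%%L/%%N\n' "$1" "$1"
}

# catalog_dir_for_locale BASE LOCALE CATALOG
#   Echoes the first candidate directory under BASE that holds CATALOG.cat
#   or CATALOG, in the order lang_TERRITORY, lang, C. Returns 1 if none.
catalog_dir_for_locale() {
    base=$1
    catalog=$3
    # Drop the code set suffix (".IBM-850", ".UTF-8") and split on "_".
    bare=${2%%.*}
    language=$(printf '%s' "${bare%%_*}" | tr '[:upper:]' '[:lower:]')
    territory=${bare#*_}
    [ "$territory" = "$bare" ] && territory=""
    candidates=$language
    if [ -n "$territory" ]; then
        territory=$(printf '%s' "$territory" | tr '[:lower:]' '[:upper:]')
        candidates="${language}_${territory} $language"
    fi
    # C and POSIX name the default catalogs directly.
    case "$bare" in C|POSIX|"") candidates="" ;; esac
    for cand in $candidates C; do
        if [ -f "$base/$cand/$catalog.cat" ] || [ -f "$base/$cand/$catalog" ]; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed catalog tree (assumption for the demo): the German and C
# catalogs exist, a German-in-Switzerland (de_CH) catalog does not.
DEMO_BASE=$(mktemp -d)
trap 'rm -rf "$DEMO_BASE"' EXIT
for l in de C; do
    mkdir -p "$DEMO_BASE/$l"
    : > "$DEMO_BASE/$l/demo_msgs.cat"
done

# Stand-alone run: the guide's example resolves de_CH (absent) -> de.
nlspath_for "$DEMO_BASE"
catalog_dir_for_locale "$DEMO_BASE" De_CH.IBM-850 demo_msgs   # de
catalog_dir_for_locale "$DEMO_BASE" fr_CA demo_msgs           # C
```

The script uses the colon separator of UNIX and Linux; on Windows the same directive pair is joined with a semicolon, as the note above shows. Pointing the function at a real /opt/PolicyDirector/nls/msg tree and the LANG value of a service account is a quick way to confirm which catalog a component will actually load before its messages are relied on in logs.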


Text encoding (code set) support

Different operating systems often encode text in different ways. For example, Windows systems use SJIS (code page 932) for Japanese text, but UNIX or Linux systems often use eucJP.

In addition, multiple locales can be provided for the same language so that different code sets can be used for the same language on the same machine. Providing multiple locales for the same language can cause problems when text is moved from system to system or between different locale environments.

Tivoli Access Manager addresses these problems by using Unicode and UTF-8 (the multibyte form of Unicode) as the internal canonical representation for text.

Message catalogs are encoded using UTF-8, and the text is converted to the locale encoding before being presented to the user. In this way, the same French message catalog files can be used to support a variety of Latin 1 code sets, such as ISO8859-1, Microsoft 1252, IBM PC 850, and IBM MVS 1047.

UTF-8 is also used to achieve text interoperability. For example, Common Object Request Broker Architecture (CORBA) strings are transmitted as UTF-8. This enables remote management within a heterogeneous network in which local text encoding can vary. For example, Japanese file names can be manipulated on Japanese PC endpoints from a desktop executing in the UNIX Japanese EUC locale.

Text interoperability across the secure domain is also achieved by storing strings as UTF-8 within the Tivoli object database. Strings are converted to the local encoding for viewing and manipulation by applications that are executing on different operating system code sets.

Location of code set files

Interoperability across your secure domain depends on code set files, which are used to perform UTF-8 conversion and other types of encoding-specific text processing. These files are installed in the following directories:
• On UNIX or Linux systems:
  /opt/PolicyDirector/nls/TIS
• On Windows systems:
  install_dir\nls\TIS


Part 2. Base system installation

Chapter 3. Setting up the registry server  53
  Setting up IBM Tivoli Directory Server  54
    Preinstallation requirements  54
    Installing using the installation wizard  57
    Installing using native utilities  58
      Preinstallation requirements for native installations  59
      License terms for Tivoli Directory Server  61
      AIX: Installing IBM Tivoli Directory Server  62
      HP-UX: Installing IBM Tivoli Directory Server  67
      Linux: Installing IBM Tivoli Directory Server  72
      Solaris: Installing IBM Tivoli Directory Server  78
      Windows: Installing IBM Tivoli Directory Server  83
    Configuring a directory server instance for IBM Tivoli Directory Server  87
      Creating an instance with the Instance Administration Tool  87
      Migrating an instance  95
      Setting the administrator DN and password for a directory instance  96
      Configuring the database for a directory instance  97
      Creating a backup of a directory instance  99
      Configuring a suffix for a directory instance  99
    Configuring IBM Tivoli Directory Server for Tivoli Access Manager  100
      Using the Web Administration Tool  101
      Using the command line  104
  Setting up IBM z/OS LDAP Server  105
    Updating schema files  106
    Adding suffixes  106
    Configuring Tivoli Access Manager for LDAP  106
    Native authentication user administration  107
  Setting up Lotus Domino  108
    Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0)  110
      Determining if the Tivoli Access Manager ID has access to create a database on a server  111
      Adding a user to the access control list and set the access level  111
      Defining an administration server for a database  112
    Installing a Lotus Notes client on a Tivoli Access Manager system  112
  Setting up Microsoft Active Directory  114
    Active Directory considerations  114
    Creating an Active Directory domain  115
    Joining an Active Directory domain  116
    Creating an Active Directory administrative user  118
    Changing Active Directory replication settings  119
  Setting up Microsoft Active Directory Application Mode (ADAM)  119
    Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)  120
    Installing Access Manager with support for Active Directory Application Mode (ADAM)  120
    Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)  121
      Configuring Tivoli Access Manager location for Active Directory Application Mode (ADAM)  122
    Configuring a default Tivoli Access Manager directory partition  123
      Configuring a non-default Tivoli Access Manager directory partition  124
    Adding an administrator to the Tivoli Access Manager metadata directory partition  124
    Allowing anonymous bind  126
  Setting up Novell eDirectory  127
    Configuring the Novell eDirectory for Tivoli Access Manager  127
    When using Novell eDirectory  129
    Management domain location  130
  Setting up the Sun Java System Directory Server  132

Chapter 4. Setting up a policy server  137
  LDAP data format selection  137
  Tivoli Access Manager management domains  138
    Creating a management domain location (example)  139
      Password change does not work in a multidomain environment  140
    Management domain location for an Active Directory Application Mode (ADAM) registry  140
  Installing using the installation wizard  141
  Installing using native utilities  142
    AIX: Installing the policy server  142
    HP-UX: Installing the policy server  144
    Linux: Installing the policy server  146
    Solaris: Installing the policy server  147
    Windows: Installing the policy server  149

Chapter 5. Setting up an authorization server  153
  Installing using the installation wizard  154
  Installing using native utilities  155
    AIX: Installing an authorization server  155
    HP-UX: Installing an authorization server  156
    Linux: Installing an authorization server  158
    Solaris: Installing an authorization server  159
    Windows: Installing an authorization server  161

Chapter 6. Setting up a development system  163
  Installing using the installation wizard  163
  Installing using native utilities  164
    AIX: Installing a development (ADK) system  164
    HP-UX: Installing a development (ADK) system  165
    Linux: Installing a development (ADK) system  167
    Solaris: Installing a development (ADK) system  168
    Windows: Installing a development (ADK) system  170

Chapter 7. Setting up an Access Manager Runtime for Java system  173
  Installing using the installation wizard  173
  Installing using native utilities  175
    AIX: Installing Access Manager Runtime for Java  175
    HP-UX: Installing Access Manager Runtime for Java  176
    Linux: Installing Access Manager Runtime for Java  177
    Solaris: Installing Access Manager Runtime for Java  178
    Windows: Installing Access Manager Runtime for Java  180

Chapter 8. Setting up a policy proxy server system  181
  Installing using the installation wizard  181
  Installing using native utilities  182
    AIX: Installing a policy proxy server  183
    HP-UX: Installing a policy proxy server  184
    Linux: Installing a policy proxy server  185
    Solaris: Installing a policy proxy server  187
    Windows: Installing a policy proxy server  188

Chapter 9. Setting up a runtime system  191
  Installing using the installation wizard  191
  Installing using native utilities  193
    AIX: Installing Access Manager Runtime  193
    HP-UX: Installing Access Manager Runtime  194
    Linux: Installing Access Manager Runtime  195
      Starting Tivoli Access Manager components on SUSE Linux Enterprise Server 10  196
    Solaris: Installing Access Manager Runtime  197
    Windows: Installing Access Manager Runtime  199

Chapter 10. Setting up a Web Portal Manager system  201
  Installing using the installation wizard  201
  Installing using native utilities  203
    AIX: Installing a Web Portal Manager system  204
    HP-UX: Installing a Web Portal Manager system  206
    Linux: Installing a Web Portal Manager system  208
    Solaris: Installing a Web Portal Manager system  211
    Windows: Installing a Web Portal Manager system  214
  Configuring WebSphere Application Server security  216


Chapter 3. Setting up the registry server

The first step in establishing a management domain is to set up a registry server for use with Tivoli Access Manager. To install and configure a registry, do one of the following:
• To install and configure IBM Tivoli Directory Server (included with Tivoli Access Manager), follow the instructions in “Setting up IBM Tivoli Directory Server” on page 54. The install_ldap_server installation wizard can be used to streamline the installation and configuration process. You also can consult the IBM Tivoli Directory Server documentation available on the Web at:
  http://www.ibm.com/software/tivoli/products/directory-server
• To install a supported registry other than IBM Tivoli Directory Server, consult the registry product’s documentation. For a list of supported registries, see “Supported registries” on page 13. The IBM Tivoli Directory Server client must be used as the registry client for LDAP-based user registries.
• To use an existing registry server with Tivoli Access Manager, ensure that you have upgraded the server to a version that is supported by this release of Tivoli Access Manager. For upgrade instructions for IBM Tivoli Directory Server, see the IBM Tivoli Access Manager for e-business: Upgrade Guide. For other supported registries, consult the registry product’s documentation. Then follow the instructions in this chapter to configure your registry for use with Tivoli Access Manager.

This chapter includes the following main sections:
• “Setting up IBM Tivoli Directory Server” on page 54
• “Setting up IBM z/OS LDAP Server” on page 105
• “Setting up Lotus Domino” on page 108
• “Setting up Microsoft Active Directory” on page 114
• “Setting up Microsoft Active Directory Application Mode (ADAM)” on page 119
• “Setting up Novell eDirectory” on page 127
• “Setting up the Sun Java System Directory Server” on page 132


Setting up IBM Tivoli Directory Server

This section provides information about installing and configuring IBM Tivoli Directory Server as your Tivoli Access Manager registry. You can set up this system using one of the following installation methods:
• “Installing using the installation wizard” on page 57
• “Installing using native utilities” on page 58

Notes:

1. The Tivoli Directory Server client and server that accompany Tivoli Access Manager 6.1.1 are not the latest fix packs. Ensure that you have installed the latest fix packs of the Tivoli Directory Server client and server in your Tivoli Access Manager environment. If you are installing Tivoli Access Manager using the installation wizards, you can upgrade the Tivoli Directory Server client and server to the latest fix packs after you install and configure Tivoli Access Manager. For native installation, you can upgrade the Tivoli Directory Server client and server to the latest fix packs only after you install the Tivoli Directory Server client and server.

2. During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

3. IBM Tivoli Directory Server, IBM Directory Server Web Administration Tool, IBM DB2, and IBM Global Security Kit (GSKit) are on the IBM Tivoli Access Manager Directory Server set of CDs for the supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

4. The server, client, and proxy server can be installed for IBM Tivoli Directory Server if you choose.

5. The IBM Tivoli Directory Server can use an instance, similar to how DB2 uses an instance. Before configuring IBM Tivoli Directory Server, you must create a user identity and group to own the IBM Tivoli Directory Server instance and the DB2 instance. The installation wizard can create the user automatically if you choose.

6. The server and the client for IBM Tivoli Directory Server must be located on the same system.

7. IBM WebSphere Application Server is on the IBM Tivoli Access Manager WebSphere Application Server set of CDs for the supported AIX, HP-UX, Linux, Solaris, and Windows platforms.

For complete IBM Tivoli Directory Server product documentation, visit the following Web site:

http://www.ibm.com/software/tivoli/products/directory-server

Preinstallation requirements

Before you install and configure IBM Tivoli Directory Server, you must perform the following preinstallation tasks (as required). These requirements are applicable regardless of which installation method you plan to use.


• With the exception of Windows on x86 and Linux on x86 platforms, IBM Tivoli Directory Server requires 64-bit hardware and a 64-bit kernel on all platforms.

• To verify that your AIX system is set up correctly for 64-bit hardware and a 64-bit kernel, review the following:
  – To verify that your AIX hardware is 64-bit, enter the following:

    bootinfo -y

    If the result displays 64, your hardware is 64-bit. In addition, if you type the command lsattr -El proc0, the output of the command returns the type of processor for your server. If you have any of the following types of processors, you have 64-bit hardware: RS64 I, II, III, IV, POWER3, POWER3 II, POWER4, or POWER5.

  – 64-bit hardware can have either a 32-bit or a 64-bit kernel. To verify that you have a 64-bit kernel (/usr/lib/boot/unix_64) installed and running, enter the following:

    bootinfo -K

    If the result displays 64, the kernel is 64-bit. However, if the result displays 32, you must switch from the 32-bit kernel to the 64-bit kernel. To do so, follow these steps:
    1. Ensure that you have the following 64-bit packages:
       bos.64bit
       bos.mp64
    2. To switch to the 64-bit kernel, enter the following commands:
       ln -sf /usr/lib/boot/unix_64 /unix
       ln -sf /usr/lib/boot/unix_64 /usr/lib/boot/unix
       lslv -m hd5

       You should see output from the lslv command similar to the following output:
       #lslv -m hd5
       hd5:N/A
       LP    PP1  PV1      PP2  PV2      PP3  PV3
       0001  0001 hdisk0

       Then enter:
       bosboot -ad /dev/ipldevice

       where ipldevice is the hard disk device shown by running the lslv command. You should see output from the bosboot command similar to the following output:
       #bosboot -ad /dev/hdisk0
       bosboot: Boot image is 13025 512 byte blocks

       Then enter:
       shutdown -Fr

  – Ensure that asynchronous I/O is enabled. To do so, enter the following commands:
    /usr/sbin/mkdev -l aio0
    /usr/sbin/chdev -l aio0 -P
    /usr/sbin/chdev -l aio0 -P -a autoconfig=available

• On Linux systems only (all platforms)
  – If you install the Red Hat Enterprise Linux 5 operating system with SELINUX enabled (which is the default), instance creation fails. If you have already installed the operating system and SELINUX is enabled, use the setenforce 0 command to disable it. Then, in the /etc/selinux/config file, change SELINUX=enforcing to SELINUX=disabled.

  – The Korn shell, provided in the pdksh rpm package for all versions of Linux except SUSE LINUX Enterprise Server 10 and Red Hat Enterprise Linux 5, is required. Install the most recent version for your operating system. The pdksh rpm package is not available for SUSE LINUX Enterprise Server 10 or Red Hat Enterprise Linux 5. However, you must install a ksh package.

  – If you want to install the client or a server on Red Hat versions of Linux, you must install the following packages, which are included with the operating system, before you install IBM Tivoli Directory Server:
    compat-gcc
    compat-gcc-c++
    compat-libstdc++
    compat-libstdc++-devel
    glibc-devel
    glibc-headers
    glibc-kernheaders

    Note: You might need to upgrade to the latest patch level of these packages. See the Red Hat support site at http://rhn.redhat.com for patches for Red Hat Enterprise Linux.

  – If you are installing on a Linux operating system, you might need to manually specify some DB2 settings, such as preliminary kernel, operating system and shell parameters, before installing IBM Tivoli Directory Server. See the DB2 documentation for instructions on setting these parameters:
    http://publib.boulder.ibm.com/infocenter/db2luw/v8//index.jsp

• On Linux on System z systems only

  You must install the following packages before you install DB2:
  – Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 4
    - compat-libstdc++-295-2.95.3-81.s390.rpm or higher version
    - compat-libstdc++-295-2.95.3-81.s390x.rpm or higher version
    - compat-libstdc++-33-3.2.3-47.3.s390.rpm or higher version
    - compat-libstdc++-33-3.2.3-47.3.s390x.rpm or higher version
  – SUSE Linux Enterprise Server 9:
    - compat-2004.7.1-1.2.s390x.rpm or higher version
    - compat-32bit-9-200407011411.s390x.rpm or higher version
  – SUSE Linux Enterprise Server 10:
    - compat-2006.1.25-11.2.s390x.rpm or higher version
    - compat-32bit-2006.1.25-11.2.s390x.rpm or higher version

• On Linux on System z systems, IBM Tivoli Directory Server requires a 64-bit kernel. To ensure that your system is set up correctly, enter the following command:

  uname -m

  If the result displays s390x, you are running a 64-bit kernel. If the result displays s390, you are not running a 64-bit kernel.


Installing using the installation wizard

The install_ldap_server installation wizard simplifies the setup of an IBM Tivoli Directory Server system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM DB2 Universal Database, Enterprise Server Edition
• IBM Tivoli Directory Server (client, server, and proxy server)

For descriptions of configuration options and step-by-step instructions with illustrations, see “Installing the IBM Tivoli Directory Server (install_ldap_server wizard)” on page 360.

Attention:

• The installation wizard cannot be used to upgrade an existing IBM Tivoli Directory Server. If Tivoli Directory Server is installed at a previous release level, or at a 6.1 maintenance level prior to 6.1.0-6, the installation wizard will report an error. See IBM Tivoli Access Manager for e-business: Upgrade Guide for information about upgrading Tivoli Directory Server. In addition, on Linux on System z systems, if a 64-bit Tivoli Directory Server client package prior to level 6.1.0-6 is installed on the system, the installation wizard will fail. The downlevel 64-bit Tivoli Directory Server client package must be removed before running the install wizard.

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure an IBM Tivoli Directory Server system using theinstall_ldap_server wizard, follow these steps.1. Ensure that all necessary operating system patches are installed. Also ensure

that you have reviewed the most-recent release information, including systemrequirements, disk space requirements, and known defects and limitations inthe IBM Tivoli Access Manager for e-business: Release Notes or Technotes in thesupport knowledge database.

2. Perform the preinstallation tasks as listed in “Preinstallation requirements” onpage 54.

3. To view status and messages in a language other than English (default), youmust install your language support package before running an installationwizard. For instructions, see “Installing language support packages for IBMTivoli Directory Server” on page 39.

4. On Windows systems only, exit from all running programs.5. If you choose, a self-signed SSL certificate can be generated and placed in a key

database file during installation. You can then use the generated keyfile toenable SSL support between your policy server and the IBM Tivoli DirectoryServer.

Chapter 3. Setting up the registry server 57

Page 76: Am611 Install

If you plan to enable SSL using a certificate obtained from a CertificateAuthority (CA), ensure that you copy the key database file containing thatcertificate to a directory on this system and specify that key database fileduring installation.

6. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manageris installed and can be located using the PATH environment variable beforerunning the installation wizard . For instructions, see page 318.

Note: To determine whether IBM Java Runtime 1.5.0 SR5 is already in the path,use the java –version command. If you have multiple versions of theJava Runtime Environment installed, only the first Java RuntimeEnvironment version encountered is displayed. If the correct versioncannot be found, an error occurs.

7. Do one of the following:v If installing on AIX, Linux, Solaris or HP-UX systems, run the

install_ldap_server program, located in the root directory on the IBM TivoliAccess Manager Directory Server (1 of 2) CD for your operating system.

v If installing on Windows, run the install_ldap_server program, located in theroot directory on the IBM Tivoli Access Manager Directory Server for Windows(1 of 3) CD.

The installation wizard begins by prompting you for configuration informationas described in “Installing the IBM Tivoli Directory Server (install_ldap_serverwizard)” on page 360. Supply the required configuration information, or acceptdefault values.

8. Compare the disk space that is required to install all of the IBM TivoliDirectory Server system components and prerequisites with the disk space thatis available. If there is sufficient space, continue the installation.The components are installed and configured without further intervention.

9. Information on configuring Tivoli Directory Server to use SSL security can be found in Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473. After the installation wizard completes, the password for the key database file can be changed using the iKeyman key management utility that is installed with IBM Global Security Kit (GSKit). For more information, see “Setting up the GSKit iKeyman utility” on page 315.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager using the install_ldap_server installation wizard, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.

Installing using native utilities

The following sections enable you to install the IBM Tivoli Directory Server using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order.

Complete the instructions that apply to your operating system:
• AIX on page 62
• HP-UX on page 67
• Linux on page 72
• Solaris on page 78
• Windows on page 83

58 Tivoli Access Manager Installation Guide


Preinstallation requirements for native installations

Before you install and configure Tivoli Directory Server using native utilities, you must create a user ID on the system for the owner of the directory server instance.

When you create a directory server instance, a user ID on the operating system must exist for the directory server instance owner. For a full server, there must also be user IDs on the operating system for the owners of the database instance and the database. You can use the same user ID for all three roles; if you do this, the directory server instance, the database instance, and the database owner all have the same name.

If you use the Instance Administration Tool to create a directory server instance, you can create the directory server instance owner user ID through the tool.

If you use the command line to create the directory server instance, you can use the idsadduser command to create the directory server instance owner user ID. This command creates a user ID that meets all requirements.

Use the following information to understand the directory server instance owner, database instance owner, and database owner roles before you create the user ID or IDs.

The roles are defined as follows:

Directory server instance owner
   You must have a user ID for the owner of the directory server instance. The user ID for the directory server instance owner is also the name of the directory server instance. This user has the authority to manage the directory server instance.

Database instance owner
   This user ID owns the database instance that is configured to be used by the directory server instance. The database instance name and the database instance owner name are the same. This user manages the database instance. The directory server instance owner can also manage the database instance. By default, this user ID is the same as the directory server instance owner ID.

Database owner
   This user ID owns the database that is used by the directory server instance to store the directory data. The database resides in the database instance owned by the database instance owner. The directory server instance uses this user ID and its password to connect to the database.

Naming rules: The requirements in this section apply to the following:
• The directory server instance name (the user ID that owns the directory server instance).
• The database instance name (the user ID that owns the database instance). This is usually the same as the directory server instance name.
• On AIX, Linux, Solaris, and HP-UX, the primary groups of the directory server instance owner user ID and the database instance owner user ID.

These user and group IDs:
• Can be no longer than 8 characters
• Cannot be any of the following:
  – USERS
  – ADMINS
  – GUESTS
  – PUBLIC
  – LOCAL
  – idsldap
• Cannot begin with any of the following:
  – IBM
  – SQL
  – SYS
• Cannot include accented characters
• Can include the following characters:
  – A through Z
  – a through z
  – 0 through 9
• Must begin with one of the following characters:
  – A through Z
  – a through z

Additional restrictions for users and groups: In addition to the naming rules, be sure that the following requirements are met:
• On AIX, Linux, Solaris, and HP-UX systems:
  – The root ID must be a member of the primary group of the directory server instance owner and the database instance owner.
  – The root ID must be a member of the idsldap group.
  – The directory server instance owner and the database instance owner must be members of the idsldap group.
  – The directory server instance owner and the database instance owner must have home directories.
  – The specific permissions for the home directory of the directory server instance owner must be as follows:
    - The user ownership is the directory server instance owner.
    - The group ownership is the directory server instance owner's primary group.
    - The directory server instance owner and its primary group must have read, write, and execute permissions to the home directory.
  – The directory server instance owner and its primary group must have read, write, and execute access to the location where the database will be created.
  – If the directory server instance owner and the database instance owner for a given directory server instance are different users, the directory server instance owner must be a member of the database instance owner's primary group.
  – The database instance owner and the database owner for a given directory server instance must have the same primary group.
  – For best results, the login shell of the directory server instance owner, the database instance owner, and the database owner should be the Korn shell (/usr/bin/ksh).
  – The password of the directory server instance owner, the database instance owner, and the database owner must be set correctly and ready to use. For example, the password cannot be expired or waiting for a first-time validation of any kind. (The best way to verify that the password is correctly set is to telnet to the same computer and successfully log in with that user ID and password.)
  – When configuring the database, it is not necessary, but customary, to specify the home directory of the database instance owner as the database location. However, if you specify some other location, the database instance owner's home directory still must have 3 to 4 MB of space available. This is because DB2 creates links and adds files into the home directory of the database instance owner even though the database itself is elsewhere. If you do not have enough space in the home directory, you can either create enough space or change the database instance owner's home directory.
• On Windows systems:
  – The directory server instance owner and the database instance owner must be members of the Administrators group.
  – The database instance owner must have the locale set to the correct locale for the language in which you want server messages to be displayed. If necessary, log in as the user and change the locale to the correct one.

Creating instance owners: examples: You can use the idsadduser command to create instance owners that meet the requirements for a directory server instance owner.

For example:
• The following command creates a new user on an AIX, Linux, Solaris, or HP-UX system with user name JoeSmith. The primary group is employees, the home directory is /home/joe, and the password is joespw.
  idsadduser -u JoeSmith -g employees -l /home/joe -w joespw
• The following command creates a new user on a Windows system with user name JoeSmith and password joespw. The user is a member of the Administrators group.
  idsadduser -u JoeSmith -w joespw
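The following POSIX sh script is an added example and is not part of the Installation Guide or of the idsadduser tool. It checks a candidate user ID against the naming rules listed above before you create it, and checks the group-membership and home-directory requirements from “Additional restrictions for users and groups” on values you pass in, so it runs without touching the system. The function names and the sample values (the idsldap group record, the idsinst user, the idsgrp group, the 770 mode) are constructed for illustration; the script also assumes that the reserved names and prefixes are compared case-insensitively, which is the conservative reading of the list.

```shell
#!/bin/sh
# Added example, not from the Installation Guide: pre-flight checks for the
# directory server instance owner / database instance owner IDs against the
# naming rules and the "Additional restrictions" above. Function names and the
# sample values at the bottom are constructed for illustration.

# ids_check_name NAME
# Exit 0 when NAME satisfies the naming rules; otherwise print the reason on
# stderr and exit 1. Assumption: reserved names and prefixes are compared
# case-insensitively (the conservative reading of the list in the guide).
ids_check_name() {
    name=$1
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')

    if [ -z "$name" ] || [ ${#name} -gt 8 ]; then
        echo "$name: must be 1 to 8 characters" >&2; return 1
    fi
    case $upper in
        USERS|ADMINS|GUESTS|PUBLIC|LOCAL|IDSLDAP)
            echo "$name: reserved name" >&2; return 1 ;;
        IBM*|SQL*|SYS*)
            echo "$name: cannot begin with IBM, SQL or SYS" >&2; return 1 ;;
    esac
    case $name in
        [!A-Za-z]*)
            echo "$name: must begin with a letter" >&2; return 1 ;;
        *[!A-Za-z0-9]*)
            echo "$name: only A-Z, a-z and 0-9 are allowed" >&2; return 1 ;;
    esac
    return 0
}

# ids_in_group GROUP_RECORD USER
# GROUP_RECORD is one /etc/group line (for example the idsldap group record).
# Exit 0 when USER is listed as a member of that group.
ids_in_group() {
    members=$(printf '%s' "$1" | cut -d: -f4)
    case ",$members," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# ids_check_home MODE OWNER GROUP INSTANCE_OWNER PRIMARY_GROUP
# MODE is the octal mode of the home directory (e.g. 770 or 2770), OWNER/GROUP
# its current ownership. Exit 0 when the directory is owned by the instance
# owner and its primary group and both have read, write and execute permission.
ids_check_home() {
    mode=$1 owner=$2 group=$3 inst_owner=$4 inst_group=$5
    [ "$owner" = "$inst_owner" ] || { echo "home must be owned by $inst_owner" >&2; return 1; }
    [ "$group" = "$inst_group" ] || { echo "home group must be $inst_group" >&2; return 1; }
    case $mode in
        77[0-7]|[0-7]77[0-7]) return 0 ;;
        *) echo "home mode $mode: owner and primary group need rwx" >&2; return 1 ;;
    esac
}

# Demonstration on constructed values (no system lookups, so it runs anywhere).
for candidate in idsinst JoeSmith db2inst1 USERS sysadm 1abc toolongname user.name; do
    if ids_check_name "$candidate"; then
        echo "$candidate: name OK"
    fi
done
if ids_in_group "idsldap:x:1001:root,idsinst,db2inst1" root; then
    echo "root is a member of idsldap"
fi
if ids_check_home 770 idsinst idsgrp idsinst idsgrp; then
    echo "/home/idsinst: ownership and permissions OK"
fi
```

On a real system, feed ids_in_group the idsldap record from your platform's group lookup and ids_check_home the mode and ownership reported for the instance owner's home directory; the functions return non-zero with a one-line reason on stderr, so they can gate an unattended installation script.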

License terms for Tivoli Directory Server

Tivoli Access Manager provides a limited-use license for Tivoli Directory Server. The license provides support for Tivoli Directory Server client and the Tivoli Directory Server full server components.

Tivoli Directory Server includes additional components that are not required by Tivoli Access Manager. These optional components include the Tivoli Directory Server proxy server and Tivoli Directory Server White Pages. The limited-use license does not provide support for Tivoli Directory Server proxy server or Tivoli Directory Server White Pages.

To be entitled to support for these optional features, you must purchase a full-use license for Tivoli Directory Server. To obtain a full-use license, access the IBM Passport Advantage® Web site:
http://www.ibm.com/software/passportadvantage

On the Web site, navigate to the Tivoli Directory Server page, and follow the instructions for buying the product.


AIX: Installing IBM Tivoli Directory Server

To set up an IBM Tivoli Directory Server system on AIX using the installp utility, follow these steps.

Note: Install your registry server on a system separate from the policy server.

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform preinstallation tasks as listed in “Preinstallation requirements” on page 54 and “Preinstallation requirements for native installations” on page 59.

4. Insert the IBM Tivoli Access Manager Directory Server for AIX (1 of 2) CD and mount it.

5. Install IBM DB2.
   a. Use the db2_install utility.
      /CD1_mount_point/usr/sys/inst.images/db2/db2_install
   b. When the db2_install utility prompts for a keyword, enter ESE.
   c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
      /tmp/db2_install_log.99999
      The suffix 99999 will be replaced by a number that is unique to your installation.

6. Apply the IBM DB2 license.
   /db2_install_path/adm/db2licm -a /CD1_mount_point/common/db2ese.lic

   For example:
   /opt/IBM/db2/V9.1/adm/db2licm -a /CD1_mount_point/common/db2ese.lic

   To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
   /opt/IBM/db2/V9.1/adm/db2licm -n db2ese 101 force

   where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
   The license policy specified does not apply to this product or
   is not supported.

7. Mount the IBM Tivoli Access Manager Directory Server for AIX (2 of 2) CD.
8. Install the client packages of IBM Tivoli Directory Server. At a command prompt, enter:
   installp -acgXd cd_mount_point/usr/sys/inst.images packages

   Table 9 on page 63 lists the packages required for each client type. Install the packages for your client in the order specified. To install multiple packages, separate the package names by a blank space.


Table 9. Client packages for AIX

Client                   Packages                              Package descriptions

32-bit client (no SSL)   1. idsldap.cltbase61                  1. Base Client runtime and Base Client SDK
                         2. idsldap.clt32bit61                 2. 32-bit client (no SSL)

32-bit client (SSL)      1. idsldap.cltbase61                  1. Base Client runtime and Base Client SDK
                         2. idsldap.clt32bit61                 2. 32-bit client (no SSL)
                         3. idsldap.clt_max_crypto32bit61      3. 32-bit client (SSL)

64-bit client (no SSL)   1. idsldap.cltbase61                  1. Base Client runtime and Base Client SDK
                         2. idsldap.clt64bit61                 2. 64-bit client (no SSL)

64-bit client (SSL)      1. idsldap.cltbase61                  1. Base Client runtime and Base Client SDK
                         2. idsldap.clt64bit61                 2. 64-bit client (no SSL)
                         3. idsldap.clt_max_crypto64bit61      3. 64-bit client (SSL)

Java client              idsldap.cltjava61                     Java client required for X11 support

   Note: Full server versions require an X11 environment. For a client with no X11 requirements, install the 32-bit or 64-bit client as you would if you required an X11 environment.

9. Install the server packages of IBM Tivoli Directory Server. At a command prompt, enter:
   installp -acgXd cd_mount_point/usr/sys/inst.images packages

   Table 10 lists the packages required for each server type. Install the packages for your server in the order specified. To install multiple packages, separate the package names by a blank space.

   Notes:
   a. The 64-bit server (no SSL) is dependent on prior installation of the 64-bit client (no SSL) packages.
   b. The 64-bit server (SSL) is dependent on prior installation of the 64-bit client (SSL) packages.
   c. Both the 64-bit server (no SSL) and the 64-bit server (SSL) are dependent on prior installation of the Java client package for X11 support.

Table 10. Server packages for AIX

Server                   Packages                              Package description

64-bit Server (no SSL)   1. idsldap.srvbase64bit61             1. Base Server (no SSL)
                         2. idsldap.srv64bit61                 2. Directory Server 64-bit
                         3. idsldap.msg61.en_US                3. English messages

64-bit Server (SSL)      1. idsldap.srvbase64bit61             1. Base Server (no SSL)
                         2. idsldap.srv_max_cryptobase64bit61  2. Base Server (SSL)
                         3. idsldap.srv64bit61                 3. Directory Server 64-bit
                         4. idsldap.msg61.en_US                4. English messages


10. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package for your deployment:
       • Web Administration Tool (No SSL)
         installp -acgyYXd cd_mount_point/usr/sys/inst.images idsldap.webadmin61
       • Web Administration Tool (SSL)
         installp -acgyYXd cd_mount_point/usr/sys/inst.images idsldap.webadmin_max_crypto61 idsldap.webadmin61
    b. Install an application server such as WebSphere Application Server. See “AIX: Installing WebSphere Application Server” on page 333.
    c. Configure the Web Administration Tool into the application server. See “Installing the Web Administration Tool into WebSphere” on page 344.

11. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for AIX CD. For instructions, see “Installing language support packages for IBM Tivoli Directory Server” on page 39. To see the language versions that are available, enter the following:
    installp -ld cd_mount_point/usr/sys/inst.images | grep idsldap

    A list of installable IBM Tivoli Directory Server packages is displayed.

12. When installation is completed, the system generates an installation summary. Verify that the last column in the summary displays SUCCESS for all loaded files. You can also verify that IBM Tivoli Directory Server was installed successfully by entering the following command:
    lslpp -aL idsldap.*

    The output displayed lists all the filesets starting with idsldap. This list includes the server, client, Web Administration Tool, HTML, and message filesets. For example:

    idsldap.clt32bit61.rte                 6.1.0.6  C  F  Directory Server - 32 bit Client
    idsldap.clt64bit61.rte                 6.1.0.6  C  F  Directory Server - 64 bit Client
    idsldap.clt_max_crypto32bit61.rte      6.1.0.6  C  F  Directory Server - 32 bit Client (SSL)
    idsldap.clt_max_crypto64bit61.rte      6.1.0.6  C  F  Directory Server - 64 bit Client (SSL)
    idsldap.cltbase61.adt                  6.1.0.6  C  F  Directory Server - Base Client
    idsldap.cltbase61.rte                  6.1.0.6  C  F  Directory Server - Base Client
    idsldap.cltjava61.rte                  6.1.0.6  C  F  Directory Server - Java Client
    idsldap.msg61.en_US                    6.1.0.6  C  F  Directory Server - Messages - U.S. English (en)
    idsldap.srv64bit61.rte                 6.1.0.6  C  F  Directory Server - 64 bit Server
    idsldap.srvbase64bit61.rte             6.1.0.6  C  F  Directory Server - Base Server
    idsldap.srv_max_cryptobase64bit61.rte  6.1.0.6  C  F  Directory Server - Base Server (SSL)
    idsldap.webadmin61.rte                 6.1.0.6  C  F  Directory Server - Web Administration
    idsldap.webadmin_max_crypto61.rte      6.1.0.6  C  F  Directory Server - Web Administration (SSL)
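Checking the lslpp listing by eye is error-prone when a deployment needs seven or eight filesets installed in a particular order, so the following shell script is an added example (not from the Installation Guide and not part of IBM Tivoli Directory Server) that compares the output of lslpp -aL idsldap.* against the package lists in Table 9 and Table 10 and names any fileset that is absent. The SAMPLE_LSLPP variable is constructed sample output modelled on the listing above, with the SSL base server fileset deliberately left out; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Installation Guide: check the `lslpp -aL idsldap.*`
# listing against the package lists in Table 9 and Table 10 and report any
# fileset that has not been installed. SAMPLE_LSLPP is constructed sample
# output modelled on the listing above (one fileset deliberately left out).

SAMPLE_LSLPP='idsldap.clt64bit61.rte             6.1.0.6  C  F  Directory Server - 64 bit Client
idsldap.clt_max_crypto64bit61.rte  6.1.0.6  C  F  Directory Server - 64 bit Client (SSL)
idsldap.cltbase61.adt              6.1.0.6  C  F  Directory Server - Base Client
idsldap.cltbase61.rte              6.1.0.6  C  F  Directory Server - Base Client
idsldap.cltjava61.rte              6.1.0.6  C  F  Directory Server - Java Client
idsldap.msg61.en_US                6.1.0.6  C  F  Directory Server - Messages - U.S. English (en)
idsldap.srv64bit61.rte             6.1.0.6  C  F  Directory Server - 64 bit Server
idsldap.srvbase64bit61.rte         6.1.0.6  C  F  Directory Server - Base Server'

# Package lists copied from Table 9 and Table 10. A 64-bit SSL server needs the
# 64-bit SSL client and the Java client installed first (notes under step 9).
CLIENT64_SSL="idsldap.cltbase61 idsldap.clt64bit61 idsldap.clt_max_crypto64bit61 idsldap.cltjava61"
SERVER64_SSL="$CLIENT64_SSL idsldap.srvbase64bit61 idsldap.srv_max_cryptobase64bit61 idsldap.srv64bit61 idsldap.msg61.en_US"

# ids_missing_filesets LISTING PACKAGE...
# A package is present when some line of LISTING has a first field equal to the
# package name or starting with "<package>." (installp filesets such as .rte/.adt).
# Prints the missing package names on one line; exit 0 when nothing is missing.
ids_missing_filesets() {
    listing=$1; shift
    missing=""
    for pkg in "$@"; do
        if ! printf '%s\n' "$listing" |
             awk -v p="$pkg" '$1 == p || index($1, p ".") == 1 { f = 1 } END { exit f ? 0 : 1 }'; then
            missing="$missing $pkg"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Demonstration on the constructed listing. On a real AIX system replace
# "$SAMPLE_LSLPP" with "$(lslpp -aL 'idsldap.*')".
if missing=$(ids_missing_filesets "$SAMPLE_LSLPP" $CLIENT64_SSL); then
    echo "64-bit client (SSL): all filesets installed"
fi
if missing=$(ids_missing_filesets "$SAMPLE_LSLPP" $SERVER64_SSL); then
    echo "64-bit server (SSL): all filesets installed"
else
    echo "64-bit server (SSL): missing $missing"
fi
```

The match on the first field is deliberately exact or "name." prefixed, so a check for idsldap.srv64bit61 is not satisfied by idsldap.srvbase64bit61; the message fileset has no .rte suffix in the listing, which is why the exact-match case is needed.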

13. Install IBM Global Security Kit (GSKit).
    • When your installation has only the client packages for Tivoli Directory Server, install the 32-bit runtime package:
      installp -acgYXd cd_mount_point/usr/sys/inst.images gskta.rte
    • When your installation has both the client and server packages for Tivoli Directory Server, install the 64-bit runtime package:
      installp -acgYXd cd_mount_point/usr/sys/inst.images gsksa.rte

14. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
    • The idssupport tool
      This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
    • The idslogmgmt tool
    • Simple Network Management Protocol (SNMP)
    • Active Directory synchronization

    For more information:
    • For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
    • See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
    • See the IBM Tivoli Directory Server version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.

15. Configure the server instance using the instance administration tool, idsxinst. For instructions about configuring the server instance using the instance administration tool, idsxinst, see “Creating an instance with the Instance Administration Tool” on page 87.

16. Define the LDAP administrator distinguished name (DN) and password and then configure the database that will store the directory data. For instructions, see “Setting the administrator DN and password for a directory instance” on page 96.

17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.

18. Optionally, you can install the Tivoli Directory Server proxy server.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    To install the proxy server, enter:
    installp -acgXd cd_mount_point/usr/sys/inst.images packages

    Table 11 on page 66 lists the packages required for each proxy server type. Install the packages for your server in the order specified. To install multiple packages, separate the package names by a blank space.

Table 11. Proxy server packages for AIX

Server                        Packages                              Package description

64-bit Proxy Server (no SSL)  1. idsldap.srvbase64bit61             1. Base Server (no SSL)
                              2. idsldap.srvproxy64bit61            2. Proxy Server 64-bit
                              3. idsldap.msg61.en_US                3. English messages

64-bit Proxy Server (SSL)     1. idsldap.srvbase64bit61             1. Base Server (no SSL)
                              2. idsldap.srv_max_cryptobase64bit61  2. Base Server (SSL)
                              3. idsldap.srvproxy64bit61            3. Proxy Server 64-bit
                              4. idsldap.msg61.en_US                4. English messages

    After you install the Tivoli Directory Server proxy server, see Chapter 25, “Setting up a Tivoli Directory Server proxy environment,” on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.

19. Optionally, you can install the Tivoli Directory Server White Pages.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.


HP-UX: Installing IBM Tivoli Directory Server

To set up an IBM Tivoli Directory Server system on HP-UX or HP-UX on Integrity, follow these steps.

Note: Install your registry server on a system separate from the policy server.

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform preinstallation tasks as listed in “Preinstallation requirements” on page 54.
4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Directory Server for HP-UX (1 of 2)
   • IBM Tivoli Access Manager Directory Server for HP-UX on Integrity (1 of 2)
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

6. Install IBM DB2.
   a. Use the db2_install utility.
      • For HP-UX:
        /cd-rom_mount-point/hp/db2/db2_install
      • For HP-UX on Integrity:
        /cd-rom_mount-point/hp_ia64/db2/db2_install
   b. When the db2_install utility prompts for a keyword, enter ESE.
   c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
      /tmp/db2_install_log.99999
      The suffix 99999 will be replaced by a number that is unique to your installation.

7. Apply the IBM DB2 license.
   /db2_install_path/adm/db2licm -a /CD1_mount_point/common/db2ese.lic

   For example:
   /opt/IBM/db2/V9.1/adm/db2licm -a /CD1_mount_point/common/db2ese.lic

   To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
   /opt/IBM/db2/V9.1/adm/db2licm -n db2ese 101 force

   where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
   The license policy specified does not apply to this product or
   is not supported.

8. Insert and mount the CD for your platform:
   • IBM Tivoli Access Manager Directory Server for HP-UX (2 of 2)
   • IBM Tivoli Access Manager Directory Server for HP-UX on Integrity (2 of 2)

9. Install the client packages of IBM Tivoli Directory Server.
   • HP-UX
     swinstall -s /cd_mount_point/hp packages
   • HP-UX on Integrity
     swinstall -s /cd_mount_point/hp_ia64 packages

   Table 12 lists the packages required for each client type. Install the packages for your client in the order specified.

   Notes:
   a. The package names are the same for both HP-UX and HP-UX on Integrity.
   b. If you plan to install either the IBM Tivoli Directory Server full server or proxy server, you must install the 64-bit client package.

Table 12. Client packages for HP-UX

Client type     Packages                  Package descriptions

32-bit client   1. idsldap-cltbase61      1. Base Client
                2. idsldap-clt32bit61     2. 32-bit Client
                3. idsldap-cltjava61      3. Java Client

64-bit client   1. idsldap-cltbase61      1. Base Client
                2. idsldap-clt64bit61     2. 64-bit Client
                3. idsldap-cltjava61      3. Java Client

10. Install the server packages of IBM Tivoli Directory Server.
    • HP-UX
      swinstall -s /cd_mount_point/hp packages
    • HP-UX on Integrity
      swinstall -s /cd_mount_point/hp_ia64 packages

    Table 13 lists the packages required for the server. Install the packages in the order specified.

    Notes:
    a. The package names are the same for both HP-UX and HP-UX on Integrity.
    b. The IBM Tivoli Directory Server full server is dependent on prior installation of the 64-bit client package.

Table 13. Server packages for HP-UX

Server type     Packages                    Package descriptions

Full server     1. idsldap-srvbase64bit61   1. Base server
                2. idsldap-srv64bit61       2. Full server
                3. idsldap-msg61en          3. Messages U.S. English

11. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package:
       • For HP-UX
         swinstall -s /cd_mount_point/hp idsldap-webadmin61
       • For HP-UX on Integrity
         swinstall -s /cd_mount_point/hp_ia64 idsldap-webadmin61
    b. Install an application server such as WebSphere Application Server. See “HP-UX: Installing WebSphere Application Server” on page 334.
    c. Configure the Web Administration Tool into the application server. See “Installing the Web Administration Tool into WebSphere” on page 344.

12. Install IBM Global Security Kit (GSKit) for your platform.
    • HP-UX 32-bit
      swinstall -s /cd_mount_point/hp gsk7bas
    • HP-UX 64-bit
      swinstall -s /cd_mount_point/hp gsk7bas64
    • HP-UX on Integrity 32-bit
      swinstall -s /cd_mount_point/hp_ia64 gsk7bas32
    • HP-UX on Integrity 64-bit
      swinstall -s /cd_mount_point/hp_ia64 gsk7bas64

13. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for HP-UX or IBM Tivoli Access Manager Language Support for HP-UX on Integrity CD.

14. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
    • The idssupport tool
      This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
    • The idslogmgmt tool
    • Simple Network Management Protocol (SNMP)
    • Active Directory synchronization

    For more information:
    • For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
    • See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
    • See the IBM Tivoli Directory Server version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.

15. You might need to update kernel parameters in the /etc/system file before you use the database. A utility called db2osconf is provided with some versions of DB2 for HP-UX. The db2osconf utility determines the correct kernel settings for your computer. The command for configuring kernel parameters varies by operating system, hardware, and DB2 version. For more information, see the DB2 documentation. You can also search DB2 technotes for additional information.

16. Configure the server instance using the instance administration tool, idsxinst. For instructions, see “Creating an instance with the Instance Administration Tool” on page 87. For detailed information, see the IBM Tivoli Directory Server Installation and Configuration Guide.

17. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “Setting the administrator DN and password for a directory instance” on page 96.

18. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.

19. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
    a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 315.
    b. Enable SSL with a supported registry server. For instructions, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.

    Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

20. Optionally, you can install the Tivoli Directory Server proxy server.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    To install the proxy server, enter:
    • HP-UX
      swinstall -s /cd_mount_point/hp packages
    • HP-UX on Integrity
      swinstall -s /cd_mount_point/hp_ia64 packages

    Table 14 lists the packages required for the server. Install the packages in the order specified.

    Notes:
    a. The package names are the same for both HP-UX and HP-UX on Integrity.
    b. The IBM Tivoli Directory Server proxy server is dependent on prior installation of the 64-bit client package.

Table 14. Proxy server packages for HP-UX

Server type     Packages                      Package descriptions

Proxy server    1. idsldap-srvbase64bit61     1. Base server
                2. idsldap-srvproxy64bit61    2. Proxy server
                3. idsldap-msg61en            3. Messages U.S. English

    After you install the Tivoli Directory Server proxy server, see Chapter 25, “Setting up a Tivoli Directory Server proxy environment,” on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.

21. Optionally, you can install the Tivoli Directory Server White Pages.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.


Linux: Installing IBM Tivoli Directory Server

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.

To install the IBM Tivoli Directory Server on a supported Linux system, follow these steps.

Note: Install your registry server on a system separate from the policy server.

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 54.
4. Insert and mount the CD for your platform:
   • IBM Tivoli Access Manager Directory Server for Linux on x86 (1 of 2)
   • IBM Tivoli Access Manager Directory Server for Linux on System z (1 of 2)
   • IBM Tivoli Access Manager Directory Server for Linux on POWER (1 of 2)

5. Install IBM DB2.a. Use the db2_install utility for your platform.

For example, when /mnt/cdrom is the mount point for your CD:v Linux on x86

/mnt/cdrom/linux_i386/db2/db2_install

v Linux on System z/mnt/cdrom/linux_s390/db2/db2_install

v Linux on POWER/mnt/cdrom/linux_ppc/db2/db2_install

b. When the db2_install utility prompts for a keyword, enter ESE.c. When the installation completes, verify that the installation was successful

by reviewing the contents of the log file:/tmp/db2_install_log.99999

The suffix 99999 will be replaced by a number that is unique to yourinstallation.

6. Apply the IBM DB2 license./db2_install_path/adm/db2licm -a /CD1_mount_point/common/db2ese.lic

For example:/opt/IBM/db2/V9.1/adm/db2licm -a /CD1_mount_point/common/db2ese.lic

To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 hasspecial licensing that is based on the number of processors that will be used.In some cases, it might be necessary to run the DB2 command to force thelicensing to allow multiple processors; for example:/opt/IBM/db2/V9.1/adm/db2licm -n db2ese 101 force

where 101 is the default number of processors. If no number is specified, thelicense applies only for a single processor. If running this command producesthe following error, you an safely ignore it:


     The license policy specified does not apply to this product or is not supported.

7. Insert and mount the CD for your platform:
   • IBM Tivoli Access Manager Directory Server for Linux on x86 (2 of 2)
   • IBM Tivoli Access Manager Directory Server for Linux on System z (2 of 2)
   • IBM Tivoli Access Manager Directory Server for Linux on POWER (2 of 2)

8. Install the client packages of IBM Tivoli Directory Server for your deployment.
     rpm -ihv packages
   Table 15 lists the packages required for each client type. Install the packages for your client in the order specified.

   Note: On System z and POWER, when you intend to also install the server, install the 64-bit client because the server is 64-bit.

Table 15. Client packages for Linux platforms (packages, in installation order, with their descriptions)

Linux on x86, 32-bit client:
  1. idsldap-cltbase61-6.1.0-6.i386.rpm (base client)
  2. idsldap-clt32bit61-6.1.0-6.i386.rpm (32-bit client)
  3. idsldap-cltjava61-6.1.0-6.i386.rpm (Java client)

Linux on System z, 32-bit client:
  1. idsldap-cltbase61-6.1.0-6.s390.rpm (base client)
  2. idsldap-clt32bit61-6.1.0-6.s390.rpm (32-bit client)
  3. idsldap-cltjava61-6.1.0-6.s390.rpm (Java client)

Linux on System z, 64-bit client:
  1. idsldap-cltbase61-6.1.0-6.s390.rpm (base client)
  2. idsldap-clt64bit61-6.1.0-6.s390x.rpm (64-bit client)
  3. idsldap-cltjava61-6.1.0-6.s390.rpm (Java client)

Linux on POWER, 32-bit client:
  1. idsldap-cltbase61-6.1.0-6.ppc.rpm (base client)
  2. idsldap-clt32bit61-6.1.0-6.ppc.rpm (32-bit client)
  3. idsldap-cltjava61-6.1.0-6.ppc.rpm (Java client)

Linux on POWER, 64-bit client:
  1. idsldap-cltbase61-6.1.0-6.ppc.rpm (base client)
  2. idsldap-clt64bit61-6.1.0-6.ppc.rpm (64-bit client)
  3. idsldap-cltjava61-6.1.0-6.ppc.rpm (Java client)

9. Install the server packages of IBM Tivoli Directory Server for your deployment.
     rpm -ihv packages
   Table 16 on page 74 lists the packages required for each server type. Install the packages for your server in the order specified.

   Notes:
   a. The Linux on x86 server is dependent on prior installation of the Linux on x86 32-bit client.
   b. The Linux on System z server is dependent on prior installation of the Linux on System z 64-bit client.
   c. The Linux on POWER server is dependent on prior installation of the Linux on POWER 64-bit client.


Table 16. Server packages for Linux platforms (packages, in installation order, with their descriptions)

Linux on x86:
  1. idsldap-srvbase32bit61-6.1.0-6.i386.rpm (base server)
  2. idsldap-srv32bit61-6.1.0-6.i386.rpm (32-bit server)
  3. idsldap-msg61-en-6.1.0-6.i386.rpm (English messages)

Linux on System z:
  1. idsldap-srvbase64bit61-6.1.0-6.s390x.rpm (base server)
  2. idsldap-srv64bit61-6.1.0-6.s390x.rpm (64-bit server)
  3. idsldap-msg61-en-6.1.0-6.s390.rpm (English messages)

Linux on POWER:
  1. idsldap-srvbase64bit61-6.1.0-6.ppc64.rpm (base server)
  2. idsldap-srv64bit61-6.1.0-6.ppc64.rpm (64-bit server)
  3. idsldap-msg61-en-6.1.0-6.ppc.rpm (English messages)

10. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package for your deployment.
       • Linux on x86
         rpm -ihv idsldap-webadmin61-6.1.0-6.i386.rpm
       • Linux on System z
         rpm -ihv idsldap-webadmin61-6.1.0-6.s390.rpm
       • Linux on POWER
         rpm -ihv idsldap-webadmin61-6.1.0-6.ppc.rpm
    b. Install an application server such as WebSphere Application Server. See “Linux: Installing WebSphere Application Server” on page 335.
    c. Configure the Web Administration Tool into the application server. See “Installing the Web Administration Tool into WebSphere” on page 344.

11. Upgrade the IBM Global Security Kit (GSKit) package for your platform.
    • Linux on x86
      rpm -Uhv gsk7bas-7.0-4.11.i386.rpm
    • Linux on System z, 64-bit
      rpm -Uhv gsk7bas64-7.0-4.11.s390x.rpm
      and
      rpm -Uhv gsk7bas-7.0-4.11.s390.rpm
    • Linux on POWER, 32-bit
      rpm -Uhv gsk7bas-7.0-4.11.ppc32.rpm
    • Linux on POWER, 64-bit
      rpm -Uhv gsk7bas64-7.0-4.11.ppc64.rpm
      and
      rpm -Uhv gsk7bas-7.0-4.11.ppc32.rpm

12. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the CD for your platform:
    • IBM Tivoli Access Manager Language Support for Linux on x86
    • IBM Tivoli Access Manager Language Support for Linux on System z
    • IBM Tivoli Access Manager Language Support for Linux on POWER


    For instructions, see “Installing language support packages for IBM Tivoli Directory Server” on page 39.

13. Verify that the packages have been installed correctly:
      rpm -qa | grep idsldap
    If the product has been successfully installed, the following is displayed:
    • For the 32-bit client on x86:
      idsldap-cltbase61-6.1.0-6
      idsldap-clt32bit61-6.1.0-6
      idsldap-cltjava61-6.1.0-6
    • For the 64-bit client on System z or POWER:
      idsldap-cltbase61-6.1.0-6
      idsldap-clt64bit61-6.1.0-6
      idsldap-cltjava61-6.1.0-6
    • For the 32-bit full server on x86:
      idsldap-cltbase61-6.1.0-6
      idsldap-clt32bit61-6.1.0-6
      idsldap-cltjava61-6.1.0-6
      idsldap-srvbase32bit61-6.1.0-6
      idsldap-srv32bit61-6.1.0-6
    • For the 64-bit full server on System z or POWER:
      idsldap-cltbase61-6.1.0-6
      idsldap-clt64bit61-6.1.0-6
      idsldap-cltjava61-6.1.0-6
      idsldap-srvbase64bit61-6.1.0-6
      idsldap-srv64bit61-6.1.0-6

14. Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
    • The idssupport tool
      This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
    • The idslogmgmt tool
    • Simple Network Management Protocol (SNMP)
    • Active Directory synchronization
    For more information:
    • For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
    • See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
    • See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.

15. Configure the server instance using the instance administration tool, idsxinst. For instructions, see “Creating an instance with the Instance Administration Tool” on page 87. For detailed information, see the IBM Tivoli Directory Server Installation and Configuration Guide.

16. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “Configuring a directory server instance for IBM Tivoli Directory Server” on page 87.


17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.

18. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
    a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 315.
    b. Enable SSL with a supported registry server. For instructions, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.

    Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

19. Optionally, you can install the Tivoli Directory Server proxy server.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    To install the proxy server for your deployment, enter:
      rpm -ihv packages
    Table 17 lists the packages required for each proxy server type. Install the packages for your server in the order specified.

    Notes:
    a. The Linux on System z proxy server is dependent on prior installation of the Linux on System z 64-bit client.
    b. The Linux on POWER proxy server is dependent on prior installation of the Linux on POWER 64-bit client.

Table 17. Proxy server packages for Linux platforms (packages, in installation order, with their descriptions)

Linux on x86:
  1. idsldap-srvbase32bit61-6.1.0-6.i386.rpm (base server)
  2. idsldap-srvproxy32bit61-6.1.0-6.i386.rpm (32-bit proxy server)
  3. idsldap-msg61.en-6.1.0-6.i386.rpm (English messages)

Linux on System z:
  1. idsldap-srvbase64bit61-6.1.0-6.s390x.rpm (base server)
  2. idsldap-srvproxy64bit61-6.1.0-6.s390x.rpm (64-bit proxy server)
  3. idsldap-msg61.en-6.1.0-6.s390.rpm (English messages)

Linux on POWER:
  1. idsldap-srvbase64bit61-6.1.0-6.ppc64.rpm (base server)
  2. idsldap-srvproxy64bit61-6.1.0-6.ppc64.rpm (64-bit proxy server)
  3. idsldap-msg61.en-6.1.0-6.ppc.rpm (English messages)

    After you install the Tivoli Directory Server proxy server, see Chapter 25, “Setting up a Tivoli Directory Server proxy environment,” on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.

20. Optionally, you can install the Tivoli Directory Server White Pages.


    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.


Solaris: Installing IBM Tivoli Directory Server

To set up an IBM Tivoli Directory Server system on Solaris using the pkgadd utility, follow these steps.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

Note: Install your registry server on a system separate from the policy server.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform preinstallation tasks as listed in “Preinstallation requirements” on page 54.

4. Mount the CD for your operating system:
   • IBM Tivoli Access Manager Directory Server for Solaris (1 of 2)
   • IBM Tivoli Access Manager Directory Server for Solaris on x86_64 (1 of 2)

5. Install IBM DB2.
   a. Use the db2_install utility. Run the script from the directory for your platform, where /cdrom/cdrom0 is the mount point for your CD:
      • Solaris
        /cdrom/cdrom0/solaris/db2/db2_install
      • Solaris on x86_64
        /cdrom/cdrom0/solaris_x86/db2/db2_install
   b. When the db2_install utility prompts for a keyword, enter ESE.
   c. When the installation completes, verify that the installation was successful by reviewing the contents of the log file:
        /tmp/db2_install_log.99999
      The suffix 99999 will be replaced by a number that is unique to your installation.

6. Mount the next CD for your operating system:
   • IBM Tivoli Access Manager Directory Server for Solaris (2 of 2)
   • IBM Tivoli Access Manager Directory Server for Solaris on x86_64 (2 of 2)

7. Apply the IBM DB2 license.
     /db2_install_path/adm/db2licm -a /CD2_mount_point/common/db2ese.lic
   For example:
     /opt/ibm/db2/V9.1/adm/db2licm -a /CD2_mount_point/common/db2ese.lic
   To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors; for example:
     /opt/ibm/db2/V9.1/adm/db2licm -n db2ese 101 force
   where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:


     The license policy specified does not apply to this product or is not supported.

8. Install the client packages of IBM Tivoli Directory Server for your platform:
   • Solaris
     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
   • Solaris on x86_64
     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
   Table 18 lists the packages required for each client type. Install the packages for your client in the order specified.

   Notes:
   a. The package names are the same for both the Solaris and Solaris on x86 operating systems.
   b. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory.
   c. When you install client or server packages, the system might prompt you with the following query:
        This package contains scripts which will be executed with super-user permission during the process of installing the package. Continue with installation?
      Type y to continue. These scripts create the Tivoli Directory Server user ID.

Table 18. Client packages for Solaris (packages, in installation order, with their descriptions)

32-bit client:
  1. IDSlbc61 (base client)
  2. IDSl32c61 (32-bit client)
  3. IDSljc61 (Java client)

64-bit client:
  1. IDSlbc61 (base client)
  2. IDSl64c61 (64-bit client)
  3. IDSljc61 (Java client)

9. Install the server packages of IBM Tivoli Directory Server for your platform:
   • Solaris
     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
   • Solaris on x86_64
     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
   Table 19 on page 80 lists the server packages. Install the packages in the order specified.

   Notes:
   a. The package names are the same for both Solaris platforms.
   b. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory.
   c. When you install client or server packages, the system might prompt you with the following query:
        This package contains scripts which will be executed with super-user permission during the process of installing the package. Continue with installation?
      Type y to continue. These scripts create the Tivoli Directory Server user ID.


   d. If you are installing a server package, you might also see the following prompt:
        Do you want to install these as setuid and/or setgid files?
      The programs need to be able to start daemons, run DB2 commands, and create the IBM Tivoli Directory Server DB2 instance user ID and group, so they occasionally need to run as root. Type y to continue.

Table 19. Server packages for Solaris (packages, in installation order, with their descriptions)

64-bit server:
  1. IDSlbs61 (base server)
  2. IDSl64s61 (64-bit server)
  3. IDSlen61 (English messages)

10. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. You must also install an application server. Complete the following steps:
    a. Install the Web Administration Tool package for your deployment.
       • Solaris
         pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlweb61
       • Solaris on x86_64
         pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault IDSlweb61
    b. Install an application server such as WebSphere Application Server. See “Solaris: Installing WebSphere Application Server” on page 336.
    c. Configure the Web Administration Tool into the application server. See “Installing the Web Administration Tool into WebSphere” on page 344.

11. Install IBM Global Security Kit (GSKit). Specify the package for your environment:
    • Solaris 32-bit
      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas
    • Solaris 64-bit
      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas64
    • Solaris on x86_64 32-bit
      pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas
    • Solaris on x86_64 64-bit
      pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas64

    Note: After you install GSKit, no configuration is necessary.

12. English messages are automatically installed with the IBM Tivoli Directory Server package. If you require a different language version of the message files and documentation, install them from the IBM Tivoli Access Manager Language Support for Solaris CD. For instructions, see “Installing language support packages for IBM Tivoli Directory Server” on page 39.

13. Install IBM Tivoli Directory Integrator, if required for your deployment.


    IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:
    • The idssupport tool
      This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.
    • The idslogmgmt tool
    • Simple Network Management Protocol (SNMP)
    • Active Directory synchronization
    For more information:
    • For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.
    • See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.
    • See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.

14. After you install, you might need to update kernel parameters in the /etc/system file before you use the database. A utility called db2osconf is provided with some versions of DB2 for Solaris. The db2osconf utility determines the correct kernel settings for your computer. The command for configuring kernel parameters varies by operating system, hardware, and DB2 version. For more information, see the DB2 documentation. You can also search DB2 technotes for additional information.

15. Configure the server instance using the instance administration tool, idsxinst. For instructions, see “Creating an instance with the Instance Administration Tool” on page 87. For detailed information, see the IBM Tivoli Directory Server Installation and Configuration Guide.

16. Define the LDAP administrator DN and password and then configure the database that will store the directory data. For instructions, see “Configuring a directory server instance for IBM Tivoli Directory Server” on page 87.

17. After completion of IBM Tivoli Directory Server installation, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.

18. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:
    a. Set up the iKeyman utility. For instructions, see “Setting up the GSKit iKeyman utility” on page 315.
    b. Enable SSL with a supported registry server. For instructions, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.

    Note: For more information about using the iKeyman utility, see the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

19. Optionally, you can install the Tivoli Directory Server proxy server.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    To install the proxy server packages for your platform:


    • Solaris
      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
    • Solaris on x86_64
      pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
    Table 20 lists the server packages. Install the packages in the order specified.

    Notes:
    a. The package names are the same for both Solaris platforms.
    b. The proxy server requires the 64-bit client package.

Table 20. Proxy server packages for Solaris (packages, in installation order, with their descriptions)

64-bit proxy server:
  1. IDSlbs61 (base server)
  2. IDSl64p61 (proxy server)
  3. IDSlen61 (English messages)

    After you install the Tivoli Directory Server proxy server, see Chapter 25, “Setting up a Tivoli Directory Server proxy environment,” on page 535 for an example scenario of the steps needed to set up a Tivoli Directory Server proxy environment when using Tivoli Access Manager.

20. Optionally, you can install the Tivoli Directory Server White Pages.

    Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

    For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.
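Before moving on to the policy server, it is worth checking the installed package set against Tables 15 to 20 rather than eyeballing the listing from step 13 of the Linux procedure, because a server whose prerequisite client is the wrong width (the 32-bit client on System z or POWER, see the note at step 8) is the kind of partial install that only shows up later. The script below is an added example and is not code from the IBM guide; it assumes the listing comes from rpm -qa | grep idsldap on Linux or from the second column of pkginfo on Solaris, covers the client, server and Solaris proxy package sets from the tables, and uses constructed sample listings.

```shell
#!/bin/sh
# Added example (not from the IBM guide): check the installed IBM Tivoli
# Directory Server 6.1 packages against Tables 15 to 20. Input is the
# listing step 13 of the Linux procedure has you review (rpm -qa | grep
# idsldap) or, on Solaris, the package names from pkginfo. Package names
# and the 6.1.0-6 level come from the guide; the sample listings at the
# end are constructed for this example.

# Expected package set per deployment type (Tables 15-20). Server types
# include the client packages because the guide's notes make every server
# depend on the matching client being installed first.
expected_packages() {
    case "$1" in
        linux-x86-server)
            echo "idsldap-cltbase61-6.1.0-6 idsldap-clt32bit61-6.1.0-6 idsldap-cltjava61-6.1.0-6 idsldap-srvbase32bit61-6.1.0-6 idsldap-srv32bit61-6.1.0-6 idsldap-msg61-en-6.1.0-6" ;;
        linux-64bit-server)   # System z or POWER; needs the 64-bit client
            echo "idsldap-cltbase61-6.1.0-6 idsldap-clt64bit61-6.1.0-6 idsldap-cltjava61-6.1.0-6 idsldap-srvbase64bit61-6.1.0-6 idsldap-srv64bit61-6.1.0-6 idsldap-msg61-en-6.1.0-6" ;;
        solaris-64bit-server)
            echo "IDSlbc61 IDSl64c61 IDSljc61 IDSlbs61 IDSl64s61 IDSlen61" ;;
        solaris-64bit-proxy)
            echo "IDSlbc61 IDSl64c61 IDSljc61 IDSlbs61 IDSl64p61 IDSlen61" ;;
        *) return 1 ;;
    esac
}

# Read a package listing (one name per line) on stdin and compare it with
# the expected set for deployment type $1. Prints "MISSING <pkg>" for each
# required package that is absent, "EXTRA <pkg>" for any other idsldap/IDSl
# package (e.g. the 32-bit client where the server needs the 64-bit one)
# and "OK" for an exact match. Exit status: 0 exact match, 1 otherwise,
# 2 for an unknown deployment type.
check_tds_packages() {
    deploy="$1"
    expected=$(expected_packages "$deploy") || {
        echo "unknown deployment type: $deploy" >&2
        return 2
    }
    # Some rpm configurations append ".arch" to rpm -qa output; strip it so
    # names match the form the guide shows in step 13.
    installed=$(sed -e 's/\.i386$//' -e 's/\.s390x$//' -e 's/\.s390$//' \
                    -e 's/\.ppc64$//' -e 's/\.ppc$//')
    problems=0
    for pkg in $expected; do
        if ! printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            echo "MISSING $pkg"
            problems=$((problems + 1))
        fi
    done
    for pkg in $installed; do
        case "$pkg" in
            idsldap-*|IDSl*)
                if ! printf ' %s ' "$expected" | grep -qF -- " $pkg "; then
                    echo "EXTRA $pkg"
                    problems=$((problems + 1))
                fi ;;
        esac
    done
    if [ "$problems" -eq 0 ]; then
        echo "OK"
        return 0
    fi
    return 1
}

# Constructed sample: complete 32-bit full server on x86 (the step 13
# listing plus the English messages package from Table 16).
SAMPLE_X86_SERVER="idsldap-cltbase61-6.1.0-6
idsldap-clt32bit61-6.1.0-6
idsldap-cltjava61-6.1.0-6
idsldap-srvbase32bit61-6.1.0-6
idsldap-srv32bit61-6.1.0-6
idsldap-msg61-en-6.1.0-6"

# Constructed sample: POWER host where the 32-bit client was installed
# instead of the 64-bit one, so the 64-bit server rpm never went on.
SAMPLE_POWER_BROKEN="idsldap-cltbase61-6.1.0-6.ppc
idsldap-clt32bit61-6.1.0-6.ppc
idsldap-cltjava61-6.1.0-6.ppc
idsldap-srvbase64bit61-6.1.0-6.ppc64
idsldap-msg61-en-6.1.0-6.ppc"

# Constructed sample: Solaris proxy server; unrelated packages are ignored.
SAMPLE_SOLARIS_PROXY="IDSlbc61
IDSl64c61
IDSljc61
IDSlbs61
IDSl64p61
IDSlen61
gsk7bas64"

# On a real host pipe the live listing instead, for example
#   rpm -qa | grep idsldap | check_tds_packages linux-64bit-server
#   pkginfo | awk '{print $2}' | check_tds_packages solaris-64bit-proxy
# (assumes the package instance name is pkginfo's second column).
printf '%s\n' "$SAMPLE_X86_SERVER" | check_tds_packages linux-x86-server
printf '%s\n' "$SAMPLE_POWER_BROKEN" | check_tds_packages linux-64bit-server || true
```

A non-zero exit status from check_tds_packages is a reason to go back to steps 8 and 9 before configuring the instance in step 15.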


Windows: Installing IBM Tivoli Directory Server

To install the IBM Tivoli Directory Server on Windows 2003, follow these steps.

Note: Install your registry server on a system separate from the policy server.

1. Log on as any member of the Administrators group. (You are not required to log on with the user ID that you created for the DB2 database owner.)

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Stop any programs that are running and close all windows. If you have open windows, the initial installation window might be hidden behind other windows.

4. Insert the IBM Tivoli Access Manager Directory Server for Windows (2 of 3) CD.

5. Change directory to:
     <CD-drive>:windows\tds

6. Double-click the install_tds.bat icon.
   If you prefer, you can use the command line to begin installation and specify a temporary directory other than the one specified by the TEMP environment variable. To use this option, go to:
     <CD-drive>:windows\tds
   and type the following at a command prompt:
     install_tds.bat -is:tempdir directory
   where directory is the directory you want to use for temporary space. Be sure that you have at least 255 MB of free space in this directory. If you are installing any of the corequisite products (WebSphere Application Server, or DB2) be sure that you also have 150 MB in the directory specified by the TEMP environment variable. For example:
     install_tds.bat -is:tempdir "c:\My Documents\temp"
   The language window is displayed.

   Note: If the installation program exits without displaying the language window, it might be because there is not enough space in the directory specified by the TEMP environment variable or the directory you specified for temporary space. Be sure that you have at least 255 MB of free space in this directory.

7. Select the language you want to use during the installation. Click OK.

8. On the Welcome window, click Next.

9. After reading the Software license agreement, select I accept both the IBM and the non-IBM terms. Click Next.

10. If you have any components already installed, they are displayed with their corresponding version levels. Click Next.

11. To install in the default directory, click Next. You can specify a different directory by clicking Browse or typing the directory path you want. The directory will be created if it does not exist. (The default installation directory is C:\Program Files\IBM\LDAP\V6.1.)


    Notes:
    a. If you have already installed one or more language packs, the installation location is set to the path where you installed the language packs, and you are not asked where you want to install.
    b. Be sure that the installation location is not the same as the path where another version of the client is installed.
    c. Do not use special characters, such as hyphen (-) and period (.), in the name of the installation directory. For example, use ldapdir rather than ldap-dir or ldap.dir.

12. Click Custom and then click Next.

13. A window showing the following components for installation is displayed:

    Attention: Do not select Tivoli Directory Integrator. See step 24 on page 86 for instructions on how to install Tivoli Directory Integrator.

    • Tivoli Global Security Kit
    • DB2 V9.1
    • Embedded WebSphere Application Server
    • C Client 6.1
    • Java Client 6.1
    • Web Administration Tool 6.1
    • Proxy Server 6.1
    • Server 6.1
    This window also indicates the amount of disk space required and available on the selected drive. Be sure the components you want to install are selected, and click Next.

14. If you selected the Web Administration Tool:
    • When the Web Administration Tool is installed, a Web application server is required to run the tool, and Embedded WebSphere Application Server 6.1.0.7 is installed and configured for you. If you want to use another WebSphere application server, you must select a Web application server. When Embedded WebSphere Application Server is installed and an application (such as the Web Administration tool) is installed into Embedded WebSphere Application Server, the Embedded WebSphere Application Server server for that application is also installed as a service.
    • The Web Administration Tool 6.1 requires a Web application server. If you selected Web Administration Tool 6.1, but you did not select Embedded WebSphere Application Server, a window is displayed asking you to specify a Web application server into which to deploy the application. You can do one of the following:
      – Click Detected WebSphere Application Servers and then select a WebSphere Application Server that is installed on the system and detected by the InstallShield GUI installation program. The application will be deployed into this version of WebSphere Application Server.
      – Click Custom location of WebSphere Application Server to specify a path to a version of WebSphere Application Server in a different location. The application will be deployed into this version of WebSphere Application Server.
      – Click Do not specify. I will manually deploy at a later time. You must deploy the application into a WebSphere Application Server before you can use the application.


15. If you selected Server 6.1 but not DB2 V9.1 and there are multiple versions of DB2 (such as versions 8 and 9) on the system, you are asked to select the version of DB2 you want to use with Tivoli Directory Server 6.1.

16. If you selected DB2 V9.1, a window is displayed prompting you to enter a Windows user ID and password for the DB2 system ID. On the window:
    a. Type the user ID. This user ID must not be the user ID you intend to use as the owner of the directory server instance. If you are not using an existing user ID, DB2 creates the user ID you specify with the password you type. This is the preferred method. If you are using an existing Windows user ID, it must be a member of the Administrators group.
    b. Type the password, and then type the password again for verification. (If you are using an existing Windows user ID, be sure that your password is correct. Otherwise, DB2 does not install correctly.)
    c. Click Next.

    Note: DB2 installs a version of GSKit that is a lower version than the version required by Tivoli Directory Server. DB2 installs the lower-level version of GSKit to the default location. Tivoli Directory Server installs the required level of GSKit over the DB2-installed GSKit in the default location. If you want to install GSKit somewhere besides the default location, you must install GSKit manually to the desired location before installing DB2.

17. If you selected Proxy Server 6.1, you must obtain an additional license in order to use this feature. See “License terms for Tivoli Directory Server” on page 61.

18. The installation program now has enough information to begin installing. A summary window displays the components you selected and the locations where the selected components will be installed. Click Back to change any of your selections. Click Install to begin installation. If you are installing from CDs, you are prompted to insert different CDs during the installation. Be sure to follow the instructions carefully and insert the correct CDs.

    Note: After installation has begun, do not try to cancel the installation. If you inadvertently cancel the installation, see the information about recovering from a failed installation in the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide before you attempt to reinstall.

19. If you are asked if you want to restart your computer now or later, select the option you want and click Finish.
    • You might need to restart your system to complete the Tivoli Directory Server installation. If your computer is restarted, log in using the same user ID that you used to install Tivoli Directory Server.
    • If you installed DB2, the DB2 First Steps GUI might be started. You can go through the DB2 First Steps or close this GUI.

20. After completion of IBM Tivoli Directory Server configuration, you must configure IBM Tivoli Directory Server for use with Tivoli Access Manager. For instructions, see page 100.

21. Use the IBM Global Security Kit (GSKit) iKeyman utility to enable SSL communication between your supported registry server and IBM Tivoli Directory Server clients. To do so, follow these steps:


a. Set up the iKeyman utility. For instructions, see “Setting up the GSKitiKeyman utility” on page 315.

b. Enable SSL with a supported registry server. For instructions, seeChapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.

Note: For more information about using the iKeyman utility, see the IBMGlobal Security Kit: Secure Sockets Layer Introduction and iKeyman User'sGuide.

22. Apply the IBM DB2 license. (Insert the IBM Tivoli Access Manager Base for Windows CD if needed.)
path\db2licm -a drive\common\db2ese.lic

To install IBM Tivoli Directory Server on a multiprocessor machine, DB2 has special licensing that is based on the number of processors that will be used. In some cases, it might be necessary to run the DB2 command to force the licensing to allow multiple processors:
path\db2licm -n db2ese 101 force

where 101 is the default number of processors. If no number is specified, the license applies only for a single processor. If running this command produces the following error, you can safely ignore it:
The license policy specified does not apply to this product or is not supported.

23. Optionally, you can install the Tivoli Directory Server White Pages.

Note: You must obtain an additional license to use this feature. See “License terms for Tivoli Directory Server” on page 61.

For installation requirements and instructions, see the IBM Tivoli Directory Server White Pages document.

24. Install Tivoli Directory Integrator: Install IBM Tivoli Directory Integrator, if required for your deployment. IBM Tivoli Directory Integrator is required if you have installed a Directory Server and want to use any of the following features:

• The idssupport tool
This tool gathers information from your system that you can supply to IBM Software Support if you encounter problems.

• The idslogmgmt tool

• Simple Network Management Protocol (SNMP)

• Active Directory synchronization

For more information:

• For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD. The IBM Tivoli Directory Integrator CD is included with the IBM Tivoli Access Manager for e-business CD bundle.

• See the IBM Tivoli Directory Server Version 6.1 Problem Determination Guide for information on idssupport and idslogmgmt.

• See the IBM Tivoli Directory Server version 6.1 Administration Guide for information on SNMP and Active Directory synchronization.

After you set up IBM Tivoli Directory Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.

86 Tivoli Access Manager Installation Guide

Configuring a directory server instance for IBM Tivoli Directory Server

After you install the IBM Tivoli Directory Server components, you must perform the following tasks:
1. Create a directory server instance
2. Define the administrator DN and password for the instance
3. Configure the database for a directory server instance
4. Create a backup of the instance
5. Configure a suffix for the instance

For complete IBM Tivoli Directory Server product documentation, visit:

http://www.ibm.com/software/tivoli/products/directory-server

The Tivoli Directory Server Instance Administration Tool is a graphical user interface (GUI) tool that you can use to create and manage directory server instances. An instance can also be created and managed from the command line.

Creating an instance with the Instance Administration Tool
You can use the Instance Administration Tool to create an instance in different ways:

• Create a default instance with a default name and other settings. (See “Creating the default instance.”)

• Create a new instance for which you specify all the settings. (See “Creating a new instance for which you specify all settings” on page 89.)

Creating the default instance: You can create the default instance if you are not migrating a directory server instance from a previous version and you want to create a new directory server instance with default settings. This option is not available if you have already created a default directory server instance; you can create only one default instance. The default directory server instance has the following settings, which you cannot change:

On Windows systems:
Name: idsinst
Instance location: c:\idsslapd-idsinst
Group name: Administrators
Administrator DN: cn=root
Database name: idsdb

On AIX, Linux, Solaris, and HP-UX systems:
Name: idsinst
Instance location: /home/idsinst. (On Solaris systems, this directory is /export/home/idsinst.)
Group name: dbsysadm
Administrator DN: cn=root
Database name: idsdb

In addition, the o=sample suffix is created for the default directory server instance. You can add other suffixes later with the Configuration Tool or the idscfgsuf command.

If these settings are too restrictive, choose another option.

To create the default instance:

1. On AIX, Linux, Solaris, and HP-UX systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.

2. If the Instance Administration Tool is not started, start it.

• Windows:
C:\Program Files\IBM\LDAP\V6.1\sbin\idsxinst

On Windows systems, you also can click Start → Programs → IBM Tivoli Directory Server 6.1 → Instance Administration Tool.

• AIX, Solaris, and HP-UX systems:
/opt/IBM/ldap/V6.1/sbin/idsxinst

• Linux:
/opt/ibm/ldap/V6.1/sbin/idsxinst

3. Click Create.

4. On the Create new directory server instance window:

a. Click Create default instance.
b. Click Next.

5. On the Default instance details window, complete the following fields:

User password
Type the password for the system user, idsinst, that will own the directory server instance.

Encryption seed
Type a string of characters that will be used as an encryption seed.

The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For more information about what characters can be used, see the IBM Directory Server Version 6.1 Installation Guide.

This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the directory server instance's directory key stash file and used to encrypt and decrypt directory stored password and secretkey attributes.

Record the encryption seed in a secure location; you might need it if you export data to an LDIF file (the idsdb2ldif command) or regenerate the key stash file (the idsgendirksf command).

Administrator DN password
The administrator DN for the default instance is cn=root. Type the password for the administrator DN. You must define a password. Passwords are case-sensitive. Double byte character set (DBCS) characters in the password are not valid.

Record the password in a secure location for future reference.
Click Next.

6. In the Verify settings window, information is displayed about the options you specified. To return to an earlier window and change information, click Back. To begin creating the directory server instance, click Finish.

7. The Results window is displayed, and messages are displayed while the directory server instance is being created. A completion message is displayed when instance creation is complete. Click OK to remove the message.

8. Click Close to close the window and return to the main window of the Instance Administration Tool.

9. If you have finished using the Instance Administration Tool, click Close to exit the tool.

Note: After you create the default instance:

• Start the server. See IBM Tivoli Directory Server Version 6.1 Installation Guide for information about starting the server.

• If you have installed and configured the Web Administration Tool, start the WebSphere Application Server service or the Embedded WebSphere Application Server service.

– If you selected to use the Embedded WebSphere Application Server service, see the IBM Tivoli Directory Server Version 6.1 Installation Guide for more information about starting the WebSphere Application Server service.

– If you selected to use WebSphere Application Server, see the WebSphere Application Server documentation for more information about starting the WebSphere Application Server service:
http://www-306.ibm.com/software/webservers/appserv/was/library/

Creating a new instance for which you specify all settings: To create a new instance for which you specify all the settings with the Instance Administration Tool:

1. On AIX, Linux, Solaris, and HP-UX systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.

2. If the Instance Administration Tool is not started, start it.

• Windows:
C:\Program Files\IBM\LDAP\V6.1\sbin\idsxinst

On Windows systems, you also can click Start → Programs → IBM Tivoli Directory Server 6.1 → Instance Administration Tool.

• AIX, Solaris, and HP-UX systems:
/opt/IBM/ldap/V6.1/sbin/idsxinst

• Linux:
/opt/ibm/ldap/V6.1/sbin/idsxinst

3. Click Create.

4. On the Create a new directory server instance window, click Create a new directory server instance.

5. If you want the new directory server instance to be a proxy server instance, select the Set up as proxy check box. A proxy server does not have an associated database instance.

6. Click Next.

7. On the Instance details window, complete the following fields:

User name
Do one of the following:

• If the user you want to own the directory server instance is an existing user on the system, select the system user ID of the user from the list. This name will also be the name of the directory server instance. If you want to change properties for the user, click Edit user. On the window that displays:

a. If you want to change the user's password, type the new password in the Password field.

b. If you are on an AIX, Linux, Solaris, or HP-UX system and you want to change the home directory for the user, type the new home directory in the Home directory field. You can click Browse to locate the home directory.

c. If you are on an AIX, Linux, Solaris, or HP-UX system and you want to change the user's primary group, type the new primary group in the Primary group field.

d. Click Edit to save your changes.

• If you want to create a new system user ID for the owner of the directory server instance, click Create user. On the window that displays:

a. Type a name for the user in the User Name field. This name becomes the directory server instance name. The name of the new directory server instance must be unique; if there is already a directory server instance on the computer with the same name, you will receive an error message.

b. Type the password for the user in the Password field.

c. If you are on an AIX, Linux, Solaris, or HP-UX system:

1) Type the home directory for the user in the Home directory field. You can click Browse to locate the home directory.

2) Type the name of the user's primary group in the Primary group field.

d. Click Create to create the user.

Install location
Type the location where the directory server instance files will be stored. Be sure that you have at least 30 MB of free disk space in this location.

On Windows systems, this location is a drive, such as C:. The directory instance files will be stored on the drive you specify in the \idsslapd-instance_name directory. (instance_name is the name of the directory server instance.)

On AIX, Linux, Solaris, and HP-UX systems, the default location for the instance files is in the directory instance owner's home directory, but you can specify a different path. Click Browse if you want to select a location.

Encryption seed string
Type a string of characters that will be used as an encryption seed.

The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For more information about what characters can be used, see the IBM Directory Server Version 6.1 Installation Guide.

This encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the directory server instance's directory key stash file and used to encrypt and decrypt directory stored password and secretkey attributes.

Record the encryption seed in a secure location; you might need it if you export data to an LDIF file (the idsdb2ldif command) or regenerate the key stash file (the idsgendirksf command).

Confirm encryption seed
Type the encryption seed string again for confirmation.

Use encryption salt value
Select this check box if you want to provide an encryption salt value.

• If you are migrating and you want the directory server instance to be cryptographically synchronized with the same directory server instances as the instance you are migrating, check this box and then complete the Encryption salt string and Confirm encryption salt string fields.

• If you are creating a new directory server instance and you want the new directory server instance to be cryptographically synchronized with other directory server instances, check this box and then specify the same encryption salt string that the other directory server instances have.

If you clear the check box, the Instance Administration Tool generates an encryption salt string value randomly.

Encryption salt string
If you want to provide an encryption salt string, type the value.

The encryption salt is used, along with the encryption seed, to generate two-way Advanced Encryption Standard (AES) encryption keys that are stored in key stash files. These values are used to encrypt and decrypt directory stored password and secretkey attributes.

If you want to use replication, use a distributed directory, or import and export LDIF data between server instances, you can obtain better performance if the directory server instances have the same encryption salt value. Therefore, if the directory server instance you are creating or migrating will be used in one of these ways, set the encryption salt value to the encryption salt value of the directory server instances with which it will be involved in these activities.

You can obtain the destination server's salt value by searching (using the ldapsearch utility) the destination server's 'cn=crypto,cn=localhost' entry. The attribute type is ibm-slapdCryptoSalt.

The encryption salt must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, and must be exactly 12 characters in length. For more information about what characters can be used, see the IBM Directory Server Version 6.1 Installation Guide.

Confirm encryption salt string
Type the encryption salt string again for confirmation.

Instance description
Optionally, type a description of the directory server instance. This description is displayed in other windows to help identify the instance.

Click Next.
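The salt lookup described under Encryption salt string, as an added example that is not code from the Installation Guide or from IBM's tools: it parses the text that an ldapsearch of the destination server's cn=crypto,cn=localhost entry prints, extracts ibm-slapdCryptoSalt (including the base64 "attr::" form and folded continuation lines that LDIF output can use), and checks the value against the 12-character rule before it is reused for a new instance. The ldapsearch invocation in the comment and the sample output, including the salt value, are constructed for the example; the function names are its own.

```python
"""Read the encryption salt of an existing Tivoli Directory Server instance
from ldapsearch output and check it against the salt rules in this guide.
Added example: not code from the Installation Guide or from IBM's tools."""
import base64

# Assumed invocation of the IBM ldapsearch client (not shown on this page):
#   ldapsearch -D cn=root -w <password> -s base -b "cn=crypto,cn=localhost" \
#              "objectclass=*" ibm-slapdCryptoSalt
# The functions below only parse the LDIF-style text such a search prints.


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (a line beginning with a single space
    continues the previous attribute line) and drop comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw == "" or raw.startswith("#"):
            continue
        else:
            lines.append(raw)
    return lines


def extract_crypto_salt(search_output: str) -> str:
    """Return the ibm-slapdCryptoSalt value, decoding the 'attr:: base64'
    form that LDIF uses when a value is not safe to print literally."""
    for line in unfold_ldif(search_output):
        name, _, value = line.partition(":")
        if name.strip().lower() != "ibm-slapdcryptosalt":
            continue
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        return value
    raise ValueError("ibm-slapdCryptoSalt not present in search output")


def is_valid_salt(salt: str) -> bool:
    """Salt rule from the Instance details window: exactly 12 characters,
    each a printable ISO-8859-1 ASCII character with a value of 33 to 126."""
    return len(salt) == 12 and all(33 <= ord(c) <= 126 for c in salt)


# Constructed sample output for the cn=crypto,cn=localhost entry; the salt
# value is made up. The first copy prints the salt literally, the second
# shows the same salt base64-encoded and folded across two lines.
SAMPLE_PLAIN = """\
dn: cn=crypto,cn=localhost
cn: crypto
ibm-slapdCryptoSalt: Ab3!xY9#kQ2z
objectclass: top
objectclass: ibm-slapdCrypto
"""

SAMPLE_BASE64 = """\
dn: cn=crypto,cn=localhost
ibm-slapdCryptoSalt:: QWIzIXhZ
 OSNrUTJ6
"""


def salt_for_new_instance(search_output: str) -> str:
    """Salt to pass to idsicrt -g so the new instance is cryptographically
    synchronized with the server that produced search_output."""
    salt = extract_crypto_salt(search_output)
    if not is_valid_salt(salt):
        raise ValueError("salt read from server does not satisfy the 12-character rule")
    return salt


if __name__ == "__main__":
    print(salt_for_new_instance(SAMPLE_PLAIN))
    print(salt_for_new_instance(SAMPLE_BASE64))
```

The value returned by salt_for_new_instance is what goes into the Encryption salt string field, or after -g on the idsicrt command line, for every instance that must share keys with the server that was searched.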

8. If the DB2 instance details window is displayed, either accept the name that is displayed in the DB2 instance name field, or type or select a different name for the DB2 instance, and then click Next.
By default, the DB2 instance name is the same as the name of the directory server instance, but you can specify a different name for the DB2 instance. If you specify a different name, there must be a system user ID by the same name. This name cannot be already associated with another directory server instance.

9. On the TCP/IP settings for multihomed hosts window, do one of the following:

• If you want the directory server instance to listen on all IP addresses, select the Listen on all configured IP addresses check box.

• If you want the directory server instance to listen on a particular set of IP addresses that are configured on the computer, clear the Listen on all configured IP addresses check box. Then select the IP address or addresses in the list that you want the directory server instance to listen on.

Click Next.

10. On the TCP/IP port settings window, complete the following fields:

Server port number
Type the number of the port you want the server to use as its contact port. The number must be between 1 and 65535.

Server secure port number
Type the number of the port you want the server to use as its secure port. The number must be between 1 and 65535.

Admin daemon port number
Type the number of the port you want the administration daemon to use as its port. The number must be between 1 and 65535.

Admin daemon secure port number
Type the number of the port you want the administration daemon to use as its secure port. The number must be between 1 and 65535.

Notes:

a. If you have two or more directory server instances listening on the same IP address (or set of IP addresses), be sure that those directory server instances do not use any of the same port numbers.

b. On AIX, Linux, Solaris, and HP-UX systems, port numbers below 1000 can be used only by root.

Click Next.

11. If the Optional steps window is displayed:

a. Select Configure admin DN and password if you want to configure the administrator DN and password for the directory server instance now. (The administrator DN and password are required for both proxy servers and full servers.)

b. Select Configure database if you want to configure the database for the directory server instance now. (A proxy server instance does not require a database.)
When you configure the database, the Instance Administration Tool adds information about the database that will be used to store directory data to the configuration file (ibmslapd.conf) for the directory server instance. In addition, if the database does not already exist, the Instance Administration Tool creates the database.

Click Next.

Note: You can use the Configuration Tool or the command line later if you do not want to set the administrator DN or configure the database now, but you cannot use the directory server instance until you have done these steps.

12. If the Configure administrator DN and password window is displayed:

a. In the Administrator DN field, type a valid DN (or accept the default DN, cn=root).
The administrator DN is the DN used by the administrator of the directory server instance. This administrator is the one user who has full access to all data in the directory. The default DN is cn=root. DNs are not case sensitive. If you are unfamiliar with LDAP DN format, or if for any other reason you do not want to define a new DN, accept the default DN.

b. Type the password for the administrator DN in the Administrator Password field. You must define a password. Passwords are case-sensitive. Double byte character set (DBCS) characters in the password are not valid. Record the password in a secure location for future reference.

c. Retype the password in the Confirm password field.

d. Click Next.

13. If the Configure database window is displayed:

a. Type a valid DB2 administrator ID in the Database user name field. This ID must already exist and must have the proper authority before you can configure the database.

Note: Before server startup, this user must have the locale set to the correct locale for the language in which you want server messages to be displayed. If necessary, log in as the user and change the locale to the correct one.

b. Type the password for the user in the Password field. Passwords are case-sensitive.

Note: If you change the system password for the DB2 administrator, you cannot update it through the Instance Administration Tool. You must use the Configuration Tool or the idscfgdb command with the -w option. See the IBM Tivoli Directory Server Version 6.1 Installation Guide for more information.

c. Type the name you want to give the DB2 database in the Database name field. The name can be from 1 to 8 characters long.

d. Click Next.

14. If the Database options window is displayed:

a. Type the location for the database in the Database install location field. For Windows platforms, this must be a drive letter. For non-Windows platforms, the location must be a directory name, such as /home/ldapdb. (You can click Browse to locate a directory.)
Be sure that you have at least 80 MB of free hard disk space in the location you specify and that additional disk space is available to accommodate growth as new entries are added to the directory.

b. In the Character-set option box:

1) Click the type of database you want to create. Click one of the following:

• Create a universal DB2 database (UTF-8/UCS-2) to create a UCS Transformation Format (UTF-8) database, in which LDAP clients can store UTF-8 character data.

• Create a local codepage DB2 database to create a database in the local code page.

Create a universal database if you plan to store data in multiple languages in the directory. A universal database is also most efficient because less data translation is needed. If you want to use language tags, the database must be a UTF-8 database. For more information about UTF-8, see the IBM Tivoli Directory Server Version 6.1 Installation Guide.

c. Click Next.

15. In the Verify settings window, information is displayed about the options you specified. To return to an earlier window and change information, click Back. To begin creating the directory server instance, click Finish.

16. The Results window is displayed, and messages are displayed while the instance is being created. A completion message is displayed when instance creation is complete. Click OK to remove the message.

17. Click Close to close the window and return to the main window of the Instance Administration Tool.

18. If you have finished using the Instance Administration Tool, click Close to exit the tool.

Note: After you set the administrator DN and password and, for a full server, configure the database:

• Start the server. See IBM Tivoli Directory Server Version 6.1 Installation Guide for instructions.

• If you have installed and configured the Web Administration Tool, start the WebSphere Application Server service or the Embedded WebSphere Application Server service.

– If you selected to use the Embedded WebSphere Application Server service, see the IBM Tivoli Directory Server Version 6.1 Installation Guide for instructions.

– If you selected to use WebSphere Application Server, see the WebSphere Application Server documentation for instructions:
http://www-306.ibm.com/software/webservers/appserv/was/library/

Note: After you set the administrator DN and password and, for a full server, configure the database, see the IBM Tivoli Directory Server Version 6.1 Installation Guide for information about:

• Starting the server

• Starting the Embedded WebSphere Application Server service if you have installed and configured the Web Administration Tool.

You can find information about using the Web Administration Tool in the IBM Tivoli Directory Server Version 6.1 Installation Guide.

Creating an instance with the command line: You can use the idsicrt command to create an instance.

For example, using the idsicrt command:

• To create a new directory server instance called myinst that has a port of 389, a secure port of 636, an encryption seed of mysecretkey!, an encryption salt of mysecretsalt, and a DB2 instance with the name myinst, issue the command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -g mysecretsalt

If the directory server instance already existed, this command would fail. If you did not specify the encryption salt, the command would randomly generate an encryption salt. If you did not specify the encryption seed, you would be prompted for the seed. In the following example, you are prompted to enter an encryption seed. The encryption seed is not displayed on the command line when you enter it. After you type the encryption seed and press Enter, the command attempts to create the directory server instance.
idsicrt -I myinst -p 389 -s 636

The response is:
Enter encryption seed:

• To create the same instance so that it binds to a particular IP address, issue the command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -g mysecretsalt -i 1.9.86.566

• To create a new directory server instance called myinst that has a port of 389, a secure port of 636, an encryption seed of mysecretkey!, and a DB2 instance with the name mydbin, use the following command:
idsicrt -I myinst -p 389 -s 636 -e mysecretkey! -t mydbin

In this case, the command will randomly generate an encryption salt value.

Note: After you create the directory server instance with the idsicrt command, use the idsdnpw command to set the administrator DN and password. See “Using the command line” on page 96. If the directory server instance is a full server, configure the database using the idscfgdb command line utility. See “Configuring the database with the command line” on page 98.

See the IBM Tivoli Directory Server 6.1 Command Reference for more information about using the idsicrt commands.
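The field rules stated for the Instance details and TCP/IP port settings windows, together with the idsicrt options shown in this section, as an added example that is not code from the Installation Guide or from IBM: a pre-flight check that validates the encryption seed, the encryption salt and the port numbers before the command is run, then assembles the idsicrt argument vector from the -I, -p, -s, -e, -g, -t and -i options the text uses. The function names are this example's own; the rule that one instance's own ports must differ from each other is an assumption (they are separate listeners), everything else follows the text. Leaving seed as None omits -e so that idsicrt prompts for the seed, which keeps it out of the process list and shell history.

```python
"""Pre-flight checks for creating a directory server instance with idsicrt.
Added example, not code from the Installation Guide or from IBM; it encodes
the rules the guide states for the Instance Administration Tool fields and
uses only the idsicrt options shown in this section."""


def printable_ascii(value: str) -> bool:
    """ISO-8859-1 ASCII characters with values 33 to 126 only (no spaces)."""
    return all(33 <= ord(c) <= 126 for c in value)


def check_seed(seed: str) -> list:
    """Encryption seed: 12 to 1016 characters from the printable range."""
    problems = []
    if not 12 <= len(seed) <= 1016:
        problems.append(f"seed length {len(seed)} is outside 12..1016")
    if not printable_ascii(seed):
        problems.append("seed contains characters outside the range 33..126")
    return problems


def check_salt(salt: str) -> list:
    """Encryption salt: exactly 12 characters from the printable range."""
    problems = []
    if len(salt) != 12:
        problems.append(f"salt length {len(salt)} is not exactly 12")
    if not printable_ascii(salt):
        problems.append("salt contains characters outside the range 33..126")
    return problems


def check_ports(ports: dict, *, unix: bool, is_root: bool, in_use=()) -> list:
    """ports maps a role (server, secure, admin, admin_secure) to a port.
    in_use holds ports already taken by other instances listening on the
    same IP address(es). Every port must be in 1..65535; on AIX, Linux,
    Solaris and HP-UX ports below 1000 need root; ports must not collide
    with in_use. That one instance's roles also need distinct ports is an
    assumption of this example (each role is a separate listener)."""
    problems = []
    for role, port in ports.items():
        if not 1 <= port <= 65535:
            problems.append(f"{role} port {port} is outside 1..65535")
        elif unix and port < 1000 and not is_root:
            problems.append(f"{role} port {port} is below 1000 and needs root")
        if port in in_use:
            problems.append(f"{role} port {port} is used by another instance on this address")
    if len(set(ports.values())) != len(ports):
        problems.append("the instance's ports must all be different")
    return problems


def build_idsicrt_argv(name, ports, seed=None, salt=None, db2_instance=None,
                       ip=None, *, unix=True, is_root=True, in_use=()):
    """Return the idsicrt argument vector, or raise ValueError listing every
    rule the inputs break. seed=None omits -e so that idsicrt prompts for the
    seed; salt=None omits -g so that idsicrt generates a random salt."""
    problems = check_ports(ports, unix=unix, is_root=is_root, in_use=in_use)
    if seed is not None:
        problems += check_seed(seed)
    if salt is not None:
        problems += check_salt(salt)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["idsicrt", "-I", name,
            "-p", str(ports["server"]), "-s", str(ports["secure"])]
    if seed is not None:
        argv += ["-e", seed]
    if salt is not None:
        argv += ["-g", salt]
    if db2_instance is not None:
        argv += ["-t", db2_instance]
    if ip is not None:
        argv += ["-i", ip]
    return argv


if __name__ == "__main__":
    # Rebuilds the first idsicrt example in the text; the command is only
    # assembled here, pass the list to subprocess.run to create the instance.
    print(" ".join(build_idsicrt_argv(
        "myinst", {"server": 389, "secure": 636},
        seed="mysecretkey!", salt="mysecretsalt")))
```

Because check_ports takes the set of ports other instances already use on the same address, the same function covers the note about two or more instances listening on one IP address; run it once per new instance with the ports of the existing ones in in_use.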

Migrating an instance
You can migrate a directory server instance from a previous version of IBM Tivoli Directory Server to a 6.1 directory server instance.

If you are migrating from a version that is before 6.0, you must have already backed up the configuration and schema files.

• To migrate a 6.0 directory server instance:

1. If the Instance Administration Tool is not started, start it.

2. Select the 6.0 directory server instance you want to migrate in the list, and click Migrate.

3. In the Migrate directory server instance window, click Migrate.
Messages are displayed while the directory server instance is being migrated. A completion message is displayed when migration is complete. Click OK to remove the message.

Click Close to close the window and return to the main window of the Instance Administration Tool. If you have finished using the Instance Administration Tool, click Close to exit the tool.

• To migrate a directory server instance from a version before 6.0:

1. If the Instance Administration Tool is not started, start it.

2. Click Create.

3. Click Migrate from a previous version of directory server. Then type the path where you backed up the configuration and schema files from the previous version and click Next.
Messages are displayed while the directory server instance is being migrated. A completion message is displayed when migration is complete. Click OK to remove the message.

4. Click Close to close the window and return to the main window of the Instance Administration Tool. If you have finished using the Instance Administration Tool, click Close to exit the tool.

Setting the administrator DN and password for a directory instance
The administrator DN and password associated with a directory server instance can be set or changed using either the IBM Tivoli Directory Server Configuration Tool or the command line.

If you configured the administrator DN and password during the creation of the directory server instance, as described in “Creating an instance with the Instance Administration Tool” on page 87, you can skip this section.

Using the Configuration Tool: To set or change the administrator DN and password associated with a directory server instance using the Configuration Tool:

1. On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.

2. Start the Configuration Tool by entering the following command:

idsxcfg

3. Click Manage administrator DN in the navigation pane.

4. Specify a valid DN, such as cn=root, in the Administrator DN field and click OK.
The administrator DN is the DN used by the administrator of the directory server instance. This administrator is the one user who has full access to all data in the directory. If you are unfamiliar with X.500 format, or if for any other reason you do not want to define a new DN, accept the default DN.

5. Click Manage administrator password in the navigation pane.

6. Specify the password in both the Administrator password and Confirm password fields. Click OK.
Passwords are case-sensitive and cannot contain double byte character set (DBCS) characters. Record the password in a secure location for future reference.

Using the command line: You can use the idsdnpw command to change the administrator DN and password for a directory server instance. The command can be run only when the directory server instance is not running. The primary administrator specifies an administrator password and, optionally, an administrator DN, which the utility writes to the ibmslapd.conf file for the directory server instance. The administrator DN is set to cn=root by default.

For example:

To set the administrator DN to cn=myname and the password to secret on a computer with only one directory server instance, issue the command:
idsdnpw -u cn=myname -p secret

If the password is not specified, you are prompted for the password. The password is not displayed on the command line when you type it.

Note: If the administration password policy has been enabled, the administrator's password must conform to the administration password policy requirements. See the IBM Tivoli Directory Server Version 6.1 Administration Guide for information about the password policy.

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailed information about the idsdnpw command.

Configuring the database for a directory instance
The database associated with a directory server instance can be set using either the IBM Tivoli Directory Server Configuration Tool or the command line.

If you configured and created the database during the creation of the directory server instance, as described in “Creating an instance with the Instance Administration Tool” on page 87, you can skip this section.

When you configure the database, information about the database is added to the ibmslapd.conf configuration file for the directory server instance. If the database does not already exist, the database is created.

Before performing this task:

• Ensure that the directory server is stopped.

• Verify that the DB2COMM environment variable is not set.

Note: This option is not available if you are configuring a proxy server or if you have not installed the full server on the system.

Configuring the database with the Configuration Tool: To configure a database for the directory server instance:

1. Stop the server if it is running.

2. In the Configuration Tool, click Configure database in the task list on the left.

3. If a database user name is requested:

a. Type a user ID in the Database user name field. This user ID owns the database that is used by the directory instance, and the directory server instance uses this user ID to connect to the database. The user ID must already exist before you can configure the database.

b. Type a password for the user in the Password field. Passwords are case-sensitive.

c. In the Database name field, type the name you want to give the DB2 database that is used by the directory server instance to store directory data. The name can be from 1 to 8 characters long.

d. Click Next.

4. If the database installation location is requested:

a. Type the location for the database in the Database install location field. For Windows platforms, this location must be a drive letter. For AIX, Linux, Solaris, and HP-UX platforms, the location must be a directory name, such as /home/ldapdb, and you can click Browse to locate the directory. Be sure that you have at least 80 MB of free hard disk space in the location you specify and that additional disk space is available to accommodate growth as new entries are added to the directory.

b. Click the type of database you want to create. You can create a UCS Transformation Format (UTF-8) database, in which LDAP clients can store UTF-8 character data, or a local code page database, which is a database in the local code page. Create a universal database if you plan to store data in multiple languages in the directory. A universal database is also most efficient because less data translation is needed. If you want to use language tags, the database must be a UTF-8 database.

c. Click Finish.

5. Messages are displayed while the database is being configured. Click Close when database configuration is complete.

Configuring the database with the command line: You can use the idscfgdb command to configure a database for a directory server instance.

This command cannot be used for a proxy server instance.

The idsicrt command must have already run successfully to create the database instance. In addition, the database instance owner must be set up correctly. Otherwise, the command fails.

The directory server instance owner specifies a database administrator user ID, a database administrator password, the location to store the database, and the name of the database. The database administrator ID specified must already exist on the system.

By using the -w option, you can reset the password for the database administrator and the change log database owner in the configuration file for the directory server instance.

After successfully creating the database, the command adds information about the database to the ibmslapd.conf file of the directory server instance. The database and local loopback settings are created, if they do not exist. You can specify whether to create the database as a local codepage database or as a UTF-8 database, which is the default.

Attention:

1. Before configuring the database, be sure that the environment variable DB2COMM is not set.

2. The server must be stopped before you configure the database.

For example:

To configure a database called ldapdb for directory server instance ldapdb in the location /home/ldapdb with a DB2 database administrator ID of ldapdb whose password is secret, issue the command:

idscfgdb -I ldapdb -a ldapdb -w secret -t ldapdb -l /home/ldapdb

If the password is not specified, you are prompted for the password. The password is not displayed on the command line when you type it.

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailed information about the idscfgdb command.

Creating a backup of a directory instance
After you create a directory server instance and configure the database, create a backup of the instance. The configuration and directory key stash files are archived along with the associated configuration and directory data. You can then restore the key stash files, if necessary.

Using the Configuration Tool: To back up the database:
1. On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. Ensure that the directory server is stopped.
3. Start the Configuration Tool by entering the following command:

idsxcfg

4. In the Configuration Tool, click Backup database from the navigation pane.
5. In the Backup database window, in the Backup directory field, type the directory path in which to back up all directory data and configuration settings. Or, click Browse to locate and select an existing directory path.
6. Select one of the following:
• Create backup directory as needed if you want the directory to be created if it does not exist.
• Halt if backup directory is not found if you do not want the directory you specified to be created. If this directory does not exist and you select this option, the database will not be backed up.
7. Click Backup.

Using the command line: You can use the idsdbback command to back up the database. For information, see the IBM Tivoli Directory Server version 6.1 Command Reference.

Use the idsdbrestore command to restore a directory server instance from a backup copy.

Configuring a suffix for a directory instance
Before adding a suffix, ensure that the directory server is stopped.

Using the Configuration Tool: To add a suffix for a directory server instance using the Configuration Tool, do the following.
1. On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. Ensure that the directory server is stopped.
3. Start the Configuration Tool by entering the following command:

idsxcfg

4. In the Configuration Tool, click Manage suffixes in the navigation pane. This option is not available if you are configuring a proxy server or if you have not installed the full server on the system.

5. In the Manage suffixes window, enter the suffix that you want to add in the Suffix DN field, and click Add.

6. When you have added all the suffixes you want, click OK.

Note: When you click Add, the suffix is added to the list in the current suffix DNs box. However, the suffix is not actually added to the directory until you click OK.

Using the command line: To add a suffix for a directory server instance using the command line:

Use the idscfgsuf command to configure a suffix for a directory server instance. The suffix is added to the directory server instance's ibmslapd.conf file.

When there is more than one directory server instance, you must specify the name of the directory server instance.

For example:
• To configure the suffix o=sample, enter:

idscfgsuf -s o=sample

• To configure the suffix o=sample for the instance my_instance, enter:

idscfgsuf -I my_instance -s o=sample

To unconfigure the suffix, use the idsucfgsuf command.

For more information about idscfgsuf and idsucfgsuf, see the IBM Tivoli Directory Server Version 6.1 Command Reference.

Configuring IBM Tivoli Directory Server for Tivoli Access Manager

You can configure IBM Tivoli Directory Server as the Tivoli Access Manager registry. You can configure IBM Tivoli Directory Server for Tivoli Access Manager either by using the Web Administration Tool or by using the command line.
• “Using the Web Administration Tool” on page 101
• “Using the command line” on page 104

Notes:

1. If you used the install_ldap_server wizard to install and configure the IBM Tivoli Directory Server, skip the instructions in this section. The installation wizard configures the IBM Tivoli Directory Server automatically.

2. For complete IBM Tivoli Directory Server product documentation, see:

http://www.ibm.com/software/tivoli/products/directory-server

Attention
You can use the Web Administration Tool or the command line to perform configuration. The Web Administration Tool enables you to administer IBM Tivoli Directory servers either locally or remotely.

The Web Administration Tool is backward-compatible and works with IBM Tivoli Directory Server, Version 4.1, 5.1, 5.2 and 6.0. If you want to use the Web Administration Tool but have not installed it yet, follow these steps.
1. Install IBM WebSphere Application Server. For instructions, see page 333.
2. Install the IBM Tivoli Directory Server Web Administration Tool and configure this application into your WebSphere configuration. For instructions, see page 338.

Using the Web Administration Tool
To use the Web Administration Tool to configure IBM Tivoli Directory Server for Tivoli Access Manager, follow these steps:
1. Ensure that the IBM Tivoli Directory Server is installed and that the following conditions are met:
• You have set the administrator DN (cn=root) and password to be able to start a given server. You were prompted for this information during configuration of the IBM Tivoli Directory Server.
• You must have configured a database to be able to start a given server in a state other than configuration only mode.
• You must have the administration daemon running to be able to start, stop, or restart a given server remotely. To do so:
– On UNIX or Linux systems, issue the following command:

ibmdiradm

– On Windows systems, click Start → Control Panel → Administrative Tools → Services. Right-click IBM Directory Admin Daemon and then select Start.

2. Start the Web Administration Tool. To do so, go to the directory where you installed WebSphere Application Server and issue one of the following commands:
• On UNIX or Linux systems:

/opt/IBM/WebSphereAppServer/bin/startServer.sh server1

or

/opt/WebSphere/AppServer/bin/startServer.sh server1

• On Windows systems:

C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1

3. To display the login page, open a Web browser and type the following address:

http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp

where localhost is the host name or IP address of a system where the Web Administration Tool is installed, and 12100 is the port configured for the WebSphere Application Server. The IBM Tivoli Directory Server Web Administration Tool login page is displayed.

4. Set up the Web Administration Tool:

• If you have already set up the Web Administration Tool, skip to step 7 on page 103.

• If you have not set up the Web Administration Tool previously, follow these steps:
a. From the IBM Tivoli Directory Server Web Administration Tool login page, log in as the console administrator by specifying the default user name and password as follows:

LDAP Hostname: Console Admin
Username: superadmin
Password: secret

Click Login to continue. The IBM Tivoli Directory Server Web Administration Tool console is displayed.

Note: After initial setup of the Web Administration Tool, you will be able to log in to the console using the LDAP host name or IP address of your IBM Tivoli Directory Server machine.

b. Console administration tasks are displayed on the left. To add your server, select Manage console servers and then click the Add button in the right pane.

c. From the Add server window, complete the following fields and then click OK.
– Hostname: Type the host name or IP address of the machine where IBM Tivoli Directory Server is installed.
– Port: The port is already provided (389). If you changed this port number during the configuration of the LDAP server, modify this value accordingly.
– Administration port: The port is already provided (3538).
– SSL enabled: Do not enable SSL at this time. After SSL has been set up between the Web Administration Tool and the directory server, you can enable SSL. If you enable SSL without properly enabling SSL on the server, you will not be able to log on and perform server administration tasks.

Information on enabling SSL can be found in Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.

The Manage console servers pane is displayed with the server information.

5. Select Log out to log off the server.
6. From the Logout successful window, click the re-login by clicking here link to return to the IBM Tivoli Directory Server Web Administration login page.
7. You are now ready to administer the server using this console. To do so, follow these steps:
a. Log in by selecting the LDAP host name or IP address for your machine from the drop-down menu.
b. Type the administration DN (cn=root is the default value).
c. Type the associated DN password that you created during configuration of the IBM Tivoli Directory Server and then click Login. The IBM Tivoli Directory Server Web Administration Tool console is displayed.

Note: Server management tasks vary depending upon the capabilities of the server.

8. To verify that the IBM Tivoli Directory Server is running, click Server administration → View server status in the left navigation pane. If your server is stopped, click Start/stop/restart server from the left navigation pane and then click the Start button to start the server. A message is displayed when the server successfully starts or stops.

9. To create a suffix, select Server Administration → Manage server properties → Suffixes from the left navigation pane. The Suffixes window is displayed.

10. To create the suffix where Tivoli Access Manager maintains its metadata, select Server administration → Manage server properties from the left navigation pane. From the Manage server properties window, select the Suffixes tab. Type the desired suffix DN:

Note: The suffix DN is not case-sensitive.

• To use the default location for the metadata, type:

secAuthority=Default

• To create a different location for the metadata, type:

secAuthority=<domain_name>

where domain_name is the desired management domain name.
• To specify a location for the metadata that is not a stand-alone suffix, make sure the desired location already exists in the LDAP server before specifying the location.

The suffix is displayed in the Current suffix DNs table in the pane.
11. Click Add.
12. At this point, you can create additional suffixes to maintain user and group definitions.

Note: For more information about how to add suffixes, click the Help icon in the upper-right pane of the window. The maximum is 1000 characters for a suffix.

13. Click OK to save changes.
14. When you have finished adding suffixes, select Server administration → Start/stop/restart server from the left navigation pane and then click the Restart button to restart the server. A status message is displayed when the server is restarted successfully.

15. Do one of the following:
• If you did not add any suffixes other than secAuthority=Default, click Logout to close the IBM Directory Server Web Administration Tool window. A directory entry for secAuthority=Default is automatically added when the policy server is configured.
• If you added suffixes other than secAuthority=Default, you must add an entry to the directory for each suffix. To do so, select Directory management → Add an entry in the left navigation pane. When you have completed adding directory entries for the suffixes you created, click Finish and then click Logout to close the IBM Directory Server Web Administration Tool window.

Note: If you enable SSL communication, the directory administration daemon must be stopped and restarted for SSL to take effect.

Using the command line
To configure IBM Tivoli Directory Server as your Tivoli Access Manager registry, follow these basic steps.

Note: For detailed information about adding suffixes and directory entries, consult the IBM Tivoli Directory Server documentation.

1. Create the suffix where Tivoli Access Manager maintains its metadata as follows:

idscfgsuf -s "secAuthority=<domain_name>"

where domain_name is the desired management domain name. The default suffix is Default; for example:

idscfgsuf -s "secAuthority=Default"

If you specify a location for the metadata that is not a stand-alone suffix, make sure the desired location already exists in the LDAP server before specifying the location. This suffix is added to the ibmslapd.conf file for the default instance. If you have more than one instance, specify the instance name using the -I option. At this point, you can create additional suffixes to maintain user and group definitions. For example:

idscfgsuf -s "c=US"

2. Start the LDAP server as follows:

UNIX or Linux
ibmdiradm &
ibmslapd &

Windows
From the Services window, start the following services:
IBM Tivoli Directory Server Admin Daemon V6.1 - instance_name
IBM Tivoli Directory Server Instance V6.1 - instance_name

3. Add entries for the suffixes you just created. For each new suffix (other than secAuthority=Default), create a file, add suffix entry information, and then run the idsldapadd command. For example, create a file named addcus with the following contents:

dn: c=us
objectclass: top
objectclass: country
c: us

Then run the following command:

idsldapadd -h host -D cn=root -w pwd -v -f addcus

where:

host Specifies the host name or IP address of the LDAP system.

cn=root
The default LDAP Administrator DN. If a different DN is used, specify it here.

pwd The password for the LDAP Administrator specified.
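Step 3 above requires one hand-written LDIF entry per new suffix, and the entry's objectclass depends on the attribute type of the suffix. The following Python snippet is an added example, not code from the IBM guide: it generalizes the addcus file to other suffix types using the standard LDAP objectclasses (c → country, o → organization, ou → organizationalUnit, dc → domain; this mapping is the example's own assumption), and it skips secAuthority=Default because, as the guide states, the policy server creates that entry itself. The output of each call is the text you would save to a file and pass to idsldapadd -f.

```python
"""Generate the LDIF entry required at each new suffix (added example).

Standard structural objectclasses are chosen from the attribute type of the
suffix's first RDN. secAuthority=Default gets no entry because the policy
server adds it during its own configuration.
"""
from typing import Dict, List, Optional, Tuple

# Objectclass per RDN attribute type. This table is an assumption of the
# example (standard LDAP schema), not a list taken from the guide.
RDN_OBJECTCLASS: Dict[str, str] = {
    "c": "country",
    "o": "organization",
    "ou": "organizationalUnit",
    "dc": "domain",
}

SEC_AUTHORITY_DEFAULT = "secAuthority=Default"


def first_rdn(dn: str) -> Tuple[str, str]:
    """Return (attribute_type, value) of the leftmost RDN of a simple DN."""
    rdn = dn.split(",", 1)[0].strip()
    if "=" not in rdn:
        raise ValueError(f"not a DN: {dn!r}")
    attr, value = rdn.split("=", 1)
    return attr.strip().lower(), value.strip()


def suffix_entry_ldif(suffix_dn: str) -> Optional[str]:
    """LDIF text for the entry that must exist at a new suffix, or None when
    the suffix needs no hand-made entry (secAuthority=Default)."""
    if suffix_dn.strip().lower() == SEC_AUTHORITY_DEFAULT.lower():
        return None
    attr, value = first_rdn(suffix_dn)
    if attr not in RDN_OBJECTCLASS:
        raise ValueError(f"no objectclass known for suffix attribute {attr!r}")
    return (
        f"dn: {suffix_dn.strip()}\n"
        "objectclass: top\n"
        f"objectclass: {RDN_OBJECTCLASS[attr]}\n"
        f"{attr}: {value}\n"
    )


def suffix_entries(suffixes: List[str]) -> Dict[str, str]:
    """Map each suffix that needs an entry to its LDIF text, preserving
    order, so one file per suffix can be written for idsldapadd -f."""
    out: Dict[str, str] = {}
    for s in suffixes:
        ldif = suffix_entry_ldif(s)
        if ldif is not None:
            out[s] = ldif
    return out


if __name__ == "__main__":
    # Constructed sample: the guide's own suffixes plus o=sample.
    for name, text in suffix_entries([SEC_AUTHORITY_DEFAULT, "c=us", "o=sample"]).items():
        print(f"--- {name} ---")
        print(text)
```

For c=us the function reproduces the addcus file shown above exactly; a suffix whose attribute type is not in the table raises rather than guessing an objectclass, which is the safer failure for a one-time registry setup.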

After you set up the Tivoli Directory Server for use with Tivoli Access Manager, you can either set up a Tivoli Directory Server proxy server (see “Setting up IBM Tivoli Directory Server” on page 54) or set up the policy server (see Chapter 4, “Setting up a policy server,” on page 137).

Setting up IBM z/OS LDAP Server

This section describes the configuration steps necessary to prepare the LDAP server on z/OS for Tivoli Access Manager. Particular emphasis is given to configuring Tivoli Access Manager against an IBM z/OS LDAP Server that has been configured to use its native authentication facility. This native authentication facility uses a System Authorization Facility (SAF) registry.

These guidelines assume a new LDAP server instance dedicated to the Tivoli Access Manager registry. For more information, consult the LDAP Server Administration and Use manual for your particular release of z/OS. This document is available through the z/OS library at:

http://www.ibm.com/servers/eserver/System z/zos/bkserv/

This section includes the following topics:
• “Updating schema files”
• “Adding suffixes”
• “Configuring Tivoli Access Manager for LDAP”
• “Native authentication user administration” on page 107

Updating schema files
You must update the z/OS schema to support the current version of Tivoli Access Manager. This must be done following the application of the schema.user.ldif and schema.IBM.ldif files supplied with z/OS LDAP server. For instructions on applying these schema files, see the IBM z/OS LDAP Server Administration and Use documentation at:

http://www.ibm.com/servers/eserver/System z/zos/bkserv/

To apply the Tivoli Access Manager schema to the z/OS LDAP server, use the ivrgy_tool utility. For instructions, see “ivrgy_tool” on page 569.

Adding suffixes
Tivoli Access Manager requires that you create a suffix which maintains Tivoli Access Manager metadata. You must add this suffix only once, when you first configure the LDAP server. This suffix enables Tivoli Access Manager to easily locate and manage the data. It also secures access to the data, avoiding integrity or corruption problems.

For more information about management domains, and creating a location for the metadata, see “Tivoli Access Manager management domains” on page 138 and “Creating a management domain location (example)” on page 139.

To add suffixes to the LDAP server’s slapd.conf file, consult the LDAP Server Administration and Use manual at:

http://www.ibm.com/servers/eserver/System z/zos/bkserv/

Note: Restart the LDAP server for changes to take effect.

If you decide to add suffixes after the Tivoli Access Manager policy server has been configured, you must apply the appropriate ACLs to the newly created suffix. You can use the ivrgy-tool to apply the ACLs to the new suffix. For more information about the ivrgy-tool, see “ivrgy_tool” on page 569.

See the z/OS LDAP Server Administration and Use Guide for details on updating the security server configuration file.

Configuring Tivoli Access Manager for LDAP
By default, Tivoli Access Manager processes all defined LDAP suffixes. If there are suffixes defined on the LDAP server that should not be used by Tivoli Access Manager, add them to the /access_mgr_install_dir/etc/ldap.conf file using the ignore-suffix keyword when configuring Tivoli Access Manager for LDAP on z/OS.

For example:

ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser

In this example, the sysplex=UTCPLXJ8 suffix is used to access the z/OS SDBM (RACF®) database. The LDAP administrator ID used by Tivoli Access Manager during configuration is not a RACF user ID on the z/OS system, and, therefore, does not have the authority to do SDBM searches. If this suffix was not added to the ignore-suffix list, Tivoli Access Manager would receive a return code x’32’ - LDAP_INSUFFICIENT_ACCESS, during configuration.

The other suffixes in the list are used by other applications on z/OS, and can be ignored by Tivoli Access Manager.

Note that Tivoli Access Manager supports LDAP failover and load-balancing for read operations. If you configured a replica server, you can provide the replica host name to Tivoli Access Manager in the ldap.conf file, which is installed with Tivoli Access Manager in the etc subdirectory.
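A practical way to check an ignore-suffix list before configuring against z/OS is to read it back and compare it with the suffixes the server actually defines. The Python below is an added example and not code from the IBM product: it parses ignore-suffix lines out of the [ldap] stanza (the stanza-file syntax it assumes, key = value lines with optional double quotes and ';' or '#' comment lines, is inferred from the three lines shown above and is an assumption of the example) and reports which suffixes Tivoli Access Manager would still process. DN comparison is case-insensitive and ignores whitespace around separators, a deliberate simplification of full LDAP DN matching.

```python
"""Read ignore-suffix entries from a Tivoli Access Manager ldap.conf [ldap]
stanza and compute the suffixes that would still be processed (added example).
"""
from typing import List, Set


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: lower-case, no whitespace around
    '=' or ','. A simplification of full RFC 4514 matching."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_ignore_suffixes(conf_text: str) -> Set[str]:
    """Collect the normalized suffixes listed with ignore-suffix inside the
    [ldap] stanza only; entries in other stanzas are not honoured."""
    ignored: Set[str] = set()
    in_ldap = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_ldap = line[1:-1].strip().lower() == "ldap"
            continue
        if not in_ldap:
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "ignore-suffix":
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quotes are needed for values with spaces
        ignored.add(normalize_dn(value))
    return ignored


def processed_suffixes(server_suffixes: List[str], conf_text: str) -> List[str]:
    """Suffixes Tivoli Access Manager would process: everything the server
    defines minus the ignore-suffix list, in the server's order."""
    ignored = parse_ignore_suffixes(conf_text)
    return [s for s in server_suffixes if normalize_dn(s) not in ignored]


# Constructed ldap.conf fragment mirroring the guide's example; the [other]
# stanza exists only to show that it is not consulted.
SAMPLE_LDAP_CONF = """
[ldap]
; suffixes owned by other z/OS applications
ignore-suffix = sysplex=UTCPLXJ8
ignore-suffix = "o=Your Company"
ignore-suffix = o=MQuser

[other]
ignore-suffix = c=us
"""

# Constructed list of suffixes as a server might report them.
SAMPLE_SERVER_SUFFIXES = [
    "secAuthority=Default",
    "c=us",
    "SYSPLEX=UTCPLXJ8",
    "o=Your Company",
    "o=MQuser",
]

if __name__ == "__main__":
    print(processed_suffixes(SAMPLE_SERVER_SUFFIXES, SAMPLE_LDAP_CONF))
```

Running it on the constructed input leaves only secAuthority=Default and c=us, which is the outcome the guide describes: the SDBM suffix the administrator ID cannot search, and the suffixes belonging to other applications, are never touched.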

Native authentication user administration
The majority of administrative tasks remain unchanged with the addition of native authentication. Operations such as user create, user show, adding a user to an ACL entry or group, and all user modify commands (except password) work the same as Tivoli Access Manager configured against any other LDAP registry. Users can change their own SAF passwords with the Web-based pkmspasswd utility.

Native authentication provides the added feature of many-to-one mapping of Tivoli Access Manager users to SAF user IDs. Multiple users can have the same ibm-nativeId, and all bind with the same password. For this reason, prevent many-to-one mapped users from changing the SAF password (otherwise there is an increased risk that users might inadvertently lock their peers out of their accounts). For example:

pdadmin sec_master> group modify SAFusers add user1
pdadmin sec_master> acl create deny_pkms
pdadmin sec_master> acl modify deny_pkms set group SAFusers T
pdadmin sec_master> acl attach /Webseal/server_name/pkmspasswd deny_pkms

Furthermore, there is no out-of-the-box administration command to set the ibm-nativeId entry for a user. To that end, the following instructions assist the management of Tivoli Access Manager users with an associated nativeId.

The user create command does not change:

pdadmin sec_master> user create user1 cn=user1,o=tivoli,c=us user1 user1 ChangeMe1
pdadmin sec_master> user modify user1 account-valid yes

The password (ChangeMe1, in this example) is set to the user’s userpassword entry in LDAP, which has no effect with native authentication enabled. In production environments, use the utility program provided with the z/OS LDAP Server to remove userpassword values from LDAP. This prevents password access if native authentication is inadvertently disabled.

To set the ibm-nativeId entry for a user, create an ldif file, called a schema file, similar to the following:

dn: cn=user1,o=tivoli,c=us
changetype: modify
objectclass: ibm-nativeAuthentication
ibm-nativeId: SAF_username

You can load the ldif file using the ldapmodify command on z/OS as follows:

ldapmodify -h host_name -p port -D bind_DN -w bind_pwd -f schema_file

Note: To run idsldapmodify from a Tivoli Directory Server client on a distributed system, the format of the ldif file changes slightly to:

dn: cn=user1,o=tivoli,c=us
objectclass: inetOrgPerson
objectclass: ibm-nativeAuthentication
ibm-nativeId: SAF_username

The SAF command to reset a user’s password is as follows:

ALTUSER SAF_username PASSWORD(new_password)

In addition to resetting the password, the command marks the password as expired, which requires the password to be changed during the next login. If desired, the NOEXPIRED option can be added to the command to prevent that behavior.

Note: The SAF_username must be defined as a z/OS UNIX System Services user. That is, the SAF_username must be defined on z/OS with an OMVS segment. The following is an example of a SAF command to define SAF_username as a UNIX System Services user:

altuser SAF_username omvs(home(/u/SAF_username) program(/bin/sh) uid(123456))

Note that to use native authentication, you must turn off the auth-using-compare stanza entry. To do so, edit the [ldap] stanza of the ivmgrd.conf and webseald.conf files and change the line as follows:

auth-using-compare = no

By default, authentications to LDAP are made with a compare operation, rather than a bind.

For more information on setting up native authentication, see the IBM z/OS LDAP Server Administration and Use documentation at:

http://www.ibm.com/servers/eserver/System z/zos/bkserv/

After you configure the IBM z/OS LDAP Server for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.

Setting up Lotus Domino
This section contains the following topics:
1. “Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0)” on page 110
2. “Installing a Lotus Notes client on a Tivoli Access Manager system” on page 112

To configure an IBM Lotus Domino server as a registry for Tivoli Access Manager, follow these steps:

Note: Tivoli Access Manager using a Domino registry is supported only on Windows platforms because the Lotus Notes client is available only on supported Windows platforms.

1. Ensure that you have reviewed and complied with the system requirements listed in “Supported registries” on page 13.

2. Create a Tivoli Access Manager administrative user for Domino. For instructions, see “Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0)” on page 110.

3. Locate your Domino installation media and install the Domino server. Refer to the Domino server installation documentation for instructions.

4. If a Tivoli Access Manager server is not installed on the Domino server system, Tivoli Access Manager does not require a Lotus Notes client to be on that Domino server system. If a Tivoli Access Manager server is installed on the Domino server system, you will need the Lotus Notes client and the ID you will want to use as the Tivoli Access Manager administrative ID. For Domino server administration, you will want to use the Domino server administrator ID for the Domino Administration interface. Note that these two IDs might be equivalent. The Notes ID file on the Lotus Notes client system must have sufficient administrative rights (manager access) to perform Tivoli Access Manager functions such as create, modify, and delete databases as well as create, modify, and delete users and groups in the name and address book (NAB).

5. Make sure you install the Lotus Notes client prior to installing the Access Manager Runtime component. If not, locate your Domino installation media and install a Lotus Notes client on the Tivoli Access Manager server system. For instructions, see “Installing a Lotus Notes client on a Tivoli Access Manager system” on page 112.

6. Ensure that these tasks were done when you installed the Domino server and Lotus Notes client:
• You named your Domino server (for example: domino1/Austin/IBM where domino1 is the Domino server machine host name and the remainder is the Domino domain name).
• You created the Notes name and address book (NAB), which contains your contacts, groups, connections, and locations. This database is located in the Lotus Domino data directory on your server.
• You installed the Lotus Notes client and created a Notes client password to allow you to access Notes databases on the Domino server.

7. If the Domino server is installed on a Windows system, then ensure that the following environment variable is set on the Domino server system:

NOTESNTSERVICE=1

This environment variable ensures that the Lotus Domino server, when running as a Windows service, remains running after the user who started the service logs off the system.

After you configure Domino for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.

Creating a Tivoli Access Manager administrative user for Domino (versions 6.5, 7.0.1, 7.0.2, and 8.0)

For Tivoli Access Manager systems to communicate with a Lotus Domino Version 6.5, 7.0.1, 7.0.2 or 8.0 server, you must create and register a Tivoli Access Manager administrative user for Domino. When creating the Tivoli Access Manager administrative user for Domino, any user name can be used. You should disable mail for this user.

To create and register the Tivoli Access Manager administrative user for Domino, follow these steps:
1. Make sure you have the following before you begin registration:
• Access to the certifier ID (.id file) and its password
• Access to the Domino Directory database from the system you work on
• Editor access or the UserCreator role in the Domino Directory on the registration server
• Manager access to enable you to:
– Assign an access level to a user, group or database.
– Add, update or delete users or groups in the address book.

2. From the Domino Administrative client, click the People & Groups tab.
3. Select Domino Directories, and then select People.
4. From the Tools pane, click People -> Register.
5. Select the Domino server's certifier ID. The default location is: C:\Program Files\Lotus\Domino\Data

Note: Notes uses the certifier ID specified in Administration Preferences; or, if none is specified, the ID specified in the CertifierIDFile setting of the NOTES.INI file is used.

6. If prompted, type the certifier ID password that was set up during server configuration and click OK. To change the certifier ID, click Cancel.

7. Select the Advanced check box and complete fields in the Basics pane. For example, enter information similar to the following for the Tivoli Access Manager administrative user:
• First name: AM
• Last name: Daemons
• Password: pwd

The name of the privileged user is not restricted; it can be anything that is valid for the Domino server. In this example, AMDaemons is the identity of Tivoli Access Manager in Domino.

8. To disable Mail for that user, click on the Mail button. Select None in the Mail system drop-down list.

9. Click ID Info to make sure the Notes ID file is stored in the Domino directory. Select the check box to save the ID file to disk and click Register to add the request to the registration queue.

10. If the registration does not start immediately, select the user name in the registration queue and click Register All to register and add the user to the Domino server. The Tivoli Access Manager administration user requires Manager access (including delete) to the domain name and address book (NAB). A message is displayed indicating that the person was registered successfully. Click OK to remove the message dialog and then click Done.

At this time the new user's ID file is available in the directory you specified.11. To grant the Tivoli Access Manager administration user the permissions, click

the Files tab.12. Highlight your domain's address book, and select Tools -> Database ->

Manage ACL.... Click Add under the list of People, Servers, and Groups.13. Select the newly created Tivoli Access Manager administration user from the

Domain address book by clicking the person icon.14. Click on the Add button, then OK on the Names window, and then OK again

on the Add User window.This user can now be added to the access control list and the appropriateaccess level set by following the procedure described in “Adding a user to theaccess control list and set the access level.”

15. From the Domino Administrator, select Refresh from the View menu to verifythat the Tivoli Access Manager user was created in the Domino server.

16. The new user must be given the ability to create and delete databases on theserver. While logged on as the Domino administrator, do the following.a. Select the server Configuration tab.b. On the left side of the panel select Server and then Current server

document.c. At the top of the server document pane, click Edit Server.d. Click the Security tab of the edit panee. Scroll down to the Server Access section of the pane and add the name of

the new user to the Create databases & templates listf. Click Save and Close.

Determining if the Tivoli Access Manager ID has access to create a database on a server

Lotus Notes lets you easily create databases. If you want to, you can use a template to create a database – that is, a file that contains forms and views, but not documents, or you can just use a blank template. You can create a database locally, or you can create a database on a server if you have the access to do so.

1. Log on to the Domino server using the Tivoli Access Manager ID and password.

2. Open the Domino Directory database that lists the server you want to access.

3. Click the Servers view in the Domino Directory, and then select the server.

4. Double-click the selected server name to open the server document.

5. Click the Security tab in the server document.

6. In the Server Access section, check to see if your name or a group you are part of is listed in the Create new databases field. If it is, then you can create a database on that server.

Adding a user to the access control list and set the access level

To assign an access level to a user, you must have Manager access to the database and use the Domino Administrative client.

1. Using the Domino Administrative client, open the directory database on the server. This is the name and address book (NAB) on the server.

2. Choose File → Database → Access Control.

3. Click Basics, and then click Add.

Chapter 3. Setting up the registry server 111


4. Enter the name of the person, server, or group (for example, the newly-created Tivoli Access Manager administrative user) to whom you are giving access, and then click OK. You can click the person icon to pick a name from an address book.

5. Select the user just added in the displayed list of users. In the Attributes section, indicate in the User type field that the user is a Person and has the role of Editor.

6. In the Access level list on the same panel, select the access level you want to assign to the user. In addition to the default access, mark the check box granting permission to delete documents. Refer to Access levels for a database and Additional privileges in the access control list for more details on access levels and privileges users can have. A Tivoli Access Manager user should have Editor access to the NAB and be able to delete and replicate documents. The roles should include being able to create and modify groups, and create and modify users.

7. Click OK to apply your changes.

Defining an administration server for a database

If you define an administration server for your database, the server, through its Administration Process, updates names in the ACL (and Reader and Author fields) as those names are updated in the Domino Directory of the server. The administration server for a database is identified by a key next to the server name if the server name is listed in the ACL. If you are not sure which server you should enter as the administration server in the ACL, contact your administrator.

1. Make sure that you have Manager access in the database ACL.

2. Open the database.

3. Choose File → Database → Access Control.

4. Click Advanced.

5. Select Server under Administration Server.

6. Select a server from the Server list or type the hierarchical name of a server in the Server field.

7. From the Action list, select one of the following:
   • Do not modify Names fields does not modify any fields with type Names in any document
   • Modify all Readers and Authors fields only modifies those fields which are Reader and Author. Note that Reader and Author are a subset of type Names
   • Modify all Names fields modifies all fields with type Names in all documents

For more information on Names, Reader, and Author fields, see the Lotus Domino Designer 6 Help.

Installing a Lotus Notes client on a Tivoli Access Manager system

To see what versions of Lotus Notes client that Tivoli Access Manager supports, refer to the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

Note that you do not need to install the Lotus Notes client on the Domino server system. The Lotus Notes client is required only for the system on which a Tivoli Access Manager runtime, using Domino as the user registry, is installed. Typically, the administration client is installed on the Domino server.

To install and configure a Lotus Notes client on the Domino server, follow these general steps:


1. If you already have a Lotus Notes ID file that is in use on another client system, copy this binary file to the drive:\Lotus\Notes\data directory on your local system.

   Note: If you are uncertain about the name of the ID file you are currently using, click File → Tools → User ID from the Lotus Notes client interface to locate the ID file name.

2. Run the Notes client setup file from the Lotus Notes or Domino CD for Windows and follow online instructions.

   Note: Depending on the installation medium you are using, you might be prompted to install other program features. For Tivoli Access Manager installation, the Notes client is the only required feature.

3. From the Lotus Notes Installation window, select Typical and follow instructions. When the installation is complete, click Finish.

4. Launch the Lotus Notes program to perform configuration. For example, click Start → Programs → Lotus Applications → Lotus Notes.

5. From the Lotus Notes Client Configuration window, click Next and complete the following information:
   • Select I want to connect to a Domino server and click Next.
   • Select Set up a connection to a local area network (LAN) and click Next.
   • Type the fully qualified name of your Domino server and click Next. This can be a mail or passthru server, or some other server that knows who you are. For example, enter the following in the Domino server name field: domino1/Austin/IBM
   • Do one of the following:
     – If you are provided the Lotus Notes ID file, select My Notes UserID has been supplied to me in a file and either click Browse to locate the ID file or type the fully qualified name of the ID file in the File name field. For example, type c:\notes\data\username.id.
     – Select Use my name as identification and type the Tivoli Access Manager administrative user ID (for example, AMDaemons) in the User name field.
   Click Next to continue.

6. If prompted for additional configuration information, you can accept the default values. Click Finish to continue the Notes client configuration steps.

7. If appropriate, select the Do not connect to an internet proxy server button. A password prompt window opens when the Notes client can access the remote Domino server.

8. Enter the password for the Tivoli Access Manager administrative user. If the password is correct, the Notes client continues to finish the remaining configuration.
   When configuration is complete, the Notes ID file for the administrative user is installed in either the \notes\data directory on the local system if you have been provided the Lotus Notes ID file (as described in step 5 on page 113), or installed in install_dir\Notes\Data if you selected the directory to install in.

Setting up Microsoft Active Directory

To set up Active Directory for Tivoli Access Manager, you must perform the following tasks in this order:
1. Create an Active Directory domain.
2. Join an Active Directory domain.
3. Create an Active Directory administrative user.
4. Change Active Directory replication settings, if needed.

After you set up an Active Directory domain for use with Tivoli Access Manager, the next step is to set up the policy server on a Windows 2003 system. For instructions, see Chapter 4, "Setting up a policy server," on page 137.

Active Directory considerations

It is important to review the following information before configuring Active Directory for Tivoli Access Manager:

• Users created in Active Directory may have an associated primary group. The Active Directory default primary group is Domain Users. But Active Directory does not add the primary group information to the user's memberOf or the group's member attribute. This means that when Tivoli Access Manager queries for a list of members of a group, the result does not include any members for whom the group is the primary group. Additionally, when Tivoli Access Manager queries for all the groups to which a user belongs, the query result does not display the primary group of the user. For this reason, avoid using a Tivoli Access Manager group as the Active Directory primary group for Tivoli Access Manager users.

• Tivoli Access Manager can be configured in an Active Directory single domain or multi-domain environment. For information about single domain or multi-domain environments, see the Active Directory product documentation at the following Web address:
  http://www.microsoft.com/windowsserver2003/proddoc/

• When Tivoli Access Manager is configured to use the Active Directory user registry with multiple Active Directory domains, the policy server must be installed and configured only from the root Active Directory domain or a client of that root domain.

• If Tivoli Access Manager is to be installed on a non-domain controller system, this system needs to join to the Active Directory domain where Tivoli Access Manager is to be configured.

• For dynamic group related information, see the Active Directory product documentation at these Web addresses:
  – http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetserv/html/azmandynamgrps.asp
  – http://support.microsoft.com/default.aspx?scid=kb;en-us;322692
  – http://microsoft.com (search key: Azman)

• Microsoft supports two different types of Authorization Storages, Active Directory and XML, that store application groups such as dynamic groups. However, Tivoli Access Manager limits support of dynamic groups only to the Active Directory Authorization Stores of dynamic groups. Tivoli Access Manager does not support dynamic groups that are created in XML Authorization Storage.

• Tivoli Access Manager supports only the security global group.

• To import an Active Directory user as a Tivoli Access Manager user, use the Active Directory user's login name as the user ID for the Tivoli Access Manager user.

• If you installed and configured Tivoli Access Manager on a client of Active Directory (for example, Tivoli Access Manager and Active Directory are on different systems), the client system must join the domain. You must sign on to the domain using the created Active Directory administrative user to perform Tivoli Access Manager configuration on the client system.

• When using SSL to communicate with the Active Directory server, the SSL port is limited by Active Directory to the default SSL port number of 636.

• If the Active Directory environment is behind a firewall, make sure that Microsoft-DS port 445 is open. For more information about the server message block (SMB) protocol over IP, refer to the following Web site:
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/base/microsoft_smb_protocol_authentication.asp

• The DNS in the network TCP/IP setting on the client system must be the same as the domain controller's network TCP/IP setting. You can use the root domain controller as the DNS server or you can use a separate DNS.

• When Tivoli Access Manager is configured to use Active Directory as the user registry, the Global Catalog server must be running and accessible to Tivoli Access Manager servers. Active Directory also uses the Global Catalog server for user authentication. The Global Catalog uses port 3268 for non-SSL authentication and port 3269 for SSL authentication. For more information about Global Catalog requirements for user and computer logon, see http://support.microsoft.com/kb/216970. For more information about Global Catalog ports, see http://support.microsoft.com/kb/179442.
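The port, DNS and primary-group points in the list above can be verified before configuration starts rather than discovered when a user or group query comes back short. The following PowerShell is an added example, not from this guide or from IBM; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module, Test-NetConnection and Resolve-DnsName available (Windows 8 / Server 2012 or later), and the names dc1.example.com and example.com are placeholders.

```powershell
# Added preflight check for the Active Directory considerations above.
# Not part of the Installation Guide. Assumes: RSAT ActiveDirectory module,
# Test-NetConnection and Resolve-DnsName (Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory

# Well-known RID of "Domain Users", the default Active Directory primary group.
$DomainUsersRid = 513

function Test-TamAdPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$GlobalCatalog = $DomainController
    )
    # Ports the guide names: LDAPS 636 (the only SSL port Active Directory
    # permits), Microsoft-DS 445 (SMB over IP), Global Catalog 3268 / 3269.
    $checks = @(
        @{ Host = $DomainController; Port = 636;  Purpose = 'LDAP over SSL' }
        @{ Host = $DomainController; Port = 445;  Purpose = 'Microsoft-DS (SMB over IP)' }
        @{ Host = $GlobalCatalog;    Port = 3268; Purpose = 'Global Catalog' }
        @{ Host = $GlobalCatalog;    Port = 3269; Purpose = 'Global Catalog over SSL' }
    )
    foreach ($c in $checks) {
        $open = Test-NetConnection -ComputerName $c.Host -Port $c.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $c.Host; Port = $c.Port; Purpose = $c.Purpose; Open = [bool]$open }
    }
}

function Test-TamDomainDns {
    param([Parameter(Mandatory)][string]$DomainDnsName)
    # The client must use DNS that knows the domain; resolving the domain
    # controller SRV record proves the configured resolver can find it.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV -ErrorAction Stop
        [pscustomobject]@{ Domain = $DomainDnsName; Resolvable = $true; DomainControllers = @($srv.NameTarget) }
    } catch {
        [pscustomobject]@{ Domain = $DomainDnsName; Resolvable = $false; DomainControllers = @() }
    }
}

function Find-NonDefaultPrimaryGroupUsers {
    # Active Directory does not reflect the primary group in memberOf / member,
    # so Tivoli Access Manager group queries never see that membership. Any user
    # whose primary group is not Domain Users needs a look before that group is
    # used as a Tivoli Access Manager group.
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADUser -Filter * -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -ne $DomainUsersRid } |
        ForEach-Object {
            # The primary group is stored as a RID; rebuild its SID to look it up.
            $group = Get-ADGroup -Identity "$domainSid-$($_.primaryGroupID)"
            [pscustomobject]@{ User = $_.SamAccountName; PrimaryGroup = $group.Name }
        }
}

# Placeholder names; replace with your environment's values.
Test-TamAdPorts -DomainController 'dc1.example.com' | Format-Table -AutoSize
Test-TamDomainDns -DomainDnsName 'example.com' | Format-List
Find-NonDefaultPrimaryGroupUsers | Format-Table -AutoSize
```

A closed port in the first table, or a domain that does not resolve, points at the firewall or DNS items in the list; any row from the last function is a user whose group membership Tivoli Access Manager will under-report.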

Creating an Active Directory domain

Use the Active Directory configuration wizard to promote your Windows server system to a domain controller. The act of creating a domain controller also creates an Active Directory domain.

Before you begin, you must decide if you want to create a domain controller for a new domain or create an additional domain controller for an existing domain. If you plan to create a domain controller for a new domain, you must also answer whether or not this new domain will be one of the following:
• The first domain in a new forest
• The first domain in a new domain tree in an existing forest
• A child domain in an existing domain tree

Note: If the new domain name does not exist in Forward Lookup Zones in DNS, it must be created as a new zone before you configure a new domain controller. For more information about domain controllers, domain trees, and forests, consult your Windows server documentation.

To create a domain or add an additional domain controller to an existing domain, follow these steps:


• "Joining an Active Directory domain"
• "Creating an Active Directory administrative user" on page 118

Joining an Active Directory domain

After you create an Active Directory domain, follow these steps to join a Windows Advanced Server to an Active Directory domain.

Note: Ensure that you are logged on as an administrator to the local system and have a valid user name and password. Also ensure that the client and server systems are in the same DNS before adding a system to the domain.

1. Right-click My Computer and then click Properties. The System Properties notebook is displayed.

2. Click the Network Identification tab.

3. Click Properties. Under Member of, select Domain and type the name of the domain that you want to join. Click OK to continue.


4. From the Domain Username And Password window, type a valid user name and password and then click OK to join the system to the domain.

5. If the join operation is successful, a welcome window is displayed as shown. Click OK to continue.

6. A dialog is displayed indicating that the system needs to be rebooted. Click OK to continue.

7. The System Properties notebook is displayed, indicating that the join operation has completed. Click OK to restart your system.


Note: After your system is restarted, ensure that you are signing into the Active Directory domain that you have just joined. Usually, the local domain is the default domain in a Windows Login window.

Creating an Active Directory administrative user

To create an Active Directory administrative user for Tivoli Access Manager initialization, follow these steps:

1. On the Active Directory server system, select Start → Control Panel → Administrative Tools → Active Directory → Users and Computers.

2. Create a new user and add this new user to these groups: Administrators, Domain Admins, Enterprise Admins, and Schema Admins. This user is an Active Directory user only, not a Tivoli Access Manager user. You can select any name as the user login name, except sec_master, which is reserved for the Tivoli Access Manager administrator.

The Enterprise Admins and the Schema Admins groups belong to the Active Directory root domain. The Administrators group refers to the Administrators group of the root domain, not to the secondary or child domain.

If you want Tivoli Access Manager to be configured using Active Directory single domain on an Active Directory secondary or child domain (non-root domain), you must still add the user that you created to all those groups listed for Tivoli Access Manager to configure properly.

After the Tivoli Access Manager configuration is finished, you can remove the Administrators, Enterprise Admins, and Schema Admins groups from the user's group member list.
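Because the account needs forest-wide rights only while configuration runs, it helps to script both halves: creating the user with the four groups the guide lists, and taking the three temporary groups away again afterwards so the reduction is not forgotten. The following PowerShell is an added example, not from this guide or from IBM; it assumes the RSAT ActiveDirectory module, a session logged on to the forest root domain, and that the account itself is created in the root domain. The account name tamconfig and the OU path are placeholders.

```powershell
# Added example, not from the Installation Guide or from IBM. Assumes the RSAT
# ActiveDirectory module, run while logged on to the forest root domain.
Import-Module ActiveDirectory

# Groups the guide requires while Tivoli Access Manager is configured ...
$RequiredGroups  = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
# ... and the three it says can be removed once configuration is finished.
$TemporaryGroups = 'Administrators', 'Enterprise Admins', 'Schema Admins'

function New-TamConfigAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$Password,
        [string]$Path    # optional OU distinguished name; default container if omitted
    )
    # The guide reserves sec_master for the Tivoli Access Manager administrator.
    if ($SamAccountName -ieq 'sec_master') {
        throw "sec_master is reserved for the Tivoli Access Manager administrator; choose another name."
    }
    # Enterprise Admins, Schema Admins and Administrators are the root domain's
    # groups, so the account is created and added there (assumption: the account
    # lives in the root domain as well).
    $root = (Get-ADForest).RootDomain
    $new = @{ Name = $SamAccountName; SamAccountName = $SamAccountName
              AccountPassword = $Password; Enabled = $true; Server = $root }
    if ($Path) { $new.Path = $Path }
    $user = New-ADUser @new -PassThru
    foreach ($g in $RequiredGroups) {
        Add-ADGroupMember -Identity $g -Members $user -Server $root
    }
    $user
}

function Remove-TamTemporaryPrivileges {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Run after the policy server configuration (pdconfig) has completed.
    $root = (Get-ADForest).RootDomain
    foreach ($g in $TemporaryGroups) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Server $root -Confirm:$false
    }
    # Return what is left so the reduction can be checked: Domain Admins and the
    # primary group Domain Users are expected, nothing else.
    (Get-ADPrincipalGroupMembership -Identity $SamAccountName -Server $root).Name
}

# Placeholder account name and OU.
$account = New-TamConfigAccount -SamAccountName 'tamconfig' `
    -Password (Read-Host -AsSecureString 'Password for tamconfig') `
    -Path 'OU=Service Accounts,DC=example,DC=com'
# ... configure Tivoli Access Manager with this account, then:
Remove-TamTemporaryPrivileges -SamAccountName 'tamconfig'
```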


Changing Active Directory replication settings

When a domain controller writes a change to its local copy of the Active Directory, a timer is started that determines when the domain controller's replication partners should be notified of the change. By default, this interval is 300 seconds (5 minutes). When this interval elapses, the domain controller initiates a notification to each intra-site replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notifications. This parameter prevents simultaneous replies by the replication partners. By default, this interval is 30 seconds. Both of these intervals can be modified by editing the registry.

To modify the delay between the change to the Active Directory and first replication partner notification, use the Registry Editor to modify value data for the Replicator notify pause after modify (secs) DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Attention: Use caution when modifying data using the Registry Editor. Incorrect use can cause severe errors that might require you to reinstall your operating system.

The default value data for the Replicator notify pause after modify (secs) DWORD value is 0x12c hexadecimal, which is 300 decimal (5 minutes).

To modify the notification delay between domain controllers, use the Registry Editor to modify value data for the Replicator notify pause between DSAs (secs) DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

The default value data for the Replicator notify pause between DSAs (secs) DWORD value is 0x1e hexadecimal, which is 30 decimal (30 seconds).

Note: You must stop the policy server before editing the registry and then restart the system afterwards.

During Active Directory multi-domain configuration, a data propagation delay occurs with a default value of 5 minutes. A user or group, which was just created in non-root domains, might not be visible when user list or group list commands are issued. Similarly, a user or group, newly created in the primary root domain controller, might not be immediately visible in the secondary root domain. By adjusting the values of Replicator notify pause after modify and Replicator notify pause between DSAs in the Windows system registry, you can change the behavior to best fit your environment needs.
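The two registry values above can be read and changed from PowerShell instead of the Registry Editor, which makes the current setting visible before a change and lets the change be previewed with -WhatIf. The following is an added example, not from this guide or from IBM; the key and value names are the ones the guide documents, and it assumes an elevated session on the domain controller. It does not stop the policy server or restart the system for you; the Note above still applies.

```powershell
# Added example, not from the Installation Guide or from IBM. Run elevated on the
# domain controller. Key and value names are those the guide documents.
$NtdsKey = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'

# Documented defaults: 0x12c = 300 seconds (5 minutes), 0x1e = 30 seconds.
$ReplicationDefaults = @{
    'Replicator notify pause after modify (secs)' = 300
    'Replicator notify pause between DSAs (secs)' = 30
}

function Get-TamReplicationDelays {
    # Returns current and default values side by side. A value that is absent
    # from the key means the default is in effect.
    $props = Get-ItemProperty -Path $NtdsKey
    foreach ($name in $ReplicationDefaults.Keys) {
        $current = $props.$name
        [pscustomobject]@{
            Name    = $name
            Current = if ($null -eq $current) { $ReplicationDefaults[$name] } else { [int]$current }
            Hex     = if ($null -eq $current) { '(not set)' } else { '0x{0:x}' -f [int]$current }
            Default = $ReplicationDefaults[$name]
        }
    }
}

function Set-TamReplicationDelays {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, [int]::MaxValue)][int]$PauseAfterModifySeconds = 300,
        [ValidateRange(0, [int]::MaxValue)][int]$PauseBetweenDsasSeconds = 30
    )
    # Per the guide: stop the policy server before editing and restart the
    # system afterwards. Both values are DWORDs holding seconds.
    $changes = @{
        'Replicator notify pause after modify (secs)' = $PauseAfterModifySeconds
        'Replicator notify pause between DSAs (secs)' = $PauseBetweenDsasSeconds
    }
    foreach ($name in $changes.Keys) {
        if ($PSCmdlet.ShouldProcess("$NtdsKey\$name", "set to $($changes[$name]) seconds")) {
            Set-ItemProperty -Path $NtdsKey -Name $name -Value $changes[$name] -Type DWord
        }
    }
    Get-TamReplicationDelays
}

# Inspect first, preview the change, then apply (example: 60 s / 10 s).
Get-TamReplicationDelays | Format-Table -AutoSize
Set-TamReplicationDelays -PauseAfterModifySeconds 60 -PauseBetweenDsasSeconds 10 -WhatIf
Set-TamReplicationDelays -PauseAfterModifySeconds 60 -PauseBetweenDsasSeconds 10
```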

Setting up Microsoft Active Directory Application Mode (ADAM)

Before you install Active Directory Application Mode (ADAM), read "Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)" on page 120, which provides a summary of important Tivoli Access Manager considerations and requirements when installing and configuring ADAM.

For complete download, installation and configuration instructions, see the ADAM documentation at the following Web address:


http://www.microsoft.com/windowsserver2003/adam/default.mspx

This section contains the following topics:
• "Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)"
• "Installing Access Manager with support for Active Directory Application Mode (ADAM)"
• "Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)" on page 121
• "Configuring a default Tivoli Access Manager directory partition" on page 123
• "Adding an administrator to the Tivoli Access Manager metadata directory partition" on page 124
• "Allowing anonymous bind" on page 126

Installing and configuring Active Directory Application Mode (ADAM) for Tivoli Access Manager (Overview)

The following overview provides guidelines for installing and configuring Active Directory Application Mode (ADAM) to use as a user registry with Tivoli Access Manager:

1. When installing ADAM, log on to the system using an account that belongs to the local Administrators group. Use the Active Directory Application Mode Setup Wizard to configure your ADAM instance.

2. When you create an ADAM instance, you must specify an ADAM instance name which will be used to uniquely identify the instance and name the ADAM service.

3. Specify the ports used for both non-SSL and SSL connection types within the ADAM instance. Make note of the port numbers you specify because they must be entered when you configure Tivoli Access Manager.

4. On the Application Directory Partition pane of the Active Directory Application Mode Setup Wizard, create an application directory partition to contain the user and group definitions that you use. Below the directory partition, you can create other Directory Information Tree (DIT) entries as needed.

5. On the Importing LDIF Files pane of the Active Directory Application Mode Setup Wizard, import the following LDIF files to update the schema used by this instance of ADAM:
   • MS-InetOrgPerson.LDF
   • MS-User.LDF
   • MS-UserProxy.LDF

6. When you finish installing ADAM, ensure that the installation completed successfully and did not contain any errors. adamsetup.log and adamsetup_loader.log contain information that can help you troubleshoot ADAM setup failure.

Installing Access Manager with support for Active Directory Application Mode (ADAM)

The Tivoli Access Manager Active Directory Application Mode (ADAM) schema file, tam-adamschema.ldf, is located in the following directories:
• AIX: /opt/PolicyDirector/etc
• Solaris: /opt/PolicyDirector/etc


• HP: /opt/PolicyDirector/etc
• Linux: /opt/PolicyDirector/etc
• Windows: install_base\etc

Where install_base is the installation directory. The default directory is C:\Program Files\Tivoli\Policy Director.

Although tam-adamschema.ldf is installed as part of the Tivoli Access Manager runtime component on all platforms, the schema must be applied on the ADAM server, which runs on a Windows platform only. If you use Tivoli Access Manager on a non-Windows platform when using ADAM, the schema definition file must be copied from the Tivoli Access Manager runtime installation to the Windows system on which ADAM is running.

Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)

Tivoli Access Manager defines its own set of LDAP entry types and attributes that it uses to track user, group and policy information. These extensions to the basic LDAP server schema must be added to Active Directory Application Mode (ADAM) before configuring Access Manager.

After you install ADAM and configure the ADAM instance using the Active Directory Application Mode Setup Wizard, the Tivoli Access Manager schema extensions can be added to ADAM using the ldifde.exe command-line tool included with ADAM.

Prior to adding Tivoli Access Manager schema extensions, ensure that you have defined inetOrgPerson and user schema definitions included with ADAM. If the inetOrgPerson and user schema extensions have not been added yet, they can also be added using the ldifde.exe command-line tool and should be done prior to adding the Access Manager schema.

To add inetOrgPerson and user schema extensions, use the following procedure. After you run these commands, the ADAM schema will include the ADAM, inetOrgPerson and user objectclasses and attribute definitions. If these schema extensions have already been added, you can skip this procedure:

1. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.

2. At the command prompt, type the following command and then press ENTER:
   ldifde -i -f ms-inetorgperson.ldf -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

   where servername represents the workstation name and portnumber is the LDAP connection port of your ADAM instance. If ADAM is running on your local workstation, you can also use localhost as the workstation name.

3. Type the following command, and then press ENTER:
   ldifde -i -f ms-user.ldf -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

   where servername represents the workstation name and portnumber is the LDAP connection port of your ADAM instance. If ADAM is running on your local workstation, you can also use localhost as the workstation name.

After you have ensured that the ADAM schema includes the inetOrgPerson and user definitions, add the Tivoli Access Manager schema extensions:


1. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.

2. At the command prompt, type the following command and then press ENTER:
   ldifde -i -e -f tam-adamschema.ldf -s servername:portnumber -k -j . -c "CN=Schema,CN=Configuration" #schemaNamingContext

   where servername represents the workstation name and portnumber is the LDAP connection port of your ADAM instance. If ADAM is running on your local workstation, you can also use localhost as the workstation name. The tam-adamschema.ldf file is included with the Tivoli Access Manager ADAM feature.

Configuring Tivoli Access Manager location for Active Directory Application Mode (ADAM)

When the Tivoli Access Manager policy server is configured, the management domain is created. The management domain is the initial security domain.

Metadata used to track Tivoli Access Manager information about the domain is created and maintained in the user registry. When the policy server is configured, the administrator specifies the name of the management domain or uses the default name of Default.

The administrator also specifies the location in the registry where this metadata is stored by specifying the management domain location DN. The location specified must already exist in the user registry. If the administrator chooses to use the default management domain location, the information is maintained in a specific Active Directory Application Mode (ADAM) partition, which must be called secAuthority=<management_domain_name>, where management_domain_name is the management domain name specified. For example, if the default management domain name is used, the partition would be called secAuthority=Default. If the administrator does not use the default location and specifies the management domain location DN, any existing location within the ADAM registry may be used as long as it is a container object.

Note: You must choose a location DN within the same directory partition where you will store user and group information. This is required because ADAM requires that the policy server must exist in the same directory partition in which the user and group information is maintained. The policy server cannot maintain user and group information outside the ADAM directory partition in which the policy server itself is defined. For this reason, it is recommended that the default management location not be chosen during the policy server configuration when ADAM is being used as the Tivoli Access Manager registry. Instead, it is recommended that you choose the management domain location within the ADAM partition in which you wish to maintain the users and groups which reflect your enterprise organizational structure.

Attention: If you chose the default management location during policy server configuration, the option to permanently remove domain information from the registry deletes all data in the ADAM partition of the default domain management location, including registry-specific data, when you unconfigure Tivoli Access Manager. To retain registry-specific data, choose the management domain location in the ADAM partition in which you want to maintain users and groups. The default management location is the location for Tivoli Access Manager metadata.


Configuring a default Tivoli Access Manager directory partition

By default, Tivoli Access Manager maintains its metadata information within a specific Active Directory Application Mode (ADAM) directory partition (also known as a naming context or suffix). This default Tivoli Access Manager metadata directory partition is called secAuthority=Default.

The partition must be created after the Access Manager schema extensions have been added to ADAM and before the Tivoli Access Manager Policy Server has been configured. For more information about adding schema extensions, see "Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)" on page 121.

To create the default Tivoli Access Manager metadata directory partition, use the ADAM administration tool ldp.exe. This tool is installed as part of the ADAM administration tool set. To use the ldp.exe tool, you must connect and bind to the ADAM instance using the following procedure:

Note: You must choose a location DN within the same directory partition where you will store user and group information. This is required because ADAM requires that the policy server must exist in the same directory partition in which user and group information is maintained. The policy server cannot maintain user and group information outside the directory partition in which the policy server itself is defined.

1. Connect to the ADAM instance:
   a. Click Start > All Programs > ADAM > ADAM Tools Command Prompt.
   b. At the command prompt, type ldp and then press ENTER. The ldp window is displayed.
   c. On the Connection menu, click Connect....
   d. In the Server field, type the host or DNS name of the system running ADAM. When the ADAM instance is running locally, you can also type localhost for this field value.
   e. In the Port field, type the LDAP or SSL port number for the ADAM instance to which you want to connect. Then click OK. The ldp tool connects to the ADAM instance and displays progress information obtained from the root DSE in the pane on the right side of the window.

2. Bind to the ADAM instance:
   a. From the Connection menu, select Bind...
   b. Do one of the following:
      • To bind using the credentials you are logged on with, click Bind as currently logged on user.
      • To bind using a domain user account, click Bind with credentials. Type the user name, password and domain name (or the workstation name if you are using a local workstation account) of the account that you wish to use and click OK.
      • To bind using an ADAM user name and password, click Simple bind. Type the user name and password of the account you wish to use and click OK.
      • To bind using an advanced method such as NTLM, DPA, negotiate, or digest, click Advanced (NEGOTIATE). Click Advanced. Select the desired method, and set other options as needed. Click OK twice.


   c. When you are finished specifying bind options, click OK. The ldp tool will bind to the ADAM instance using the method and credentials specified.

3. Add children:
   a. From the Browse menu, select Add child.
   b. In the Dn field, type secAuthority=Default as the distinguished name for the new directory partition.
   c. In the Edit Entry field, type the following and then click ENTER.
      • In the Attribute field, type ObjectClass.
      • In the Values field, type secAuthorityInfo.
   d. In the Edit Entry field, type the following and then click ENTER.
      • In the Attribute field, type SecAuthority.
      • In the Values field, type Default.
   e. In the Edit Entry field, type the following and then click ENTER.
      • In the Attribute field, type version.
      • In the Values field, type 6.0.
   f. In the Edit Entry field, type the following and then click ENTER.
      • In the Attribute field, type cn.
      • In the Values field, type secAuthority.
   g. In the Edit Entry field, type the following and then click ENTER.
      • In the Attribute field, type instanceType.
      • In the Values field, type 5.
   The set of attributes and values appear in the Entry List pane.
   h. Ensure the Synchronous option is selected and click Run. This will add the required Access Manager metadata directory partition to the ADAM instance. To verify that the partition has been properly added, you can use the ADAM ADSI Edit tool to connect to and view the partition.
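The schema imports from "Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)" and the partition entry built by hand in ldp.exe above are both things a practitioner wants to repeat identically on every ADAM instance and to verify afterwards. The following PowerShell is an added example, not from this guide or from IBM: it runs the three ldifde imports in the order the guide gives, with the same switches, stops on a non-zero exit code, writes the same secAuthority=<management_domain_name> entry as an ldifde import file, and checks the root DSE to confirm the schema class and the new naming context exist. It assumes ldifde.exe is on the PATH (the ADAM Tools Command Prompt provides this), that the Microsoft .ldf files are in %windir%\ADAM (an assumption), and uses localhost, port 389 and the default Windows install path as placeholders.

```powershell
# Added example, not from the Installation Guide or from IBM. Run on the Windows
# system hosting the ADAM instance, from a shell where ldifde.exe is on the PATH.

function Invoke-Ldifde {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [string]$ReplaceFrom,        # string handed to -c, replaced by #schemaNamingContext
        [string[]]$ExtraArgs = @()   # e.g. '-e', as in the guide's tam-adamschema.ldf command
    )
    # Same switches as the guide's commands: -i import, -f file, -s server:port,
    # -k continue past errors such as "already exists", -j log directory, -c substitution.
    $ldifdeArgs = @('-i') + $ExtraArgs + @('-f', $File, '-s', "${Server}:${Port}", '-k', '-j', '.')
    if ($ReplaceFrom) { $ldifdeArgs += @('-c', $ReplaceFrom, '#schemaNamingContext') }
    & ldifde.exe @ldifdeArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed on $File (exit code $LASTEXITCODE); check ldif.log and ldif.err in the current directory."
    }
}

function Test-TamAdamSchemaClass {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [string]$ClassName = 'secAuthorityInfo'
    )
    # Proves the import took: the class the partition entry uses must exist in
    # the instance's schema naming context, whose DN is read from the root DSE.
    $rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    $schemaNc = [string]$rootDse.Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://${Server}:${Port}/$schemaNc"
    $searcher.Filter = "(&(objectClass=classSchema)(cn=$ClassName))"
    $null -ne $searcher.FindOne()
}

function Install-TamAdamSchema {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [string]$AdamLdfDir = "$env:windir\ADAM",   # assumption: where ADAM ships its .ldf files
        [Parameter(Mandatory)][string]$TamSchemaDir  # directory holding tam-adamschema.ldf
    )
    # Order matters: inetOrgPerson and user definitions first, then the TAM extensions.
    Invoke-Ldifde -File (Join-Path $AdamLdfDir 'ms-inetorgperson.ldf') -Server $Server -Port $Port `
        -ReplaceFrom 'CN=Schema,CN=Configuration,DC=X'
    Invoke-Ldifde -File (Join-Path $AdamLdfDir 'ms-user.ldf') -Server $Server -Port $Port `
        -ReplaceFrom 'CN=Schema,CN=Configuration,DC=X'
    Invoke-Ldifde -File (Join-Path $TamSchemaDir 'tam-adamschema.ldf') -Server $Server -Port $Port `
        -ReplaceFrom 'CN=Schema,CN=Configuration' -ExtraArgs '-e'
    Test-TamAdamSchemaClass -Server $Server -Port $Port
}

function New-TamPartitionLdif {
    param(
        [string]$ManagementDomain = 'Default',
        [string]$OutFile = 'tam-partition.ldf'
    )
    # The same entry the guide builds interactively in ldp.exe, as an ldifde
    # import file. instanceType 5 marks the entry as the head of a new naming context.
    $ldif = @"
dn: secAuthority=$ManagementDomain
changetype: add
objectClass: secAuthorityInfo
secAuthority: $ManagementDomain
version: 6.0
cn: secAuthority
instanceType: 5
"@
    Set-Content -Path $OutFile -Value $ldif -Encoding ASCII
    $OutFile
}

function Test-TamPartition {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [string]$ManagementDomain = 'Default'
    )
    # ADAM lists every partition it hosts in namingContexts on the root DSE.
    $rootDse = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
    @($rootDse.Properties['namingContexts']) -contains "secAuthority=$ManagementDomain"
}

# Placeholders: local instance on port 389, default Windows install path.
$adamServer = 'localhost'; $adamPort = 389
Install-TamAdamSchema -Server $adamServer -Port $adamPort `
    -TamSchemaDir 'C:\Program Files\Tivoli\Policy Director\etc'
Invoke-Ldifde -File (New-TamPartitionLdif -ManagementDomain 'Default') -Server $adamServer -Port $adamPort
Test-TamPartition -Server $adamServer -Port $adamPort -ManagementDomain 'Default'
```

Both Test- functions return $true or $false, so the same script doubles as the post-installation check the guide suggests doing by hand in ADAM ADSI Edit. Because ldifde is run with -k, an entry that already exists is skipped rather than treated as a failure, which is what makes the script safe to re-run.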

Configuring a non-default Tivoli Access Manager directorypartitionYou can choose a non-default Management Domain name and location DN. TheManagement Domain name must be unique within the LDAP server and thelocation DN must already exist. You will be prompted for this information duringinstallation of the policy server; see “Installing the policy server (install_ammgrwizard)” on page 369 or Chapter 22, “pdconfig options,” on page 447 forinstructions on how to set these parameters for the Access Manager Policy Server.

Adding an administrator to the Tivoli Access Manager metadata directory partition

After adding Tivoli Access Manager schema to the Active Directory Application Mode (ADAM) instance, and after the Tivoli Access Manager metadata directory location is added, you must add an ADAM user administrator for the Tivoli Access Manager metadata directory partition. The ADAM user has administrative authority for the Tivoli Access Manager metadata directory partition and is specified as the LDAP administrator when Tivoli Access Manager is configured.

To create the ADAM user administrator of the Tivoli Access Manager metadata directory partition:

Note: The following example assumes that you accepted the default management domain and location. If you specified a different domain name or location, add the ADAM user administrator to the ADAM partition you specified.

1. Create the ADAM LDAP administrator:
a. Click Start->All Programs->ADAM->ADAM ADSI Edit.
b. In the console tree, click ADAM ADSI Edit.
c. On the Action menu, click Connect To... The "Connection Settings" dialog box appears.
d. In the Connection name field, you can type a label under which this connection will appear in the console tree of ADAM ADSI Edit. For this connection, type: secAuthority.
e. In the Server name field, type the host or DNS name of the system on which the ADAM instance is running. If the ADAM instance is on the local system, you can use localhost as the server name.
f. In the Port field, type the LDAP or SSL communication port in use by this ADAM instance.
Note: To list the port numbers used by ADAM instances, click Start->All Programs->ADAM->ADAM Tools Command Prompt and then at the command prompt, type:
dsdbutil "list instances" quit
on the system where the ADAM instance is running.
g. Under Connect to the following node, select Distinguished name (DN) or naming context and enter “secAuthority=Default” for the default distinguished name. If using a different directory partition, select that partition. This example assumes the default partition.
h. Under Connect using these credentials, click The account of the currently logged on user.
i. Click OK. secAuthority should now appear in the console tree.
2. Select user attributes:
a. Expand the secAuthority tree by double-clicking secAuthority and then double click on SECAUTHORITY=DEFAULT.
b. Highlight and right click on the SECAUTHORITY=DEFAULT container, point to New, and then click Object...
c. Under Select a class, click user, and then click Next.
d. For the value of the cn attribute, type the common name for the administrator you wish to create. For example, type tam. Then click Next.
e. Click More Attributes and select msDS-UserDontExpirePassword property from the Select a property drop-down menu. Set the attribute value to True and click Set. Click OK. This will prevent the default password expiration time policy from applying to this administrator. If you would prefer that the password policy apply to this administrator, then this property can be left unset.
f. No additional attributes are required but if you wish to set additional attributes, click More Attributes, select the attributes you wish to set and enter the values. When you are finished, click Finish. The user is created with a Distinguished Name (DN) of cn=tam,secAuthority=Default.
g. To set the administrator password, highlight and then right click on the user you just created. Select Reset password...

h. In the "Reset Password" pane, enter and confirm the password you wish to use. When finished, click OK. Remember the user DN and password that you create because this will be specified as the LDAP Administrator DN and password when Access Manager is configured.
3. Add the user to the Administrators group for the partition:
a. Within the SECAUTHORITY=DEFAULT directory partition, there are three containers called CN=LostAndFound, CN=NTDSQuotas and CN=Roles.
1) Highlight the CN=Roles container by single clicking on it. In the details pane on the right side of the ADAM ADSI Edit tool, the groups within the Roles container will be displayed.
2) Highlight the CN=Administrators group by single clicking on it.
3) Right click on the CN=Administrators group and select Properties. The CN=Administrators Properties page is displayed.
b. Under Attributes, scroll down to locate and click member and then click Edit.
c. Click Add ADAM Account.... Type the distinguished name of the administrator user that you created in step 2f on page 125 into the DN field and click OK. The administrator user is added to the Administrators group and is displayed as a member.
d. Click OK to complete the membership update. Click OK to close the "CN=Administrators Properties" page.

Allowing anonymous bind

In order for Tivoli Access Manager to be configured with Active Directory Application Mode (ADAM), ADAM must be configured to allow anonymous bind. By default, ADAM does not allow anonymous bind. Access Manager configuration, however, uses anonymous bind to check on the validity of the configured LDAP hostname, port and SSL parameters.

If you want to disable anonymous bind during normal operation, the option can be reset on the ADAM server once configuration is complete.

To allow anonymous bind to the ADAM instance, use the following procedure:
1. Click Start->All Programs->ADAM->ADAM ADSI Edit.
2. In the console tree, click ADAM ADSI Edit.
3. From the Action menu, click Connect To... . The "Connection Settings" dialog box appears.
4. In the Connection name field, type: Configuration.
5. In the Server name field, type the host or DNS name of the system on which the ADAM instance is running. If the ADAM instance is on the local system, you can use localhost as the server name.
6. In the Port field, type the LDAP or SSL communication port in use by this ADAM instance.
Note: To list the port numbers used by ADAM instances, click Start->All Programs->ADAM->ADAM Tools Command Prompt. At the command prompt, type: dsdbutil "list instances" quit on the system where the ADAM instance is running.
7. Under Connect to the following node, select Well-known naming context: and choose Configuration from the pull down list.

8. Under Connect using these credentials, click The account of the currently logged on user. Click OK. Configuration should now appear in the console tree.
9. Expand the Configuration subtree by double-clicking Configuration.
10. Double-click CN=Configuration,CN={GUID}, where GUID was generated when the configuration of the ADAM instance was performed.
11. Double-click the CN=Services folder to expand it, then double-click CN=Windows NT.
12. Highlight and right-click CN=Directory Service and click Properties.
13. Click dsHeuristics.
14. Click Edit.
15. Edit the value. Modify the seventh character (counting from the left) to 2. The value should be similar to 0000002001001 in the String Attribute Editor. Click OK.
16. Click OK. Anonymous bind is now allowed.
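Because the switch is one character inside a positional string, a small helper avoids miscounting when you set it for configuration and clear it again afterwards. The following is an added example, not code from this guide or from IBM or Microsoft: assumed Python helpers that set or clear the seventh character of dsHeuristics and validate the result before it is written back with ADSI Edit.

```python
"""Compute ADAM dsHeuristics values for the anonymous-bind switch.

Added example, not code from the installation guide or the product.
The seventh character of dsHeuristics is the anonymous LDAP operations
switch that step 15 sets to 2; these helpers produce the enabled value for
configuration and the restored value for normal operation.
"""

ANON_POS = 7          # 1-based position of the anonymous-operations switch
ANON_ALLOWED = "2"    # value the procedure above sets during configuration
ANON_DEFAULT = "0"    # assumed default: anonymous bind not allowed


def validate_heuristics(value):
    """Raise ValueError if value breaks the dsHeuristics layout rules.

    Every tenth character is a check digit equal to its position divided
    by ten (the '1' at position 10 of the guide's sample 0000002001001),
    and all characters are digits or letters. These rules come from the
    Active Directory dsHeuristics format, not from this guide.
    """
    if not all(ch.isalnum() for ch in value):
        raise ValueError("dsHeuristics must be alphanumeric: %r" % value)
    for pos in range(10, len(value) + 1, 10):
        expected = str(pos // 10)
        if value[pos - 1] != expected:
            raise ValueError("position %d must be %s" % (pos, expected))


def anonymous_bind_allowed(value):
    """True when the seventh character is 2 (anonymous bind permitted)."""
    return len(value) >= ANON_POS and value[ANON_POS - 1] == ANON_ALLOWED


def set_anonymous_bind(value, allow):
    """Return a copy of dsHeuristics with the anonymous-bind switch set.

    A value shorter than seven characters (including an absent attribute,
    passed as "") is zero-padded so that the seventh character exists.
    """
    validate_heuristics(value)
    chars = list(value.ljust(ANON_POS, "0"))
    chars[ANON_POS - 1] = ANON_ALLOWED if allow else ANON_DEFAULT
    result = "".join(chars)
    validate_heuristics(result)
    return result


if __name__ == "__main__":
    # Constructed sample: the value the guide shows after step 15.
    configured = set_anonymous_bind("0000000001001", True)
    print(configured, anonymous_bind_allowed(configured))   # 0000002001001 True
    # Value to write back once Tivoli Access Manager configuration is done.
    hardened = set_anonymous_bind(configured, False)
    print(hardened, anonymous_bind_allowed(hardened))        # 0000000001001 False
```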

Setting up Novell eDirectory

This section contains the following topics:
1. “Configuring the Novell eDirectory for Tivoli Access Manager”
2. “When using Novell eDirectory” on page 129
3. “Management domain location” on page 130

Before you begin, ensure that you have completed the basic server installation and configuration for Novell eDirectory and the ConsoleOne tool as described in the Novell product documentation at the following Web addresses:

For Novell eDirectory, Version 8.7, see:

http://www.novell.com/documentation/lg/edir87/index.html

For Novell eDirectory, Version 8.6, see:

http://www.novell.com/documentation/lg/ndsedir86/index.html

In addition, ensure that you have reviewed and complied with the system requirements listed in “Supported registries” on page 13.

Configuring the Novell eDirectory for Tivoli Access Manager

If you are installing a new Tivoli Access Manager secure domain, the Tivoli Access Manager schema is installed on the Novell eDirectory Server (NSD) automatically when the Tivoli Access Manager policy server is configured. However, prior to configuring the policy server, there are several modifications to Novell eDirectory that must first be performed using Novell’s ConsoleOne directory management utility or iManager web-based administration console.

Note: The default Novell eDirectory schema assumes that the directory does not use the X.500 objectclasses of inetOrgPerson or groupOfNames. By default, these classes are mapped into the eDirectory classes of User and Group, respectively. Because Tivoli Access Manager uses the inetOrgPerson and groupOfNames objectclasses for creating its own users and groups, modifications to the default eDirectory schema are required.

You can configure the Novell eDirectory for Tivoli Access Manager using the Novell eDirectory ConsoleOne directory management utility or using the Novell iManager Web-based administration console.

To configure Novell eDirectory for Tivoli Access Manager using the Novell eDirectory ConsoleOne directory management utility, complete the following steps:
1. Start the Novell ConsoleOne directory management utility.
2. Select the organization object within your Novell eDirectory tree. A list of objects is displayed on the right side of the ConsoleOne window.
3. Right click the LDAP group object (not LDAP server), and click Properties from the menu.
4. Click the Class Map tab and the table of LDAP class names. The Novell eDirectory class names are displayed.
5. Delete the entries with LDAP classes of inetOrgPerson and groupOfNames.
6. Click Apply, and then click Close.
7. Click the Attribute Map tab and the table of LDAP attribute names. The Novell eDirectory attribute names are displayed.
8. Scroll through the table and find the Novell eDirectory attribute member. Check the value of the corresponding LDAP attribute. If the LDAP attribute value is member, then no change is needed. If the attribute is showing the default value of uniqueMember, you need to modify it as follows.
v Click Modify. The Attribute Mapping window is displayed.
v Change the Primary LDAP Attribute field from uniqueMember to member.
v Change the Secondary LDAP attribute field from member to uniqueMember.
v In the Attribute window, click OK to accept the changes.
9. If you are using Solaris, proceed to the next step. If you are using Windows NT®, you might have to add another mapping for the LDAP attribute ndsHomeDirectory as follows:
v On the right hand side of the Attribute Mappings window, click Add. The Attribute Mapping window repaints and is displayed again.
v From the Novell eDirectory NSD Attribute field menu, click Home Directory.
v In the Primary LDAP Attribute field, click ndsHomeDirectory.
v In the Attribute Mapping window, click OK to accept the changes.
10. In the Properties window, click OK.

To configure Novell eDirectory for Tivoli Access Manager using the Novell iManager Web-based administration console, complete the following steps:
1. Launch the iManager Web page and log in as the administrator for the Novell eDirectory tree to be updated.
2. Click the Roles and Tasks icon at the top of the iManager window to open the Roles and Tasks view.
3. In the Roles and Tasks navigation frame, expand the LDAP category.
4. In the expanded list, click the LDAP Options task.
5. On the LDAP Options page, click the LDAP Group listed.
6. Click Class Map to display the Novell eDirectory class to LDAP class mappings.
7. Remove mappings to inetOrgPerson and groupOfNames.

v Scroll through the list and look for mappings of eDirectory classes to the LDAP class inetOrgPerson.
v If a mapping exists, select the row and click the Remove Mapping icon to remove the mapping.
v Click OK in the pop-up window to confirm the removal of the mapping.
v Click Apply to apply the changes.
v Repeat this step to remove a mapping for the LDAP class groupOfNames.
8. Click OK to accept the changes that have been made.
9. Repeat steps 3-5 to return to the LDAP Group page.
10. Click Attribute Map to access the Novell eDirectory attribute to LDAP attribute mappings.
11. Scroll through the table and find the Novell eDirectory attribute member. Check the value of the corresponding LDAP attribute. If the LDAP attribute value is member, no change is needed. If the attribute is showing the default value of uniqueMember, you need to modify it as follows:
v Select the row and click the View/Edit Mapping icon.
v Change the Primary LDAP Attribute field from uniqueMember to member.
v Change the Secondary LDAP attribute field from member to uniqueMember.
v Click OK in the pop-up window to confirm the change.
v Click Apply to apply the changes.
12. If you are using Solaris, proceed to the next step. If you are using Windows NT, you might have to add another mapping for the LDAP attribute ndsHomeDirectory. To add another mapping for the LDAP attribute ndsHomeDirectory:
v Click the Add Mapping icon in the right side of the window. A pop-up window to define the mapping is displayed.
v In the eDirectory Attribute field, select Home Directory.
v In the Primary LDAP Attribute field, type ndsHomeDirectory.
v Click OK to confirm the mapping and close the pop-up window.
13. Click OK in the Attribute Map window to accept the changes.

After you set up Novell eDirectory for use with Tivoli Access Manager, the next step is to set up the policy server. For instructions, see Chapter 4, “Setting up a policy server,” on page 137.

When using Novell eDirectory

Novell eDirectory defines the objectclasses User and Group as part of its base schema. Instances of these objectclasses are created by an eDirectory administrator when defining a user or a group respectively. Both of these objectclasses are defined by eDirectory as leaf nodes. eDirectory adds an attribute X-NDS_NOT_CONTAINER '1' to each of these objectclass definitions that specifies that they are not container objects. Objects that are not specified as container objects cannot be defined beneath instances of these objectclasses.

Tivoli Access Manager requires the ability to append its own objects beneath pre-existing eDirectory users and groups in order to import them and make them usable by Tivoli Access Manager. When Tivoli Access Manager adds its own objectclass definitions to the eDirectory schema, it also redefines the eDirectory User and Group objectclasses to allow instances of these classes to be container objects. Novell eDirectory allows this change to its schema definition.

The following Novell eDirectory administrator actions will cause the Tivoli Access Manager modification to the User objectclass to be undone. The Group objectclass is not affected.
v Running the eDirectory database repair tool, ndsrepair, using the rebuild schema option.
v Running Basic Repair from the iManager console and running local database repair using the rebuild operational schema option.
v Applying a patch update to Novell eDirectory.
v Upgrading Novell eDirectory to a more recent version.

Should it be necessary to perform any of these operations after Tivoli Access Manager has been configured into the eDirectory server, run the following Tivoli Access Manager utility immediately to ensure that the definition of the User objectclass is restored.

ivrgy_tool -h host -p port -D dn -w password schema

where:

host Specifies the LDAP server (Novell eDirectory) host name, which is required.

port Specifies the LDAP server (Novell eDirectory) port number.

dn Specifies the LDAP server (Novell eDirectory) bind distinguished name.

password Specifies the LDAP server (Novell eDirectory) bind password.

schema Specifies the name of the Novell eDirectory schema file.

The ivrgy_tool.exe is located in the sbin subdirectory. For example:
v On Windows systems: d:\Program Files\Tivoli\Policy Director\sbin
v On UNIX or Linux systems: /opt/PolicyDirector/sbin

You must run this utility from the sbin directory because Tivoli Access Manager does not add the sbin directory to the system PATH. For more information about this utility, see “ivrgy_tool” on page 569.

Management domain location

Tivoli Access Manager permits you to specify a management domain location which maintains Tivoli Access Manager metadata unless you use the default management domain location. Create this location in the Novell eDirectory server before configuring the Tivoli Access Manager policy server.

Tivoli Access Manager extends the Novell eDirectory schema to add Tivoli Access Manager metadata objectclasses and attributes. The secAuthorityInfo objectclass, a Tivoli Access Manager-defined objectclass, is explicitly defined to be contained under the following common objectclasses:
v treeRoot

v container

v organization

v organizationalUnit

v domain

v country

The Novell eDirectory strictly enforces the containment rule. If you specify a management domain location with an objectclass other than the common objectclasses listed here, you must manually modify the schema file novschema.def to include the objectclass.

Note: You must modify the schema file before you configure Tivoli Access Manager.

The complete Tivoli Access Manager Novell eDirectory schema file path is [Tivoli Access Manager installation directory]/etc/novschema.def. The following example illustrates how to modify the schema file.
1. Open the schema file.
2. Replace this portion:

dn: cn=schema
changetype: modify
delete: objectclasses
objectClasses: (
  1.3.6.1.4.1.4228.1.8
  NAME 'secAuthorityInfo'
  DESC 'Security Authority Information'
  SUP 'eApplicationSystem'
  STRUCTURAL
  MUST ( secAuthority $ version )
  X-NDS_NAMING 'secAuthority'
  X-NDS_CONTAINMENT ( 'treeRoot' )
)
-
add: objectclasses
objectClasses: (
  1.3.6.1.4.1.4228.1.8
  NAME 'secAuthorityInfo'
  DESC 'Security Authority Information'
  SUP 'eApplicationSystem'
  STRUCTURAL
  MUST ( secAuthority $ version )
  X-NDS_NAMING 'secAuthority'
  X-NDS_CONTAINMENT ( 'treeRoot' 'container' 'organization'
    'organizationalUnit' 'domain' 'country' )
)

with

dn: cn=schema
changetype: modify
delete: objectclasses
objectClasses: (
  1.3.6.1.4.1.4228.1.8
  NAME 'secAuthorityInfo'
  DESC 'Security Authority Information'
  SUP 'eApplicationSystem'
  STRUCTURAL
  MUST ( secAuthority $ version )
  X-NDS_NAMING 'secAuthority'
  X-NDS_CONTAINMENT ( 'treeRoot' )
)
-
add: objectclasses
objectClasses: (
  1.3.6.1.4.1.4228.1.8
  NAME 'secAuthorityInfo'
  DESC 'Security Authority Information'
  SUP 'eApplicationSystem'
  STRUCTURAL
  MUST ( secAuthority $ version )
  X-NDS_NAMING 'secAuthority'
  X-NDS_CONTAINMENT ( 'treeRoot' 'container' 'organization'
    'organizationalUnit' 'domain' 'country'
    'your_object_class_goes_here' )
)

For more information about management domains and creating a location for the metadata, see “Tivoli Access Manager management domains” on page 138 and “Creating a management domain location (example)” on page 139.
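The following is an added example, not part of this guide or the product: a Python helper that performs the edit above on the text of novschema.def, appending an objectclass to the X-NDS_CONTAINMENT clause of the add: stanza after checking whether the location's objectclass is already permitted. The sample schema text inside it is constructed to mirror the excerpt above.

```python
"""Extend secAuthorityInfo's containment list in novschema.def.

Added example, not code from Tivoli Access Manager. The file is an LDIF
modify sequence: a delete: stanza carrying the old definition, then an
add: stanza with the new one. Only the add: stanza's X-NDS_CONTAINMENT
(the last such clause in the text) is rewritten; the delete: stanza must
keep matching what is currently in the directory and is left alone.
"""
import re

# Matches the clause and captures its parenthesised, quoted class list.
CONTAINMENT_RE = re.compile(r"X-NDS_CONTAINMENT\s*\(([^)]*)\)")
QUOTED_RE = re.compile(r"'([^']+)'")
OBJECTCLASS_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

# Constructed sample mirroring the guide's excerpt of novschema.def.
SAMPLE_SCHEMA = """dn: cn=schema
changetype: modify
delete: objectclasses
objectClasses: (
  1.3.6.1.4.1.4228.1.8
  NAME 'secAuthorityInfo'
  DESC 'Security Authority Information'
  SUP 'eApplicationSystem'
  STRUCTURAL
  MUST ( secAuthority $ version )
  X-NDS_NAMING 'secAuthority'
  X-NDS_CONTAINMENT ( 'treeRoot' )
)
-
add: objectclasses
objectClasses: (
  1.3.6.1.4.1.4228.1.8
  NAME 'secAuthorityInfo'
  DESC 'Security Authority Information'
  SUP 'eApplicationSystem'
  STRUCTURAL
  MUST ( secAuthority $ version )
  X-NDS_NAMING 'secAuthority'
  X-NDS_CONTAINMENT ( 'treeRoot' 'container' 'organization'
    'organizationalUnit' 'domain' 'country' )
)
"""


def containment_classes(schema_text):
    """Return the classes listed in the add: stanza's X-NDS_CONTAINMENT."""
    clauses = CONTAINMENT_RE.findall(schema_text)
    if not clauses:
        raise ValueError("no X-NDS_CONTAINMENT clause found")
    return QUOTED_RE.findall(clauses[-1])


def location_needs_schema_change(location_objectclass, schema_text=SAMPLE_SCHEMA):
    """True when a management domain location of this class is not yet allowed."""
    return location_objectclass not in containment_classes(schema_text)


def add_containment(schema_text, objectclass):
    """Return schema_text with objectclass appended to the add: stanza's list.

    Idempotent: a class that is already listed leaves the text unchanged.
    """
    if not OBJECTCLASS_NAME_RE.fullmatch(objectclass):
        raise ValueError("not a valid objectclass name: %r" % objectclass)
    matches = list(CONTAINMENT_RE.finditer(schema_text))
    if not matches:
        raise ValueError("no X-NDS_CONTAINMENT clause found")
    last = matches[-1]
    classes = QUOTED_RE.findall(last.group(1))
    if objectclass in classes:
        return schema_text
    quoted = " ".join("'%s'" % c for c in classes + [objectclass])
    clause = "X-NDS_CONTAINMENT ( " + quoted + " )"
    return schema_text[:last.start()] + clause + schema_text[last.end():]


if __name__ == "__main__":
    # 'locality' is a standard LDAP objectclass that is not among the six
    # default containers, so a location of that class needs the schema edit.
    if location_needs_schema_change("locality"):
        print(add_containment(SAMPLE_SCHEMA, "locality"))
```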

Setting up the Sun Java System Directory Server

Before you begin, ensure that you have completed the basic server installation and configuration as described in the Sun Java System Directory Server product documentation. For more information, see Sun documentation at the following Web address:

http://docs.sun.com/app/docs/prod/entsys

To configure the Sun Java System Directory Server for Tivoli Access Manager, follow these steps.

Notes:

1. For non-ASCII characters to be stored in attributes, you must disable the 7-bit check plug-in during configuration of the Directory Server. The default value of this plug-in is set to on.

2. The following procedure shows you how to configure Sun Java System Directory Server 5.2 for Tivoli Access Manager.

1. Check that the Directory Server daemon, slapd-serverID, is running (using the ps command, or an equivalent command for your operating system).

2. Ensure that the Directory Server daemon (slapd-serverID) and the Administration Server daemon (admin-serv) are running. If they are not, enter the following commands to start them:
v On UNIX or Linux systems:

% ServerRoot/slapd-serverID/start-slapd

% ServerRoot/start-admin

v On Windows systems, use Services to start the Sun Java System Administration Server and Sun Java System Directory Server services.

3. To start the console, enter one of the following:
v On UNIX or Linux systems:

% ServerRoot/startconsole

v On Windows systems, select Start → Programs → Sun Java System Server Products → Sun Java System Server Console.

The Console Login window is displayed unless your configuration directory (o=NetscapeRoot directory) is stored in a separate instance of the Sun Java System Directory Server. In this case, a window is displayed requesting your administrator user DN, password, and the Web address of the Administration Server for that Directory Server.

4. Log in using the user ID and password for the LDAP administrator. For example, type cn=root and the appropriate password and then click OK.

The Sun ONE Server Console is displayed.
5. Navigate through the tree in the left pane to find the system (qasun7) that is hosting your Directory Server and click it to display its general properties.

6. Double-click the name of your directory server in the tree or click the Open button. The Directory Server Console for managing this directory server instance is displayed.

7. From the Configuration tab, right-click Data in the left pane and then select New Suffix.

Or, you can create a new suffix by clicking Data and then clicking New Suffix from the Object menu.

8. To create the management domain location that maintains Tivoli Access Manager data, type the suffix DN of the location; for example: secAuthority=Default. The name must be in the relative distinguished name (DN) format and consist of one attribute-value pair. If there are multiple attribute-value pairs, separate the pairs by commas. The default location is secAuthority=Default. For more information about management domains, and creating a location for the metadata, see “Tivoli Access Manager management domains” on page 138 and “Creating a management domain location (example)” on page 139.

9. Change the name of the database when creating a new suffix.
Attention: Do not accept the default value for the database name when creating a new suffix. By default, the location of database files for this suffix is chosen automatically by the server. Also by default, the suffix will maintain only the system indexes, no attributes will be encrypted, and replication will not be configured. If you accept the default value, the Sun Java Directory Server stores the suffix under the Default database name, and your data will be removed when the Sun Java Directory Server is restarted.

To modify the default value and select a different database name:
v Click Options to see the Options window.

v Select the Use custom radio button.
v Enter a database name, other than Default. Database names can only contain ASCII (7-bit) alphanumeric characters, hyphens (-), and underscores (_). For example, you might name the new database secAuthority.

v Choose another location for the directory that contains the database files, or accept the default value.

v Click OK when you have configured all of the new suffix options. The New Suffix window will show all the options that you chose.

v Click OK in the New Suffix window to create the new root suffix.

10. Expand the Data node to ensure that the suffix was created. If you chose to create a suffix to maintain user and group data, follow this procedure again to create another suffix either in the default database or in a new database. For example, you could create a suffix named o=tivoli,c=us in the same database.

11. Do one of the following:
v If you did not add any suffixes other than the management domain location, configuration is complete. A directory entry for the management domain location is automatically added when the policy server is configured.

v If you added suffixes other than the management domain location, continue to step 12 to create directory entries for each new suffix.

12. Select the Directory tab and highlight the name of the server in the top of the left pane.

13. Select Object → New Root Object. A list of new suffixes for which no entry yet exists is displayed as shown:

14. For each new suffix (other than secAuthority=Default), select the new suffix. The New Object window is displayed. Scroll down to find the entry type that corresponds to the suffix that you are creating. For example, you might select organization for the suffix named o=tivoli,c=us. Highlight the entry type and click OK as shown:

15. From the Generic Editor window, enter a value for the entry. For the o=tivoli,c=us example, enter tivoli as the value for the organization object and then click OK.

16. After you have created entries for each suffix that you added, select Console → Exit to close the console.

After you set up the Directory Server for use with Tivoli Access Manager, you can set up the policy server, as described in Chapter 4, “Setting up a policy server,” on page 137.

Chapter 4. Setting up a policy server

This chapter provides information about installing and configuring the Tivoli Access Manager policy server system. You must install and configure only one policy server for each secure management domain. It is recommended that you set up the policy server on a system that is separate from your registry server.

You can set up this system using one of these installation methods:
v “Installing using the installation wizard” on page 141
v “Installing using native utilities” on page 142

Optional: On AIX systems only, you can also set up a standby policy server in the event of a system failure. This capability requires additional software and hardware, including High Availability Cluster Multiprocessing (HACMP) software. For more information, see Chapter 24, “AIX: Setting up a standby policy server,” on page 511.

Notes:

1. Tivoli Access Manager does not consider the registry native password policies when creating server accounts during configuration. The registry native password policies might cause server configuration failure. Before configuration, disable any registry native password policies, such as the registry default or global password policies. After configuration, set exceptions on the registry so that the new server accounts are not affected by any registry native password policies. Now you can enable the registry native password policies.

2. During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

3. If you are installing on a Linux system and SELinux is enabled, you must run the following commands in order to start the policy and authorization server:
chcon -t textrel_shlib_t /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7
chcon -t textrel_shlib_t /opt/PolicyDirector/lib/libamzcars.so
chcon -t textrel_shlib_t /usr/local/ibm/gsk7/lib/libgsk7krsw.so
chcon -t textrel_shlib_t /opt/PolicyDirector/lib/libamcars.so

4. If you reinstall and reconfigure the Tivoli Access Manager policy server or install IBM WebSphere Application Server patches, you must unconfigure and reconfigure

LDAP data format selection

During the installation of the policy server, you are given the opportunity to select what LDAP data format is to be used for user and group tracking information. The two LDAP data formats available for user and group information are:

Minimal
This format is valid only for IBM Tivoli Access Manager version 6.0 or later. Use of this format reduces the size of your user registry information by storing minimal user and group tracking information. However, previous versions of Tivoli Access Manager and Tivoli Access Manager products do not support this format and cannot access the user and group tracking information.
v If there is no previous user registry information, as is the case with a new installation, and this format is selected, fewer LDAP objects are used to maintain the user and group tracking information. However, versions earlier than Tivoli Access Manager 6.0 do not support this format and cannot access the user and group information.
v If upgrading all Tivoli Access Manager products to version 6.1.1 from a version earlier than 6.0, the existing user registry information can optionally be converted to use the minimal format for user and group tracking information, if desired. The amldif2V6 tool converts user registry information from the standard format to the minimal format. The amldif2V6 tool is available from the IBM Tivoli Access Manager for e-business Web site. Review the support documentation before converting your user registry information. You can find technical support for the amldif2V6 tool at the IBM Tivoli Access Manager for e-business Web site.

http://www.ibm.com/software/tivoli/products/access-mgr-e-bus

Standard
This format, which is the same format used in versions of Tivoli Access Manager prior to 6.0, permits any version of Tivoli Access Manager to use the user and group information in the LDAP registry.

If you have user registry information from a Tivoli Access Manager version prior to version 6.1.1 and this format is selected, you do not need to convert the user registry data to a different format.

If the user and group information in the LDAP registry is used by other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Operating Systems or IBM Tivoli Federated Identity Manager, the same LDAP data format must be used for all products.

Tivoli Access Manager management domains

If you use LDAP as your user registry, Tivoli Access Manager provides for one or more administrative domains. A domain consists of all the users, groups and resources that require protection along with the associated security policy used to protect those resources.

Depending on the resource managers that are installed, resources can be any physical or logical entity, including objects such as files, directories, Web pages, printer and network services, and message queues. Any security policy that is implemented in a domain affects only the objects in that domain. Users with authority to perform tasks in one domain do not necessarily have the authority to perform those tasks in other domains.

The initial domain in an LDAP registry is called the management domain and is created when the policy server is configured. During policy server configuration, you will be prompted for the management domain name and the management domain location Distinguished Name (DN) within the LDAP Directory Information Tree (DIT) on the LDAP server where the information about the domain will be maintained. See “Installing the policy server (install_ammgr wizard)” on page 369 or Chapter 22, “pdconfig options,” on page 447 for instructions on how to set these parameters for the Access Manager policy server.

If the management domain location is not specified, the management domain location is assumed to be a stand-alone suffix on the LDAP server. Whether you use the default location or specify a different location in the LDAP DIT, the location specified for the management domain must already exist unless the user registry is Novell eDirectory. For Novell eDirectory, if you have not specified the management domain location, Tivoli Access Manager uses the root location as the management domain location. The root location is a domain location that does not have a suffix. If you enter a specific location for the management domain, ensure that the location you are specifying already exists.

When an Access Manager domain is created, including the initial management domain, an entry is created in the LDAP server called a secAuthorityInfo object. This object represents the Access Manager domain and is named using the secAuthority attribute with the name of the domain as its value; for example: secAuthority=<domain_name>.

If you do not provide a different name, the default name of the management domain is Default, making the secAuthorityInfo object name secAuthority=Default.

Creating a management domain location (example)

If you wish to specify a non-default location for the management domain, you can use any location within the LDAP DIT. For example, if the LDAP server is configured with a suffix of c=us, and the administrator specifies the management domain location DN as ou=austin,o=ibm,c=us this object may be created using a file containing the following LDIF:

dn: c=us
objectClass: top
objectClass: country
c: US

dn: o=ibm,c=us
objectClass: top
objectClass: organization
o: IBM

dn: ou=austin,o=ibm,c=us
objectClass: top
objectClass: organizationalunit
ou: Austin

The object may then be created using the idsldapadd command-line utility as follows:

idsldapadd -h <ldap_hostname> -p <ldap_port> -D <ldap_admin_DN> -w <ldap_admin_pwd> -v -f example_DIT

where:
- ldap_hostname is the hostname of the LDAP server.
- ldap_port is the port of the LDAP server.
- ldap_admin_DN is the Distinguished Name of the LDAP server administrator.
- ldap_admin_pwd is the password of the LDAP server administrator.
- example_DIT is the name of the file containing the LDIF.

Chapter 4. Setting up a policy server 139


Modify this example for the specific LDAP namespace appropriate for your organization.

Once the LDAP object has been created, you can specify it as the management domain location DN during policy server configuration. See “Installing the policy server (install_ammgr wizard)” on page 369 or Chapter 22, “pdconfig options,” on page 447 for instructions on how to set these parameters for the Access Manager policy server.
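The LDIF above covers one location DN. The following script, added here as an example and not part of the IBM guide, generalizes that step: given any location DN built from c, o, ou or dc components, it emits the LDIF for every level from the suffix down in the order idsldapadd needs, and refuses naming attributes it cannot map rather than guessing an object class. The function names dn_to_ldif and dit_ldif_file, and the mapping of dc to the domain object class, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): generate the LDIF that creates every
# level of a management domain location DN, root first, so that a single
# idsldapadd run can add it. Only the naming attributes c, o, ou and dc are
# mapped to object classes; anything else is rejected rather than guessed.

dn_to_ldif() {
    printf '%s\n' "$1" | awk -F, '
    {
        # Walk the RDNs from the root (last field) to the leaf (first field).
        for (i = NF; i >= 1; i--) {
            rdn = $i
            sub(/^[ \t]+/, "", rdn)
            eq = index(rdn, "=")
            if (eq == 0) {
                print "malformed RDN: " rdn > "/dev/stderr"
                exit 2
            }
            type = tolower(substr(rdn, 1, eq - 1))
            value = substr(rdn, eq + 1)
            if (type == "c")       oc = "country"
            else if (type == "o")  oc = "organization"
            else if (type == "ou") oc = "organizationalunit"
            else if (type == "dc") oc = "domain"    # assumption: dc-style suffixes
            else {
                print "unsupported naming attribute: " type > "/dev/stderr"
                exit 2
            }
            # The entry DN is this RDN plus every RDN to its right (its parents).
            entry = rdn
            for (k = i + 1; k <= NF; k++) {
                parent = $k
                sub(/^[ \t]+/, "", parent)
                entry = entry "," parent
            }
            print "dn: " entry
            print "objectClass: top"
            print "objectClass: " oc
            print type ": " value
            print ""
        }
    }'
}

# Write the LDIF to a file and print the idsldapadd command that would load it.
# The command is printed, not run, so this script has no LDAP side effects.
dit_ldif_file() {
    dn=$1; out=$2
    dn_to_ldif "$dn" > "$out" || return 1
    echo "idsldapadd -h <ldap_hostname> -p <ldap_port> -D <ldap_admin_DN> -w <ldap_admin_pwd> -v -f $out"
}

# Constructed sample: the page's own example location DN.
dn_to_ldif "ou=austin,o=ibm,c=us"
```

Because every ancestor is emitted before its child, the file can be loaded in one idsldapadd pass; if a level already exists on the server, remove that stanza from the file before loading so the add does not fail on a duplicate entry.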

Password change does not work in a multidomain environment

A WebSEAL instance cannot change user passwords under all the following conditions due to the absence of ACL settings required to search domain locations:
- You configured the policy server in a nondefault location, that is a location other than secAuthority=Default.
- You create Tivoli Access Manager sub-domains under the new location.
- You configured a WebSEAL instance in any of the new sub-domains.

Complete the following steps to set the proper ACL with the following assumptions:
- The management domain name is Default.
- The Default domain is located in an LDAP suffix called O=IBM,C=US.
- The subdomain names are Domain1, Domain2, and so on.

1. Place the following in a file called aclEntry.ldif:

##------ START: Do not include this line -----##
dn: secAuthority=Default,o=ibm,c=us
changetype: modify
add: aclentry
aclentry:group:cn=SecurityGroup,SecAuthority=Domain1,cn=SubDomains,SecAuthority=Default,O=IBM,C=US,O=IBM,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc
aclentry:group:cn=SecurityGroup,SecAuthority=Domain2,cn=SubDomains,SecAuthority=Default,O=IBM,C=US,O=IBM,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc:system:rsc
##------ END: Do not include this line -------##

You must replace the management domain name Default, suffix O=IBM,C=US, and subdomains Domain1, Domain2, and so on, with the corresponding name of the current installation.

2. Update the ACL by running the following command:

ldapmodify -h host -p port -D cn=root -w pwd -i aclEntry.ldif

Management domain location for an Active Directory Application Mode (ADAM) registry

If Active Directory Application Mode (ADAM) is being used as the LDAP registry, you must choose a location DN within the same directory partition where you will store user and group information. This is because ADAM has a restriction that the policy server must exist in the same directory partition in which user and group information is maintained. The policy server cannot maintain user and group information outside the directory partition in which the policy server itself is defined.


Installing using the installation wizard

The install_ammgr installation wizard simplifies the setup of the Tivoli Access Manager Policy Server system by installing and configuring these components in the appropriate order:
- IBM Global Security Kit (GSKit)
- IBM Tivoli Directory Server base client (as needed)
- IBM Tivoli Directory Server 32-bit client (as needed)
- Tivoli Security Utilities
- Tivoli Access Manager Access Manager License
- Tivoli Access Manager Access Manager Runtime
- Tivoli Access Manager Access Manager Policy Server

Note: The installation wizard detects if a component is installed and does not attempt to reinstall it.

For descriptions of configuration options and step-by-step instructions with illustrations, see “Installing the policy server (install_ammgr wizard)” on page 369.

Attention:

- If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

- If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a policy server system using the install_ammgr wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

2. Ensure that your registry server is set up, configured, and running (in normal mode) before installing the policy server. For more information on setting up the registry server, see Chapter 3, “Setting up the registry server,” on page 53.

3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.

4. To view status and messages in a language other than English, which is the default, install a language support package before running the installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

5. On Windows systems only, exit from all running programs.

6. Run the install_ammgr program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP_UX on Integrity, Linux on x86, Linux on System z, Linux on POWER, Solaris, Solaris on x86_64, and Windows 2003 platforms.


The installation wizard begins by prompting you for configuration information as described in “Installing the policy server (install_ammgr wizard)” on page 369. Supply the required configuration information, or accept default values.

Note: Ensure that the Tivoli Access Manager policy server is configured with a password that meets the minimum strength requirements and is not too weak for use with your user registry. For example, Windows 2003 Active Directory has more restrictive password requirements than previous versions of Active Directory. Make sure you understand your user registry password policy before configuring the policy server.

7. Compare the disk space that is required to install all of the Tivoli Access Manager policy server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Installing using native utilities

These sections explain how to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install packages for each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:
- AIX on page 142
- HP-UX on page 144
- Linux on page 146
- Solaris on page 147
- Windows on page 149

AIX: Installing the policy server

This procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on AIX, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.


5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.

6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.

7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.

8. Install the Tivoli Access Manager packages:

installp -acgYXd cd_mount_point/usr/sys/inst.images packages

where cd_mount_point is the directory where the CD is mounted and packages are as follows:

PD.lic Specifies the Access Manager License package.

PD.RTE Specifies the Access Manager Runtime package.

PD.Mgr Specifies the Access Manager Policy Server package.

Attention: You must not configure the Access Manager Runtime until the policy server is installed.

9. Unmount the CD.

10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

11. Configure the Tivoli Access Manager packages as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Policy Server package. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x (Exit) option twice to close the configuration utility.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms.

After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:


Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

HP-UX: Installing the policy server

This procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy server system on an HP-UX or HP-UX on Integrity system, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

4. Insert the CD for your platform:
- IBM Tivoli Access Manager Base for HP-UX
- IBM Tivoli Access Manager Base for HP-UX on Integrity

5. Mount the CD using the HP-UX mount command. For example, enter the following command:

mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.

7. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.

9. Install the Tivoli Access Manager packages:

- For HP-UX:

swinstall -s /cd-rom/hp packages

where /cd-rom/hp is the directory and the packages are as follows:

PDlic Specifies the Access Manager License package.

PDRTE Specifies the Access Manager Runtime package.

PDMgr Specifies the Access Manager Policy Server package.

- For HP-UX on Integrity:


swinstall -s /cd-rom/hp_ia64 packages

where /cd-rom/hp_ia64 is the directory and the packages are as follows:

PDlic Specifies the Access Manager License package.

PDRTE Specifies the Access Manager Runtime package.

PDMgr Specifies the Access Manager Policy Server package.

Attention: You must not configure the Access Manager Runtime until the policy server is installed.

10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

11. Configure the Access Manager Runtime followed by the Access Manager Policy Server package as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x (Exit) option twice to close the configuration utility.

12. Unmount the CD as follows:

umount /cd-rom

where /cd-rom is the mount point.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms.

After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:


- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

Linux: Installing the policy server

This procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

4. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on System z, or IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.

5. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.

7. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.

9. Install the Tivoli Access Manager packages:

rpm -ihv packages

where packages are as follows:

Package                                Linux on x86                   Linux on System z              Linux on POWER
Access Manager License package         PDlic-PD-6.1.1.0-0.i386.rpm    PDlic-PD-6.1.1.0-0.s390.rpm    PDlic-PD-6.1.1.0-0.ppc.rpm
Access Manager Runtime package         PDRTE-PD-6.1.1.0-0.i386.rpm    PDRTE-PD-6.1.1.0-0.s390.rpm    PDRTE-PD-6.1.1.0-0.ppc.rpm
Access Manager Policy Server package   PDMgr-PD-6.1.1.0-0.i386.rpm    PDMgr-PD-6.1.1.0-0.s390.rpm    PDMgr-PD-6.1.1.0-0.ppc.rpm

Attention: You must not configure the Access Manager Runtime until the policy server is installed.

10. Unmount the CD.


11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Tivoli Access Manager packages as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime package followed by the Access Manager Policy Server package. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x (Exit) option twice to close the configuration utility.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms.

After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

Solaris: Installing the policy server

This procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the Tivoli Access Manager policy server system on Solaris, follow these steps:


1. Log on as root.

2. Ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, known defects, and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

4. Insert the CD for your platform:
- IBM Tivoli Access Manager Base for Solaris
- IBM Tivoli Access Manager Base for Solaris on x86_64

5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.

6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.

7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.

8. Install these Tivoli Access Manager packages:

- For Solaris:

pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

where:

/cdrom/cdrom0/solaris Specifies the location of the package.

/cdrom/cdrom0/solaris/pddefault Specifies the location of the installation administration script.

and where the packages are as follows:

PDlic Specifies the Access Manager License package.

PDRTE Specifies the Access Manager Runtime package.

PDMgr Specifies the Access Manager Policy Server package.

- For Solaris on x86_64:

pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

where:

/cdrom/cdrom0/solaris_x86 Specifies the location of the package.

/cdrom/cdrom0/solaris_x86/pddefault Specifies the location of the installation administration script.

and where the packages are as follows:

PDlic Specifies the Access Manager License package.

PDRTE Specifies the Access Manager Runtime package.

PDMgr Specifies the Access Manager Policy Server package.

Attention: You must not configure the Access Manager Runtime until the policy server is installed.


When the installation process is complete for each package, the following message is displayed:

Installation of package successful.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Tivoli Access Manager packages as follows:

a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.

b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime, followed by the Access Manager Policy Server package. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms.

After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:

Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
/var/PolicyDirector/keytab/pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.

Windows: Installing the policy server

This procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager policy server system on Windows 2003, follow these steps:


1. Log on as a user with Administrator group privileges.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

3. Ensure that your registry server is up and running (in normal mode) before installing the policy server.

4. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.

5. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if it is not already installed. For instructions, see page 331.

6. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.

7. Insert the IBM Tivoli Access Manager Base for Windows CD.

8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in this directory:

\windows\PolicyDirector\Disk Images\Disk1

Follow the online instructions and select to install the following packages:
- Access Manager License
- Access Manager Runtime
- Access Manager Policy Server

Attention: You must not configure the Access Manager Runtime until the policy server is installed.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Tivoli Access Manager packages as follows:

a. Start the configuration utility:

pdconfig

The Access Manager Configuration window is displayed.

b. Select the Access Manager Runtime package and click Configure.

c. Select the Access Manager Policy Server package and click Configure. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of the Tivoli Access Manager policy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note that configuration of the Tivoli Access Manager policy server creates a default SSL certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS approved algorithms.

After successful configuration of the Access Manager Policy Server component, a message similar to the following is displayed:


Access Manager Policy Server configuration completed successfully.
The Manager’s CA certificate is base64-encoded and saved in text file
C:\PROGRA~1\Tivoli\POLICY~1\keytab\pdcacert.b64
You must distribute this file to each machine in your secure domain.
It is needed for successful configuration.

For a Tivoli Access Manager runtime system to authenticate to Tivoli Access Manager servers, each runtime system will require a copy of this file. To obtain this file, do one of the following:
- During configuration of the Access Manager Runtime package (using the pdconfig utility), select to download the pdcacert.b64 file automatically.
- Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component.
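The pdcacert.b64 distribution step is the same in every platform section above: each runtime system needs an exact copy of the file the policy server wrote, because the runtime trusts that CA for all later server authentication. The following POSIX shell functions, added here as an example and not part of the IBM guide, give an administrator a quick check to run on a UNIX or Linux runtime system before configuring the Access Manager Runtime: the copied file must be a single PEM certificate block, and its SHA-256 digest must match the digest recorded on the policy server with the same helper. The function names and the sample PEM body are this example's own; the sample is a constructed placeholder with the shape of the file, not a real certificate.

```shell
#!/bin/sh
# Added example (not from the IBM guide): verify a distributed copy of
# pdcacert.b64 before it is used to configure an Access Manager Runtime.

# SHA-256 of a file, using whichever digest tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Return 0 when the file is exactly one PEM certificate block: BEGIN marker on
# the first line, END marker on the last, and only base64 characters between.
pdcacert_is_pem() {
    f=$1
    [ -r "$f" ] || return 1
    [ "$(sed -n '1p' "$f")" = '-----BEGIN CERTIFICATE-----' ] || return 1
    [ "$(sed -n '$p' "$f")" = '-----END CERTIFICATE-----' ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ] || return 1
    body=$(sed '1d;$d' "$f")
    [ -n "$body" ] || return 1
    if printf '%s\n' "$body" | grep -qv '^[A-Za-z0-9+/=]*$'; then
        return 1
    fi
    return 0
}

# Compare the copy against the digest taken on the policy server.
pdcacert_check() {
    f=$1; expected=$2
    pdcacert_is_pem "$f" || { echo "$f: not a single PEM certificate" >&2; return 1; }
    actual=$(sha256_of "$f")
    [ "$actual" = "$expected" ] || { echo "$f: digest mismatch" >&2; return 1; }
    echo "$f: OK"
}

# Constructed placeholder with the shape of pdcacert.b64 (not a real certificate).
write_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedSampleNotARealCertificate0123456789+/=' \
        '-----END CERTIFICATE-----' > "$1"
}
```

Record the digest on the policy server immediately after configuration (`sha256_of /var/PolicyDirector/keytab/pdcacert.b64`), carry it to each runtime system by a separate channel from the file itself, and run `pdcacert_check` against the copy before pdconfig reads it; a mismatch means the copy was corrupted or altered in transit and must not be trusted.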


Chapter 5. Setting up an authorization server

This chapter provides information about installing and configuring a Tivoli Access Manager authorization server system.

You can set up this system using one of the following installation methods:
- “Installing using the installation wizard” on page 154
- “Installing using native utilities” on page 155

Notes:

1. Tivoli Access Manager does not consider the registry native password policies when creating server accounts during configuration. The registry native password policies might cause server configuration failure. Before configuration, disable any registry native password policies, such as the registry default or global password policies. After configuration, set exceptions on the registry so that the new server accounts are not affected by any registry native password policies. Now you can enable the registry native password policies.

2. During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

3. If you are installing on a Linux system with SELinux enabled, you must run the following commands before the policy and authorization servers can start:
   chcon -t textrel_shlib_t /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7
   chcon -t textrel_shlib_t /opt/PolicyDirector/lib/libamzcars.so
   chcon -t textrel_shlib_t /usr/local/ibm/gsk7/lib/libgsk7krsw.so
   chcon -t textrel_shlib_t /opt/PolicyDirector/lib/libamcars.so
   The textrel_shlib_t type marks a shared library as one that needs text relocations, which the default policy otherwise denies when the library is loaded; labelling only these four files is narrower than disabling SELinux for the whole installation, as the wizard procedure requires. Note that chcon changes the label on the file only: a later relabel of the file system (restorecon, or a full relabel at boot) resets it to the policy default unless a matching file-context rule is also added with semanage fcontext.
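The following is an added example, not part of the IBM guide, that automates the checks behind notes 2 and 3 above: it reads the live SELinux context of each of the four libraries, reports the ones that are missing (GSKit or the runtime not installed yet) and builds chcon commands for only the files whose type is still wrong, and it checks for /bin/ksh specifically rather than any ksh on PATH. It assumes a Linux host with SELinux and the GSKit and PolicyDirector paths exactly as note 3 lists them; the context strings used in the comments are constructed illustrations.

```python
"""Added example (not from the IBM guide): pre-configuration checks for the
Linux notes above. Assumes a Linux host with SELinux and the library paths
given in note 3."""
import os
import shutil

# The four libraries note 3 says must carry the textrel_shlib_t type.
TEXTREL_LIBS = (
    "/usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7",
    "/opt/PolicyDirector/lib/libamzcars.so",
    "/usr/local/ibm/gsk7/lib/libgsk7krsw.so",
    "/opt/PolicyDirector/lib/libamcars.so",
)
REQUIRED_TYPE = "textrel_shlib_t"


def context_type(context):
    """Return the type field of an SELinux context string.
    Contexts are user:role:type[:level], e.g. 'system_u:object_r:lib_t:s0'
    (a constructed example value)."""
    fields = context.strip().rstrip("\x00").split(":")
    if len(fields) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return fields[2]


def needs_relabel(context):
    """True when the file's type is anything other than textrel_shlib_t."""
    return context_type(context) != REQUIRED_TYPE


def relabel_plan(contexts):
    """Given {path: context or None}, return (chcon argv lists, missing paths).
    Only files that exist and still have the wrong type get a command; None
    means the file is absent, so it is reported instead of relabelled."""
    commands, missing = [], []
    for path, ctx in contexts.items():
        if ctx is None:
            missing.append(path)
        elif needs_relabel(ctx):
            commands.append(["chcon", "-t", REQUIRED_TYPE, path])
    return commands, missing


def live_contexts(paths=TEXTREL_LIBS):
    """Read each file's current context from the security.selinux xattr
    (Linux-only call; files that do not exist map to None)."""
    result = {}
    for path in paths:
        try:
            raw = os.getxattr(path, "security.selinux")
            result[path] = raw.decode("ascii", "replace")
        except (OSError, AttributeError):
            result[path] = None
    return result


def korn_shell_present():
    """Note 2: the configuration scripts look for /bin/ksh specifically, so a
    ksh elsewhere on PATH is reported but does not satisfy the check."""
    return os.path.exists("/bin/ksh"), shutil.which("ksh")


if __name__ == "__main__":
    has_ksh, ksh_on_path = korn_shell_present()
    print("/bin/ksh present:", has_ksh, "(ksh on PATH: %s)" % ksh_on_path)
    commands, missing = relabel_plan(live_contexts())
    for path in missing:
        print("missing, install GSKit/runtime first:", path)
    for argv in commands:
        print("run:", " ".join(argv))
```

Run it as root after installing the packages and before pdconfig; it prints the chcon commands rather than executing them so the change can be reviewed, and it says nothing about files that are already labelled textrel_shlib_t.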

4. Under both of the following conditions, you must set auth-using-compare in the [ldap] stanza of ivacld.conf to no after authorization server installation:
   • You are installing an authorization server on an upgraded version of Tivoli Access Manager.
   • You are using the Tivoli Directory Server registry to install the authorization server.
   The upgrade process does not automatically update the Tivoli Access Manager ACLEntry in Tivoli Directory Server to permit the authorization server to use this method of authentication. Alternatively, verify whether the ACLEntry is updated on each LDAP suffix under which Tivoli Access Manager accounts are stored. The updated ACLEntry is:
   ACLEntry=group:CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT:normal:rsc:system:rsc:at.userPassword:wc:at.secAcctValid:rwsc:at.secPwdFailCountTime:rwsc:at.secPwdFailures:rwsc:at.secPwdLastChanged:rwsc:at.secPwdLastFailed:rwsc:at.secPwdLastUsed:rwsc:at.secPwdUnlockTime:rwsc:at.secPwdValid:rwsc

   Note the addition of at.userPassword:wc: to the access list. If the entry on any suffix lacks it, either update that entry or set auth-using-compare to no; leaving the option at yes against an un-updated ACL means the authorization server attempts a registry authentication method that the ACL does not permit.
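The following is an added example, not part of the IBM guide, that turns note 4 into a check: it parses ACLEntry values of the form the guide shows, decides per suffix whether the IVACLD-SERVERS group already holds at.userPassword:wc, and rewrites auth-using-compare in the [ldap] stanza of ivacld.conf when any suffix is still stale. The ACL strings and the ivacld.conf fragment in the block are constructed for the example (the stanza names are assumed); in practice the entries come from the registry, for instance via an ldapsearch of the aclentry attribute on each suffix, and the file is the real ivacld.conf.

```python
"""Added example (not from the IBM guide): verify the ACLEntry on each suffix
and set auth-using-compare accordingly. Sample data below is constructed."""
import re

IVACLD_GROUP = "CN=IVACLD-SERVERS,CN=SECURITYGROUPS,SECAUTHORITY=DEFAULT"

# Constructed samples: the updated entry as the guide prints it, and a
# pre-upgrade entry that never received the at.userPassword:wc grant.
UPDATED_ACL = (
    "ACLEntry=group:" + IVACLD_GROUP + ":normal:rsc:system:rsc:at.userPassword:wc"
    ":at.secAcctValid:rwsc:at.secPwdFailCountTime:rwsc:at.secPwdFailures:rwsc"
    ":at.secPwdLastChanged:rwsc:at.secPwdLastFailed:rwsc:at.secPwdLastUsed:rwsc"
    ":at.secPwdUnlockTime:rwsc:at.secPwdValid:rwsc"
)
STALE_ACL = UPDATED_ACL.replace(":at.userPassword:wc", "")

# Constructed ivacld.conf fragment; stanza names other than [ldap] are assumed.
SAMPLE_IVACLD_CONF = """[ivacld]
log-file = /var/PolicyDirector/log/msg__ivacld.log
[ldap]
enabled = yes
auth-using-compare = yes
[ssl]
ssl-enabled = yes
"""


def parse_aclentry(entry):
    """Split 'ACLEntry=group:<DN>:<attr|class>:<perms>:...' into
    (subject_kind, subject_dn, {attribute_or_class: perms}).
    The group DN contains no ':' so splitting on ':' is safe for these values."""
    value = re.sub(r"^aclentry\s*[=:]\s*", "", entry.strip(), flags=re.I).rstrip(":")
    fields = value.split(":")
    if len(fields) < 2:
        raise ValueError("malformed aclentry: %r" % entry)
    kind, subject, rest = fields[0], fields[1], fields[2:]
    if len(rest) % 2:
        raise ValueError("unpaired attribute/permission fields: %r" % entry)
    grants = {rest[i]: rest[i + 1] for i in range(0, len(rest), 2)}
    return kind, subject, grants


def acl_permits_compare_auth(entries):
    """True only if some entry grants the IVACLD-SERVERS group both 'w' and
    'c' on at.userPassword, the addition the guide points out."""
    for entry in entries:
        kind, subject, grants = parse_aclentry(entry)
        if kind == "group" and subject.upper() == IVACLD_GROUP:
            perms = grants.get("at.userPassword", "")
            if "w" in perms and "c" in perms:
                return True
    return False


def required_ivacld_setting(entries_per_suffix):
    """entries_per_suffix: {suffix: [aclentry, ...]}. One suffix without the
    updated entry is enough to force auth-using-compare = no."""
    stale = [s for s, e in entries_per_suffix.items() if not acl_permits_compare_auth(e)]
    return ("yes" if not stale else "no"), stale


def set_auth_using_compare(conf_text, value):
    """Return conf_text with 'auth-using-compare = <value>' in the [ldap]
    stanza, replacing an existing key or adding one; other stanzas untouched."""
    out, in_ldap, done = [], False, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_ldap and not done:  # leaving [ldap] without having seen the key
                out.append("auth-using-compare = %s" % value)
                done = True
            in_ldap = stripped.lower() == "[ldap]"
        elif in_ldap and re.match(r"\s*auth-using-compare\s*=", line):
            line = "auth-using-compare = %s" % value
            done = True
        out.append(line)
    if in_ldap and not done:  # [ldap] was the last stanza in the file
        out.append("auth-using-compare = %s" % value)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    setting, stale = required_ivacld_setting(
        {"o=ibm,c=us": [UPDATED_ACL], "o=example": [STALE_ACL]})
    print("stale suffixes:", stale, "-> auth-using-compare =", setting)
    print(set_auth_using_compare(SAMPLE_IVACLD_CONF, setting))
```

The rewrite only touches the [ldap] stanza and leaves every other line byte-for-byte as it was, so a diff of the result against the original file shows exactly one changed line; restart the authorization server after writing it back.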


Installing using the installation wizard

The install_amacld installation wizard simplifies the setup of a Tivoli Access Manager authorization server system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM Tivoli Directory Server base client (as needed)
• IBM Tivoli Directory Server 32-bit client (as needed)
• Tivoli Security Utilities
• Access Manager License
• Access Manager Runtime
• Access Manager Authorization Server

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure an authorization server system using the install_amacld wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amacld program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on POWER, Linux on System z, and Windows 2003 platforms.
   The installation wizard begins by prompting you for configuration information as described in “install_amacld” on page 392. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager authorization server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike the automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:
• AIX on page 155
• HP-UX on page 156
• Linux on page 158
• Solaris on page 159
• Windows on page 161

AIX: Installing an authorization server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
   installp -acgYXd cd_mount_point/usr/sys/inst.images packages
   where cd_mount_point is the directory where the CD is mounted and the packages are as follows:
   PD.lic     Specifies the Access Manager License package.
   PD.RTE     Specifies the Access Manager Runtime package.
   PD.Acld    Specifies the Access Manager Authorization Server package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
    a. Start the configuration utility:
       pdconfig
       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing an authorization server

This procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your operating system:
   • IBM Tivoli Access Manager Base for HP-UX
   • IBM Tivoli Access Manager Base for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom
   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   • For HP-UX:
     swinstall -s /cd-rom/hp packages
     where /cd-rom/hp is the directory and packages are as follows:
     PDlic     Specifies the Access Manager License package.
     PDRTE     Specifies the Access Manager Runtime package.
     PDAcld    Specifies the Access Manager Authorization Server package.
   • For HP-UX on Integrity:
     swinstall -s /cd-rom/hp_ia64 packages
     where /cd-rom/hp_ia64 is the directory and packages are as follows:
     PDlic     Specifies the Access Manager License package.
     PDRTE     Specifies the Access Manager Runtime package.
     PDAcld    Specifies the Access Manager Authorization Server package.
10. Unmount the CD as follows:
    umount /cd-rom
    where /cd-rom is the directory where the CD is mounted.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
    a. Start the configuration utility:
       pdconfig
       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.
    When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Linux: Installing an authorization server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files, which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on POWER, or IBM Tivoli Access Manager Base for Linux on System z CD and mount it.
5. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
9. Install the Tivoli Access Manager packages:
   rpm -ihv packages
   where packages are as follows:

   Package                                     Linux on x86                   Linux on POWER                 Linux on System z
   Access Manager License package              PDlic-PD-6.1.1.0-0.i386.rpm    PDlic-PD-6.1.1.0-0.ppc.rpm     PDlic-PD-6.1.1.0-0.s390.rpm
   Access Manager Runtime package              PDRTE-PD-6.1.1.0-0.i386.rpm    PDRTE-PD-6.1.1.0-0.ppc.rpm     PDRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager Authorization Server package PDAcld-PD-6.1.1.0-0.i386.rpm   PDAcld-PD-6.1.1.0-0.ppc.rpm    PDAcld-PD-6.1.1.0-0.s390.rpm

10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
    a. Start the configuration utility:
       pdconfig
       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Solaris: Installing an authorization server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install a Tivoli Access Manager authorization server system, follow these steps:
1. Log on as root.
2. Ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, known defects, and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Base for Solaris
   • IBM Tivoli Access Manager Base for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
   • For Solaris:
     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
     where:
     /cdrom/cdrom0/solaris             Specifies the location of the package.
     /cdrom/cdrom0/solaris/pddefault   Specifies the location of the installation administration script.
     and where packages are as follows:
     PDlic     Specifies the Access Manager License package.
     PDRTE     Specifies the Access Manager Runtime package.
     PDAcld    Specifies the Access Manager Authorization Server package.
   • For Solaris on x86_64:
     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages
     where:
     /cdrom/cdrom0/solaris_x86             Specifies the location of the package.
     /cdrom/cdrom0/solaris_x86/pddefault   Specifies the location of the installation administration script.
     and where packages are as follows:
     PDlic     Specifies the Access Manager License package.
     PDRTE     Specifies the Access Manager Runtime package.
     PDAcld    Specifies the Access Manager Authorization Server package.
   When the installation process is complete for each package, the following message is displayed:
   Installation of package successful.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
    a. Start the configuration utility:
       pdconfig
       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Windows: Installing an authorization server

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager authorization server system on Windows 2003, follow these steps:
1. Log on as a user with Administrator group privileges.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if it is not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:
   \windows\PolicyDirector\Disk Images\Disk1
   Follow the online instructions and select to install the following packages:
   • Access Manager License
   • Access Manager Runtime
   • Access Manager Authorization Server
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime package followed by the Access Manager Authorization Server package as follows:
    a. Start the configuration utility:
       pdconfig
       The Access Manager Configuration window is displayed.
    b. Select the Access Manager Runtime package and click Configure.
    c. Select the Access Manager Authorization Server package and click Configure.
    Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager authorization server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Chapter 6. Setting up a development system

This chapter provides information about installing and configuring a Tivoli Access Manager development (ADK) system.

You can set up this system using one of the following installation methods:
• “Installing using the installation wizard”
• “Installing using native utilities” on page 164

Note: During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, a YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

Installing using the installation wizard

The install_amadk installation wizard simplifies the setup of a Tivoli Access Manager development (ADK) system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM Tivoli Directory Server base client (as needed)
• IBM Tivoli Directory Server 32-bit client (as needed)
• Tivoli Security Utilities
• Access Manager License
• Access Manager Runtime
• Access Manager Application Development Kit

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a development (ADK) system using the install_amadk wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amadk program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on System z, Linux on POWER, Windows 2003, Windows Vista and Windows XP platforms.
   The installation wizard begins by prompting you for configuration information as described in “install_amadk” on page 396. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager development (ADK) system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike the automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:
• AIX on page 164
• HP-UX on page 165
• Linux on page 167
• Solaris on page 168
• Windows on page 170

AIX: Installing a development (ADK) system

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps:
1. Log on as root.


2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
   installp -acgYXd cd_mount_point/usr/sys/inst.images packages
   where cd_mount_point is the directory where the CD is mounted and packages are as follows:
   PD.lic       Specifies the Access Manager License package.
   PD.RTE       Specifies the Access Manager Runtime package.
   PD.AuthADK   Specifies the Access Manager Application Development Kit package.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Access Manager Runtime package as follows:
    a. Start the configuration utility:
       pdconfig
       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing a development (ADK) system

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system, follow these steps:


1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your operating system:
   • IBM Tivoli Access Manager Base for HP-UX
   • IBM Tivoli Access Manager Base for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following command:
   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom
   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   • For HP-UX:
     swinstall -s /cd-rom/hp packages
     where /cd-rom is the directory where the CD is mounted and packages are as follows:
     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDAuthADK   Specifies the Access Manager Application Development Kit package.
   • For HP-UX on Integrity:
     swinstall -s /cd-rom/hp_ia64 packages
     where /cd-rom/hp_ia64 is the directory and packages are as follows:
     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDAuthADK   Specifies the Access Manager Application Development Kit package.
10. Unmount the CD as follows:
    umount /cd-rom
    where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime component as follows:
    a. Start the configuration utility:


pdconfig

The Tivoli Access Manager Setup Menu is displayed.b. Type menu number 1 for Configure Package. The Tivoli Access Manager

Configuration Menu is displayed.c. Select the menu number of the package that you want to configure. For

assistance with configuration options, see Chapter 22, “pdconfig options,”on page 447.When a message is displayed that indicates the package has beensuccessfully configured, select the x option twice to close the configurationutility.

This step completes the setup of a Tivoli Access Manager development (ADK)system. To set up another Tivoli Access Manager system, follow the steps in the“Installation process” on page 21.

Linux: Installing a development (ADK) system

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system on Linux on x86, Linux on System z, or Linux on POWER, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on System z, or IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.

5. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.

7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.

9. Install the Tivoli Access Manager packages:

   rpm -ihv packages

   where packages are as follows:

   Access Manager License package
      Linux on x86:        PDlic-PD-6.1.1.0-0.i386.rpm
      Linux on System z:   PDlic-PD-6.1.1.0-0.s390.rpm
      Linux on POWER:      PDlic-PD-6.1.1.0-0.ppc.rpm

   Access Manager Runtime package
      Linux on x86:        PDRTE-PD-6.1.1.0-0.i386.rpm
      Linux on System z:   PDRTE-PD-6.1.1.0-0.s390.rpm
      Linux on POWER:      PDRTE-PD-6.1.1.0-0.ppc.rpm

   Access Manager Application Development Kit package
      Linux on x86:        PDAuthADK-PD-6.1.1.0-0.i386.rpm
      Linux on System z:   PDAuthADK-PD-6.1.1.0-0.s390.rpm
      Linux on POWER:      PDAuthADK-PD-6.1.1.0-0.ppc.rpm

10. Unmount the CD.

11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Access Manager Runtime component as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

    When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.
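As an added example (not from this guide), the following POSIX shell script carries out steps 5 and 9 of the Linux procedure above: it maps the machine architecture to the distribution directory and rpm suffix from the package table, checks which of the three packages rpm already reports as installed, and installs the rest in one rpm -ihv transaction. The TAM_VERSION string, the tam_* function names and the TAM_DRY_RUN switch are this example's own, and GSKit, the Directory Server client and the Security Utilities (steps 6 to 8) are assumed to be in place already.

```shell
#!/bin/sh
# Added example, not from the IBM guide: install the Linux ADK packages from
# the table above, skipping any that rpm already reports as installed.
# Run as root after GSKit, the Directory Server client and the Security
# Utilities (steps 6 to 8) are in place.

TAM_VERSION="6.1.1.0-0"     # version-release part of the rpm file names

# tam_dist_dir ARCH: map `uname -m` output to "<distribution dir> <rpm suffix>"
# for the three Linux families in the table. Returns 1 for anything else so
# the caller does not guess at a package that was never shipped.
tam_dist_dir() {
    case "$1" in
        i?86)        echo "linux_i386 i386" ;;
        ppc|ppc64)   echo "linux_ppc ppc" ;;
        s390|s390x)  echo "linux_s390 s390" ;;
        *)           return 1 ;;
    esac
}

# tam_adk_rpms SUFFIX: the three package files, in the order the guide lists
# them (license, runtime, ADK).
tam_adk_rpms() {
    for p in PDlic PDRTE PDAuthADK; do
        echo "${p}-PD-${TAM_VERSION}.${1}.rpm"
    done
}

# tam_rpm_name FILE: the installed-package name that rpm -q understands
# ("PDRTE-PD-6.1.1.0-0.i386.rpm" -> "PDRTE-PD").
tam_rpm_name() {
    echo "${1%%-${TAM_VERSION}.*}"
}

# tam_install_adk MOUNT [ARCH]: steps 5 and 9 of the procedure. Verifies the
# distribution directory and every package file before touching rpm, then
# installs the missing packages in a single transaction. With TAM_DRY_RUN=1
# the rpm command is printed instead of run.
tam_install_adk() {
    mount="$1"
    arch="${2:-$(uname -m)}"
    dist=$(tam_dist_dir "$arch") || {
        echo "unsupported architecture: $arch" >&2; return 1; }
    dir="$mount/${dist% *}"
    suffix="${dist#* }"
    [ -d "$dir" ] || { echo "$dir missing: is the CD mounted at $mount?" >&2; return 1; }
    missing=""
    for f in $(tam_adk_rpms "$suffix"); do
        name=$(tam_rpm_name "$f")
        if rpm -q "$name" >/dev/null 2>&1; then
            echo "$name is already installed, skipping"
            continue
        fi
        [ -f "$dir/$f" ] || { echo "$dir/$f not found" >&2; return 1; }
        missing="$missing $dir/$f"
    done
    if [ -z "$missing" ]; then
        echo "nothing to install"
        return 0
    fi
    if [ "${TAM_DRY_RUN:-0}" = 1 ]; then
        echo "rpm -ihv$missing"
    else
        rpm -ihv $missing    # unquoted on purpose: one argument per file
    fi
}
```

A typical call is `tam_install_adk /mnt/cdrom`, which picks the directory from `uname -m`; pass the architecture explicitly to stage a package set for another machine.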

Solaris: Installing a development (ADK) system

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install a Tivoli Access Manager development (ADK) system, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the CD for your platform:
   v IBM Tivoli Access Manager Base for Solaris
   v IBM Tivoli Access Manager Base for Solaris on x86_64

5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.

6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.

7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.

8. Install the Tivoli Access Manager packages (one at a time):
   v For Solaris:

     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

     where:

     /cdrom/cdrom0/solaris
             Specifies the location of the package.

     /cdrom/cdrom0/solaris/pddefault
             Specifies the location of the installation administration script.

     and packages are as follows:

     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDAuthADK   Specifies the Access Manager Application Development Kit package.

   v For Solaris on x86_64:

     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

     where:

     /cdrom/cdrom0/solaris_x86
             Specifies the location of the package.

     /cdrom/cdrom0/solaris_x86/pddefault
             Specifies the location of the installation administration script.

     and packages are as follows:

     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDAuthADK   Specifies the Access Manager Application Development Kit package.

   When the installation process is complete for each package, the following message is displayed:

     Installation of package successful.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Access Manager Runtime component as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

    When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Windows: Installing a development (ADK) system

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager development (ADK) system on Windows 2003, Windows Vista or Windows XP, follow these steps:

1. Log on as a user with Administrator group privileges.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Base for Windows CD.

5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.

6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.

7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.

8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   v Access Manager License
   v Access Manager Runtime
   v Access Manager Application Development Kit

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Access Manager Runtime component as follows:
    a. Start the configuration utility:

       pdconfig

       The Access Manager Configuration window is displayed.
    b. Select the Access Manager Runtime package and click Configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

    When a message is displayed that indicates the package has been successfully configured, click Close to exit the configuration utility.

This step completes the setup of a Tivoli Access Manager development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Chapter 7. Setting up an Access Manager Runtime for Java system

This chapter provides information about installing and configuring Access Manager Runtime for Java.

You can set up this system using one of the following installation methods:
v “Installing using the installation wizard”
v “Installing using native utilities” on page 175

Access Manager Runtime for Java configures additional security features into the specified JRE.

Notes:

1. Access Manager Runtime for Java only supports the following Java runtime environments (JREs):
   v IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager
   v The JRE provided with WebSphere Application Server 6.1.

2. If you reinstall and reconfigure the Tivoli Access Manager policy server, or install any IBM WebSphere Application Server patches, you must unconfigure and reconfigure Access Manager Runtime for Java.

3. During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

Installing using the installation wizard

The install_amjrte installation wizard simplifies the setup of a Tivoli Access Manager Access Manager Runtime for Java by installing and configuring the following components in the appropriate order:
v Access Manager License
v Access Manager Runtime for Java

Note: The wizard detects if a component is installed and does not attempt to reinstall it.


Attention:

v If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

v If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure Access Manager Runtime for Java using the install_amjrte wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

2. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed and can be located using the PATH environment variable before running the installation wizard. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 318. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.

3. Ensure that the policy server is up and running.

4. To view status and messages in a language other than English, which is the default, install your language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

5. On Windows systems only, exit from all running programs.

6. Run the install_amjrte program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on System z, Linux on POWER, Windows 2003, Windows Vista and Windows XP platforms.

   The installation wizard begins by prompting you for configuration information as described in “install_amjrte” on page 397. Supply the required configuration information, or accept default values.

7. Compare the disk space that is required to install the Access Manager Runtime for Java component with the disk space that is available. If there is sufficient space, continue the installation.

   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of Tivoli Access Manager Access Manager Runtime for Java. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdjrtecfg utility.

Note: If the Access Manager Runtime component is installed on this system, you can use either the pdconfig or pdjrtecfg utility to configure the Access Manager Runtime for Java component.

Complete the instructions that apply to your operating system:
v AIX on page 175
v HP-UX on page 176
v Linux on page 177
v Solaris on page 178
v Windows on page 180

AIX: Installing Access Manager Runtime for Java

The following procedure uses installp to install Access Manager Runtime for Java and the pdjrtecfg utility to configure it.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.

4. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic     Specifies the Access Manager License package.
   PDJ.rte    Specifies the Access Manager Runtime for Java package.

5. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 318. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.

6. Unmount the CD.

7. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

8. To set up a Tivoli Access Manager Runtime for Java system with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.

9. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.

10. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:

    ./pdjrtecfg -action config -interactive

This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing Access Manager Runtime for Java

The following procedure uses swinstall to install the Tivoli Access Manager Runtime for Java system and the pdjrtecfg utility to configure it.

To install and configure Access Manager Runtime for Java on HP-UX or HP-UX on Integrity, follow these steps.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the CD for your platform:
   v IBM Tivoli Access Manager Base for HP-UX
   v IBM Tivoli Access Manager Base for HP-UX on Integrity.

4. Mount the CD using the HP-UX mount command. For example, enter the following command:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

5. Install the Tivoli Access Manager packages:
   v For HP-UX:

     swinstall -s /cd-rom/hp packages

     where /cd-rom/hp is the source directory on the CD that contains the Access Manager Runtime for Java package and packages are as follows:

     PDlic     Specifies the Access Manager License package.
     PDJrte    Specifies the Access Manager Runtime for Java package.

   v For HP-UX on Integrity:

     swinstall -s /cd-rom/hp_ia64 packages

     where /cd-rom/hp_ia64 is the source directory on the CD that contains the Access Manager Runtime for Java package and packages are as follows:

     PDlic     Specifies the Access Manager License package.
     PDJrte    Specifies the Access Manager Runtime for Java package.

6. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 319. Access Manager Runtime for Java configures additional security features into the specified JRE and only IBM Java Runtime 1.5.0 SR5 is supported on HP-UX systems.

7. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

8. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

9. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.

10. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.

11. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:

    ./pdjrtecfg -action config -interactive

This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Linux: Installing Access Manager Runtime for Java

The following procedure uses rpm to install the Tivoli Access Manager Runtime for Java system and the pdjrtecfg utility to configure it.

To install Access Manager Runtime for Java on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on System z, or IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.

4. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.

5. Install the Access Manager Runtime for Java package:

   rpm -ihv package

   where package is one of the following:

   Access Manager License package
      Linux on x86:        PDlic-PD-6.1.1.0-0.i386.rpm
      Linux on System z:   PDlic-PD-6.1.1.0-0.s390.rpm
      Linux on POWER:      PDlic-PD-6.1.1.0-0.ppc.rpm

   Access Manager Runtime for Java package
      Linux on x86:        PDJrte-PD-6.1.1.0-0.i386.rpm
      Linux on System z:   PDJrte-PD-6.1.1.0-0.s390.rpm
      Linux on POWER:      PDJrte-PD-6.1.1.0-0.ppc.rpm

6. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 320. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.

7. Unmount the CD.

8. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

9. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.

10. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.

11. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:

    ./pdjrtecfg -action config -interactive

This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Solaris: Installing Access Manager Runtime for Java

The following procedure uses pkgadd to install the Access Manager Runtime for Java package and the pdjrtecfg utility to configure it.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install and configure Access Manager Runtime for Java on Solaris, follow these steps.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the CD for your platform:
   v IBM Tivoli Access Manager Base for Solaris
   v IBM Tivoli Access Manager Base for Solaris on x86_64

4. Install the Tivoli Access Manager packages:
   v For Solaris:

     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

     where:

     /cdrom/cdrom0/solaris
             Specifies the location of the package.

     /cdrom/cdrom0/solaris/pddefault
             Specifies the location of the installation administration script.

     and packages are as follows:

     PDlic     Specifies the Access Manager License package.
     PDJrte    Specifies the Access Manager Runtime for Java package.

   v For Solaris on x86_64:

     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

     where:

     /cdrom/cdrom0/solaris_x86
             Specifies the location of the package.

     /cdrom/cdrom0/solaris_x86/pddefault
             Specifies the location of the installation administration script.

     and packages are as follows:

     PDlic     Specifies the Access Manager License package.
     PDJrte    Specifies the Access Manager Runtime for Java package.

5. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 321. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.

6. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

7. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.

8. Before configuring the Access Manager Runtime for Java component, ensure that either the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 can be located using the PATH environment variable.

9. To configure the Access Manager Runtime for Java component, change to the /opt/PolicyDirector/sbin directory and enter the following:

   ./pdjrtecfg -action config -interactive

This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.
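As an added example (not the product's own tooling), this POSIX shell pre-flight for the AIX, HP-UX, Linux and Solaris procedures above confirms that the java found through PATH is an IBM 1.5.0 JRE and reports which JRE directory pdjrtecfg will therefore modify, before running the interactive configuration from /opt/PolicyDirector/sbin. The tam_* names and the sample java -version text are constructed for the example; the check accepts any IBM 1.5.0 runtime because the guide allows both the SR5 runtime and the WebSphere Application Server 6.1 JRE.

```shell
#!/bin/sh
# Added example, not from the IBM guide: check the JRE that pdjrtecfg will
# modify before running the interactive configuration.

PD_SBIN=/opt/PolicyDirector/sbin

# Constructed sample of what `java -version` prints for the IBM 1.5.0 SR5
# runtime shipped with Tivoli Access Manager (format modelled on IBM J9;
# the build identifiers are made up for the example).
TAM_SAMPLE_IBM_JRE='java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pxi32dev-20070511 (SR5))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32 j9vmxi3223-20070426 (JIT enabled)'

# tam_jre_check TEXT: TEXT is the output of `java -version`. Prints the
# version and service refresh (for example "1.5.0 SR5") and returns 0 when the
# JRE is a 1.5.0 IBM runtime; returns 1 for anything else, which pdjrtecfg
# must not be pointed at.
tam_jre_check() {
    case "$1" in
        *'java version "1.5.0'*) ;;
        *) echo "unsupported JRE: not version 1.5.0" >&2; return 1 ;;
    esac
    case "$1" in
        *IBM*) ;;
        *) echo "unsupported JRE: not an IBM runtime" >&2; return 1 ;;
    esac
    sr=$(printf '%s\n' "$1" | sed -n 's/.*(\(SR[0-9][0-9a-z]*\)).*/\1/p' | head -n 1)
    echo "1.5.0 ${sr:-SR?}"
}

# tam_jre_home_from_bin PATH_TO_JAVA: derive the JRE directory from the java
# executable (symlinks resolved where readlink -f is available) so that the
# directory about to be modified can be shown to the operator.
tam_jre_home_from_bin() {
    bin="$1"
    if resolved=$(readlink -f "$bin" 2>/dev/null) && [ -n "$resolved" ]; then
        bin="$resolved"
    fi
    dirname "$(dirname "$bin")"
}

# tam_jrte_preflight: the PATH check the "before configuring" step asks for.
# Fails when java is missing from PATH, is not a supported runtime, or differs
# from the JRE that JAVA_HOME points at (a common way to configure the wrong
# runtime).
tam_jrte_preflight() {
    javabin=$(command -v java) || { echo "java is not on PATH" >&2; return 1; }
    ver=$(tam_jre_check "$("$javabin" -version 2>&1)") || return 1
    home=$(tam_jre_home_from_bin "$javabin")
    if [ -n "${JAVA_HOME:-}" ] && [ "$home" != "$JAVA_HOME" ] \
       && [ "$home" != "$JAVA_HOME/jre" ]; then
        echo "PATH finds java under $home but JAVA_HOME is $JAVA_HOME" >&2
        return 1
    fi
    echo "pdjrtecfg will configure the IBM $ver JRE under $home"
}

# tam_jrte_configure: run the pre-flight, then the configuration command from
# the guide. For a configuration type of Full the policy server and registry
# server must already be running.
tam_jrte_configure() {
    tam_jrte_preflight || return 1
    cd "$PD_SBIN" && ./pdjrtecfg -action config -interactive
}
```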


Windows: Installing Access Manager Runtime for Java

The following procedure uses the setup.exe program to install the Access Manager Runtime for Java package and the pdjrtecfg utility to configure it.

To install and configure a Tivoli Access Manager Runtime for Java system on Windows 2003, Windows Vista or Windows XP, follow these steps.

1. Log on as a user with Administrator group privileges.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager Base for Windows CD.

4. Install the Tivoli Access Manager packages. To do so, run the setup.exe file, located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   v Access Manager License
   v Access Manager Runtime for Java

5. Ensure that either IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager or the JRE provided with WebSphere Application Server 6.1 is installed. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 321. Access Manager Runtime for Java configures additional security features into the specified JRE and only these two JREs are supported.

6. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

7. To set up Access Manager Runtime for Java with a configuration type of Full, ensure that both the policy server and registry server are running. If the configuration type is standalone, this step is not required.

8. To configure the Access Manager Runtime for Java component, change to the c:\Program Files\Tivoli\Policy Director\sbin directory and enter the following:

   pdjrtecfg -action config -interactive

This step completes the setup of the Tivoli Access Manager Access Manager Runtime for Java component. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Chapter 8. Setting up a policy proxy server system

This chapter provides information about installing and configuring a Tivoli Access Manager policy proxy server system.

You can set up this system using one of the following installation methods:
v “Installing using the installation wizard”
v “Installing using native utilities” on page 182

Notes:

1. Tivoli Access Manager does not consider the registry native password policies when creating server accounts during configuration. The registry native password policies might cause server configuration failure. During configuration, disable the registry native policies, such as LDAP default or global policies, that might affect new server accounts. After you create the accounts, set policies such that the accounts are not affected when you enable the disabled policies. For LDAP registries, do not enable pwdMustChange during configuration. You do not have to enable pwdMustChange after configuration because Tivoli Access Manager does not update server accounts. Ensure that LDAP pwdMaxAge does not cause Tivoli Access Manager server accounts to expire after configuration. Tivoli Access Manager generates strong passwords that are 8 - 20 characters long and contain at least one uppercase, one lowercase, and one number. But if the registry password policies are sufficiently restrictive, Tivoli Access Manager configuration might fail when setting the generated password. So disable the registry password policies during configuration.

2. During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
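As an added example (not part of this guide), the following POSIX shell functions read the IBM Tivoli Directory Server global password policy entry as LDIF and flag the settings named in note 1 before a server is configured, so that a failed configuration or a later expiry of the server accounts is caught up front. The DN cn=pwdpolicy,cn=ibmpolicies and the ibm-pwdPolicy attribute are the Tivoli Directory Server conventions assumed here; the sample entry and the tam_* function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the IBM guide: before configuring a Tivoli Access
# Manager server, dump the registry's global password policy and flag the
# settings that note 1 says can break server-account creation or expire the
# accounts afterwards.

# Constructed sample of a Tivoli Directory Server global policy entry
# (cn=pwdpolicy,cn=ibmpolicies is the DN assumed for it; the attribute values
# are made up for the example and deliberately conflict).
TAM_SAMPLE_POLICY='dn: cn=pwdpolicy,cn=ibmpolicies
ibm-pwdPolicy: TRUE
pwdMustChange: TRUE
pwdMaxAge: 7776000
pwdMinLength: 12'

# tam_pwdpolicy_fetch HOST BIND_DN: read the policy entry from a live server
# with the ldapsearch client. The bind password comes from the TAM_BIND_PW
# environment variable so that it does not land in the shell history.
tam_pwdpolicy_fetch() {
    ldapsearch -h "$1" -D "$2" -w "${TAM_BIND_PW:?set TAM_BIND_PW}" \
        -b 'cn=pwdpolicy,cn=ibmpolicies' -s base '(objectclass=*)'
}

# tam_pwdpolicy_check: read one LDIF entry on stdin and print a CONFLICT line
# for each setting that can interfere with configuration. Exit status is 0
# when nothing was flagged and 1 otherwise.
tam_pwdpolicy_check() {
    awk '
    {
        i = index($0, ":")
        if (i == 0) next
        attr = tolower(substr($0, 1, i - 1))
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (attr == "ibm-pwdpolicy") enabled = tolower(val)
        if (attr == "pwdmustchange") mustchange = tolower(val)
        if (attr == "pwdmaxage")     maxage = val + 0
        if (attr == "pwdminlength")  minlen = val + 0
    }
    END {
        if (enabled == "false") {
            print "OK: ibm-pwdPolicy is FALSE, the global policy is not enforced"
            exit 0
        }
        n = 0
        # Server accounts get a generated password that Tivoli Access Manager
        # never changes, so "must change on first use" leaves them unusable.
        if (mustchange == "true") {
            print "CONFLICT pwdMustChange=TRUE: server accounts would be forced to change a password that is never updated"
            n++
        }
        # A maximum age expires the server accounts some time after configuration.
        if (maxage > 0) {
            print "CONFLICT pwdMaxAge=" maxage ": server account passwords would expire after configuration"
            n++
        }
        # Generated passwords are 8 to 20 characters, so a minimum above 8 can reject them.
        if (minlen > 8) {
            print "CONFLICT pwdMinLength=" minlen ": generated passwords can be as short as 8 characters"
            n++
        }
        if (n == 0) print "OK: no conflicting settings found"
        exit (n > 0)
    }'
}

# Usage against a live registry (host and bind DN are placeholders):
#   TAM_BIND_PW=... tam_pwdpolicy_fetch ldap.example.com cn=root | tam_pwdpolicy_check
```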

Installing using the installation wizard

The install_amproxy installation wizard simplifies the setup of a Tivoli Access Manager policy proxy server system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM Tivoli Directory Server base client (as needed)
• IBM Tivoli Directory Server 32-bit client (as needed)
• Tivoli Security Utilities
• Tivoli Access Manager Access Manager License
• Tivoli Access Manager Access Manager Runtime
• Access Manager Policy Proxy Server

Note: The wizard detects if a component is installed and does not attempt to reinstall it.


Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it; do so as soon as configuration completes rather than leaving the host unconfined. If you do not want to disable SELinux, install using native utilities, which do not require it to be turned off and are the better choice on hardened hosts.

• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a policy proxy server system using the install_amproxy wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amproxy program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on POWER, Linux on System z, or Windows 2003 platforms.
   The installation wizard begins by prompting you for configuration information as described in “install_amproxy” on page 404. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager policy proxy server components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:


• AIX on page 183
• HP-UX on page 184
• Linux on page 185
• Solaris on page 187
• Windows on page 188

AIX: Installing a policy proxy server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic        Specifies the Access Manager License package.
   PD.RTE        Specifies the Access Manager Runtime package.
   PD.MgrProxy   Specifies the Access Manager Policy Proxy Server package.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time.


      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing a policy proxy server

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your operating system:
   • IBM Tivoli Access Manager Base for HP-UX
   • IBM Tivoli Access Manager Base for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   • For HP-UX:

     swinstall -s /cd-rom/hp packages

     where /cd-rom/hp is the directory where the CD is mounted and packages are as follows:

     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
   • For HP-UX on Integrity:

     swinstall -s /cd-rom/hp_ia64 packages


     where /cd-rom/hp_ia64 is the directory where the CD is mounted and packages are as follows:

     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
10. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Linux: Installing a policy proxy server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files, which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).


4. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on POWER, or the IBM Tivoli Access Manager Base for Linux on System z CD and mount it.
5. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
9. Install the Tivoli Access Manager packages:

   rpm -ihv packages

   where packages are as follows:

   Package                                      Linux on x86                       Linux on System z                  Linux on POWER
   Access Manager License package               PDlic-PD-6.1.1.0-0.i386.rpm        PDlic-PD-6.1.1.0-0.s390.rpm        PDlic-PD-6.1.1.0-0.ppc.rpm
   Access Manager Runtime package               PDRTE-PD-6.1.1.0-0.i386.rpm        PDRTE-PD-6.1.1.0-0.s390.rpm        PDRTE-PD-6.1.1.0-0.ppc.rpm
   Access Manager Policy Proxy Server package   PDMgrPrxy-PD-6.1.1.0-0.i386.rpm    PDMgrPrxy-PD-6.1.1.0-0.s390.rpm    PDMgrPrxy-PD-6.1.1.0-0.ppc.rpm

10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Solaris: Installing a policy proxy server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install a Tivoli Access Manager policy proxy server system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Base for Solaris
   • IBM Tivoli Access Manager Base for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
   • For Solaris:

     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

     where:

     /cdrom/cdrom0/solaris
         Specifies the location of the package.
     /cdrom/cdrom0/solaris/pddefault
         Specifies the location of the installation administration script.

     and where the packages are as follows:

     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.
   • For Solaris on x86_64:

     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

     where:

     /cdrom/cdrom0/solaris_x86
         Specifies the location of the package.


     /cdrom/cdrom0/solaris_x86/pddefault
         Specifies the location of the installation administration script.

     and where the packages are as follows:

     PDlic       Specifies the Access Manager License package.
     PDRTE       Specifies the Access Manager Runtime package.
     PDMgrPrxy   Specifies the Access Manager Policy Proxy Server package.

   When the installation process is complete for each package, the following message is displayed:

   Installation of package successful.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure Access Manager Runtime followed by the Access Manager Policy Proxy Server package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Windows: Installing a policy proxy server

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager policy proxy server system on Windows 2003, follow these steps:
1. Log on as a user with Administrator group privileges.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).


4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   • Access Manager License
   • Access Manager Runtime
   • Access Manager Policy Proxy Server
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime package followed by the Access Manager Policy Proxy Server package as follows:
   a. Start the configuration utility:

      pdconfig

      The Access Manager Configuration window is displayed.
   b. Select the Access Manager Runtime package and click Configure.
   c. Select the Access Manager Policy Proxy Server package and click Configure.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager policy proxy server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Chapter 9. Setting up a runtime system

This chapter provides information about installing and configuring a Tivoli Access Manager runtime system.

You can set up this system using one of the following installation methods:
• “Installing using the installation wizard”
• “Installing using native utilities” on page 193

Note: During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh.

Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

Installing using the installation wizard

The install_amrte installation wizard simplifies the setup of a Tivoli Access Manager runtime system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM Tivoli Directory Server base client (as needed)
• IBM Tivoli Directory Server 32-bit client (as needed)
• Tivoli Security Utilities
• Tivoli Access Manager Access Manager License
• Tivoli Access Manager Access Manager Runtime

Notes:

1. The wizard detects if a component is installed and does not attempt to reinstall it.

2. If you plan to implement a policy server system, use the install_ammgr utility to install the runtime system. Do not use the install_amrte utility.

Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it; do so as soon as configuration completes. If you do not want to disable SELinux, install using native utilities, which do not require it to be turned off.

• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a runtime system using the install_amrte wizard, follow these steps:


1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amrte program, located in the root directory on the IBM Tivoli Access Manager Base CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on POWER, Linux on System z, and Windows 2003, Windows XP and Windows Vista platforms.
   The installation wizard begins by prompting you for configuration information as described on page 378 (LDAP), page 382 (Active Directory), or page 389 (Domino). Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Tivoli Access Manager runtime system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:
• AIX on page 193
• HP-UX on page 194
• Linux on page 195
• Solaris on page 197
• Windows on page 199

AIX: Installing Access Manager Runtime

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Tivoli Access Manager runtime system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic   Specifies the Access Manager License package.
   PD.RTE   Specifies the Access Manager Runtime package.

9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:

      pdconfig


      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing Access Manager Runtime

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install Tivoli Access Manager on HP-UX or HP-UX on Integrity, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Base for HP-UX
   • IBM Tivoli Access Manager Base for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   • For HP-UX:

     swinstall -s /cd-rom/hp packages

     where /cd-rom/hp is the directory where the CD is mounted and packages are as follows:

     PDlic   Specifies the Access Manager License package.
     PDRTE   Specifies the Access Manager Runtime package.
   • For HP-UX on Integrity:


     swinstall -s /cd-rom/hp_ia64 packages

     where /cd-rom/hp_ia64 is the directory where the CD is mounted and packages are as follows:

     PDlic   Specifies the Access Manager License package.
     PDRTE   Specifies the Access Manager Runtime package.
10. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Linux: Installing Access Manager Runtime

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install Tivoli Access Manager packages on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files, which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Base for Linux on System z CD.
1. Log on as root.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on System z, or IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
4. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.


6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
8. Install the Tivoli Access Manager packages:

   rpm -ihv packages

   where packages are as follows:

   Package                          Linux on x86                   Linux on System z              Linux on POWER
   Access Manager License package   PDlic-PD-6.1.1.0-0.i386.rpm    PDlic-PD-6.1.1.0-0.s390.rpm    PDlic-PD-6.1.1.0-0.ppc.rpm
   Access Manager Runtime package   PDRTE-PD-6.1.1.0-0.i386.rpm    PDRTE-PD-6.1.1.0-0.s390.rpm    PDRTE-PD-6.1.1.0-0.ppc.rpm

9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Access Manager Runtime package as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

    When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.
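Steps 4 through 9 of the Linux procedure above can be scripted so that the CD directory is chosen from the kernel architecture and any package that rpm already reports as installed is skipped. The script below is an added example and not part of the IBM guide. It assumes that the CD mount point is passed as its first argument (the guide's /mnt/cdrom by default), that an x86_64 kernel uses the i386 packages (the guide's table lists only i386 packages for x86), that the rpm file names are exactly those in the table, and that TAM_PREREQ_RPMS, if you set it, holds the rpm names of GSKit, the Tivoli Directory Server client and the Tivoli Security Utilities as you installed them from their own pages of this guide.

```shell
#!/bin/sh
# Added example for the Linux runtime install (not IBM's code).
# Chooses the CD distribution directory from the kernel architecture,
# checks that the two rpm files from the guide's table are present, and
# installs whichever of them rpm does not already report as installed.
# Assumptions: $1 is the CD mount point (default /mnt/cdrom, as in the
# guide); an x86_64 kernel uses the linux_i386 packages (the guide's table
# has only i386 packages for x86); TAM_PREREQ_RPMS, if set, lists the rpm
# names of GSKit, the Tivoli Directory Server client and the Tivoli
# Security Utilities as installed from their own pages of the guide.

# Map `uname -m` output to the distribution directory named in step 4.
tam_dist_dir() {
    case "$1" in
        i?86|x86_64) echo linux_i386 ;;
        ppc|ppc64)   echo linux_ppc ;;
        s390|s390x)  echo linux_s390 ;;
        *)           return 1 ;;
    esac
}

# The License and Runtime rpm file names for a distribution directory,
# in the order they must be installed (license first).
tam_runtime_rpms() {
    case "$1" in
        linux_i386) arch=i386 ;;
        linux_ppc)  arch=ppc ;;
        linux_s390) arch=s390 ;;
        *)          return 1 ;;
    esac
    echo "PDlic-PD-6.1.1.0-0.$arch.rpm PDRTE-PD-6.1.1.0-0.$arch.rpm"
}

# Fail early if a prerequisite listed in TAM_PREREQ_RPMS is missing, so the
# runtime is not installed on top of an incomplete base (steps 5 to 7).
tam_check_prereqs() {
    for p in ${TAM_PREREQ_RPMS:-}; do
        rpm -q "$p" >/dev/null 2>&1 || { echo "prerequisite $p is not installed" >&2; return 1; }
    done
}

tam_install_runtime() {
    mount=${1:-/mnt/cdrom}
    dist=$(tam_dist_dir "$(uname -m)") || { echo "unsupported architecture: $(uname -m)" >&2; return 1; }
    dir=$mount/$dist
    tam_check_prereqs || return 1
    for f in $(tam_runtime_rpms "$dist"); do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
        nvr=${f%.*.rpm}                      # e.g. PDlic-PD-6.1.1.0-0
        if rpm -q "$nvr" >/dev/null 2>&1; then
            echo "$nvr is already installed, skipping"
            continue
        fi
        rpm -ihv "$dir/$f" || return 1
    done
}

# Run as root after mounting the CD; pdconfig (step 11) remains interactive:
#   tam_install_runtime /mnt/cdrom && pdconfig
```

The script does not unmount the CD and does not run pdconfig; both remain manual steps. Querying rpm by the full name-version-release string (PDlic-PD-6.1.1.0-0) rather than by file name is what makes the re-run safe.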

Starting Tivoli Access Manager components on SUSE Linux Enterprise Server 10

After you install Tivoli Access Manager on a SUSE Linux Enterprise Server 10 system, the components do not start automatically when you restart the system. You must complete the steps described here to start the components.

1. Locate and remove the following files:

   v /etc/init.d/rc0.d/K005pd
   v /etc/init.d/rc3.d/S590pd
   v /etc/init.d/rc5.d/S590pd

2. Enable editing of the /opt/PolicyDirector/bin/pd_start file by running the following command:

   chmod +w /opt/PolicyDirector/bin/pd_start

3. Add the following lines after the first line in the /opt/PolicyDirector/bin/pd_start file:

   ### BEGIN INIT INFO
   # Provides: pd
   # Required-Start: $network
   # Required-Stop:
   # Default-Start: 3 5
   # Default-Stop:
   # Description: Script to start and stop Tivoli Access Manager.
   ### END INIT INFO

4. Run the following command to enable Tivoli Access Manager servers to start during system startup:

   chkconfig pd on

   This command creates the following start and stop script links:

   lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc3.d/K16pd -> ../pd
   lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc3.d/S06pd -> ../pd
   lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc5.d/K16pd -> ../pd
   lrwxrwxrwx 1 root root 5 Mar 15 16:11 /etc/init.d/rc5.d/S06pd -> ../pd

Notes:

1. Run the following command before uninstalling Tivoli Access Manager runtime from your computer:

   chkconfig pd off

2. If Tivoli Directory Server is installed on the same computer as Tivoli Access Manager, add Tivoli Directory Server to the # Required-Start: line of the /opt/PolicyDirector/bin/pd_start file, and then run the following commands in this order:
   a. chkconfig pd off
   b. chkconfig pd on

   Running these commands ensures that the Tivoli Access Manager log files do not have messages indicating that the LDAP server has failed and recovered, because the Tivoli Access Manager servers are no longer started before the directory server is up.
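The file edit in steps 2 and 3 and the Required-Start change in note 2 can be done with a small script that inserts the LSB header block after the interpreter line, adds any extra start dependency, and does nothing if a header is already present, so it is safe to run again after a package refresh. This is an added example and not IBM's code. It assumes that the path to pd_start is passed as the first argument and that the optional second argument is the facility name the directory server's own init script declares on its Provides: line; the guide does not name that facility, so "ldap" in the usage comment is only a placeholder.

```shell
#!/bin/sh
# Added example for SUSE Linux Enterprise Server 10 (not IBM's code):
# inserts the LSB INIT INFO block that chkconfig/insserv needs after the
# first line of pd_start, optionally with an extra Required-Start
# facility, and leaves the file alone if a block is already present.
# Assumptions: $1 is the path to pd_start (/opt/PolicyDirector/bin/pd_start
# in the guide); $2, if given, is the facility name the directory server's
# own init script declares on its "Provides:" line (the guide does not
# name it, so "ldap" in the usage below is only a placeholder).

add_pd_lsb_header() {
    file=$1
    extra=${2:-}
    required='$network'                     # literal $network, an LSB facility
    [ -n "$extra" ] && required="$required $extra"
    # Idempotent: a second run must not add a second header block.
    if grep -q '^### BEGIN INIT INFO' "$file"; then
        return 0
    fi
    chmod u+w "$file" || return 1           # the guide's chmod +w step
    tmp=$(mktemp) || return 1
    {
        head -n 1 "$file"                   # keep the interpreter line first
        printf '%s\n' \
            '### BEGIN INIT INFO' \
            '# Provides: pd' \
            "# Required-Start: $required" \
            '# Required-Stop:' \
            '# Default-Start: 3 5' \
            '# Default-Stop:' \
            '# Description: Script to start and stop Tivoli Access Manager.' \
            '### END INIT INFO'
        tail -n +2 "$file"                  # the rest of the original script
    } > "$tmp" && cat "$tmp" > "$file"      # cat keeps pd_start's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Show what was written, so the result can be checked before chkconfig runs.
pd_required_start() {
    sed -n 's/^# Required-Start: //p' "$1"
}

# Re-register the service after a header change, as note 2 in the guide says.
pd_reregister() {
    chkconfig pd off && chkconfig pd on
}

# Usage (as root, after removing the stale rc*.d links from step 1):
#   add_pd_lsb_header /opt/PolicyDirector/bin/pd_start ldap && pd_reregister
```

Writing through cat rather than mv keeps the ownership and mode of pd_start, which matters for a root-owned init script; check the Required-Start line with pd_required_start before running pd_reregister.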

Solaris: Installing Access Manager Runtime

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install a Tivoli Access Manager package, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   v IBM Tivoli Access Manager Base for Solaris
   v IBM Tivoli Access Manager Base for Solaris on x86_64
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.


8. Install the Tivoli Access Manager packages:
   v For Solaris:

     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

     where:

     /cdrom/cdrom0/solaris
         Specifies the location of the package.

     /cdrom/cdrom0/solaris/pddefault
         Specifies the location of the installation administration (admin) file.

     and packages are as follows:

     PDlic   Specifies the Access Manager License package.
     PDRTE   Specifies the Access Manager Runtime package.

   v For Solaris on x86_64:

     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

     where:

     /cdrom/cdrom0/solaris_x86
         Specifies the location of the package.

     /cdrom/cdrom0/solaris_x86/pddefault
         Specifies the location of the installation administration (admin) file.

     and packages are as follows:

     PDlic   Specifies the Access Manager License package.
     PDRTE   Specifies the Access Manager Runtime package.

   On Solaris 10, add the -G option to either command, as noted above, so that the packages are installed in the current zone only.

   When the installation process is complete for each package, the following message is displayed:

     Installation of package successful.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime package as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

    When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.


This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Windows: Installing Access Manager Runtime

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager runtime system on Windows 2003, Windows Vista or Windows XP, follow these steps:

1. Log on as a user with administrator privileges (any member of the Administrators group).
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Base for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in this directory:

   \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   v Access Manager License
   v Access Manager Runtime
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime package as follows:
    a. Start the configuration utility:

       pdconfig

       The Access Manager Configuration window is displayed.
    b. Select the Access Manager Runtime package and click Configure. You are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager runtime system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Chapter 10. Setting up a Web Portal Manager system

This chapter provides information about installing and configuring a Tivoli Access Manager Web Portal Manager (WPM) system.

You can set up this system using one of the following installation methods:
v “Installing using the installation wizard”
v “Installing using native utilities” on page 203

Before you begin, review the following information:
v During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, a YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
v If any IBM WebSphere Application Server patches or fix packs are applied that modify the PD.jar file, then you must also unconfigure and reconfigure Access Manager Runtime for Java to use the PD.jar file shipped with Tivoli Access Manager 6.1.1.
v If you reinstall or reconfigure the Tivoli Access Manager policy server, you must also unconfigure and reconfigure the Access Manager Runtime for Java component, which is a prerequisite component on a Web Portal Manager system.
v If security is enabled in WebSphere, you will be prompted for a Trust Store file and an SSL Key file during Web Portal Manager installation. These files use the .jks format by default. If you wish to use files in the PKCS12 format, you must modify the soap.client.props file found in the following directory:

  <user_install_root>/properties

  You can find the value of user_install_root by clicking Environment > WebSphere Variables in the WebSphere Administrative console for the WebSphere node on which the Web Portal Manager installation is being run. In the soap.client.props file, add the lines:

  com.ibm.ssl.keyStoreType=PKCS12
  com.ibm.ssl.trustStoreType=PKCS12

  Note: You can verify that the Web Portal Manager configuration is using the intended soap.client.props file when running the amwpmcfg utility by using the -debug option and checking the message:

  DEBUG: SOAP client props file =
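Editing soap.client.props by hand is easy to get wrong: Java takes the last occurrence of a duplicated key, so an old keyStoreType line left further down the file silently overrides the one you added. The script below is an added example and not from the IBM guide. It replaces each key in place where it already exists and appends it otherwise, so the file ends up with exactly one value for each key; a commented-out copy is left untouched and does not count as a match. It assumes that the path to soap.client.props is passed as the first argument.

```shell
#!/bin/sh
# Added example (not IBM's code): set the WebSphere SOAP client to use
# PKCS12 key and trust stores by rewriting soap.client.props in place.
# Each key is replaced where it already exists and appended otherwise,
# so the file ends with exactly one line per key; a commented-out copy
# ("#com.ibm.ssl.keyStoreType=...") is left untouched and does not count.
# Assumption: $1 is the path to <user_install_root>/properties/soap.client.props.

# Set key=value in a Java properties file. Matching is on "key=" at the
# start of the line (index 1), so "foo.bar" does not match "foo.barbaz=".
set_java_prop() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat preserves mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Read back a key, so the change can be verified; prints the first match.
get_java_prop() {
    awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# Switch both store types to PKCS12, as the note above requires.
use_pkcs12_stores() {
    set_java_prop "$1" com.ibm.ssl.keyStoreType PKCS12 &&
    set_java_prop "$1" com.ibm.ssl.trustStoreType PKCS12
}

# Usage, with user_install_root taken from the WebSphere Variables page:
#   use_pkcs12_stores <user_install_root>/properties/soap.client.props
```

After the change, run amwpmcfg with -debug and confirm that the DEBUG: SOAP client props file = line names the same file you edited; if it names a different profile's properties directory, the stores you were prompted for will still be read as .jks.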

Installing using the installation wizard

The install_amwpm installation wizard simplifies the setup of a Tivoli Access Manager Web Portal Manager system by installing and configuring the following components in the appropriate order:
v IBM WebSphere Application Server, including IBM HTTP Server


v Access Manager License
v Access Manager Runtime for Java
v Access Manager Web Portal Manager

The Web Portal Manager installation wizard detects if a component is installed and does not attempt to reinstall it. If a compatible version of WebSphere Application Server is detected by the wizard, you will be given the choice to use that version or have the wizard install a new one. If you choose to use the existing WebSphere Application Server, ensure you also have the plug-ins and HTTP server installed and working properly before continuing with the wizard. If you do not have a working HTTP server, choose the native install method to install the Web Portal Manager.

Attention:

v If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, even temporarily, install using native utilities instead.
v If your system hangs after issuing the wizard command, or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a Web Portal Manager system using the install_amwpm wizard, follow these steps.

1. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions on installing IBM Java Runtime 1.5.0 SR5, see page 318.
4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
   v Microsoft Internet Explorer 5.5, 6.0 and 7.0
   v Mozilla 1.7
5. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
6. On Windows systems only, exit from all running programs.
7. Run the install_amwpm program, located in the root directory on the IBM Tivoli Access Manager Base CD for AIX, HP-UX, HP-UX on Integrity, Linux on x86, Linux on System z, Linux on POWER, Solaris, Solaris on x86_64 and Windows 2003 platforms.

   The installation wizard begins by prompting you for configuration information as described in “install_amwpm” on page 439. Supply the required configuration information, or accept default values.


   If a compatible version of WebSphere Application Server is detected by the wizard, you are given the choice described above: use that version, or have the wizard install a new one. If you use the existing WebSphere Application Server, its plug-ins and HTTP server must already be installed and working; if they are not, use the native install method instead.

8. Compare the disk space that is required to install all of the Web Portal Manager components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
9. If WebSphere Application Server was not installed by the install_amwpm program, stop and restart the server where Web Portal Manager was installed. For example, to restart server1:

   AIX, HP-UX and HP-UX on Integrity
       /usr/WebSphere/AppServer/bin/stopServer.sh server1
       /usr/WebSphere/AppServer/bin/startServer.sh server1

   Linux, Solaris and Solaris on x86_64
       /opt/IBM/WebSphere/AppServer/bin/stopServer.sh server1
       /opt/IBM/WebSphere/AppServer/bin/startServer.sh server1

   Windows
       C:\Program Files\IBM\WebSphere\AppServer\bin\stopServer.bat server1
       C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1

10. To access the Web Portal Manager interface, enter the following address in your Web browser:

    http://hostname:port/ibm/console

    where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:

    http://wpm14.example.com:9060/ibm/console

This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide.

Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Until you obtain a certificate from a qualified certificate authority (CA) and configure it into the Web Portal Manager environment, the console is reached over plain HTTP, and the administrator ID and password entered at its login page cross the network in clear text; restrict which hosts can reach that port in the meantime.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdjrtecfg and amwpmcfg utilities as described in the following procedures.


Complete the instructions that apply to your operating system:
v AIX on page 204
v HP-UX on page 206
v Linux on page 208
v Solaris on page 211
v Windows on page 214

AIX: Installing a Web Portal Manager system

The following procedure uses installp to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install a Tivoli Access Manager Web Portal Manager system on AIX, complete the following steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
   v Microsoft Internet Explorer 5.5, 6.0 and 7.0
   v Mozilla 1.7
5. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 318.
6. Install IBM WebSphere Application Server. For instructions, see page 333.
7. Insert the IBM Tivoli Access Manager Base for AIX CD and mount it.
8. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic    Specifies the Access Manager License package.
   PDJ.rte   Specifies the Access Manager Runtime for Java package.
   PD.WPM    Specifies the Access Manager Web Portal Manager package.

   Note: These packages must be installed on the same system as IBM WebSphere Application Server.

9. Unmount the CD.
10. Optional: You can use the IBM WebSphere Application Server setupCmdLine script to reset environment variables, including the location of IBM Java Runtime, before configuring Access Manager Runtime for Java and Web Portal Manager.
    a. Run the which java command from the command line to show the default PATH settings being used. For example, the command might show that Java is currently being run from /usr/bin/java.


    b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
    c. Enter:

       . /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh

       Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory:

       /opt/IBM/WebSphere/AppServer/java

11. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
    a. Stop the WebSphere Application Server and the IBM HTTP Server.
    b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

       ./pdjrtecfg -action config -interactive

    c. Select the Full configuration type.
    d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:

       /opt/IBM/WebSphere/AppServer/java/jre

    e. Specify the policy server host name, port, and domain.

    For more information about this utility, see “pdjrtecfg” on page 579.
13. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the WebSphere Application Server, run the stopServer.sh and startServer.sh scripts, located in the /opt/IBM/WebSphere/AppServer/bin directory, as follows:

    ./stopServer.sh server1
    ./startServer.sh server1

    To restart the IBM HTTP Server, enter the following command:

    /opt/IBM/HTTPServer/bin/apachectl restart

    Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /usr/HTTPServer/conf/httpd.conf file, change default port 80 to an unused port, such as 8080, and then restart the IBM HTTP Server:

    # Port: The port the standalone listens to.
    Port 8080

14. Configure the Access Manager Web Portal Manager package by running the amwpmcfg command, located in the /opt/PolicyDirector/sbin directory, as follows:

    ./amwpmcfg -action config -interactive

    Specify the necessary configuration parameters, such as the IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password.


    For more information about this utility and all of its parameters, see “amwpmcfg” on page 557.
15. To access the Web Portal Manager interface, enter the following address in your Web browser:

    http://hostname:port/ibm/console

    where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:

    http://wpm14.example.com:9060/ibm/console

This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide.

Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment; until then, administrator credentials entered at the console login page travel over plain HTTP.

HP-UX: Installing a Web Portal Manager system

The following procedure uses swinstall to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install a Tivoli Access Manager Web Portal Manager system on HP-UX or HP-UX on Integrity, complete the following steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
   v Microsoft Internet Explorer 5.5 and 6.0
   v Mozilla 1.7
5. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 319.
6. Install IBM WebSphere Application Server. For instructions, see page 334.
7. Insert the CD for your platform:
   v IBM Tivoli Access Manager Base for HP-UX
   v IBM Tivoli Access Manager Base for HP-UX on Integrity
8. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where -F cdfs specifies the file system type, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
9. Install the Tivoli Access Manager packages:


   v For HP-UX:

     swinstall -s /cd-rom/hp packages

     where /cd-rom/hp specifies the directory and packages are as follows:

     PDlic    Specifies the Access Manager License package.
     PDJrte   Specifies the Access Manager Runtime for Java package.
     PDWPM    Specifies the Access Manager Web Portal Manager package.

     Note: These packages must be installed on the same system as IBM WebSphere Application Server.

   v For HP-UX on Integrity:

     swinstall -s /cd-rom/hp_ia64 packages

     where /cd-rom/hp_ia64 specifies the directory and packages are as follows:

     PDlic    Specifies the Access Manager License package.
     PDJrte   Specifies the Access Manager Runtime for Java package.
     PDWPM    Specifies the Access Manager Web Portal Manager package.

     Note: These packages must be installed on the same system as IBM WebSphere Application Server.

10. Unmount the CD as follows:

    umount /cd-rom

    where /cd-rom is the mount point.
11. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
    a. Run the which java command from the command line to show the default PATH settings being used. For example, the command might show that Java is currently being run from /usr/bin/java.
    b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
    c. Enter:

       . /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh

       Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory:

       /opt/IBM/WebSphere/AppServer/java

12. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
13. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
    a. Stop the WebSphere Application Server and the IBM HTTP Server.
    b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

       ./pdjrtecfg -action config -interactive


    c. Select the Full configuration type.
    d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:

       /usr/WebSphere/AppServer/java/jre

    e. Specify the policy server host name, port, and domain.

    For more information about this utility, see “pdjrtecfg” on page 579.
14. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the WebSphere Application Server, run the stopServer.sh and startServer.sh scripts, located in the /usr/WebSphere/AppServer/bin directory, as follows:

    ./stopServer.sh server1
    ./startServer.sh server1

    To restart the IBM HTTP Server, enter the following command:

    /opt/IBMHTTPServer/apachectl restart

    Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server:

    # Port: The port the standalone listens to.
    Port 8080

15. Configure the Access Manager Web Portal Manager package by running the amwpmcfg command, located in the /opt/PolicyDirector/sbin directory:

    ./amwpmcfg -action config -interactive

    Specify the necessary configuration parameters, such as the IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password. For more information about this utility and all of its parameters, see “amwpmcfg” on page 557.
16. To access the Web Portal Manager interface, enter the following address in your Web browser:

    http://hostname:port/ibm/console

    where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:

    http://wpm14.example.com:9060/ibm/console

This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide.

Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.

Linux: Installing a Web Portal Manager system

The following procedure uses rpm to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.


To install a Tivoli Access Manager Web Portal Manager system on Linux, complete the following steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
   v Microsoft Internet Explorer 5.5 and 6.0
   v Mozilla 1.7
5. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 320.

   Note: If you configure Web Portal Manager against a Java Runtime Environment other than the one supported by Tivoli Access Manager, the configuration might fail.
6. Install IBM WebSphere Application Server. For instructions, see page 335.
7. Insert the IBM Tivoli Access Manager Base for Linux on x86, IBM Tivoli Access Manager Base for Linux on System z, or IBM Tivoli Access Manager Base for Linux on POWER CD and mount it.
8. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
9. Install the Tivoli Access Manager packages:

   rpm -ihv packages

   where packages are as follows:

   Package                                     Linux on x86                    Linux on System z               Linux on POWER
   Access Manager License package              PDlic-PD-6.1.1.0-0.i386.rpm     PDlic-PD-6.1.1.0-0.s390.rpm     PDlic-PD-6.1.1.0-0.ppc.rpm
   Access Manager Runtime for Java package     PDJrte-PD-6.1.1.0-0.i386.rpm    PDJrte-PD-6.1.1.0-0.s390.rpm    PDJrte-PD-6.1.1.0-0.ppc.rpm
   Access Manager Web Portal Manager package   PDWPM-PD-6.1.1.0-0.i386.rpm     PDWPM-PD-6.1.1.0-0.s390.rpm     PDWPM-PD-6.1.1.0-0.ppc.rpm

   Note: These packages must be installed on the same system as IBM WebSphere Application Server.

10. Unmount the CD.
11. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
    a. Run the which java command from the command line to show the default PATH settings being used. For example, the command might show that Java is currently being run from /usr/bin/java.


   b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
   c. Enter:

         . /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh

      Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory:

         /opt/WebSphere/AppServer/java

12. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

13. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
   a. Stop the WebSphere Application Server and the IBM HTTP Server.
   b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

         ./pdjrtecfg -action config -interactive

   c. Select the Full configuration type.
   d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:

         /opt/WebSphere/AppServer/java/jre

   e. Specify the policy server host name, port, and domain.

   For more information about this utility, see “pdjrtecfg” on page 579.

14. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the IBM WebSphere Application Server, run the startServer.sh script, located in the /opt/IBM/WebSphere/AppServer/bin directory, as follows:

      ./stopServer.sh server1
      ./startServer.sh server1

   To restart the IBM HTTP Server, enter the following command:

      /opt/IBM/HTTPServer/bin/apachectl restart

   Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

      # Port: The port the standalone listens to.
      Port 8080

15. Configure the Access Manager Web Portal Manager package by running the amwpmcfg command, located in the /opt/PolicyDirector/sbin/ directory, as follows:

      ./amwpmcfg -action config -interactive

   Specify the necessary configuration parameters, such as the IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password.


   For more information about this utility and all of its parameters, see “amwpmcfg” on page 557.

16. To access the Web Portal Manager interface, enter the following address in your Web browser:

      http://hostname:port/ibm/console

   where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:

      http://wpm14.example.com:9060/ibm/console

This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide.

Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
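The package selection in step 9 and the JAVA_HOME check in step 11 are the two places where a scripted version of this procedure goes wrong across the three Linux architectures. The POSIX shell helpers below are an added example and are not part of the IBM guide or of the product: they map the machine type to the distribution directory of step 8, list the three rpms in the order of the table in step 9, confirm that each file is present under the mount point before rpm -ihv runs, and confirm that the java found first on PATH lives under JAVA_HOME so that pdjrtecfg is not configured against a different runtime than WebSphere uses. The uname -m spellings, the TAM_DRY_RUN variable and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM guide): preflight helpers for steps 8, 9
# and 11 of the Linux Web Portal Manager procedure. The uname -m spellings
# and the TAM_DRY_RUN variable are assumptions.

# Map the machine type reported by uname -m to the distribution directory
# named in step 8. Prints the directory name; returns 1 for anything else.
tam_linux_dist_dir() {
    case "$1" in
        i?86)        echo linux_i386 ;;   # Linux on x86
        s390|s390x)  echo linux_s390 ;;   # Linux on System z
        ppc|ppc64)   echo linux_ppc ;;    # Linux on POWER
        *)           return 1 ;;
    esac
}

# The rpm architecture suffix used in the guide's package table for a
# distribution directory (linux_i386 -> i386, linux_s390 -> s390, linux_ppc -> ppc).
tam_rpm_arch() {
    case "$1" in
        linux_i386) echo i386 ;;
        linux_s390) echo s390 ;;
        linux_ppc)  echo ppc ;;
        *)          return 1 ;;
    esac
}

# List the Web Portal Manager rpms, one per line, in the order of the
# guide's table (license, runtime for Java, Web Portal Manager).
tam_wpm_rpms() {
    arch=$(tam_rpm_arch "$1") || return 1
    for base in PDlic PDJrte PDWPM; do
        echo "$base-PD-6.1.1.0-0.$arch.rpm"
    done
}

# Verify that every rpm for the distribution exists under the mount point
# before rpm -ihv runs. A missing file means the wrong CD or the wrong
# distribution directory, so stop rather than leave a partial install.
tam_wpm_preflight() {
    mount_point=$1; dist=$2; missing=0
    rpms=$(tam_wpm_rpms "$dist") || return 1
    for f in $rpms; do
        if [ ! -f "$mount_point/$dist/$f" ]; then
            echo "missing: $mount_point/$dist/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Step 11 check: the java found first on PATH must live under JAVA_HOME,
# the top directory that setupCmdLine.sh points at.
tam_java_matches_home() {
    java_path=$1; java_home=$2
    case "$java_path" in
        "$java_home"/*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Run rpm -ihv with all three packages only after the preflight passes.
# Set TAM_DRY_RUN=1 to print the command instead of executing it.
tam_install_wpm() {
    mount_point=$1
    machine=$(uname -m)
    dist=$(tam_linux_dist_dir "$machine") || { echo "unsupported machine type: $machine" >&2; return 1; }
    tam_wpm_preflight "$mount_point" "$dist" || return 1
    rpms=$(tam_wpm_rpms "$dist")
    (
        cd "$mount_point/$dist" || exit 1
        if [ "${TAM_DRY_RUN:-0}" = 1 ]; then
            echo rpm -ihv $rpms
        else
            rpm -ihv $rpms
        fi
    )
}
```

A typical use is `TAM_DRY_RUN=1 tam_install_wpm /mnt/cdrom` from the root shell to see the exact rpm command and any missing files before the real run, followed by `tam_java_matches_home "$(command -v java)" "$JAVA_HOME"` after sourcing setupCmdLine.sh.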

Solaris: Installing a Web Portal Manager system

The following procedure uses pkgadd to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install and configure a Web Portal Manager system on Solaris, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
   • Microsoft Internet Explorer 5.5 and 6.0
   • Mozilla 1.7

5. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 321.

6. Install IBM WebSphere Application Server. For instructions, see page 336.

7. Insert the CD for your platform:
   • IBM Tivoli Access Manager Base for Solaris
   • IBM Tivoli Access Manager Base for Solaris on x86_64

8. Install the Tivoli Access Manager packages (one at a time):
   • For Solaris:


        pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

     where:

     /cdrom/cdrom0/solaris
        Specifies the location of the package.

     /cdrom/cdrom0/solaris/pddefault
        Specifies the location of the installation administration script.

     and where packages are as follows:

     PDlic     Specifies the Access Manager License package.
     PDJrte    Specifies the Access Manager Runtime for Java package.
     PDWPM     Specifies the Access Manager Web Portal Manager package.

     Note: These packages must be installed on the same system as IBM WebSphere Application Server.

   • For Solaris on x86_64:

        pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

     where:

     /cdrom/cdrom0/solaris_x86
        Specifies the location of the package.

     /cdrom/cdrom0/solaris_x86/pddefault
        Specifies the location of the installation administration script.

     and where packages are as follows:

     PDlic     Specifies the Access Manager License package.
     PDJrte    Specifies the Access Manager Runtime for Java package.
     PDWPM     Specifies the Access Manager Web Portal Manager package.

     Note: These packages must be installed on the same system as IBM WebSphere Application Server.

9. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
   a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the /usr/bin/java directory.
   b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.sh file and change the environment variable as needed.
   c. Enter:

         . /opt/IBM/WebSphere/AppServer/bin/setupCmdLine.sh

      Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory:

         /opt/WebSphere/AppServer/java


10. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

11. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
   a. Stop the WebSphere Application Server and the IBM HTTP Server.
   b. Change to the /opt/PolicyDirector/sbin directory and enter the following command:

         ./pdjrtecfg -action config -interactive

   c. Select the Full configuration type.
   d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:

         /opt/WebSphere/AppServer/java/jre

   e. Specify the policy server host name, port, and domain.

   For more information about this utility, see “pdjrtecfg” on page 579.

12. Restart the WebSphere Application Server and the IBM HTTP Server. To restart the WebSphere Application Server, run the startServer.sh script, located in the /opt/WebSphere/AppServer/bin directory, as follows:

      ./stopServer.sh server1
      ./startServer.sh server1

   To restart the IBM HTTP Server, enter the following command:

      /opt/IBMHTTPServer/bin/apachectl restart

   Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the /opt/IBMHTTPServer/conf/httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

      # Port: The port the standalone listens to.
      Port 8080

13. Configure the Access Manager Web Portal Manager package:

      ./amwpmcfg -action config -interactive

   Specify the necessary configuration parameters, such as the IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password. For more information about this utility and all of its parameters, see “amwpmcfg” on page 557.

14. To access the Web Portal Manager interface, enter the following address in your Web browser:

      http://hostname:port/ibm/console

   where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:

      http://wpm14.example.com:9060/ibm/console

This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide.

Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.
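The note in step 14 of the Linux procedure and in step 12 of the Solaris procedure above asks you to move IBM HTTP Server off port 80 when a registry server's own web server is already listening there. The helpers below are an added example and are not part of the IBM guide or of the product: they read the port from an httpd.conf, change it only after taking a backup copy, and compare two configuration files so a collision is caught before the servers are restarted. They handle the Port directive the guide shows and also the Listen directive that Apache 2-based levels of IBM HTTP Server use; the configuration files used in the comments and usage are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: helpers for the httpd.conf port
# note. Port and Listen directives are both handled; file contents used to
# exercise the functions are constructed.

# Print the port from the first uncommented Port or Listen directive.
# A Listen value such as 0.0.0.0:8080 is reduced to its port number.
ihs_port() {
    awk '
        /^[ \t]*(Port|Listen)[ \t]/ {
            v = $2; sub(/.*:/, "", v); print v; exit
        }' "$1"
}

# Rewrite the Port/Listen directive to a new port, keeping a .bak copy of
# the original file. Refuses anything that is not a number in 1..65535.
set_ihs_port() {
    conf=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "not a port number: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    # Write to a temp file first so a failure leaves the original untouched.
    awk -v port="$port" '
        /^[ \t]*(Port|Listen)[ \t]/ {
            if ($2 ~ /:/) { sub(/[0-9]+$/, port, $2) } else { $2 = port }
        }
        { print }' "$conf.bak" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when two configs listen on different ports, 1 when they collide
# or when either port cannot be read.
ports_differ() {
    a=$(ihs_port "$1"); b=$(ihs_port "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]
}
```

Before restarting, run `ports_differ /opt/IBMHTTPServer/conf/httpd.conf /path/to/other/httpd.conf || set_ihs_port /opt/IBMHTTPServer/conf/httpd.conf 8080` (the second path is a placeholder for the registry server's web server configuration); the .bak copy lets you revert if the new port is itself taken.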

Windows: Installing a Web Portal Manager system

The following procedure uses setup.exe to install software packages and the pdjrtecfg and amwpmcfg utilities to configure them.

To install and configure a Web Portal Manager system on Windows 2003, follow these steps:

1. Log on as any member of the Administrators group.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Ensure that you have a supported Web browser installed on a system in your secure domain. Web Portal Manager supports:
   • Microsoft Internet Explorer 5.5 and 6.0
   • Mozilla 1.7

5. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 321.

6. Install IBM WebSphere Application Server. See “Windows: Installing WebSphere Application Server” on page 336.

7. Insert the IBM Tivoli Access Manager Base for Windows CD.

8. Install the Tivoli Access Manager packages. To do so, run the setup.exe file located in the following directory:

      \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   • Access Manager License
   • Access Manager Runtime for Java
   • Access Manager Web Portal Manager

   Note: These packages must be installed on the same system as IBM WebSphere Application Server.

9. Optional: You can use the IBM WebSphere setupCmdLine script to reset environment variables, including the location of the Java Runtime Environment, before configuring Access Manager Runtime for Java and Web Portal Manager.
   a. Run the which java command from the command line to show the default PATH settings being used. For example, the command shows that Java is currently being run from the C:\Program Files\IBM\WebSphere\AppServer\java directory.


   b. To update the PATH environment variable and reset the JAVA_HOME variable, edit the setupCmdLine.bat file and change the environment variable as needed.
   c. Enter:

         C:\Program Files\IBM\WebSphere\AppServer\bin\setupCmdLine.bat

      Set the JAVA_HOME variable to the Java Runtime Environment that has been configured for Access Manager Runtime for Java. The JAVA_HOME variable should be set to the top directory:

         C:\Program Files\IBM\WebSphere\AppServer\java

10. To view status and messages for the Access Manager Runtime for Java component in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

11. Configure the Access Manager Runtime for Java component for use within the Java Runtime Environment installed with WebSphere. To do so, follow these steps:
   a. Stop the WebSphere Application Server and the IBM HTTP Server.
   b. Change to the install_dir\sbin directory (for example, C:\Program Files\Tivoli\Policy Director\sbin), and enter the following command:

         pdjrtecfg -action config -interactive

   c. Select the Full configuration type and click Next. For descriptions of the configuration options, click Help.
   d. Specify the Java Runtime Environment that was installed with IBM WebSphere Application Server. For example:

         C:\Program Files\IBM\WebSphere\AppServer\java\jre

      Click Next to continue.
   e. Specify the policy server host name, port, and domain. Click OK to start configuration.
   f. When configuration has completed successfully, click OK to exit the configuration utility.

   For more information about this utility, see “pdjrtecfg” on page 579.

12. Restart the IBM WebSphere Application Server and IBM HTTP Server. For example, select Start → Settings → Control Panel → Administrative Tools and then double-click the Services icon to restart these servers.

   Note: If you installed a registry server that does not use IBM HTTP Server and you are installing Web Portal Manager on the same system, ensure that the Web server ports are different. To change the IBM HTTP Server default port, edit the C:\Program Files\IBMHTTPServer\conf\httpd.conf file, change default port 80 to 8080 as shown, and then restart the IBM HTTP Server.

      # Port: The port the standalone listens to.
      Port 8080

13. Configure the Access Manager Web Portal Manager package. To do so, follow these steps:
   a. Change to the install_dir\sbin directory (for example, C:\Program Files\Tivoli\Policy Director\sbin), and enter the following command:

         amwpmcfg -action config -interactive

      Specify the necessary configuration parameters, such as the IBM WebSphere Application Server installation path, the policy server host name and port number, and the Tivoli Access Manager administrator ID and password. For more information about this utility and all of its parameters, see “amwpmcfg” on page 557.
   b. When configuration has completed successfully, click OK to exit the configuration utility.

14. To access the Web Portal Manager interface, enter the following address in your Web browser:

      http://hostname:port/ibm/console

   where hostname is the host name of the system where IBM WebSphere Application Server is running, and port is the port number being used, such as 9060. For example:

      http://wpm14.example.com:9060/ibm/console

This step completes the setup of a Tivoli Access Manager Web Portal Manager system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21. For information about Web Portal Manager administration tasks, see the IBM Tivoli Access Manager for e-business: Administration Guide.

Note that Tivoli Access Manager does not provide a default certificate to enable Web Portal Manager to have a secure connection between the browser and the HTTP server used by WebSphere Application Server. Purchase a CA certificate and then configure it into the Web Portal Manager environment.

Configuring WebSphere Application Server security

You must configure the WebSphere Application Server security settings so that the Web Portal Manager single sign-on works properly.

To configure the appropriate WebSphere Application Server security settings:

1. To launch the IBM Integrated Solutions Console, select Start → All Programs → IBM WebSphere Application Server <version> → Profiles → <profile name> → Administrative console.

2. Click Security → Secure administration, applications and infrastructure.

3. Expand Web security on the right to display:
   • General settings
   • Single sign-on
   • Trust association

4. Click General settings.

5. Ensure that the Authenticate only when the URI is protected check box is selected.

6. Ensure that the Use available authentication data when an unprotected URI is accessed check box is selected.

7. Click OK.


Part 3. Web security system installation

Chapter 11. Setting up the Access Manager Attribute Retrieval Service . . . 219
   Installing using the installation wizard . . . 219
   Installing using native utilities . . . 220
      AIX: Installing the Access Manager Attribute Retrieval Service . . . 220
      HP-UX: Installing the Access Manager Attribute Retrieval Service . . . 221
      Linux: Installing the Access Manager Attribute Retrieval Service . . . 222
      Solaris: Installing the Access Manager Attribute Retrieval Service . . . 223
      Windows: Installing the Access Manager Attribute Retrieval Service . . . 223

Chapter 12. Setting up the plug-in for Edge Server . . . 225
   Preinstallation requirements . . . 225
   AIX: Installing the plug-in for Edge Server . . . 226
   Red Hat Enterprise Linux: Installing the plug-in for Edge Server . . . 227
   Solaris: Installing the plug-in for Edge Server . . . 228
   Windows: Installing the plug-in for Edge Server . . . 230
   Overview of the plug-in for Edge Server configuration . . . 231
      Server configuration model . . . 232
      Server configuration concepts . . . 233
      Object space configuration model . . . 235
      Single sign-on configuration model . . . 236
      Configuration procedure summary . . . 237

Chapter 13. Setting up the plug-in for Web servers . . . 239
   Preinstallation requirements . . . 239
   Installing using the installation wizard . . . 241
   Installing using native utilities . . . 242
      Installing the plug-in for Apache Web Server . . . 242
         AIX: plug-in for Apache Web Server . . . 242
         Linux on System z: plug-in for Apache Web Server . . . 244
         Solaris: plug-in for Apache Web Server . . . 245
      Installing the plug-in for IBM HTTP Server . . . 247
         AIX: plug-in for IBM HTTP Server . . . 247
         Linux: plug-in for IBM HTTP Server . . . 249
         Solaris: plug-in for IBM HTTP Server . . . 250
         Windows: plug-in for IBM HTTP Server . . . 252
      Installing the plug-in for Internet Information Services . . . 253
      Installing the plug-in for Sun Java System Web Server . . . 254
         AIX: plug-in for Sun Java System Web Server . . . 254
         Solaris: plug-in for Sun Java System Web Server . . . 256

Chapter 14. Setting up a Web security development system . . . 259
   Installing using the installation wizard . . . 259
   Installing using native utilities . . . 260
      AIX: Installing a Web security development (ADK) system . . . 261
      HP-UX: Installing a Web security development (ADK) system . . . 262
      Linux: Installing a Web security development (ADK) system . . . 263
      Solaris: Installing a Web security development (ADK) system . . . 264
      Windows: Installing a Web security development (ADK) system . . . 265

Chapter 15. Setting up WebSEAL . . . 267
   Installing using the installation wizard . . . 267
   Installing using native utilities . . . 269
      AIX: Installing WebSEAL . . . 269
      HP-UX: Installing WebSEAL . . . 270
      Linux: Installing WebSEAL . . . 272
      Solaris: Installing WebSEAL . . . 273
      Windows: Installing WebSEAL . . . 275


Chapter 11. Setting up the Access Manager Attribute Retrieval Service

This chapter provides information about installing and configuring the Tivoli Access Manager Attribute Retrieval Service.

You can set up this system using one of the following installation methods:
• “Installing using the installation wizard”
• “Installing using native utilities” on page 220

Note: During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh.

Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

Installing using the installation wizard

The install_amwebars installation wizard simplifies the setup of the Access Manager Attribute Retrieval Service by installing and configuring the following components:
• IBM WebSphere Application Server, including the IBM HTTP Server
• Access Manager Attribute Retrieval Service

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

Attention:
• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure the Access Manager Attribute Retrieval Service using the install_amwebars wizard, follow these steps.

1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

2. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.


3. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

4. On Windows systems only, exit from all running programs.

5. Run the install_amwebars program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for AIX, HP-UX, Linux on x86, Linux on System z, Solaris, and Windows 2003 platforms. The install_amwebars program is not available for HP-UX on Integrity or Solaris on x86_64.

   The installation wizard begins by prompting you for configuration information as described in “install_amwebars” on page 434. Supply the required configuration information, or accept default values.

6. Compare the disk space that is required to install all of the Access Manager Attribute Retrieval Service components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.

   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order.

Complete the instructions that apply to your operating system:
• AIX on page 220
• HP-UX on page 221
• Linux on page 222
• Solaris on page 223
• Windows on page 223

AIX: Installing the Access Manager Attribute Retrieval Service

The following procedure uses installp to install software packages.

To install the Access Manager Attribute Retrieval Service on AIX, complete the following steps:

1. Log on as root.

2. Ensure that the IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 318.

3. Install IBM WebSphere Application Server. For instructions, see page 333.

4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.

5. Install the following package:


      installp -acgYXd cd_mount_point/usr/sys/inst.images PDWeb.ARS

   where cd_mount_point is the directory where the CD is mounted and PDWeb.ARS is the Access Manager Attribute Retrieval Service package.

   Note: This package must be installed on the same system as IBM WebSphere Application Server.

6. Unmount the CD.

7. To deploy the Access Manager Attribute Retrieval Service into the IBM WebSphere Application Server environment, run the Deploy.sh file and follow instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.

8. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

HP-UX: Installing the Access Manager Attribute Retrieval Service

The following procedure uses swinstall to install software packages.

To install the Access Manager Attribute Retrieval Service on HP-UX, complete the following steps:

1. Log on as root.

2. Ensure that the IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 319.

3. Install IBM WebSphere Application Server. For instructions, see page 334.

4. Insert the IBM Tivoli Access Manager Web Security for HP-UX CD.

5. Mount the CD using the HP-UX mount command. For example, enter the following command:

      mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

6. Install the following package:

      swinstall -s /cd-rom/hp PDWebARS

   where /cd-rom/hp specifies the directory and PDWebARS specifies the Access Manager Attribute Retrieval Service package.

   Note: This package must be installed on the same system as IBM WebSphere Application Server.

7. Unmount the CD as follows:

      umount /cd-rom

   where /cd-rom is the mount point.

8. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.sh file and follow instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.


9. To configure WebSEAL to use the Access Manager Attribute Retrieval Service,see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

This step completes the setup of the Access Manager Attribute Retrieval Service. Toset up another Tivoli Access Manager system, follow the steps in the “Installationprocess” on page 21.

For information about the Access Manager Attribute Retrieval Service, see the IBMTivoli Access Manager for e-business: WebSEAL Administration Guide.

Linux: Installing the Access Manager Attribute RetrievalService

The following procedure uses rpm to install software packages.

To install the Access Manager Attribute Retrieval Service on Linux, complete thefollowing steps:1. Log on as root.2. Ensure that the IBM Java Runtime version 1.5.0 SR5 provided with Tivoli

Access Manager is installed. For instructions, see page 320.3. Install IBM WebSphere Application Server. For instructions, see page 335.4. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 or IBM Tivoli

Access Manager Web Security for Linux on System z CD and mount it.5. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the

mount point for your CD and distribution specifies linux_i386 for x86 orlinux_s390 for System z.

6. Install the following package:rpm -ihv package

where package is as follows:

Access Manager Attribute Retrieval Service

Linux on x86 PDWebARS-PD-6.1.1.0-0.i386.rpm

Linux on System z PDWebARS-PD-6.1.1.0-0.s390.rpm

Note: This package must be installed on the same system as IBM WebSphereApplication Server.

7. Unmount the CD.8. To deploy the Access Manager Attribute Retrieval Service into the WebSphere

Application Server environment, run the Deploy.sh file and follow instructionsin the Readme.deploy file, located in the /opt/pdwebars/ directory.

9. To configure WebSEAL to use the Access Manager Attribute Retrieval Service,see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

This step completes the setup of the Access Manager Attribute Retrieval Service. Toset up another Tivoli Access Manager system, follow the steps in the “Installationprocess” on page 21.

For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.


Solaris: Installing the Access Manager Attribute Retrieval Service

The following procedure uses pkgadd to install software packages.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the Access Manager Attribute Retrieval Service on Solaris, follow these steps:
1. Log on as root.
2. Ensure that the IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 321.

   Note: If you configure the Access Manager Attribute Retrieval Service against a Java Runtime Environment other than the Java Runtime Environment supported by Tivoli Access Manager, the configuration might fail.

3. Install IBM WebSphere Application Server. For instructions, see page 336.
4. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
5. Install the following packages (one at a time):

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDWebARS

   where:

   -d /cdrom/cdrom0/solaris
        Specifies the location of the package.

   -a /cdrom/cdrom0/solaris/pddefault
        Specifies the location of the installation administration script.

   and PDWebARS specifies the Access Manager Attribute Retrieval Service package.

   Note: This package must be installed on the same system as IBM WebSphere Application Server.

6. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.sh file and follow the instructions in the Readme.deploy file, located in the /opt/pdwebars/ directory.
7. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

Windows: Installing the Access Manager Attribute Retrieval Service

The following procedure uses setup.exe to install software packages.

To install the Access Manager Attribute Retrieval Service on Windows 2003, follow these steps:
1. Log on as a user with administrator privileges.
2. Ensure that the IBM Java Runtime version 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 321.

3. Install IBM WebSphere Application Server. See “Windows: Installing WebSphere Application Server” on page 336.

4. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
5. Install the Access Manager Attribute Retrieval Service package. To do so, run the setup.exe executable file located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions to complete the installation.

   Note: This package must be installed on the same system as IBM WebSphere Application Server.

6. To deploy the Access Manager Attribute Retrieval Service into the WebSphere Application Server environment, run the Deploy.bat file and follow the instructions in the Readme.deploy file, located in the C:\Program Files\Tivoi\AMWebARS\ directory.
7. To configure WebSEAL to use the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

This step completes the setup of the Access Manager Attribute Retrieval Service. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

For information about the Access Manager Attribute Retrieval Service, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.


Chapter 12. Setting up the plug-in for Edge Server

This chapter provides information about installing and configuring a Tivoli Access Manager plug-in for Edge Server system.

For more information about this Web Security system, see the IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide.

The Tivoli Access Manager plug-in for Edge Server system supports IBM WebSphere Edge Server and requires the following components and prerequisite products:
- IBM WebSphere Edge Server
- IBM Global Security Kit (GSKit)
- IBM Tivoli Directory Server client (depending on the registry used) base and 32-bit
- Tivoli Security Utilities
- Access Manager License
- Access Manager Runtime
- Access Manager Web Security Runtime
- Access Manager Plug-in for Edge Server

You can set up this system using the native installation method only. An installation wizard is not available. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:
- AIX on page 226
- Red Hat Enterprise Linux on page 227
- Solaris on page 228
- Windows on page 230

This chapter also contains the following topics:
- “Preinstallation requirements”
- “Overview of the plug-in for Edge Server configuration” on page 231

For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Edge Server Administration Guide.

Preinstallation requirements

Before you install and configure a Tivoli Access Manager plug-in for Edge Server system, ensure that the following requirements are met. These requirements are applicable regardless of which installation method you plan to use.
- During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, a YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

- Ensure that a Tivoli Access Manager registry server and the policy server are set up in your secure domain. For instructions on setting up these systems, see Part 2, “Base system installation,” on page 51.
- Ensure that Tivoli Access Manager supports the platform on which you are running your plug-in for Edge Server.
- Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.

AIX: Installing the plug-in for Edge Server

The following procedure uses installp to install software packages. To install Access Manager Plug-in for Edge Server on AIX, follow these steps:
1. Log in to the system as root.
2. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 225.
3. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
4. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
5. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
6. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
7. Install the Tivoli Access Manager packages.

   For AIX 5.x:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic       Specifies the Access Manager License package.
   PD.RTE       Specifies the Access Manager Runtime package.
   PDWeb.RTE    Specifies the Access Manager Web Security Runtime package.
   PDPlgES      Specifies the Access Manager Plug-in for Edge Server package.

8. Unmount the CD.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Edge Server package as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

The configuration utility completes the following tasks:
- Creates registry objects for the server.
- Adds the server to the security groups, ivacld-servers and SecurityGroup.
- Creates an SSL certificate.
- Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
- Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
- Restarts the Edge Server caching proxy process, ibmproxy.
- Starts the plug-in for Edge Server object space manager utility, by using the wesosm utility. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.

The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy’s home page.

Red Hat Enterprise Linux: Installing the plug-in for Edge Server

The following procedure uses rpm to install software packages. To install Access Manager Plug-in for Edge Server on Red Hat Enterprise Linux, follow these steps.
1. Log in to the system as root.
2. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 225.
3. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 CD and mount it.
4. Change to the /mnt/cdrom/linux_i386 directory, where /mnt/cdrom is the mount point for your CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
8. Install the Tivoli Access Manager packages:

   rpm -ihv packages

   where packages are as follows (Linux on x86):

   Access Manager License package                    PDlic-PD-6.1.1.0-0.i386.rpm
   Access Manager Runtime package                    PDRTE-PD-6.1.1.0-0.i386.rpm
   Access Manager Plug-in for Edge Server package    PDPlgES-PD-6.1.1.0-0.i386.rpm
   Access Manager Web Security Runtime package       PDWebRTE-PD-6.1.1.0-0.i386.rpm

9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Edge Server package as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

The configuration utility completes the following tasks:
- Creates registry objects for the server.
- Adds the server to the security groups, ivacld-servers and SecurityGroup.
- Creates an SSL certificate.
- Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
- Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
- Restarts the Edge Server caching proxy process, ibmproxy.
- Starts the plug-in for Edge Server object space manager utility, by using the wesosm utility. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.

The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy’s home page.

Solaris: Installing the plug-in for Edge Server

The following procedure uses pkgadd to install software packages. To install Access Manager Plug-in for Edge Server on Solaris, follow these steps:

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.


1. Log on as root.
2. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 225.
3. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
4. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
5. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
6. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
7. Install the Tivoli Access Manager packages (one at a time):

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

   where:

   /cdrom/cdrom0/solaris
        Specifies the location of the package.

   /cdrom/cdrom0/solaris/pddefault
        Specifies the location of the installation administration script.

   and packages are as follows:

   PDlic       Specifies the Access Manager License package.
   PDRTE       Specifies the Access Manager Runtime package.
   PDWebRTE    Specifies the Access Manager Web Security Runtime package.
   PDPlgES     Specifies the Access Manager Plug-in for Edge Server package.

8. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
9. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Edge Server package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

The configuration utility completes the following tasks:
- Creates registry objects for the server.
- Adds the server to the security groups, ivacld-servers and SecurityGroup.
- Creates an SSL certificate.
- Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.


- Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
- Restarts the Edge Server caching proxy process, ibmproxy.
- Starts the plug-in for Edge Server object space manager utility, by using the wesosm utility. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.

The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy’s home page.

Windows: Installing the plug-in for Edge Server

The following procedure uses the setup.exe program to install software packages. To install Access Manager Plug-in for Edge Server on Windows 2003, follow these steps:
1. Log on as a user with Administrator group privileges.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 225.
4. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program, located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   The Choose Setup Language dialog is displayed.
9. Select the language that you want to use for the installation and click OK.
10. The Welcome dialog is displayed. Click Next to continue.
11. Read the license agreement and click Yes if you agree to the terms.
12. Select the following packages and click Next:
    - Access Manager License
    - Access Manager Runtime
    - Access Manager Web Security Runtime
    - Access Manager Plug-in for Edge Server


13. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
14. To start copying files to the destination folder, click Next.
15. Click Finish to exit the setup program.
16. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
17. Configure the Tivoli Access Manager packages as follows:
    a. Start the configuration utility:

       pdconfig

       The Access Manager Configuration window is displayed.
    b. Select the Access Manager Runtime package and click Configure.
    c. Select the Access Manager Plug-in for Edge Server package and click Configure.

    For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

The configuration utility completes the following tasks:
- Creates registry objects for the server.
- Adds the server to the security groups, ivacld-servers and SecurityGroup.
- Creates an SSL certificate.
- Obtains an SSL-signed certificate from the Tivoli Access Manager policy server.
- Configures the Edge Server caching proxy to use the plug-in for Edge Server by setting directives in the Edge Server caching proxy configuration file, ibmproxy.conf.
- Restarts the Edge Server caching proxy process, ibmproxy.
- Starts the plug-in for Edge Server object space manager utility, by using the wesosm utility. This utility updates the Tivoli Access Manager object space to create a new object space container for the plug-in for Edge Server.

The configuration completes the setup of a Tivoli Access Manager plug-in for Edge Server system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

The Edge Server caching proxy is now running with the plug-in for Edge Server loaded. You can use the administrative user, sec_master, to access the caching proxy’s home page.

Overview of the plug-in for Edge Server configuration

This overview explains configuration concepts, models, and procedures for the plug-in for Edge Server configuration:
- “Server configuration model” on page 232
- “Server configuration concepts” on page 233
- “Object space configuration model” on page 235
- “Single sign-on configuration model” on page 236
- “Configuration procedure summary” on page 237


Server configuration model

The plug-in for Edge Server provides authentication and authorization services for Web servers within a secure domain by enforcing the security at the Edge Server proxy, rather than at the Web server. By implementing the security enforcement at the proxy, the plug-in centrally provides security services for all Web servers within the secure domain. When the Edge Server plug-in has established that a particular user is authorized to access a requested resource, the request is forwarded to the Web server along with information about the user.

The content of a Web site might span multiple Web servers for reasons of performance and content distribution. While some Web servers might host content, others might host a variety of Web applications, each with different security requirements. For example, some servers might not require authentication, but other servers might require it. Each server requiring authentication might require that the user information be submitted in a unique format. While some security settings are common to all servers, such as form session timeout and logging level, some are unique to each server, such as login method and single sign-on. Because of this distributed nature, the plug-in needs to be able to provide security services for multiple Web servers within a secure domain.

The plug-in secures distributed Web servers using the object-space-definition configuration file, osdef.conf. This configuration file separates the configuration settings for each protected Web server so that Web-server-specific configuration is possible. There are three types of server definitions used in the configuration file, as shown in the following table.

Server definition
     Description

[Global]
     Settings listed under this stanza apply to all Web servers. There is only one instance of this stanza.

[Local]
     Settings listed under the [Local] stanza apply only to the Edge Server caching proxy. There is only one instance of this stanza.

[Remote: Tivoli Access Manager Object Space Name]
     Settings listed under the [Remote:] stanza apply to external or remote Web servers secured by the plug-in. There can be multiple instances of this stanza.

With a few exceptions that are documented in the osdef.conf file, any setting can be placed under any definition. For example, the form_session_timeout setting can be placed beneath the [Global] stanza, or beneath a [Remote:] stanza, as shown:

   [Global]
   login_method = forms
   form_login_file = /opt/pdweb-lite/samples/forms/welcome.html
   form_session_timeout = 10

   [Remote: /ESproxy/reverse/anyother.com]
   domains = anyother.com

   [Remote: /ESproxy/reverse/verysecure.com]
   domains = verysecure.com
   form_session_timeout = 1

In the above example, any user who logs in to verysecure.com is not allowed to remain idle for more than one minute; otherwise, the session expires. However, for any user who logs in to anyother.com and all other domains, the idle timeout is 10 minutes because it is being set in the [Global] definition. With a few exceptions ([SSO] settings), this model of inheritance can be used on any server setting in the configuration file, as illustrated in Figure 1.

Figure 1. Plug-in for Edge Server using model of inheritance (figure: boxes for Internal Tivoli Access Manager Plug-in Default Values, [Global], [Local], [Remote 1] ... [Remote N], arranged as an inheritance chain from the internal defaults through [Global] down to the [Local] and [Remote] server definitions)

Using this model of inheritance, settings that are the same for each Web server do not need to be repeated under each server definition but can be listed once underneath the [Global] definition of the configuration file. For example, if all servers use the same form login file, then that setting will be listed in the [Global] definition.

Server configuration concepts

With a basic understanding of the configuration file, it is easier to understand how the plug-in enforces security using this configuration file. Whenever a request is received by the plug-in, it uses the following basic steps to authorize the user.
1. If the user is already authenticated, for example, by a trusted gateway, accept the user single sign-on information and proceed to step 4.
2. Obtain the user identity based on one of the following login methods:
   - For basic authentication and forms login, obtain the user ID and password.
   - For certificate login, obtain the certificate distinguished name.
3. Authenticate the user against the Tivoli Access Manager user registry.
4. Authorize the user against the Tivoli Access Manager object space.
5. Submit single sign-on information for the user.
6. Forward the request to the corresponding Web server.

To execute these authorization steps, the plug-in must consult the configuration file for configuration information about the request. Each step requires one or more settings to be retrieved from the osdef.conf configuration file. For example, step 2 requires the retrieval of the login_method setting.

To retrieve a setting for the request, the plug-in needs to first determine which definition it should retrieve the setting from. It needs to correlate the request with a specific server definition in the configuration file. While the plug-in can enforce security for both reverse and forward proxy requests, the plug-in does not consider whether the request is a reverse or forward proxy request.

The domain name is the public identifier for the corresponding Web server hosting the protected resource. In a reverse proxy scenario, this requires the creation of aliases or public domain names on the plug-in system, as illustrated in Figure 2 on page 234.

Figure 2. Creation of aliases on a plug-in system (figure: browsers on the Internet reach the Edge Server caching proxy running the Tivoli Access Manager plug-in, which presents the public names www.newbooks.com, newbooks.com, newnovels.com and newpoems.com; behind an internal gateway, the Web servers backend1.com (hosts www.newbooks.com and newbooks.com), backend2.com (hosts newnovels.com) and backend3.com (hosts newpoems.com) serve the content)

In this configuration, all requests for www.newbooks.com, newbooks.com, newnovels.com, and newpoems.com arrive at the Edge Server proxy and are secured by the plug-in. Using the domain name as the unique identifier for the request, the plug-in can now search the configuration file for the server definition that matches the domain name.

Consider the following osdef.conf configuration file:

   [Global]
   login_method = basic

   # Definition 1
   [Remote: /ESproxy/reverse/newbooks.com]
   domains = newbooks.com *.newbooks.com
   login_method = forms
   route = http://backend1.com

   # Definition 2
   [Remote: /ESproxy/reverse/label2]
   domains = newnovels.com
   login_method = certificate
   route = http://backend2.com

   # Definition 3
   [Remote: /ESproxy/check_here/this_is_just_a_label]
   domains = newpoems.com
   route = http://backend3.com

Consider the following requests, where the plug-in determines the login method, the object space location where the user is authorized, and the destination Web server where the request is forwarded:
- If a user types the following URL, the plug-in matches the request to definition 1 because the domains setting contains the value *.newbooks.com:

     http://www.newbooks.com/private.html

  The login method is forms because it is explicitly set under this definition. For the authorization check, the domain name would be replaced with the authorization string and the URL path would be appended. In this example, the authorization check for read (r) permission would be performed at /ESproxy/reverse/newbooks.com/private.html. The request is forwarded to backend1.com because of the route setting.


- If a user types the following URL, the plug-in first performs a reverse DNS lookup on the IP address and would match the request to definition 2 because the domains setting contains the value newnovels.com:

     http://IP_address_of_newnovels.com/gifs/private.html

  The login method is certificate because it is explicitly set under this definition. The authorization check for read (r) permission is performed at /ESproxy/reverse/label2/gifs/private.html. The request is forwarded to backend2.com because of the route setting.
- If a user types the following URL, the plug-in would match the request to definition 3 because the domains setting contains the value newpoems.com:

     http://newpoems.com/logo.gif

  The login method is basic because it is not explicitly set under this definition and is retrieved from the [Global] definition. The authorization check for read (r) permission is performed at /ESproxy/check_here/this_is_just_a_label/logo.gif. The request is forwarded to backend3.com due to the route setting.
- If a user configures their browser to use Edge Server as a proxy and types the following URL, the plug-in does not find a match for the request and uses the [Global] definition:

     http://internet.com/mail/logo.gif

  The login method is basic. For the authorization check, the default forward proxy template, /ESproxy/forward/domain/path, is used. In this example, the authorization check for read (r) permission is performed at /ESproxy/forward/internet.com/mail/logo.gif. Because this object might not exist in the object space, the effective permission is inherited from the ACL attached to /ESproxy/forward. The request is automatically forwarded to internet.com because it was a forward proxy request. However, it is possible to create a definition in the configuration file that performs an authorization check at another location in the object space and forwards the internet.com request elsewhere. The plug-in does not consider whether the request is a forward or reverse proxy request. In both configurations, the request is handled in the same manner.

Object space configuration model

When the plug-in performs an authorization check underneath a branch in the Tivoli Access Manager object space, it maps the requested resource or URL to the object space. For example, in server definition 1, the following mapping is performed for the authorization check:

   URL Object:                    http://www.newbooks.com/private.html
   Tivoli Access Manager Object:  /ESproxy/reverse/newbooks.com/private.html

In order to apply access control to specific objects using Tivoli Access Manager ACLs, the object space must be structured in a manner where there is a direct mapping between the set of objects that users request in their URLs and the set of objects provided by the Web server. The simplest case is a direct mapping between referenced files in the URLs and actual files on the Web server, as illustrated:

   Tivoli Access Manager Object:  /ESproxy/reverse/newbooks.com/server files
      /ESproxy/reverse/newbooks.com/private.html
      /ESproxy/reverse/newbooks.com/public.html
      /ESproxy/reverse/newbooks.com/gifs
      /ESproxy/reverse/newbooks.com/gifs/logo.gif

   URL Object:  http://www.newbooks.com/server files
      http://www.newbooks.com/private.html
      http://www.newbooks.com/public.html
      http://www.newbooks.com/gifs
      http://www.newbooks.com/gifs/logo.gif

The sample query_contents utility provides the wesosm utility with the paths of all files on the Web server. The file information is copied into the object space so that when the plug-in performs the authorization check, there is a direct mapping between the URL objects and server objects.

This model works well if the URL objects are always going to be physical files on the destination Web server that the query_contents utility finds. In some cases, the set of URL objects might not correspond directly to physical files on the Web server. In this case, the query_contents utility can be modified to return the virtual objects that are served by the Web server as shown:

Tivoli Access Manager Object                      URL Object
/ESproxy/reverse/newbooks.com/virtual objects     http://www.newbooks.com/virtual objects
/ESproxy/reverse/newbooks.com/object1             http://www.newbooks.com/object1
/ESproxy/reverse/newbooks.com/object2             http://www.newbooks.com/object2
/ESproxy/reverse/newbooks.com/object3             http://www.newbooks.com/object3
/ESproxy/reverse/newbooks.com/object3/object3.1   http://www.newbooks.com/object3/object3.1

In this scenario, the objects served by the Web server do not correspond directly to physical files on the Web server. However, the Web server understands what these objects are and knows how to retrieve them. As long as the query_contents utility can enumerate these virtual objects for the wesosm utility, the plug-in can perform authorization checks on these virtual objects.

The plug-in performs authorization checks by verifying the appropriate permissions in the Tivoli Access Manager object space. It maps the URL to the object space to determine the exact location to perform the authorization check. In order to apply ACLs on specific objects secured by the plug-in, it is necessary to ensure that the set of objects represented in the object space corresponds to the set of objects represented in the URL requests for the secured Web server.
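The URL-to-object mapping and the ACL inheritance described in this section, worked through as an added Python example; this is not code from the Tivoli Access Manager product or its documentation. The object-space paths, the /ESproxy/forward/domain/path template and the URLs are the ones used above; the host-suffix rule for matching a server definition, the sample ACLs, the group names and all function names (ServerDef, build_object_space, map_url, effective_acl, check_read) are this example's own assumptions.

```python
"""
Added example (not part of the Tivoli Access Manager documentation): a small
model of how the Edge Server plug-in maps a requested URL to a Tivoli Access
Manager object and resolves the effective ACL by inheritance.

ServerDef, build_object_space, map_url, effective_acl and check_read are this
example's own names; only the object-space paths, templates and URLs come from
the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class ServerDef:
    """One [Remote] definition: the object-space branch it protects and
    the domains (matched as host suffixes, an assumption) that select it."""
    branch: str          # e.g. "/ESproxy/reverse/newbooks.com"
    domains: List[str]   # e.g. ["newbooks.com"]


# ACLs attached to object-space nodes: node -> {group: set(permissions)}.
# Constructed sample data; a real deployment attaches ACLs with pdadmin.
ACLS: Dict[str, Dict[str, Set[str]]] = {
    "/ESproxy/forward": {"unauthenticated": {"r"}, "staff": {"r"}},
    "/ESproxy/reverse/newbooks.com": {"unauthenticated": {"r"}, "staff": {"r"}},
    "/ESproxy/reverse/newbooks.com/private.html": {"staff": {"r"}},
}

SERVER_DEFS = [ServerDef("/ESproxy/reverse/newbooks.com", ["newbooks.com"])]


def build_object_space(branch: str, server_files: List[str]) -> Set[str]:
    """Mirror the paths that query_contents would enumerate for wesosm
    under the server's branch, including the branch node itself."""
    space = {branch}
    for f in server_files:
        space.add(f"{branch}/{f.lstrip('/')}")
    return space


def map_url(url: str, defs: List[ServerDef]) -> str:
    """Return the object an authorization check is performed against: the
    matching [Remote] branch for a reverse proxy request, otherwise the
    default forward proxy template /ESproxy/forward/domain/path ([Global])."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.lstrip("/")
    for d in defs:
        if any(host == dom or host.endswith("." + dom) for dom in d.domains):
            return f"{d.branch}/{path}"
    return f"/ESproxy/forward/{host}/{path}"


def effective_acl(obj: str) -> Optional[Dict[str, Set[str]]]:
    """Walk up from obj towards the root; the nearest node with an attached
    ACL governs, which is how a missing object still gets a decision."""
    node = obj
    while True:
        if node in ACLS:
            return ACLS[node]
        if node in ("", "/"):
            return None
        node = node.rsplit("/", 1)[0] or "/"


def check_read(url: str, group: str, defs: List[ServerDef] = SERVER_DEFS) -> bool:
    """True when `group` holds the 'r' permission on the object the URL maps to."""
    acl = effective_acl(map_url(url, defs))
    return acl is not None and "r" in acl.get(group, set())


if __name__ == "__main__":
    space = build_object_space("/ESproxy/reverse/newbooks.com",
                               ["private.html", "public.html", "gifs", "gifs/logo.gif"])
    for url in ("http://www.newbooks.com/private.html",
                "http://www.newbooks.com/gifs/logo.gif",
                "http://internet.com/mail/logo.gif"):
        obj = map_url(url, SERVER_DEFS)
        print(f"{url} -> {obj} (enumerated: {obj in space})")
        print("  unauthenticated read:", check_read(url, "unauthenticated"))
        print("  staff read:", check_read(url, "staff"))
```

Running the block prints, for each URL, the object it maps to, whether that object was enumerated into the object space, and the read decision for two groups. A request for a path that was never enumerated still gets a decision because the walk stops at the nearest ancestor that carries an ACL, which is why the set of enumerated objects has to match the set of URLs clients actually request before per-object ACLs can have any effect.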

Single sign-on configuration model

The plug-in supports single sign-on tokens that can be customized and are created underneath the [SSO] categories of the object space definition configuration file as indicated in the following table.

Server definition   Description
[SSO]               Settings listed under this definition are used to define single sign-on tokens. There can be multiple instances of this definition.

The settings listed in this definition are not related to the settings listed in the [Global], [Local], and [Remote] server definitions. For example, the trust_list setting is not valid underneath any server definition in the configuration file. However, by defining the single sign-on tokens in one place, they can be used as parameters to accept_sso and submit_sso, which are valid underneath the server categories. The following example shows the definition of an iv-user token which is needed by two Web servers:

[Remote: /ESproxy/reverse/newbooks.com]
domains = newbooks.com
accept_sso = mysso
submit_sso = mysso
route = http://backend1.com

[Remote: /ESproxy/reverse/newnovels.com]
domains = newnovels.com
submit_sso = mysso
route = http://backend2.com

[SSO: mysso]
name = iv-user
format = <userid>
trust_basis = IP_Address
trust_list = 0.0.0.0/0.0.0.0

In this example, the plug-in checks for the existence of the iv-user token from any IP address that makes a request to newbooks.com. If the iv-user token is found, it extracts the user ID from the token and authorizes the user. The plug-in also submits the iv-user token to the respective backend server for requests to newbooks.com and newnovels.com.
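An added Python example, not code from the Tivoli Access Manager product or its documentation, that parses the definition excerpt above and applies the trust_list test for a token whose trust_basis is IP_Address. The section titles, keys and values are the page's; the parser, the function names (parse_config, token_trusted, accepts_token, extract_userid), the client addresses in the usage call and the reading of each trust_list entry as address/netmask are assumptions made for this example.

```python
"""
Added example (not from the Tivoli Access Manager documentation): parse the
[Remote]/[SSO] definitions shown on the page and evaluate whether an incoming
iv-user token would be accepted from a given client address.
parse_config, token_trusted, accepts_token and extract_userid are this
example's own names; section names, keys and values are the page's.
"""
import ipaddress
from typing import Dict, Optional

# Constructed copy of the definition-file excerpt shown on the page.
SAMPLE_CONFIG = """
[Remote: /ESproxy/reverse/newbooks.com]
domains = newbooks.com
accept_sso = mysso
submit_sso = mysso
route = http://backend1.com

[Remote: /ESproxy/reverse/newnovels.com]
domains = newnovels.com
submit_sso = mysso
route = http://backend2.com

[SSO: mysso]
name = iv-user
format = <userid>
trust_basis = IP_Address
trust_list = 0.0.0.0/0.0.0.0
"""


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Read '[Section]' / 'key = value' lines into nested dicts. Section
    headers keep their full title (e.g. 'SSO: mysso') so that several
    [SSO] or [Remote] instances can coexist."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def token_trusted(sso: Dict[str, str], client_ip: str) -> bool:
    """trust_basis = IP_Address: honour the token only when the client
    address falls inside one of the address/netmask entries of trust_list
    (entries may be separated by commas or whitespace; an assumption)."""
    if sso.get("trust_basis") != "IP_Address":
        return False
    addr = ipaddress.ip_address(client_ip)
    for entry in sso.get("trust_list", "").replace(",", " ").split():
        # ip_network accepts the address/netmask spelling used in the file.
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def accepts_token(cfg: Dict[str, Dict[str, str]], server_section: str,
                  client_ip: str) -> bool:
    """True when the [Remote] definition names an accept_sso token whose
    trust_list admits client_ip; a server with only submit_sso never accepts."""
    token = cfg.get(server_section, {}).get("accept_sso")
    if not token:
        return False
    return token_trusted(cfg.get(f"SSO: {token}", {}), client_ip)


def extract_userid(sso: Dict[str, str], header_value: str) -> str:
    """Pull the user ID out of a header laid out as the token's 'format'
    (the page uses the bare <userid>; any literal text around it is stripped)."""
    fmt = sso.get("format", "<userid>")
    prefix, _, suffix = fmt.partition("<userid>")
    if header_value.startswith(prefix) and header_value.endswith(suffix):
        return header_value[len(prefix):len(header_value) - len(suffix)]
    raise ValueError("header does not match token format")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # 203.0.113.9 is a constructed documentation-range client address.
    for section in ("Remote: /ESproxy/reverse/newbooks.com",
                    "Remote: /ESproxy/reverse/newnovels.com"):
        print(section, "accepts iv-user from 203.0.113.9:",
              accepts_token(cfg, section, "203.0.113.9"))
    narrowed = dict(cfg["SSO: mysso"], trust_list="10.0.0.0/255.0.0.0")  # placeholder
    print("narrowed list, 10.2.3.4:", token_trusted(narrowed, "10.2.3.4"))
    print("narrowed list, 203.0.113.9:", token_trusted(narrowed, "203.0.113.9"))
    print("user id:", extract_userid(cfg["SSO: mysso"], "alice"))
```

With trust_list = 0.0.0.0/0.0.0.0, as in the page's example, token_trusted returns True for every client address, so an iv-user value is honoured from anywhere the plug-in can be reached; newnovels.com, which only carries submit_sso, never accepts one. The narrowed list in the usage call (10.0.0.0/255.0.0.0, a placeholder) shows the effect of limiting acceptance to the hosts that are supposed to set the header.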

Configuration procedure summary

The plug-in for Edge Server provides a flexible framework to configure access control to the protected resources on your Web servers. It allows you to set server-specific configuration items such as the login method, single sign-on token, and destination server. Settings that apply to each server need to be set in only one place, and settings that are server-specific can be set for each respective server.

The general approach to configuring the plug-in is as follows:
1. For a reverse proxy configuration, create an alias domain name on the plug-in machine for each Web server that requires the authorization services.
2. Create a corresponding [Remote] server definition for each respective server and assign the alias domain name to that definition.
3. Set server-specific settings underneath the definition for that server and set global settings in the [Global] definition of the configuration file. It is sufficient to use the default internal plug-in values for most settings.
4. Run the wesosm utility to generate the object space and set the appropriate ACLs in the Tivoli Access Manager object space for access control to that server.

Always restart the plug-in after making configuration changes. If you are unable to determine the cause of a configuration error, check the event log file for information describing how the plug-in handled the request. Running the UNIX tail -f command on the event log file can help in observing events as they happen in real time. It is easier to determine the cause of the configuration problem after observing the event log.


Chapter 13. Setting up the plug-in for Web servers

This chapter provides information about the Access Manager Plug-in for Web Servers component, an application that can be integrated with Web server software and runs in a Tivoli Access Manager secure domain.

IBM Tivoli Access Manager plug-in for Web servers supports these servers and platforms:
• Apache Web Server on AIX, Linux on System z, and Solaris
• IBM HTTP Server on AIX, Linux on x86, Linux on System z, Solaris and Windows 2003.
• Internet Information Services on Windows 2003
• Sun Java System Web Server on AIX and Solaris

See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base for more information about which versions of the Web servers are supported. For more information about these Web Security components, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

You can install a supported Web server plug-in using one of the following installation methods:
• “Installing using the installation wizard” on page 241
• “Installing using native utilities” on page 242

This chapter also contains the following topics:
• “Preinstallation requirements”
• “Installing the plug-in for Internet Information Services” on page 253
• “Installing the plug-in for Sun Java System Web Server” on page 254

Preinstallation requirements

Before you install and configure the Access Manager Plug-in for Web Servers component, ensure that the following requirements are met. These requirements are applicable, regardless of which installation method you plan to use.
• During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
• Ensure that a Tivoli Access Manager registry server and the policy server are set up in your secure domain. For instructions on setting up these systems, see Part 2, “Base system installation,” on page 51.
• Ensure that forward/reverse proxy is disabled in your Web server environment.
• Ensure that your Web server is installed and configured on this system. In addition, your Web server must be configured for SSL, client certificates, or both if you intend to enable SSL communication.
• Ensure that Tivoli Access Manager supports the platform on which you are running your Web server.
• Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge base.
• Ensure that the Apache Web server has Dynamic Shared Objects (DSO) support enabled, because the Tivoli Access Manager Plug-in for Apache Web Server requires DSO.
• For Solaris, ensure that the Apache modules have previously been compiled using the GNU Compiler Collection (GCC) version 3.2 or higher to prevent errors.
• A valid Group ID is required in order to access the Apache Web Server using the plug-in. The default Group ID value of -1 in the Apache configuration file is not valid. Prior to the configuration of the Tivoli Access Manager Plug-in for Web Servers, you must change the Group ID value to a known system group in the Group configuration entry of the Apache configuration file. This change is required only when running Apache on Red Hat Enterprise Linux 5.


Installing using the installation wizard

An installation wizard simplifies the setup of Access Manager Plug-in for Web Servers by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• Tivoli Security Utilities
• Access Manager License
• Access Manager Runtime
• Access Manager Web Security Runtime
• Access Manager Plug-in for Web Servers
• One of the following for the type of Web server being installed:
  – Access Manager Plug-in for Apache Web Server
  – Access Manager Plug-in for IBM HTTP Server
  – Access Manager Plug-in for Sun Java System Web Server

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

Attention:
• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a Tivoli Access Manager Web server plug-in using an installation wizard, follow these steps:
1. Ensure that the hosting Web server is installed.
2. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
3. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
5. On AIX systems, set the AIX Extended Shared Memory Support (EXTSHM) environment variable to ON prior to installing either the Access Manager Plug-in for Apache Web Server component or the Access Manager Plug-in for IBM HTTP Server component. By default, AIX does not permit 32-bit applications to attach to more than 11 shared memory segments per process.
6. Run the install_amwpi program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for the supported platforms. The installation wizard begins by prompting you for configuration information as described in “install_amwpi” on page 435. Supply the required configuration information, or accept default values.

7. Compare the disk space that is required to install all of the Tivoli Access Manager plug-in for Web Servers system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.
8. Restart your Web server after installation is completed.
9. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
10. To start the plug-in for Web Servers, do one of the following tasks:
   • On UNIX and Linux systems, change to the /opt/pdwebpi/bin directory and enter the following command:
     pdwebpi_start start
   • On Windows systems, click Start → Control Panel → Administrative Tools → Services. Right-click on Access Manager Plug-in for Web Servers and then select Start.

This step completes the setup of a Tivoli Access Manager Web server plug-in. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Note: Alternatively, you can configure the Plug-in for Web Servers component using the pdwpicfg utility, which is called by the pdconfig utility. For more information about this utility, see “pdwpicfg” on page 591.

Complete the instructions that apply to your Web server:
• “Installing the plug-in for Apache Web Server”
• “Installing the plug-in for IBM HTTP Server” on page 247
• “Installing the plug-in for Internet Information Services” on page 253
• “Installing the plug-in for Sun Java System Web Server” on page 254

Installing the plug-in for Apache Web Server

Complete the instructions that apply to your operating system:
• AIX on page 242
• Linux on System z on page 244
• Solaris on page 245

For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

AIX: plug-in for Apache Web Server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Web server plug-in for Apache Web Server on AIX, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:
   installp -acgYXd cd_mount_point/usr/sys/inst.images packages
   where cd_mount_point is the directory where the CD is mounted and packages are as follows:
   PDlic       Specifies the Access Manager License package.
   PDRTE       Specifies the Access Manager Runtime package.
   PDWebRTE    Specifies the Access Manager Web Security Runtime package.
   PDWPI       Specifies the Access Manager Plug-in for Web Servers package.
   PDWPIapa    Specifies the Access Manager Plug-in for Apache Web Server package.
   Note: These packages must be installed on the same system as the Apache Web Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Set the AIX Extended Shared Memory Support (EXTSHM) environment variable to ON prior to configuring the Access Manager Plug-in for Apache Web Server component and also prior to starting the plug-in for Apache Web Server proxy server or the Apache Web server. By default, AIX does not permit 32-bit applications to attach to more than 11 shared memory segments per process.
12. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package as follows:
   a. Start the configuration utility:
      pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

   c. Select the menu number of the package that you want to configure, one at a time. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
13. Restart the Web server.
14. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
15. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
   pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for Apache Server on AIX. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Linux on System z: plug-in for Apache Web Server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install the Web server plug-in for Apache Web Server (31-bit only) for Linux on System z, complete the following steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Web Security for Linux on System z CD.
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for Linux on System z CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.

8. Install the Tivoli Access Manager packages:
   rpm -ihv packages
   where packages are as follows:
   Package                                               Linux on System z
   Access Manager License package                        PDlic-PD-6.1.1.0-0.s390.rpm
   Access Manager Runtime package                        PDRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager Web Security Runtime package           PDWebRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager Plug-in for Web Servers package        PDWPI-PD-6.1.1.0-0.s390.rpm
   Access Manager Plug-in for Apache Web Server package  PDWPI-Apache-6.1.1.0-0.s390.rpm

   Note: These packages must be installed on the same system as the Apache Web Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Tivoli Access Manager packages as follows:
   a. Start the configuration utility:
      pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package.
   d. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
   pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for Apache Web Server for Linux on System z. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Solaris: plug-in for Apache Web Server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the Web server plug-in for Apache Web Server on Solaris, complete the following steps:
1. Log on as root.


2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):
   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages
   where:
   /cdrom/cdrom0/solaris
       Specifies the location of the package.
   /cdrom/cdrom0/solaris/pddefault
       Specifies the location of the installation administration script.
   and packages are as follows:
   PDlic       Specifies the Access Manager License package.
   PDRTE       Specifies the Access Manager Runtime package.
   PDWebRTE    Specifies the Access Manager Web Security Runtime package.
   PDWPI       Specifies the Access Manager Plug-in for Web Servers package.
   PDWPIapa    Specifies the Access Manager Plug-in for Apache Web Server package.
   Note: These packages must be installed on the same system as the Apache Web Server.
9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Set the shared memory kernel parameters to values that are larger than the default values. Add the following lines to the /etc/system file to increase the parameters to acceptable values:
   set shmsys:shminfo_shmmax=0x2000000
   set shmsys:shminfo_shmseg=256
   set shmsys:shminfo_shmmni=256
   Restart your system for these changes to take effect.
11. Configure the Tivoli Access Manager packages as follows:
   a. Start the configuration utility:
      pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
   pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for Apache Web Server on Solaris. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.
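An added Python example, not part of the product or its documentation, that implements as offline checks over file contents two of the requirements this chapter states: the Apache Group directive must name a known system group rather than the default -1 (“Preinstallation requirements”), and the Solaris /etc/system shared-memory tunables must be at least the values given in step 10 of the Solaris procedure above. The directive name, tunable names and minimum values come from the page; the function names (apache_group, check_apache_group, parse_etc_system, check_shared_memory), the sample file contents and the list of known groups are constructed for this example, and treating Apache's numeric spelling `#-1` the same as `-1` is an assumption.

```python
"""
Added example (not part of the Tivoli Access Manager documentation): offline
preinstallation checks for the Apache 'Group' directive and the Solaris
/etc/system shared-memory tunables named in this chapter. Functions take file
contents as strings, so they can be run against copies of the files; all
function names are this example's own.
"""
import re
from typing import Dict, List

# Minimum values taken from the documented /etc/system lines.
SHM_MINIMUMS: Dict[str, int] = {
    "shmsys:shminfo_shmmax": 0x2000000,
    "shmsys:shminfo_shmseg": 256,
    "shmsys:shminfo_shmmni": 256,
}


def apache_group(httpd_conf: str) -> str:
    """Return the effective 'Group' directive value (the last one wins, as in
    Apache) or '' when the directive is absent. Comment lines are skipped."""
    group = ""
    for line in httpd_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = re.match(r"Group\s+(\S+)", stripped, re.IGNORECASE)
        if m:
            group = m.group(1)
    return group


def check_apache_group(httpd_conf: str, known_groups: List[str]) -> List[str]:
    """Problems with the Group directive: missing, the invalid default -1
    (Apache also spells numeric ids as '#-1'; an assumption), or a name that
    is not one of the known system groups supplied by the caller."""
    problems: List[str] = []
    value = apache_group(httpd_conf)
    if not value:
        problems.append("Group directive missing")
    elif value in ("-1", "#-1"):
        problems.append("Group is the default -1, which the plug-in rejects")
    elif value not in known_groups:
        problems.append(f"Group {value!r} is not a known system group")
    return problems


def parse_etc_system(text: str) -> Dict[str, int]:
    """Collect 'set name=value' tunables from /etc/system; values may be
    decimal or 0x-prefixed hexadecimal, as in the documented lines."""
    tunables: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+([\w:]+)\s*=\s*(0x[0-9a-fA-F]+|\d+)", line)
        if m:
            value = m.group(2)
            tunables[m.group(1)] = int(value, 16) if value.lower().startswith("0x") else int(value)
    return tunables


def check_shared_memory(etc_system: str) -> List[str]:
    """Report each documented tunable that is absent or below its minimum."""
    current = parse_etc_system(etc_system)
    problems: List[str] = []
    for name, minimum in SHM_MINIMUMS.items():
        if name not in current:
            problems.append(f"{name} not set (need at least {minimum:#x})")
        elif current[name] < minimum:
            problems.append(f"{name}={current[name]:#x} below {minimum:#x}")
    return problems


if __name__ == "__main__":
    # Constructed sample file contents, not copied from any real system.
    sample_httpd = "User apache\nGroup #-1\n# Group www\n"
    sample_system = "set shmsys:shminfo_shmmax=0x1000000\nset shmsys:shminfo_shmseg=256\n"
    print("httpd.conf:", check_apache_group(sample_httpd, ["apache", "www"]))
    print("/etc/system:", check_shared_memory(sample_system))
```

Both checks return a list of findings so they can be folded into whatever preflight script runs before pdconfig; an empty list for each means the two requirements are satisfied. The known-group list is passed in by the caller, which on a real host would come from the group database rather than a literal.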

Installing the plug-in for IBM HTTP Server

Complete the instructions that apply to your operating system:
• AIX on page 247
• Linux on x86 and System z on page 249
• Solaris on page 250
• Windows on page 252

For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

AIX: plug-in for IBM HTTP Server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Web server plug-in for IBM HTTP Server on AIX, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages
   where cd_mount_point is the directory where the CD is mounted and packages are as follows:
   PD.lic      Specifies the Access Manager License package.
   PD.RTE      Specifies the Access Manager Runtime package.
   PDWeb.RTE   Specifies the Access Manager Web Security Runtime package.
   PD.WPI      Specifies the Access Manager Plug-in for Web Servers package.
   PD.WPIIHS   Specifies the Access Manager Plug-in for IBM HTTP Server package.
   Note: These packages must be installed on the same system as IBM HTTP Server.
9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Set the EXTSHM environment variable to ON prior to configuring the Access Manager Plug-in for IBM HTTP Server component and prior to starting either the plug-in for IBM HTTP Server proxy server or the IBM HTTP Server. By default, AIX does not permit 32-bit applications to attach to more than 11 shared memory segments per process.
12. Configure the Tivoli Access Manager packages as follows:
   a. Start the configuration utility:
      pdconfig
      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447. When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
13. Restart the Web server.
14. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
15. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:
   pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on AIX. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Linux: plug-in for IBM HTTP Server

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install the Web server plug-in for IBM HTTP Server for Linux on x86 and Linux for System z, complete the following steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Web Security for Linux on System z CD.
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 or IBM Tivoli Access Manager Web Security for Linux on System z CD and mount it.
5. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86 or linux_s390 for System z.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.
7. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.
9. Install the Tivoli Access Manager packages:
   rpm -ihv packages
   where packages are as follows:
   Package                                                  Linux on x86                      Linux on System z
   Access Manager License package                           PDlic-PD-6.1.1.0-0.i386.rpm       PDlic-PD-6.1.1.0-0.s390.rpm
   Access Manager Runtime package                           PDRTE-PD-6.1.1.0-0.i386.rpm       PDRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager Web Security Runtime package              PDWebRTE-PD-6.1.1.0-0.i386.rpm    PDWebRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager Plug-in for Web Servers package           PDWPI-PD-6.1.1.0-0.i386.rpm       PDWPI-PD-6.1.1.0-0.s390.rpm
   Access Manager Plug-in for IBM HTTP Web Server package   PDWPI-IHS-6.1.1.0-0.i386.rpm      PDWPI-IHS-6.1.1.0-0.s390.rpm
   Note: These packages must be installed on the same system as IBM HTTP Server.
10. Unmount the CD.


11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
12. Configure the Tivoli Access Manager packages as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package.
       Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
       When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
13. Restart the Web server.
14. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
15. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:

    pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on Linux. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.
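The Linux procedure above is a fixed sequence that must run as root, and the rpm file names carry an architecture suffix, so a typo or a stale CD image usually shows up only as a half-installed set of packages. The POSIX shell script below is an added example, not code from this guide or shipped with Tivoli Access Manager: it derives the five rpm file names for one architecture in the order step 9 lists them, refuses to call rpm if any file is missing from the distribution directory or if the caller is not root, and hands all five to a single rpm -ihv so that rpm checks the inter-package dependencies itself. The PDWPI_DRY_RUN variable is an assumption added for rehearsal and testing; it is not an rpm or Tivoli Access Manager option.

```shell
#!/bin/sh
# Added example (not from the IBM guide): install the Linux plug-in packages
# for IBM HTTP Server in the order the procedure gives, after checking that
# every rpm is actually present in the distribution directory.
#
# Assumptions not stated on the page: the CD is mounted and DISTDIR is
# /mnt/cdrom/linux_i386 or /mnt/cdrom/linux_s390; PDWPI_DRY_RUN=1 prints the
# rpm command instead of running it (added here for testing only).

# Print the rpm file names for one architecture (i386 or s390), one per line,
# in dependency order: license, runtime, Web security runtime, generic
# plug-in, IHS-specific plug-in.
pdwpi_rpm_list() {
    arch="$1"
    case "$arch" in
        i386|s390) ;;
        *) echo "unsupported architecture: $arch" >&2; return 1 ;;
    esac
    for pkg in PDlic-PD PDRTE-PD PDWebRTE-PD PDWPI-PD PDWPI-IHS; do
        echo "${pkg}-6.1.1.0-0.${arch}.rpm"
    done
}

# Verify that every rpm exists under DISTDIR, then install them with one
# rpm -ihv invocation so rpm resolves the inter-package dependencies itself.
# Returns 1 without touching the system if any file is missing or the caller
# is not root.
pdwpi_install() {
    distdir="$1"; arch="$2"
    pdwpi_rpm_list "$arch" >/dev/null || return 1
    files=""
    for f in $(pdwpi_rpm_list "$arch"); do
        if [ ! -f "$distdir/$f" ]; then
            echo "missing package: $distdir/$f" >&2
            return 1
        fi
        files="$files $distdir/$f"
    done
    if [ "${PDWPI_DRY_RUN:-0}" = "1" ]; then
        echo "rpm -ihv$files"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "rpm installation requires root" >&2
        return 1
    fi
    # Word splitting of $files is intended: one argument per rpm.
    rpm -ihv $files
}
```

Rehearse with `PDWPI_DRY_RUN=1 pdwpi_install /mnt/cdrom/linux_i386 i386`, which prints the exact rpm command; run the same call as root without the variable to install. Only the IBM HTTP Server package set is covered; the plug-in packages for other Web servers have different names and are not derived here.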

Solaris: plug-in for IBM HTTP Server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the Web server plug-in for IBM HTTP Server on Solaris, complete the following steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.


6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

   where:

   /cdrom/cdrom0/solaris
      Specifies the location of the package.
   /cdrom/cdrom0/solaris/pddefault
      Specifies the location of the installation administration script.

   and where packages are as follows:

   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDWPI      Specifies the Access Manager Plug-in for Web Servers package.
   PDWPIihs   Specifies the Access Manager Plug-in for IBM HTTP Server package.

   Note: These packages must be installed on the same system as IBM HTTP Server.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Set the shared memory kernel parameters to values that are larger than the default values. Add the following lines to the /etc/system file to increase the parameters to acceptable values:

    set shmsys:shminfo_shmmax=0x2000000
    set shmsys:shminfo_shmseg=256
    set shmsys:shminfo_shmmni=256

    Restart your system for these changes to take effect.
11. Configure the Tivoli Access Manager packages as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package.
       Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
       When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.


13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:

    pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on Solaris. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.
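Step 10 of the Solaris procedure appends three lines to /etc/system and then asks for a reboot. If the file already carries a different value for one of these parameters, left by another product or by an earlier run of this procedure, a blind append leaves two entries; the kernel processes the file in order, so the later line wins and the earlier one sits there to confuse the next administrator. The POSIX shell functions below are an added example, not part of this guide or the product: they set or replace each parameter in place, take the file path as an argument so the edit can be rehearsed on a copy before touching /etc/system, and return the pkgadd option the Attention note recommends when uname -r reports 5.10. Nothing here runs pkgadd or reboots the system; the grep and tail forms are kept to what the Solaris 10 /usr/bin tools accept.

```shell
#!/bin/sh
# Added example (not from the IBM guide): make the /etc/system edit from
# step 10 idempotent so rerunning the procedure never leaves duplicate or
# conflicting "set shmsys:..." lines. The three values are the guide's own;
# the file path is a parameter so the functions can be exercised on a copy.

# Write or replace one "set <key>=<value>" line in FILE. The content is
# rewritten through a temporary file and copied back with cat so the
# original inode, owner and mode of /etc/system are preserved.
set_system_param() {
    file="$1"; key="$2"; value="$3"
    if grep "^set ${key}=" "$file" >/dev/null 2>&1; then
        sed "s|^set ${key}=.*|set ${key}=${value}|" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        echo "set ${key}=${value}" >> "$file"
    fi
}

# Apply the shared-memory values the procedure gives for the plug-in.
# FILE defaults to /etc/system; pass a scratch copy to rehearse.
apply_pdwebpi_shm_params() {
    file="${1:-/etc/system}"
    set_system_param "$file" shmsys:shminfo_shmmax 0x2000000
    set_system_param "$file" shmsys:shminfo_shmseg 256
    set_system_param "$file" shmsys:shminfo_shmmni 256
}

# Print the effective value of KEY in FILE (last matching line wins, as the
# kernel reads the file), or nothing if it is not set.
get_system_param() {
    file="$1"; key="$2"
    grep "^set ${key}=" "$file" 2>/dev/null | tail -1 | sed "s|^set ${key}=||"
}

# Option to add to pkgadd: the guide recommends -G on Solaris 10 so the
# packages go into the current zone only. RELEASE is the output of uname -r
# (5.10 on Solaris 10); other releases get no extra option here.
solaris_pkgadd_opts() {
    case "$1" in
        5.10) echo "-G" ;;
        *) echo "" ;;
    esac
}
```

A typical use on the target host is `cp /etc/system /var/tmp/system.test && apply_pdwebpi_shm_params /var/tmp/system.test`, a diff against the original to confirm that only the three parameters changed, then the same call without an argument as root, followed by the reboot the guide requires. For step 8, `pkgadd $(solaris_pkgadd_opts "$(uname -r)") -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDlic` adds -G only where the Attention note asks for it.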

Windows: plug-in for IBM HTTP Server

To install the plug-in for IBM HTTP Server on Windows 2003, follow these steps:

1. Log on as any member of the Administrators group.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
4. Change to the following directory on the drive where the CD is located:

   \windows\PolicyDirector\Disk Images\Disk1

5. Install the Tivoli Access Manager packages. To do so, run the setup.exe program from this directory. The Choose Setup Language dialog is displayed.
6. Select the language that you want to use for the installation and click OK.
7. The Welcome window is displayed. Click Next to continue.
8. Read the license agreement and click Yes if you agree to the terms.
9. Select the following packages and click Next:
   • Access Manager License
   • Access Manager Runtime
   • Access Manager Web Security Runtime
   • Access Manager Plug-in for Web Servers
   • Access Manager Plug-in for IBM HTTP Server
10. Click Next. The Choose Destination Location window is displayed.
11. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
12. Click Next to install the selected packages. The Setup Complete window is displayed.
13. Click Finish to exit the installation program.
14. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. To do so, click Start → Programs → IBM Tivoli Access Manager → Configuration. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.


    Note: You can also configure Tivoli Access Manager components by using the pdconfig utility from a command line.

15. Restart the Web server.
16. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

This step completes the setup of the Tivoli Access Manager Web server plug-in for IBM HTTP Server on Windows. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.

Installing the plug-in for Internet Information Services

The Web server plug-in for Internet Information Services is available on supported Windows platforms only.

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install the Web server plug-in for Internet Information Services on Windows 2003, follow these steps:

1. Log on as any member of the Administrators group.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
5. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
6. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
7. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program, located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   The Choose Setup Language dialog is displayed.
9. Select the language that you want to use for the installation and click OK.
10. The Welcome window is displayed. Click Next to continue.
11. Read the license agreement and click Yes if you agree to the terms.
12. Select the following packages and click Next:
    • Access Manager License
    • Access Manager Runtime
    • Access Manager Web Security Runtime
    • Access Manager Plug-in for Web Servers
13. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.


14. To start copying files to the destination folder, click Next.
15. Click Finish to exit the setup program. Select the option to restart your computer for the changes to take effect.
16. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
17. If you are running the Tivoli Access Manager Plug-in for Microsoft Internet Information Services (IIS) on a Windows 2003 Domain Controller, you must configure IIS to use one of the default identities. Because of a limitation of the Windows 2003 operating system, using an identity other than the default user identities causes a 503 Service Unavailable error.
18. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package. To do so, click Start → Programs → IBM Tivoli Access Manager → Configuration. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.

    Note: You can also configure Tivoli Access Manager components by using the pdconfig utility from a command line.

19. Restart the Web server.
20. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

This step completes the setup of the Tivoli Access Manager Web server plug-in for IIS on Windows. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.

Installing the plug-in for Sun Java System Web Server

Complete the instructions that apply to your operating system:
• AIX on page 254
• Solaris on page 256

For more information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.

AIX: plug-in for Sun Java System Web Server

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install the Web server plug-in for Sun Java System Web Server on AIX, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.


5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic          Specifies the Access Manager License package.
   PD.RTE          Specifies the Access Manager Runtime package.
   PDWeb.RTE       Specifies the Access Manager Web Security Runtime package.
   PD.WPI          Specifies the Access Manager Plug-in for Web Servers package.
   PD.WPIiPlanet   Specifies the Access Manager Plug-in for Sun Java System Web Server package.

   Note: These packages must be installed on the same system as the Sun Java System Web Server.

9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Tivoli Access Manager packages as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package.
       Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
       When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
12. Restart the Web server.
13. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
14. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:

    pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for Sun Java System Web Server on AIX. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.


Solaris: plug-in for Sun Java System Web Server

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the Web server plug-in for Sun Java System Web Server on Solaris, complete the following steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that you have met the requirements listed in “Preinstallation requirements” on page 239.
4. Insert the IBM Tivoli Access Manager Web Security for Solaris CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.
8. Install the Tivoli Access Manager packages (one at a time):

   pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

   where:

   /cdrom/cdrom0/solaris
      Specifies the location of the package.
   /cdrom/cdrom0/solaris/pddefault
      Specifies the location of the installation administration script.

   and where packages are as follows:

   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDWPI      Specifies the Access Manager Plug-in for Web Servers package.
   PDWPIipl   Specifies the Access Manager Plug-in for Sun Java System Web Server package.

   Note: These packages must be installed on the same system as the Sun Java System Web Server.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
10. Configure the Tivoli Access Manager packages as follows:
    a. Start the configuration utility:

       pdconfig


       The Tivoli Access Manager Setup Menu is displayed.
    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime followed by the Access Manager Plug-in for Web Servers package.
       Depending on the package that you selected, you are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
       When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.
11. Restart the Web server.
12. Customize the pdwebpi.conf file for your particular Web server. For information, see the IBM Tivoli Access Manager for e-business: Plug-in for Web Servers Administration Guide.
13. To start the plug-in process, change to the /opt/pdwebpi/bin directory and enter the following command:

    pdwebpi_start start

This step completes the setup of the Tivoli Access Manager Web server plug-in for Sun Java System Web Server on Solaris. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.


Chapter 14. Setting up a Web security development system

This chapter provides information about installing and configuring a Tivoli Access Manager Web security application development kit (ADK) system.

For more information about this Web security system, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

You can set up this system using one of the following installation methods:
• “Installing using the installation wizard”
• “Installing using native utilities” on page 260

Note: During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, a YaST-based installation does not install the Korn shell at /bin/ksh.

Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support Web sites.

Installing using the installation wizard

The install_amwebadk installation wizard simplifies the setup of a Tivoli Access Manager Web security application development kit (ADK) system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM Tivoli Directory Server base client (as needed)
• IBM Tivoli Directory Server 32-bit client (as needed)
• Tivoli Security Utilities
• Access Manager License
• Access Manager Runtime
• Access Manager Web Security Runtime
• Access Manager Application Development Kit (ADK)
• Access Manager Web Security Application Development Kit (ADK)

Note: The wizard detects if a component is installed and does not attempt to reinstall it.


Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.
• If your system hangs after issuing the wizard command, or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a Tivoli Access Manager Web security development (ADK) system using the install_amwebadk wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Ensure that the IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
5. On Windows systems only, exit from all running programs.
6. Run the install_amwebadk program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for the supported AIX, HP-UX, HP-UX on Integrity, Solaris, Solaris on x86_64, Linux on x86, Linux on System z, and Windows 2003 platforms.
   The installation wizard begins by prompting you for configuration information as described in “install_amwebadk” on page 430. Supply the required configuration information, or accept default values.
7. Compare the disk space that is required to install all of the Web security development (ADK) system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.
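This chapter names three conditions under which the wizard path fails or hangs: no Korn shell at /bin/ksh on some SUSE Linux Enterprise Server installs, Java not reachable through PATH, and SELinux enabled on Red Hat Enterprise Linux 5. The POSIX shell functions below are an added example, not part of this guide or of the install_amwebadk wizard: they check each condition before the wizard is started and print one line per blocker, with the remedy the chapter gives. The ROOT, PATHDIRS and MODE parameters are assumptions introduced so the checks can be exercised against a scratch directory; on a real host call amwebadk_preflight with no arguments and it inspects /bin/ksh, $PATH and the live SELinux mode. Nothing here changes system state; disabling SELinux, if you choose the wizard path, remains a manual step.

```shell
#!/bin/sh
# Added example (not from the IBM guide): preflight checks for the
# install_amwebadk wizard path, covering the three failure causes this
# chapter lists. ROOT, PATHDIRS and MODE exist only so the checks can be
# run against a scratch tree; defaults are "/", $PATH and the live value.

# 0 if ROOT/bin/ksh exists and is executable. A trailing slash on ROOT is
# stripped so "/" and "" both resolve to /bin/ksh.
have_ksh() {
    [ -x "${1%/}/bin/ksh" ]
}

# 0 if an executable named java is found in the colon-separated PATHDIRS
# (defaults to the caller's PATH, which is what the wizard uses).
java_on_path() {
    dirs="${1:-$PATH}"
    oldifs="$IFS"; IFS=:
    for d in $dirs; do
        if [ -x "$d/java" ]; then IFS="$oldifs"; return 0; fi
    done
    IFS="$oldifs"
    return 1
}

# Print Enforcing, Permissive or Disabled from getenforce, or Absent when
# the host has no SELinux tooling at all (AIX, HP-UX, Solaris, Windows).
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo Absent
    fi
}

# Print one line per blocker and return 1 if any was found. Empty output
# and 0 means the wizard prerequisites from this chapter are satisfied.
# Permissive still counts as "enabled", which is the condition the chapter
# says must not hold when the wizard runs.
amwebadk_preflight() {
    root="${1:-/}"; root="${root%/}"
    dirs="${2:-$PATH}"
    mode="${3:-$(selinux_mode)}"
    rc=0
    if ! have_ksh "$root"; then
        echo "no ${root}/bin/ksh: install the pdksh rpm for this hardware"; rc=1
    fi
    if ! java_on_path "$dirs"; then
        echo "java not on PATH: install the IBM Java Runtime 1.5.0 SR5 shipped with Tivoli Access Manager"; rc=1
    fi
    if [ "$mode" = "Enforcing" ] || [ "$mode" = "Permissive" ]; then
        echo "SELinux is $mode: disable it before running the wizard, or install with native utilities"; rc=1
    fi
    return $rc
}
```

Run `amwebadk_preflight || exit 1` immediately before `./install_amwebadk` so the wizard is never started on a host where it is known to hang; the native-utility procedures later in this chapter remain the supported route when SELinux has to stay on.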

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike the automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Complete the instructions that apply to your operating system:


• AIX on page 261
• HP-UX on page 262
• Linux on page 263
• Solaris on page 264
• Windows on page 265

AIX: Installing a Web security development (ADK) system

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager Web security development (ADK) system on AIX, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
8. Install the Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic       Specifies the Access Manager License package.
   PD.RTE       Specifies the Access Manager Runtime package.
   PDWeb.RTE    Specifies the Access Manager Web Security Runtime package.
   PD.AuthADK   Specifies the Access Manager Application Development Kit package.
   PDWeb.ADK    Specifies the Access Manager Web Security Application Development Kit package.

9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
11. Configure the Access Manager Runtime package as follows:
    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.


    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
    c. Select the menu number for the Access Manager Runtime package. You are prompted for configuration options. For assistance with configuration options, see Chapter 22, “pdconfig options,” on page 447.
       When a message appears indicating that the package has been successfully configured, select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in “Installation process” on page 21.

HP-UX: Installing a Web security development (ADK) system

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager Web security development (ADK) system on HP-UX or HP-UX on Integrity, complete the following steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations, in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Web Security for HP-UX
   • IBM Tivoli Access Manager Web Security for HP-UX on Integrity
5. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.
8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.
9. Install the Tivoli Access Manager packages:
   • For HP-UX:

     swinstall -s /cd-rom/hp packages

   • For HP-UX on Integrity:

     swinstall -s /cd-rom/hp_ia64 packages

   where /cd-rom/hp or /cd-rom/hp_ia64 specifies the directory and packages are as follows:

   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDADK      Specifies the Access Manager Application Development Kit package.


PDWebADK Specifies the Access Manager Web Services ApplicationDevelopment Kit package.

10. Unmount the CD as follows:umount /cd-rom

where /cd-rom is the mount point.11. To view status and messages in a language other than English, which is the

default, install your language support package before configuring packages. Forinstructions, see “Installing language support packages for Tivoli AccessManager” on page 37.

12. Configure the Access Manager Runtime package as follows:a. Start the configuration utility:

pdconfig

The Tivoli Access Manager Setup Menu is displayed.b. Type menu number 1 for Configure Package. The Tivoli Access Manager

Configuration Menu is displayed.

This step completes the setup of a Tivoli Access Manager Web securitydevelopment (ADK) system. To set up another Tivoli Access Manager system,Follow the steps in the “Installation process” on page 21.

Linux: Installing a Web security development (ADK) systemThe following procedure uses rpm to install software packages and the pdconfigutility to configure them.

To install a Tivoli Access Manager Web security development (ADK) system onLinux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpmfiles which are located in the /CD_mount_point/linux_s390 directory on the IBMTivoli Access Manager Web Security for Linux on System z CD.1. Log on as root.2. Ensure that all necessary operating system patches are installed. Also ensure

that you have reviewed the most-recent release information, including systemrequirements, disk space requirements, and known defects and limitations inthe IBM Tivoli Access Manager for e-business: Release Notes or Technotes in thesupport knowledge database.

3. Ensure that the registry server and policy server are up and running (innormal mode).

4. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 or the IBMTivoli Access Manager Web Security for Linux on System z CD and mount it.

5. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is themount point for your CD and distribution specifies linux_i386 for x86,linux_ppc for POWER, or linux_s390 for System z.

6. Install IBM Global Security Kit (GSKit), if not already installed. Forinstructions, see page 313.

7. If using an LDAP-based user registry, install the IBM Tivoli Directory Serverclient, if not already installed. For instructions, see page 329.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.

9. Install the Tivoli Access Manager packages:

      rpm -ihv packages

   where packages are as follows:

   Package                                                  Linux on x86                     Linux on System z                Linux on POWER
   Access Manager License                                   PDlic-PD-6.1.1.0-0.i386.rpm      PDlic-PD-6.1.1.0-0.s390.rpm      PDlic-PD-6.1.1.0-0.ppc.rpm
   Access Manager Runtime                                   PDRTE-PD-6.1.1.0-0.i386.rpm      PDRTE-PD-6.1.1.0-0.s390.rpm      PDRTE-PD-6.1.1.0-0.ppc.rpm
   Access Manager Web Security Runtime                      PDWebRTE-PD-6.1.1.0-0.i386.rpm   PDWebRTE-PD-6.1.1.0-0.s390.rpm   PDWebRTE-PD-6.1.1.0-0.ppc.rpm
   Access Manager Application Development Kit               PDAuthADK-PD-6.1.1.0-0.i386.rpm  PDAuthADK-PD-6.1.1.0-0.s390.rpm  PDAuthADK-PD-6.1.1.0-0.ppc.rpm
   Access Manager Web Services Application Development Kit  PDWebADK-PD-6.1.1.0-0.i386.rpm   PDWebADK-PD-6.1.1.0-0.s390.rpm   PDWebADK-PD-6.1.1.0-0.ppc.rpm

10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the Access Manager Runtime package. You are prompted for configuration options; for assistance with these options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Solaris: Installing a Web security development (ADK) system

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install a Tivoli Access Manager Web security development (ADK) system on Solaris or Solaris on x86_64, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Web Security for Solaris
   • IBM Tivoli Access Manager Web Security for Solaris on x86_64

5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.

6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.

7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.

8. Install the Tivoli Access Manager packages:
   • For Solaris:

      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

   • For Solaris on x86_64:

      pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

   where -d /cdrom/cdrom0/solaris or -d /cdrom/cdrom0/solaris_x86 specifies the location of the packages, -a specifies the pddefault administration file, and packages are as follows (on Solaris 10, add the -G option as noted above):

   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDADK      Specifies the Access Manager Application Development Kit package.
   PDWebADK   Specifies the Access Manager Web Services Application Development Kit package.

   When a message queries Do you want to install these as setuid/setgid?, type Y and press Enter. When prompted to continue, type Y and press Enter. When the installation process is complete for each package, the following message is displayed:

      Installation of packages successful.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the Access Manager Runtime package. You are prompted for configuration options; for assistance with these options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Windows: Installing a Web security development (ADK) system

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.


To install and configure a Tivoli Access Manager Web security development (ADK) system on Windows 2003, follow these steps:

1. Log on as a user with Administrator group privileges.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:

      \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   • Access Manager License
   • Access Manager Runtime
   • Access Manager Web Security Runtime
   • Access Manager Application Development Kit
   • Access Manager Web Security Application Development Kit

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Access Manager Runtime package as follows:
   a. Start the configuration utility:

      pdconfig

      The Access Manager Configuration window is displayed.
   b. Select Access Manager Runtime and click Configure.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager Web security development (ADK) system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Chapter 15. Setting up WebSEAL

This chapter provides information about installing and configuring a Tivoli Access Manager WebSEAL system.

For more information about this Web security system, see the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide.

You can set up this system using one of the following installation methods:
• “Installing using the installation wizard”
• “Installing using native utilities” on page 269

Notes:

1. During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on the SUSE Linux Enterprise Server installation media or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

2. Before you install WebSEAL on an AIX system, make sure the xlC.rte and xlC.aix50.rte components are at the 8.0.0.4 level.

Installing using the installation wizard

The install_amweb installation wizard simplifies the setup of a Tivoli Access Manager WebSEAL system by installing and configuring the following components in the appropriate order:
• IBM Global Security Kit (GSKit)
• IBM Tivoli Directory Server client (as needed), base and 32-bit
• Tivoli Security Utilities
• Access Manager License
• Access Manager Runtime
• Access Manager Web Security Runtime
• Access Manager WebSEAL

Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities. Putting SELinux into permissive mode for the duration of the installation (setenforce 0), rather than setting SELINUX=disabled and rebooting, keeps the files that the wizard creates labeled, so re-enabling enforcement afterwards does not require a file system relabel.

• If your system hangs after issuing the wizard command, or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

Notes:

1. The wizard detects if a component is installed and does not attempt to reinstall it.


2. You can use the following browsers for the Access Manager WebSEAL interface:
   • Microsoft Internet Explorer for Windows
   • Mozilla for UNIX or Linux
   See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database for the most recent information about which versions of the browsers are supported.

3. If you install WebSEAL on a system that also has Tivoli Access Manager for Operating Systems installed, be sure to add the WebSEAL admin user to the Tivoli Access Manager for Operating Systems admin group.

To install and configure a Tivoli Access Manager WebSEAL system using the install_amweb wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

2. Ensure that the registry server and policy server are up and running (in normal mode).

3. Ensure that the Java Runtime Environment version 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.

4. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
   If you install the language support package after configuring the WebSEAL instance, you must manually copy your language-specific .html files into the proper directories:
   a. Copy the language-specific .html files in the /opt/pdweb/html.tivoli/lib/html/<lang> directory to the /opt/pdweb/www-default/lib/html/<lang> directory.
   b. Copy the language-specific .html files in the /opt/pdweb/html.tivoli/lib/errors/<lang> directory to the /opt/pdweb/www-default/lib/errors/<lang> directory.

5. On Windows systems only, exit from all running programs.
6. Run the install_amweb program, located in the root directory on the IBM Tivoli Access Manager Web Security CD for the supported AIX, HP-UX, HP-UX on Integrity, Linux on x86, Linux on System z, Solaris, Solaris on x86_64 and Windows 2003 platforms.
   The installation wizard begins by prompting you for configuration information as described in “install_amweb” on page 424. Supply the required configuration information, or accept default values.

7. Compare the disk space that is required to install all of the Tivoli Access Manager WebSEAL system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.
   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.


This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
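Step 4 above tells you to copy the language-specific pages by hand when the language pack is installed after the WebSEAL instance has been configured. The following function is an added example, not code from the IBM guide or the product. It performs that copy for one language code and rejects any value that is not a plain locale name, so a crafted code cannot write outside the instance document root. It assumes the /opt/pdweb paths given in step 4; the optional third argument, which overrides that root, is this example's own addition so the function can be exercised on a scratch tree.

```shell
#!/bin/sh
# Added example (not from the IBM guide): copy the language-specific
# WebSEAL pages for one locale from the language pack into an instance's
# document root. Paths follow step 4 of the wizard procedure; $3 is an
# assumption of this example that lets you point at a scratch tree.
set -eu

tam_copy_lang_html() {
  lang=$1; instance_root=$2; pdweb=${3:-/opt/pdweb}
  # Accept only plain locale names such as de, ja or pt_BR. A slash, a dot
  # or any other punctuation is rejected before any path is built from it.
  case "$lang" in
    ''|*[!A-Za-z0-9_]*) echo "invalid language code: '$lang'" >&2; return 1 ;;
  esac
  copied=0
  for sub in html errors; do
    src="$pdweb/html.tivoli/lib/$sub/$lang"
    dst="$instance_root/lib/$sub/$lang"
    if [ ! -d "$src" ]; then
      echo "no $sub pages for $lang under $src" >&2
      continue
    fi
    mkdir -p "$dst"
    cp -p "$src"/*.html "$dst"/
    copied=$((copied + 1))
  done
  # Fail if the language pack supplied nothing for this locale.
  [ "$copied" -gt 0 ]
}

# Usage: tam_copy_lang_html de /opt/pdweb/www-default
```

Run it as root once per language code and per WebSEAL instance (replace www-default with the instance's document root). A non-zero return means either the code was rejected or the language pack has no pages for that locale, so nothing was copied.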

Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike the automated installation wizard, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the pdconfig utility.

Notes:

1. If you install WebSEAL on a system that also has Tivoli Access Manager for Operating Systems installed, be sure to add the WebSEAL admin user to the Tivoli Access Manager for Operating Systems admin group.

2. Alternatively, you can configure the Access Manager WebSEAL component using the amwebcfg utility, which is called by the pdconfig utility. For more information about this utility, see “amwebcfg” on page 552.

Complete the instructions that apply to your operating system:
• AIX on page 269
• HP-UX on page 270
• Linux on page 272
• Solaris on page 273
• Windows on page 275

AIX: Installing WebSEAL

The following procedure uses installp to install software packages and the pdconfig utility to configure them.

Attention: Before you install WebSEAL on an AIX system, make sure the xlC.rte and xlC.aix50.rte components are at the 8.0.0.4 level.

To install a Tivoli Access Manager WebSEAL system on AIX, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Web Security for AIX CD and mount it.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.
6. Install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.


7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.

8. Install the Tivoli Access Manager packages:

      installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic      Specifies the Access Manager License package.
   PD.RTE      Specifies the Access Manager Runtime package.
   PDWeb.RTE   Specifies the Access Manager Web Security Runtime package.
   PDWeb.Web   Specifies the Access Manager WebSEAL package.

9. Unmount the CD.
10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

11. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime before the Access Manager WebSEAL package.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.

HP-UX: Installing WebSEAL

The following procedure uses swinstall to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager WebSEAL system on HP-UX or HP-UX on Integrity, complete the following steps:


1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Web Security for HP-UX
   • IBM Tivoli Access Manager Web Security for HP-UX on Integrity

5. Mount the CD using the HP-UX mount command. For example, enter the following:

      mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.

7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.

9. Install the Tivoli Access Manager packages:
   • For HP-UX:

      swinstall -s /cd-rom/hp packages

   • For HP-UX on Integrity:

      swinstall -s /cd-rom/hp_ia64 packages

   where /cd-rom/hp or /cd-rom/hp_ia64 specifies the directory and packages are as follows:

   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDWeb      Specifies the Access Manager WebSEAL package.

10. Unmount the CD as follows:

      umount /cd-rom

   where /cd-rom is the mount point.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime before the Access Manager WebSEAL package.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.

Linux: Installing WebSEAL

The following procedure uses rpm to install software packages and the pdconfig utility to configure them.

To install a Tivoli Access Manager WebSEAL system on Linux on x86 or Linux on System z, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files, which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Web Security for Linux on System z CD.

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Web Security for Linux on x86 or the IBM Tivoli Access Manager Web Security for Linux on System z CD and mount it.

5. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86 or linux_s390 for System z.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.

7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.

9. Install the Tivoli Access Manager packages:

      rpm -ihv packages

   where packages are as follows:

   Package                              Linux on x86                     Linux on System z
   Access Manager License               PDlic-PD-6.1.1.0-0.i386.rpm      PDlic-PD-6.1.1.0-0.s390.rpm
   Access Manager Runtime               PDRTE-PD-6.1.1.0-0.i386.rpm      PDRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager Web Security Runtime  PDWebRTE-PD-6.1.1.0-0.i386.rpm   PDWebRTE-PD-6.1.1.0-0.s390.rpm
   Access Manager WebSEAL               PDWeb-PD-6.1.1.0-0.i386.rpm      PDWeb-PD-6.1.1.0-0.s390.rpm

10. Unmount the CD.
11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime before the Access Manager WebSEAL package.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.
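The Linux procedures for the Web security development (ADK) system and for WebSEAL have the same shape: pick the distribution directory for the host architecture, install the rpms in prerequisite order, then run pdconfig. The following script is an added example and is not part of the IBM guide or the product. It automates the rpm steps for either role and adds a media check that the guide does not describe: it refuses to call rpm if any package file is missing or, when a checksum manifest is present, if a digest does not match. It assumes the directory layout and rpm file names listed above; the SHA256SUMS manifest it looks for is a hypothetical file that you generate yourself from pristine media, and treating x86_64 hosts as users of the linux_i386 media is an assumption.

```shell
#!/bin/sh
# Added example (not from the IBM guide): wrapper for the Linux rpm
# procedure. Derives the media directory and rpm names from the host
# architecture, checks the media, then runs rpm -ihv with the packages in
# prerequisite order. Assumptions: rpm names and directories as listed in
# the guide; SHA256SUMS is a hypothetical manifest you create from pristine
# media (the guide does not ship one).
set -eu

TAM_VERSION="6.1.1.0-0"

# Map `uname -m` output to the distribution directory on the Web Security CD.
tam_distribution() {
  case "$1" in
    i?86|x86_64) echo linux_i386 ;;  # x86 media carries i386 rpms (assumption for x86_64 hosts)
    s390|s390x)  echo linux_s390 ;;
    ppc|ppc64)   echo linux_ppc ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Map a distribution directory to the rpm architecture suffix.
tam_rpm_suffix() {
  case "$1" in
    linux_i386) echo i386 ;;
    linux_s390) echo s390 ;;
    linux_ppc)  echo ppc ;;
    *) echo "unknown distribution: $1" >&2; return 1 ;;
  esac
}

# Print the rpm file names for a role, one per line, in install order:
# License, Runtime, Web Security Runtime, then the role-specific packages.
tam_packages() {
  role=$1; suffix=$2
  case "$role" in
    adk)     set -- PDlic PDRTE PDWebRTE PDAuthADK PDWebADK ;;
    webseal) set -- PDlic PDRTE PDWebRTE PDWeb ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  for pkg in "$@"; do
    printf '%s-PD-%s.%s.rpm\n' "$pkg" "$TAM_VERSION" "$suffix"
  done
}

# Return 1 unless every rpm exists in the media directory and, when a
# SHA256SUMS manifest is present there, its digest matches. A partial or
# altered copy of the media therefore never reaches rpm.
tam_verify_media() {
  dir=$1; role=$2; suffix=$3
  list=$(tam_packages "$role" "$suffix") || return 1
  status=0
  for f in $list; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f" >&2; status=1; continue
    fi
    if [ -f "$dir/SHA256SUMS" ]; then
      (cd "$dir" && grep -F -- "$f" SHA256SUMS | sha256sum -c - >/dev/null) \
        || { echo "checksum mismatch: $f" >&2; status=1; }
    fi
  done
  return $status
}

# Verify, then install. DRY_RUN=1 prints the rpm command instead of running it.
tam_install() {
  media_root=$1; role=$2
  dist=$(tam_distribution "$(uname -m)")
  suffix=$(tam_rpm_suffix "$dist")
  media="$media_root/$dist"
  tam_verify_media "$media" "$role" "$suffix"
  set -- $(tam_packages "$role" "$suffix")
  cd "$media"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo rpm -ihv "$@"
  else
    rpm -ihv "$@"
  fi
}

# Usage: DRY_RUN=1 sh install_tam_linux.sh /mnt/cdrom webseal
if [ $# -eq 2 ]; then
  tam_install "$1" "$2"
fi
```

Run it as root with the CD mounted, for example DRY_RUN=1 sh install_tam_linux.sh /mnt/cdrom webseal to see the rpm command before anything is installed, or with adk for the development system. Configuration stays interactive: after the rpms are installed, run pdconfig with the policy server reachable and configure the Access Manager Runtime before the Access Manager WebSEAL package.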

Solaris: Installing WebSEAL

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.


To install a Tivoli Access Manager WebSEAL system on Solaris or Solaris on x86_64, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the CD for your platform:
   • IBM Tivoli Access Manager Web Security for Solaris
   • IBM Tivoli Access Manager Web Security for Solaris on x86_64

5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.

6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.

7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.

8. Install the Tivoli Access Manager packages (one at a time):
   • For Solaris:

      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

   • For Solaris on x86_64:

      pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

   where /cdrom/cdrom0/solaris or /cdrom/cdrom0/solaris_x86 specifies the location of the packages, -a specifies the pddefault administration file, and packages are as follows (on Solaris 10, add the -G option as noted above):

   PDlic      Specifies the Access Manager License package.
   PDRTE      Specifies the Access Manager Runtime package.
   PDWebRTE   Specifies the Access Manager Web Security Runtime package.
   PDWeb      Specifies the Access Manager WebSEAL package.

   When a message queries Do you want to install these as setuid/setgid?, type Y and press Enter. When prompted to continue, type Y and press Enter. When the installation process is complete for each package, the following message is displayed:

      Installation of packages successful.

9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package, as follows:
   a. Start the configuration utility:

      pdconfig

      The Tivoli Access Manager Setup Menu is displayed.
   b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.
   c. Select the menu number of the package that you want to configure, one at a time. Configure the Access Manager Runtime before the Access Manager WebSEAL package.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.
      When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.

Windows: Installing WebSEAL

The following procedure uses the setup.exe program to install software packages and the pdconfig utility to configure them.

To install and configure a Tivoli Access Manager WebSEAL system on Windows 2003, follow these steps:

1. Log on as any member of the Administrators group.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Web Security for Windows CD.
5. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.
6. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.
7. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.
8. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:

      \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   • Access Manager License
   • Access Manager Runtime
   • Access Manager Web Security Runtime
   • Access Manager WebSEAL


9. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

10. Configure the Access Manager Runtime followed by the Access Manager WebSEAL package as follows:
   a. Start the configuration utility:

      pdconfig

      The Access Manager Configuration window is displayed.
   b. Select the Access Manager Runtime package and click Configure.
   c. Select the Access Manager WebSEAL package and click Configure.
      Depending on the package that you selected, you are prompted for configuration options. For assistance with these configuration options, see Chapter 22, “pdconfig options,” on page 447.

This step completes the setup of a Tivoli Access Manager WebSEAL system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Note: The Tivoli Access Manager WebSEAL system supports multiple instances of WebSEAL on each host computer. See the IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide for information on configuring multiple instances of WebSEAL.


Part 4. Session management system installation

Chapter 16. Setting up a session management server . . . 279
   Preinstallation requirements . . . 280
   Installing using the installation wizard . . . 282
   Installing using native utilities . . . 285
      AIX: Installing a session management server system . . . 285
      HP-UX: Installing a session management server system . . . 286
      Linux: Installing a session management server system . . . 287
      Solaris: Installing a session management server system . . . 287
      Windows: Installing a session management server system . . . 288
   Creating the login history database . . . 289
   Deploying the Integrated Solutions Console extension . . . 291
   Deploying the Session Management Server application . . . 291
      Deploying using the smscfg utility . . . 291
      Deploying using Session Management Server Integrated Solutions Console (ISC) . . . 292
   Configuring the session management server . . . 292
      Configuring the session management server using the smscfg utility . . . 292
      Configuring the session management server using the Integrated Solutions Console (ISC) . . . 293

Chapter 17. Setting up the session management command line . . . 295
   Preinstallation requirements . . . 295
   Installing using the installation wizard . . . 296
   Installing using native utilities . . . 298
      AIX: Installing the session management command line . . . 298
      HP-UX: Installing the session management command line . . . 299
      Linux: Installing the session management command line . . . 301
      Solaris: Installing the session management command line . . . 302
      Windows: Installing the session management command line . . . 304


Chapter 16. Setting up a session management server

This chapter provides information about installing and configuring a Tivoli Access Manager session management server (SMS) system.

Before you begin, review the following information about the session management server:
• The session management server is an optional component of Tivoli Access Manager. It runs as a service of the IBM WebSphere Application Server.
• The session management server can manage and monitor sessions across dispersed, clustered Web servers.
• If you want to set up and configure cluster members to be part of a node group that represents a WebSphere eXtreme Scale zone, perform the task before deploying and configuring the SMS. For details, see the WebSphere eXtreme Scale discussion in the IBM Tivoli Access Manager Session Management Server Administration Guide.
• Using the session management server allows the Access Manager WebSEAL and Access Manager Plug-in for Web Servers components to share a unified view of all current sessions. The session management server permits any authorized user to monitor and administer user sessions.
• The session management server records a variety of session information, including: session inactivity and lifetime timeout information, login activity, and concurrent login information. Also, the session management server records session statistics information, such as the number of users that are currently logged in.
• The extent of a session within the cluster is referred to as the session realm. The session management server can provide a seamless single sign-on experience across the session realm. Configure by adding or removing session realms.
• The session management server ensures that session policy remains consistent across clusters of Web security servers. Replica sets within a session realm share the Tivoli Access Manager registry and policy database.
• To configure the session management server system, use the smscfg utility. Run the command from the system where the session management server is installed.
• You can administer the session management server by using any (or all) of the following tools:

   pdadmin
      Is installed as part of the Tivoli Access Manager Runtime package. Use this interface to manage access control lists, groups, servers, users, objects, and other resources in your secure domain. You can also automate certain management functions by writing scripts that use pdadmin commands.

   pdsmsadmin
      Uses the SOAP protocol to communicate directly with a session management server installed on WebSphere Application Server.

   The session management server Integrated Solutions Console
      A graphical user interface that resides on the WebSphere Application Server, and is installed as an extension to the WebSphere ISC.

• WebSphere Application Server 6.1 includes version 6.0 of the Tivoli Access Manager runtime for Java. With the 6.0 version of the Tivoli Access Manager runtime for Java, the session management server cannot be configured to use multiple Tivoli Access Manager authorization servers. If you intend to configure the session management server to use multiple authorization servers, first install and configure Tivoli Access Manager runtime for Java version 6.1 into WebSphere Application Server.

For more information about distributed session management, see the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide.

You can set up this system using one of the following installation methods:
• “Installing using the installation wizard” on page 282
• “Installing using native utilities” on page 285

Following installation, you can perform the following tasks:
• “Creating the login history database” on page 289
• “Deploying the Integrated Solutions Console extension” on page 291
• “Deploying the Session Management Server application” on page 291
• “Configuring the session management server” on page 292

Preinstallation requirements

Before you install and configure a Tivoli Access Manager session management server, you must perform the following preinstallation tasks (as required). These requirements are applicable, regardless of which installation method you plan to use.
• During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.
• When you deploy the session management server to a cluster, the ObjectGrid toolkit automatically deploys to handle the distribution and management of session data between the different nodes within the cluster. The installation of this toolkit requires approximately 600 MB of disk space on the partitions which hold the WebSphere installation for each node. If you intend to deploy the session management server to a cluster, ensure that you have adequate disk space to install the ObjectGrid toolkit.
• If the IBM WebSphere Application Server is installed, the session management server can be run as a service. The IBM WebSphere Application Server can also be installed as a standalone server, and the session management server can be deployed to an application server or to a cluster.
• A Tivoli Access Manager environment must exist before installing the session management server.
• After installing the session management server, you must reconfigure the Access Manager WebSEAL, or Access Manager Plug-in for Web Servers (or both) to use the session management server for managing sessions.
• The structure of your session realms and associated replica set must be planned and mapped.


• Determine whether you want to have replicated session management server instances that provide failover capability and improved performance.
• If you want to administer the session management system using the pdadmin utility, install and configure an instance of the Tivoli Access Manager authorization server.
• If WebSphere Application Server is running as a non-root user on a UNIX or Linux system, the following steps must be performed:
   – As the root user, grant the WebSphere user write permission to the following directories (and all subdirectories) in the WebSphere Application Server base install directory:
      deploytool
      java
      lib
     These permissions can be removed after the session management server has been configured.
   – If Tivoli Common Directory is being enabled on the system for the first time, as the root user, create the following directories and grant the WebSphere user permission to create subdirectories in them:
      /etc/ibm
      /var/ibm
   – If Tivoli Common Directory is enabled, grant the WebSphere user write access to the base logging directory, such as /var/ibm/tivoli/common. This permission can be removed after the session management server has been configured.
   – If Tivoli Common Directory is enabled, grant the WebSphere user write access to the session management server logging subdirectory, CTGSM, in the base logging directory.
• Decide if you wish to enable WebSphere global security to ensure that administration actions are secured. Information on enabling global security can be found in the WebSphere Application Server information center at:
      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
  Specifically, the Setting up and enabling security topic:
      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tsec_secsetupenable.html
• If WebSphere global security is enabled, create three groups in WebSphere Application Server that can be used to manage the session management server environment:
   – A group for administrators, for example: sms-administrators
   – A group for delegators, for example: sms-delegators
   – A group for clients, for example: sms-clients
  The names of the groups must follow the naming conventions of the user registry used by WebSphere Application Server. You can use existing groups for this purpose, if desired.
• Determine whether you want to enable Secure Sockets Layer (SSL) for session management server communications. You can enable SSL between the Tivoli Access Manager servers in the replica set and the IBM WebSphere Application Server where the session management server is installed.
• If you plan to use Tivoli Access Manager certificates to authenticate with SMS, or if you want to use the Tivoli Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer SMS using either the session management command line or Integrated Solutions Console (ISC), then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server. Information on modifying the base DN for the WebSphere Application Server user registry can be found in the WebSphere Application Server information center at:
      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
  Specifically, the Configuring Lightweight Directory Access Protocol user registries topic:
      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_ldap.html

Installing using the installation wizard

The install_amsms installation wizard simplifies the setup of a Tivoli Access Manager session management server system by installing and configuring the following components in the appropriate order:
• IBM WebSphere Application Server (provided on separate CDs)
• Access Manager Session Management Server

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

If IBM WebSphere Application Server is not already installed and configured on the system, it can be installed as a standalone server during the wizard installation. Otherwise, the installation wizard permits you to use a previously installed IBM WebSphere Application Server, perhaps in a cluster environment. The default SOAP communications port number used by the installation wizard is 8879, which is the default port number used by WebSphere Application Server Network Deployment.

Attention:

• If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

• If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.
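The Linux-specific items in the preinstallation requirements (the missing /bin/ksh, the disk space for the ObjectGrid toolkit, the temporary write access for a non-root WebSphere user) and the SELinux point in the Attention list above are easy to overlook on a new host. As an added example that is not part of the IBM guide, the following POSIX shell script checks them before you start; WAS_ROOT, WAS_USER and the ACL-based grant and revoke helpers are assumptions of this example, not values or methods from the guide.

```shell
#!/bin/sh
# Added example, not from the IBM guide: pre-installation checks for a host that will
# run the Tivoli Access Manager session management server.
# Assumptions: Linux with coreutils (df, awk); getenforce and setfacl are optional.
# WAS_ROOT and WAS_USER are placeholders to override for your environment.

WAS_ROOT="${WAS_ROOT:-/opt/IBM/WebSphere/AppServer}"   # placeholder WAS install root
WAS_USER="${WAS_USER:-wasadmin}"                        # placeholder non-root WAS user
OBJECTGRID_MB=600        # per-node disk space the guide quotes for the ObjectGrid toolkit
WAS_TEMP_WRITE_DIRS="deploytool java lib"   # directories the guide says need temporary write access

# check_ksh [PATH]: configuration scripts expect a Korn shell at /bin/ksh, which some
# SUSE installs lack (the guide says to add the pdksh rpm). Returns 0 when present.
check_ksh() {
    [ -x "${1:-/bin/ksh}" ]
}

# free_mb DIR: free megabytes on the filesystem that holds DIR (POSIX df -P output).
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# check_disk_space DIR REQUIRED_MB: 0 when DIR exists and has at least REQUIRED_MB free.
check_disk_space() {
    [ -d "$1" ] || return 1
    [ "$(free_mb "$1")" -ge "$2" ]
}

# selinux_mode: current SELinux mode, or "unavailable" when getenforce is not installed.
# Record it before disabling SELinux for the wizard so the same mode is restored
# afterwards rather than leaving the host permissive by accident.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unavailable
    fi
}

# grant_temp_write USER DIR...: give USER rwx on each directory tree with an ACL entry
# instead of a world-writable chmod, so the grant is scoped to one principal and can
# be removed exactly. Requires root and the acl package (assumption of this example).
grant_temp_write() {
    user="$1"; shift
    for d in "$@"; do
        setfacl -R -m "u:${user}:rwx" "$d" || return 1
    done
}

# revoke_temp_write USER DIR...: drop the ACL entries once smscfg has finished, as the
# guide says these permissions can be removed after configuration.
revoke_temp_write() {
    user="$1"; shift
    for d in "$@"; do
        setfacl -R -x "u:${user}" "$d" || return 1
    done
}

# was_temp_write_paths ROOT: full paths under ROOT that need the temporary grant.
was_temp_write_paths() {
    for d in $WAS_TEMP_WRITE_DIRS; do
        printf '%s/%s\n' "$1" "$d"
    done
}

# sms_preflight: run the checks and print a report; returns non-zero on any failure.
sms_preflight() {
    rc=0
    if check_ksh; then
        echo "ok    /bin/ksh present"
    else
        echo "FAIL  /bin/ksh missing: install the pdksh rpm"; rc=1
    fi
    if check_disk_space "$WAS_ROOT" "$OBJECTGRID_MB"; then
        echo "ok    $WAS_ROOT has at least ${OBJECTGRID_MB} MB free for the ObjectGrid toolkit"
    else
        echo "FAIL  $WAS_ROOT is missing or has less than ${OBJECTGRID_MB} MB free"; rc=1
    fi
    echo "info  SELinux mode before installation: $(selinux_mode)"
    echo "info  directories needing temporary write access for $WAS_USER:"
    was_temp_write_paths "$WAS_ROOT"
    return $rc
}

# Run the report only when asked for, e.g.: SMS_PREFLIGHT_RUN=1 sh sms_preflight.sh
if [ "${SMS_PREFLIGHT_RUN:-0}" = 1 ]; then
    sms_preflight
fi
```

Source the file to reuse grant_temp_write and revoke_temp_write around the smscfg run, so the write access lives only as long as the configuration step needs it.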

To install and configure a session management server system using the install_amsms wizard, follow these steps:
1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.


2. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 280.
3. Ensure that the registry server and policy server are up and running (in normal mode).
4. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.
5. Because the installation wizard uses the IBM WebSphere Application Server console, ensure that the console is functioning correctly. For example, if you enabled global security within the IBM WebSphere Application Server, the correct security information must also be provided for the console in the was_install_root/profiles/default/properties/soap.client.props properties file.
6. To view status and messages in a language other than English, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.
7. If the policy server has Federal Information Processing Standard (FIPS) mode enabled, then WebSphere Application Server must be installed and FIPS enabled before using the installation wizard.
8. If WebSphere security and Federal Information Processing Standard (FIPS) mode are enabled, run the IBM WebSphere Application Server setupCmdLine script to set up the correct execution environment for the installation wizard. The setupCmdLine command is located in the bin directory associated with the WebSphere Application Server profile you are using.

   UNIX and Linux
      . ./setupCmdLine.sh

   Windows
      setupCmdLine.bat

9. On Windows systems only, exit from all running programs.
10. Run the install_amsms program, located in the root directory on the IBM Tivoli Access Manager Shared Session Management CD for the supported AIX, Linux on x86, Linux on System z, Solaris, and Windows 2003 platforms. The installation wizard begins by prompting you for configuration information as described on page 409. Supply the required configuration information, or accept default values.
11. Compare the disk space that is required to install all of the Tivoli Access Manager session management server system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation. After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

Note: During installation of the session management server:
• The DSess.ear file will be deployed as an IBM WebSphere Application Server application. Note that you cannot deploy the Session Management Server application in IBM WebSphere Application Server under a different name. You can deploy only one instance of the Session Management Server application to the IBM WebSphere Application Server if you install using the installation wizard. Additional instances of the Session Management Server application can be deployed at a later stage using the smscfg utility.


• A warning message will be displayed regarding the implementation of custom permissions. This is expected WebSphere behavior and does not indicate that your application service has been compromised. Installation should continue without further errors.

This step completes the setup of a Tivoli Access Manager session management server system. After installing the session management server, you must configure the Access Manager WebSEAL, or Access Manager Plug-in for Web Servers (or both) to use the session management server for managing sessions. See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed configuration information. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order. To configure software packages after installation, use the smscfg utility.

If you intend to administer the session management server from the command line using the pdadmin utility, a Tivoli Access Manager authorization server must be installed on the same system where you install the session management command line.

The Access Manager Session Management Server component must be installed and configured before configuring the Access Manager Session Management Command Line component.

Complete the instructions that apply to your operating system:
• AIX on page 285
• HP-UX on page 286
• Linux on page 287
• Solaris on page 287
• Windows on page 288

AIX: Installing a session management server system

Setting up a session management server system is a 3-part process that consists of installation, deployment to the application server or cluster, and configuration.

To install the Tivoli Access Manager session management server system, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 280.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. Install the IBM WebSphere Application Server. For instructions, see page 333.
6. Insert the IBM Tivoli Access Manager Shared Session Management for AIX CD and mount it.
7. Install the following Tivoli Access Manager packages:

      installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and where packages are as follows:

   PD.lic   Specifies the Access Manager License package.

   PD.SMS   Specifies the Access Manager Session Management Server package.


8. Unmount the CD.
9. If you are intending to use a DB2 database to store login history information, you must create the database as described in “Creating the login history database” on page 289.

After installing the session management server, continue with “Deploying the Session Management Server application” on page 291 and “Configuring the session management server” on page 292.

HP-UX: Installing a session management server system

Setting up a session management server system is a 3-part process that consists of installation, deployment to the application server or cluster, and configuration.

To install Tivoli Access Manager on HP-UX, follow these steps:
1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 280.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. Install the IBM WebSphere Application Server. For instructions, see page 334.
6. Insert the IBM Tivoli Access Manager Shared Session Management for HP-UX CD.
7. Mount the CD using the HP-UX mount command. For example, enter the following:

      mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
8. Install the Tivoli Access Manager packages:

      swinstall -s /cd-rom/hp packages

   where /cd-rom/hp is the directory and where packages are as follows:

   PDlic   Specifies the Access Manager License package.

   PDSMS   Specifies the Access Manager Session Management Server package.
9. Unmount the CD as follows:

      umount /cd-rom

   where /cd-rom is the mount point.
10. If you are intending to use a DB2 database to store login history information, you must create the database as described in “Creating the login history database” on page 289.

After installing the session management server, continue with “Deploying the Session Management Server application” on page 291 and “Configuring the session management server” on page 292.


Linux: Installing a session management server system

Setting up a session management server system is a 3-part process that consists of installation, deployment to the application server or cluster, and configuration.

To install Tivoli Access Manager packages on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Shared Session Management for Linux on System z CD.
1. Log on as root.
2. Ensure that the registry server and policy server are up and running (in normal mode).
3. Install the IBM WebSphere Application Server. For instructions, see page 335.
4. Insert the IBM Tivoli Access Manager Shared Session Management for Linux on x86 CD or the IBM Tivoli Access Manager Shared Session Management for Linux on System z CD and mount it.
5. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86 or linux_s390 for System z.
6. Install the Tivoli Access Manager packages:

      rpm -ihv packages

   where packages are as follows:

   Package                                            Linux on x86                   Linux on System z
   Access Manager License package                     PDlic-PD-6.1.1.0-0.i386.rpm    PDlic-PD-6.1.1.0-0.s390.rpm
   Access Manager Session Management Server package   PDSMS-PD-6.1.1.0-0.i386.rpm    PDSMS-PD-6.1.1.0-0.s390.rpm

7. Unmount the CD.
8. If you are intending to use a DB2 database to store login history information, you must create the database as described in “Creating the login history database” on page 289.

After installing the session management server, continue with “Deploying the Session Management Server application” on page 291 and “Configuring the session management server” on page 292.

Solaris: Installing a session management server system

The following procedure uses pkgadd to install software packages.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

Setting up a session management server system is a 3-part process that consists of installation, deployment to the application server or cluster, and configuration.

To install a Tivoli Access Manager package, follow these steps:
1. Log on as root.


2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 280.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. Install the IBM WebSphere Application Server. For instructions, see page 336.
6. Insert the IBM Tivoli Access Manager Shared Session Management for Solaris CD.
7. Install the Tivoli Access Manager packages:

      pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

   where:

   /cdrom/cdrom0/solaris
      Specifies the location of the package.

   /cdrom/cdrom0/solaris/pddefault
      Specifies the location of the installation administration script.

   and where packages are as follows:

   PDlic   Specifies the Access Manager License package.

   PDSMS   Specifies the Access Manager Session Management Server package.

   When the installation process is complete for each package, the following message is displayed:

      Installation of package successful.

8. If you are intending to use a DB2 database to store login history information, you must create the database as described in “Creating the login history database” on page 289.

After installing the session management server, continue with “Deploying the Session Management Server application” on page 291 and “Configuring the session management server” on page 292.

Windows: Installing a session management server system

Setting up a session management server system is a 3-part process that consists of installation, deployment to the application server or cluster, and configuration.

To install a Tivoli Access Manager session management server system on Windows 2003, follow these steps:
1. Log on as any member of the Administrators group.
2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 280.
4. Ensure that the registry server and policy server are up and running (in normal mode).
5. Install the IBM WebSphere Application Server. For instructions, see page 336.


6. Insert the IBM Tivoli Access Manager Shared Session Management for Windows CD.
7. Install the Access Manager Session Management Server package. To do so, run the setup.exe program located in the following directory:

      \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:
   • Access Manager License
   • Access Manager Session Management Server
8. If you are intending to use a DB2 database to store login history information, you must create the database as described in “Creating the login history database.”

After installing the session management server, continue with “Deploying the Session Management Server application” on page 291 and “Configuring the session management server” on page 292.

Creating the login history database

If you intend to use a DB2 database to store login history information, you must create the database before deploying the Session Management Server application. If you are not planning to use a DB2 database, continue with “Deploying the Session Management Server application” on page 291.

To create a DB2 database for login history information:
1. A user on the DB2 database server system must own the DB2 database. Create a user on the system and set up that user with a valid password. You might choose to indicate that the password never expires, if this is consistent with your organization's security policy. For example, you might call this user tamloginuser.
2. Create a new database in DB2. For example, you might call the database TAMLOGIN. Configure the database to permit TCP/IP connections on port 50000.
3. Open the DB2 Control Center and locate your database.
4. Click User and Group Objects → DB Users and then click Add New User.
5. Add the user and grant the authorities of Connect to database and Create tables. Click OK.
6. Configure WebSphere Application Server to access the database. Information on performing this task can be found in the WebSphere Application Server information center at:

      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

   Specifically, the following topics:

   Creating and configuring a JDBC provider and data source
      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tdat_tccrtprovds.html

   Vendor-specific data sources minimum required settings
      http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/topic/com.ibm.websphere.base.doc/info/aes/ae/rdat_minreq.html

7. Make the IBM DB2 JDBC driver available to WebSphere Application Server by copying the db2jcc.jar and db2jcc_license_cu.jar files from the DB2 directory tree to the lib directory of your application server.


   UNIX and Linux
      /opt/IBM/WebSphere/AppServer/lib

   Windows
      C:\Program Files\IBM\WebSphere\AppServer\lib

8. Verify that the IBM JDBC driver works in WebSphere by changing to the lib subdirectory and entering the following command:

      java -classpath db2jcc.jar com.ibm.db2.jcc.DB2Jcc -version

9. Open the WebSphere Application Server administrative console and log in, if necessary.
10. Click Environment → WebSphere Variables.
11. Set the DB2UNIVERSAL_JDBC_DRIVER_PATH variable to the directory where the db2jcc.jar file is located. Save your changes.
12. Log out of the WebSphere Application Server administrative console.
13. Restart your application servers. If using WebSphere Application Server Network Deployment, you also must restart the deployment manager and node manager.
14. Open the WebSphere Application Server administrative console and log in again.
15. Click Resources → JDBC Providers.
16. In a single server environment, select your application server node; in WebSphere Application Server Network Deployment, select your cluster.
17. Click New to create a new JDBC provider. In the Database type field, select DB2. In the Provider type field, select DB2 Universal JDBC Driver Provider. In the Implementation type field, select Connection pool data source. Click Next to continue.
18. On the JDBC Providers Summary page, click Apply to accept the default settings. Do not restart WebSphere Application Server at this time.
19. On the JDBC Providers page, select DB2 Universal JDBC Provider.
20. Click Data sources and then click New to create a new data source and specify the following information:

   Database name
      TAMLOGIN

   Driver type
      4

   Server name
      host_name_of_DB2_system

   Port number
      50000

21. Click Apply. You are returned to the previous page.
22. On the JDBC Providers page, select DB2 Universal JDBC Driver DataSource.
23. Click Related items and then click J2EE Connector Architecture (J2C) authentication data entries.
24. Click New to create a new authentication data entry and specify the following information:

   Alias
      logindbuser

   User ID
      tamloginuser


Passwordpassword_for_tamloginuser

DescriptionAccess to TAM Login History Database

25. Click Apply. You are returned to the previous page.26. Return to the DB2 Universal JDBC Driver DataSource properties and under

Component managed authentication alias, select the logindb2user alias. ClickApply.

27. Log out of the WebSphere Application Server administrative console.28. Restart your application servers. If using WebSphere Application Server

Network Deployment, you also must restart the deployment manager andnode manager.

29. Open the WebSphere Application Server administrative console and log in again.

30. Click Resources → JDBC Providers → DB2 Universal JDBC Driver Provider → Data Sources.

31. Select your data source and click Test connection. If the test is not successful, diagnose and correct the problem. Otherwise, continue with “Deploying the Session Management Server application.”
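The console steps above can also be scripted with wsadmin, which makes the TAMLOGIN data source definition repeatable across environments. The following is an added example written for this page, not code from the guide or from IBM. AdminTask.createJDBCProvider, AdminTask.createAuthDataEntry, AdminTask.createDatasource, AdminConfig.save and AdminControl.testConnection are WebSphere wsadmin commands, but the parameter string layout, the scope value Cluster=smsCluster, the JNDI name jdbc/TAMLOGIN, the environment variable names and the use of os.environ inside wsadmin's Jython are assumptions to check against the wsadmin reference for your WebSphere version. It also assumes the WebSphere variable for the DB2 Universal JDBC driver path is already set, as the console wizard would have prompted for. The database password is read from the environment rather than written into the script; outside wsadmin the script only builds the parameter strings.

```python
"""Added example (not from the guide): the DB2 data source steps scripted for
wsadmin.  Run inside wsadmin:  wsadmin.sh -lang jython -f tamlogin_ds.py
Outside wsadmin the AdminTask object does not exist, so only the parameter
strings are built; that is what the stand-alone run prints."""
import os

# Values from the procedure above.  The host name is a placeholder.
DB_NAME = "TAMLOGIN"
DRIVER_TYPE = 4                       # type 4: pure-Java network driver, needs host/port
DB_PORT = 50000
DB_HOST = os.environ.get("TAMLOGIN_DB_HOST", "host_name_of_DB2_system")
ALIAS = "logindbuser"
DB_USER = "tamloginuser"
DESCRIPTION = "Access to TAM Login History Database"

PROVIDER_NAME = "DB2 Universal JDBC Driver Provider"
DS_JNDI = "jdbc/TAMLOGIN"             # assumed JNDI name


def provider_args(scope):
    """Parameters for AdminTask.createJDBCProvider.  scope is the target, for
    example 'Cluster=smsCluster' (Network Deployment) or 'Node=n1,Server=server1'
    (single server); the exact scope syntax is an assumption to verify."""
    return ('[-scope %s -databaseType DB2 -providerType "%s" '
            '-implementationType "Connection pool data source" -name "%s"]'
            % (scope, PROVIDER_NAME, PROVIDER_NAME))


def auth_entry_args(password):
    """Parameters for AdminTask.createAuthDataEntry (the J2C alias of step 24).
    The password is never stored in this script; refuse to run without one."""
    if not password:
        raise ValueError("TAMLOGIN_DB_PASSWORD is not set")
    return ('[-alias %s -user %s -password %s -description "%s"]'
            % (ALIAS, DB_USER, password, DESCRIPTION))


def datasource_args():
    """Parameters for AdminTask.createDatasource, including the four custom
    properties of step 20 and the component-managed alias of step 26."""
    props = ('[[databaseName java.lang.String %s] '
             '[driverType java.lang.Integer %d] '
             '[serverName java.lang.String %s] '
             '[portNumber java.lang.Integer %d]]'
             % (DB_NAME, DRIVER_TYPE, DB_HOST, DB_PORT))
    return ('[-name %s -jndiName %s '
            '-dataStoreHelperClassName '
            'com.ibm.websphere.rsadapter.DB2UniversalDataStoreHelper '
            '-componentManagedAuthenticationAlias %s '
            '-configureResourceProperties %s]'
            % (DB_NAME, DS_JNDI, ALIAS, props))


def configure(scope, password):
    """Create provider, alias and data source, save, then test the connection
    (the equivalent of step 31).  Only callable inside wsadmin."""
    provider = AdminTask.createJDBCProvider(provider_args(scope))
    AdminTask.createAuthDataEntry(auth_entry_args(password))
    datasource = AdminTask.createDatasource(provider, datasource_args())
    AdminConfig.save()
    AdminControl.testConnection(datasource)
    return datasource


try:
    AdminTask                          # defined only inside wsadmin
except NameError:
    print(datasource_args())           # stand-alone: show what would be sent
else:
    configure(os.environ.get("TAMLOGIN_SCOPE", "Cluster=smsCluster"),
              os.environ.get("TAMLOGIN_DB_PASSWORD", ""))
```

Export TAMLOGIN_DB_HOST and TAMLOGIN_DB_PASSWORD before starting wsadmin; the test connection needs a running server or node agent in the chosen scope, just as the console's Test connection button does. Whether entered in the console or by script, WebSphere keeps the J2C authentication data in its configuration repository under the profile's config directory, so that directory needs the same protection as the password itself.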

Deploying the Integrated Solutions Console extension

The Integrated Solutions Console (ISC) Session Management Server extension is a Graphical User Interface (GUI) that allows you to deploy, configure and administer the Session Management Server. After installing the session management server using native installation utilities, you can deploy the ISC using the smscfg utility.

Note: The instructions in this section assume you are running the smscfg utility in interactive mode.

To deploy the ISC extension using the smscfg utility:

1. Before running smscfg, run the WebSphere setupCmdLine.bat script (Windows) or source the setupCmdLine.sh script (". ./setupCmdLine.sh"), depending on your operating system.

2. Deploy the ISC using the configuration utility:

   smscfg -action deploy

3. When prompted, specify ISC as the instance name.

See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for more detailed deployment information.

Deploying the Session Management Server application

After installing the session management server using native installation utilities, the DSess.ear file can be deployed using the smscfg utility or using the Session Management Server ISC.

Deploying using the smscfg utility

To deploy the application using the smscfg utility:

Note: The instructions in this section assume you are running the smscfg utility in interactive mode.


1. Before running smscfg, run the WebSphere setupCmdLine.bat script (Windows) or source the setupCmdLine.sh script (". ./setupCmdLine.sh"), depending on your operating system.

2. Deploy the Session Management Server application using the configuration utility:

   smscfg -action deploy

See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed deployment information.

Deploying using Session Management Server Integrated Solutions Console (ISC)

To deploy an instance of the Session Management Server application using the Session Management Server Integrated Solutions Console (ISC):

Note: In order to use the ISC to deploy the Session Management Server, you must first deploy the ISC extension. See “Deploying the Integrated Solutions Console extension” on page 291 for more information.

1. Log in to the session management server ISC as the Session Management Server administrator.

2. Select Tivoli Session Management Server > Deployment.

3. In the Application name field, enter the name of the Session Management Server application. This field is required.

4. In the Target field, enter the WebSphere Application Server cell element to deploy the Session Management Server instance to.

5. In the Virtual host field, enter the web server virtual hosts that will service the Session Management Server application instance.

6. In the Data source field, enter the data source to use with the Session Management Server application instance.

7. When you are ready to deploy, click Deploy.

See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed deployment information.

Configuring the session management server

After installing the session management server using native utilities and deploying the DSess.ear application, you can configure the session management server using the smscfg utility or the Session Management Server Integrated Solutions Console (ISC).

Configuring the session management server using the smscfg utility

To configure the session management server using the smscfg utility, do the following:

1. Run the IBM WebSphere Application Server setupCmdLine script to set up the correct execution environment for running the session management server configuration tool. The setupCmdLine command is located in the IBM WebSphere Application Server bin directory of the profile you are using.

2. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.


3. Configure the Access Manager Session Management Server package using the configuration utility:

   smscfg -action config

See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed configuration information.

This step completes the setup of a Tivoli Access Manager session management server system. After configuration of the session management server, you must configure Access Manager WebSEAL, Access Manager Plug-in for Web Servers, or both to use the session management server for managing sessions. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Configuring the session management server using the Integrated Solutions Console (ISC)

To configure the session management server using the Session Management Server Integrated Solutions Console (ISC), do the following:

1. Configure session realms:

   a. Log in to the Session Management Server ISC as the Session Management Server administrator.

   b. Select Tivoli Session Management Server > Configuration.

   c. Select the Session Management Server instance you want to configure and click Configure.

      Note: If you have just deployed or started an instance and it does not appear in the list of Session Management Server instances, click Update SMS instance list.

   d. Select Session Realms.

   e. Select whether enforcement of session limit and displacement policy is enabled.

   f. In the Session realm name field, enter the name of the session realm being configured.

   g. Select the Limit maximum session for this session realm check box to limit the maximum number of simultaneous sessions stored in this session realm. Enter the maximum number of simultaneous sessions to be stored in the Maximum sessions field.

   h. When you have entered the session realm information, click Update session realms. The session realm table is updated with the configuration values you specified.

   i. To create a replica set, select the session realm name from the Session realm name drop-down menu.

   j. Specify the name of the replica set being configured in the Replica set name field.

   k. Click Update replica sets to update the replica set table with the replica set values you specified.

2. Click Database storage. If you want the Session Management Server to store session information in a database, select the Enable the database storage check box.

3. Click TAM integration. Specify whether Tivoli Access Manager integration is enabled. To enable Tivoli Access Manager integration, select the Enable Tivoli Access Manager integration check box.


4. Click Last login recording. Specify whether recording of last login information is enabled. To enable recording of last login information, select the Enable recording of last login information check box.

5. Click TCD logging. To configure Tivoli Common Directory (TCD) logging, specify the following information:

   v Select the Enable Tivoli Common Directory logging check box to enable Tivoli Common Directory logging.

   v Specify a directory to use as the Tivoli Common Directory in the Log directory field. If a Tivoli Common Directory has already been configured on this machine, this value will not be used. The configured Tivoli Common Directory will be used instead.

6. Click Auditing. Specify whether auditing is enabled. To enable auditing, select the Enable auditing check box.

7. Click Timeouts. Specify the client idle timeout and key lifetime:

   v Enter the length of time, in seconds, after which a client is considered idle. This only applies if the client is not actively requesting updates from the Session Management Server.

   v Enter the number of days, calculated from the generation of a session signing key, after which the Session Management Server will automatically generate a new session signing key.

8. Click Summary. Review the configuration options you have selected. When you are ready to configure, click Finish.

This step completes the setup of a Tivoli Access Manager session management server system. After configuration of the session management server, you must configure Access Manager WebSEAL, Access Manager Plug-in for Web Servers, or both to use the session management server for managing sessions. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

See the IBM Tivoli Access Manager for e-business: Shared Session Management Administration Guide for detailed configuration information.
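The effect of the Session Realms and Timeouts settings above is easier to reason about with a small model in front of you. The following Python is an added illustration written for this page, not Session Management Server code; the class name SessionRealm, the ManualClock helper, the default values and the choice of HMAC-SHA256 for the session signing key are assumptions. It enforces a realm-wide maximum-sessions limit either by refusing new logins or by displacing the oldest session, expires sessions whose client has been idle longer than the client idle timeout, and generates a new signing key once the key lifetime has elapsed, keeping one previous key so tags issued just before rotation still verify.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict


class ManualClock:
    """Settable clock used by the demo below so time can be advanced by hand."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class SessionRealm:
    """Model of one session realm (assumed name; illustration, not SMS code)."""

    def __init__(self, name, max_sessions=None, displace=False,
                 idle_timeout=600, key_lifetime_days=7, clock=time.time):
        self.name = name
        self.max_sessions = max_sessions   # None: the "limit maximum sessions" box is clear
        self.displace = displace           # True: evict the oldest session; False: refuse
        self.idle_timeout = idle_timeout   # seconds, the Timeouts panel's client idle timeout
        self.key_lifetime = key_lifetime_days * 86400   # the panel's key lifetime, in days
        self.clock = clock
        self.sessions = OrderedDict()      # session id -> (user, time of last activity)
        self.keys = [(self.clock(), os.urandom(32))]   # (created, key), newest last

    def current_key(self):
        """Return the signing key, generating a new one once its lifetime has passed.
        One previous key is retained so tags issued just before rotation still verify."""
        created, key = self.keys[-1]
        if self.clock() - created >= self.key_lifetime:
            key = os.urandom(32)
            self.keys = self.keys[-1:] + [(self.clock(), key)]
        return key

    def sign(self, session_id):
        return hmac.new(self.current_key(), session_id.encode(),
                        hashlib.sha256).hexdigest()

    def verify(self, session_id, tag):
        self.current_key()                 # rotate first if the key has expired
        for _, key in self.keys:           # current key, then the retained previous one
            expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag):
                return True
        return False

    def expire_idle(self):
        """Drop sessions whose client has not checked in within idle_timeout.
        Returns the number of sessions still stored."""
        now = self.clock()
        for sid, (_, last_seen) in list(self.sessions.items()):
            if now - last_seen > self.idle_timeout:
                del self.sessions[sid]
        return len(self.sessions)

    def touch(self, session_id):
        """Record client activity; resets the idle timer for that session."""
        user, _ = self.sessions[session_id]
        self.sessions[session_id] = (user, self.clock())

    def login(self, user):
        """Create a session, enforcing the realm's maximum-sessions policy.
        Returns (session_id, tag), or None when the limit is reached and
        displacement is disabled."""
        self.expire_idle()
        if self.max_sessions is not None and len(self.sessions) >= self.max_sessions:
            if not self.displace:
                return None
            self.sessions.popitem(last=False)   # displace the oldest session
        sid = os.urandom(16).hex()
        self.sessions[sid] = (user, self.clock())
        return sid, self.sign(sid)


def demo():
    """Walk through both policies with a hand-advanced clock."""
    clock = ManualClock()
    realm = SessionRealm("employees", max_sessions=2, displace=True,
                         idle_timeout=600, key_lifetime_days=7, clock=clock)
    first = realm.login("alice")
    realm.login("bob")
    third_sid, third_tag = realm.login("carol")        # displaces alice
    displaced = first[0] not in realm.sessions
    clock.now = 8 * 86400                              # key lifetime exceeded once
    still_valid = realm.verify(third_sid, third_tag)   # previous key retained
    clock.now = 16 * 86400                             # exceeded twice: old key gone
    now_rejected = not realm.verify(third_sid, third_tag)
    return displaced, still_valid, now_rejected, realm.expire_idle()


if __name__ == "__main__":
    print(demo())   # (True, True, True, 0)
```

The displacement branch is the one to think about when sizing the limit: in this model, once the realm is full every successful new login evicts the oldest stored session, so a limit set below the realm's real concurrency turns ordinary logins into a way of pushing legitimate users out. Where the expected concurrency is not known, the refusing policy fails closed and is the safer starting point.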


Chapter 17. Setting up the session management command line

This chapter provides information about installing and configuring a Tivoli Access Manager session management command line system.

To configure the session management command line system, use the pdsmsclicfg utility. If you wish to administer the session management server using the pdadmin utility, run the pdsmsclicfg command from the system hosting the authorization server. The pdsmsclicfg utility writes to the host authorization server configuration file, ivacld.conf.

You can set up a session management command line system using one of the following installation methods:

v “Installing using the installation wizard” on page 296
v “Installing using native utilities” on page 298

Preinstallation requirements

Before you install and configure the Tivoli Access Manager session management command line interface, you must perform the following preinstallation tasks (as required).

v During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, YaST-based installation does not install the Korn shell at /bin/ksh. Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

v The configuration requires the name and port number of the Web server that is used to access the WebSphere Application Server that hosts the session management server.

v Determine whether you want to enable Secure Sockets Layer (SSL) for session management command line interface communications. You can enable SSL between the session management server and the Tivoli Access Manager authorization server so that all pdadmin command communications are secure.

v If you plan to use the Tivoli Access Manager sec_master user (or other users and groups defined in the secAuthority=Default suffix) to administer SMS using the session management command line, then you must unconfigure the base DN in the LDAP user registry used by WebSphere Application Server. Information on modifying the base DN for the WebSphere Application Server user registry can be found in the WebSphere Application Server information center at:

http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp

Specifically, the Configuring Lightweight Directory Access Protocol user registries topic:

© Copyright IBM Corp. 2001, 2010 295


http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_ldap.html

Installing using the installation wizard

The install_amsmscli installation wizard simplifies the setup of a Tivoli Access Manager session management command line system by installing and configuring the following components in the appropriate order:

v IBM Global Security Kit (GSKit)
v IBM Tivoli Directory Server client base and 32-bit (depending on the registry used)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime (this package is installed only if Tivoli Access Manager integration is selected)
v Tivoli Access Manager Authorization Server (this package is installed only if Tivoli Access Manager integration is selected)
v Tivoli Access Manager Session Management Command Line

Note: The wizard detects if a component is installed and does not attempt to reinstall it.

Attention:

v If you are installing on a Red Hat Enterprise Linux 5 operating system and Security-Enhanced Linux (SELinux) is enabled, you must disable it before installing using the installation wizard. Once you have completed installation and configuration, you can re-enable SELinux and continue to use it. If you do not want to disable SELinux, install using native utilities.

v If your system hangs after issuing the wizard command or if a Java error message occurs after issuing the wizard command, ensure that Java is correctly installed.

To install and configure a session management command line system using the install_amsmscli wizard, follow these steps:

1. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

2. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 295.

3. Ensure that the registry server and policy server are up and running (in normal mode).

4. Ensure that IBM Java Runtime 1.5.0 SR5 provided with Tivoli Access Manager is installed and can be located using the PATH environment variable before running the installation wizard. For instructions, see page 318.

5. To view status and messages in a language other than English, which is the default, install a language support package before running an installation wizard. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

6. On Windows systems only, exit from all running programs.


7. Run the install_amsmscli program, located in the root directory on the IBM Tivoli Access Manager Shared Session Management CD for the supported AIX, HP-UX, Solaris, Linux on x86, Linux on System z, and Windows 2003 platforms. The install_amsmscli program is not available on HP-UX on Integrity or Solaris on x86_64.

   The installation wizard begins by prompting you for configuration information as described on page 420. Supply the required configuration information, or accept default values.

8. Compare the disk space that is required to install all of the Tivoli Access Manager session management command line system components and prerequisites with the disk space that is available. If there is sufficient space, continue the installation.

   After reviewing the summary and accepting your installation selections and configuration choices, the components are installed and configured without further intervention.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Installing using native utilities

The following sections enable you to install Tivoli Access Manager software using a familiar platform-specific utility. Unlike automated installation wizards, you must manually install each component and any prerequisite software in the appropriate order.

Complete the instructions that apply to your operating system:

v AIX on page 298
v HP-UX on page 299
v Linux on page 301
v Solaris on page 302
v Windows on page 304

Note: The Tivoli Access Manager Runtime (PD.RTE) and Tivoli Access Manager Authorization Server (PD.Acld) packages are required only if you want to administer using the pdadmin utility.

AIX: Installing the session management command line

The following procedure uses installp to install software packages and the pdsmsclicfg utility to configure them.

To install the Tivoli Access Manager session management command line system, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 295.

4. Ensure that the registry server and policy server are up and running (in normal mode).

5. Insert the IBM Tivoli Access Manager Shared Session Management for AIX CD and mount it.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.

7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 327.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.

9. Install the following Tivoli Access Manager packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   PD.lic       Specifies the Access Manager License package.

   PD.RTE       Specifies the Access Manager Runtime package.

   PD.Acld      Specifies the Access Manager Authorization Server package.


   PD.SMSCLI    Specifies the Access Manager Session Management Command Line package.

10. Unmount the CD.

11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:

    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.

    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

    c. Select the menu number of the package that you want to configure, one at a time. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

13. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:

    pdsmsclicfg -action config

    For assistance with additional configuration options, see “pdsmsclicfg” on page 586.

14. You must manually start the authorization server that is hosting the session management command line after configuration.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing the session management command line

The following procedure uses swinstall to install software packages and the pdsmsclicfg utility to configure them.

To install Tivoli Access Manager on HP-UX, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 295.

4. Ensure that the registry server and policy server are up and running (in normal mode).

5. Insert the IBM Tivoli Access Manager Shared Session Management for HP-UX CD.

6. Mount the CD using the HP-UX mount command. For example, enter the following:


   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

7. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 312.

8. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 328.

9. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 323.

10. Install the Tivoli Access Manager packages:

    swinstall -s /cd-rom/hp packages

    where /cd-rom/hp is the directory and packages are as follows:

    PDlic        Specifies the Access Manager License package.

    PDRTE        Specifies the Access Manager Runtime package.

    PDAcld       Specifies the Access Manager Authorization Server package.

    PDSMSCLI     Specifies the Access Manager Session Management Command Line package.

11. Unmount the CD as follows:

    umount /cd-rom

    where /cd-rom is the mount point.

12. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

13. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:

    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.

    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. Select the menu number of the package that you want to configure. When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

14. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:

    pdsmsclicfg -action config

    For assistance with additional configuration options, see “pdsmsclicfg” on page 586.

15. You must manually start the authorization server that is hosting the session management command line after configuration.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Linux: Installing the session management command line

The following procedure uses rpm to install software packages and the pdsmsclicfg utility to configure them.

To install Tivoli Access Manager packages on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Shared Session Management for Linux on System z CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 295.

4. Ensure that the registry server and policy server are up and running (in normal mode).

5. Insert the IBM Tivoli Access Manager Shared Session Management for Linux on x86 CD or the IBM Tivoli Access Manager Shared Session Management for Linux on System z CD and mount it.

6. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86 or linux_s390 for System z.

7. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 313.

8. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 329.

9. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 324.

10. Install the Tivoli Access Manager packages:

    rpm -ihv packages

    where packages are as follows:

    Package                                          Linux on x86                    Linux on System z
    Access Manager License                           PDlic-PD-6.1.1.0-0.i386.rpm     PDlic-PD-6.1.1.0-0.s390.rpm
    Access Manager Runtime                           PDRTE-PD-6.1.1.0-0.i386.rpm     PDRTE-PD-6.1.1.0-0.s390.rpm
    Access Manager Authorization Server              PDAcld-PD-6.1.1.0-0.i386.rpm    PDAcld-PD-6.1.1.0-0.s390.rpm
    Access Manager Session Management Command Line   PDSMS-CLI-6.1.1.0-0.i386.rpm    PDSMS-CLI-6.1.1.0-0.s390.rpm

11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.


12. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:

    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.

    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed. Select the menu number of the package that you want to configure. When a message is displayed that indicates the package has been successfully configured, select the x option twice to close the configuration utility.

13. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:

    pdsmsclicfg -action config

    For assistance with additional configuration options, see “pdsmsclicfg” on page 586.

14. Manually start the authorization server that is hosting the session management command line after configuration.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Solaris: Installing the session management command line

The following procedure uses pkgadd to install software packages and the pdsmsclicfg utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install a Tivoli Access Manager package, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 295.

4. Ensure that the registry server and policy server are up and running (in normal mode).

5. Install the Tivoli Access Manager authorization server and the Tivoli Security Utilities.

6. Insert the IBM Tivoli Access Manager Shared Session Management for Solaris CD.

7. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 314.


8. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 330.

9. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 325.

10. Install the Tivoli Access Manager packages:

    pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages

    where:

    /cdrom/cdrom0/solaris
        Specifies the location of the package.

    /cdrom/cdrom0/solaris/pddefault
        Specifies the location of the installation administration script.

    and where packages are as follows:

    PDlic        Specifies the Access Manager License package.

    PDRTE        Specifies the Access Manager Runtime package.

    PDAcld       Specifies the Access Manager Authorization Server package.

    PDSMSCLI     Specifies the Access Manager Session Management Command Line package.

    When the installation process is complete for each package, the following message is displayed:

    Installation of package successful.

11. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

12. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:

    a. Start the configuration utility:

       pdconfig

       The Tivoli Access Manager Setup Menu is displayed.

    b. Type menu number 1 for Configure Package. The Tivoli Access Manager Configuration Menu is displayed.

    c. Select the menu number of the package that you want to configure. When a message is displayed that indicates the package has been successfully configured, press Enter to configure another package or select the x option twice to close the configuration utility.

13. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:

    pdsmsclicfg -action config

    For assistance with additional configuration options, see “pdsmsclicfg” on page 586.

14. You must manually start the authorization server that is hosting the session management command line after configuration.

This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Windows: Installing the session management command line

The following procedure uses the setup.exe program to install software packages and the pdsmsclicfg utility to configure them.

To install a Tivoli Access Manager session management command line system on Windows 2003, follow these steps:

1. Log on as a user with administrator privileges.

2. Ensure that all necessary operating system patches are installed. Also, ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations. See the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Perform the preinstallation tasks as listed in “Preinstallation requirements” on page 295.

4. Ensure that the registry server and policy server are up and running (in normal mode).

5. Insert the IBM Tivoli Access Manager Shared Session Management for Windows CD.

6. Install IBM Global Security Kit (GSKit), if not already installed. For instructions, see page 315.

7. If using an LDAP-based user registry, install the IBM Tivoli Directory Server client, if not already installed. For instructions, see page 331.

8. Install the IBM Tivoli Security Utilities, if not already installed. For instructions, see page 326.

9. Install the Tivoli Access Manager packages. To do so, run the setup.exe program located in the following directory:

   \windows\PolicyDirector\Disk Images\Disk1

   Follow the online instructions and select to install the following packages:

   v Access Manager License
   v Access Manager Runtime
   v Access Manager Authorization Server
   v Access Manager Session Management Command Line

10. To view status and messages in a language other than English, which is the default, install your language support package before configuring packages. For instructions, see “Installing language support packages for Tivoli Access Manager” on page 37.

11. Configure the Access Manager Runtime and Access Manager Authorization Server packages as follows:

    a. Start the configuration utility:

       pdconfig

       The Access Manager Configuration window is displayed.

    b. Select the Access Manager Runtime and Access Manager Authorization Server packages and click Configure. You are prompted for configuration options.

12. Configure the Access Manager Session Management Command Line package by running the pdsmsclicfg utility:

    pdsmsclicfg -action config

    For assistance with additional configuration options, see “pdsmsclicfg” on page 586.


This step completes the setup of a Tivoli Access Manager session management command line system. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Part 5. Reference information

Chapter 18. Installing prerequisite products . . . 311
Installing the IBM Global Security Kit (GSKit) . . . 311
    AIX: Installing the IBM Global Security Kit (GSKit) . . . 312
    HP-UX: Installing the IBM Global Security Kit (GSKit) . . . 312
    Linux: Installing the IBM Global Security Kit (GSKit) . . . 313
    Solaris: Installing the IBM Global Security Kit (GSKit) . . . 314
    Windows: Installing the IBM Global Security Kit (GSKit) . . . 315
    Setting up the GSKit iKeyman utility . . . 315
Installing IBM Java Runtime . . . 318
    AIX: Installing IBM Java Runtime . . . 318
    HP-UX: Installing IBM Java Runtime . . . 319
    Linux: Installing IBM Java Runtime . . . 320
    Solaris: Installing IBM Java Runtime . . . 321
    Windows: Installing IBM Java Runtime . . . 321
Installing the IBM Tivoli Security Utilities . . . 323
    AIX: Installing the IBM Tivoli Security Utilities . . . 323
    HP-UX: Installing IBM Tivoli Security Utilities . . . 323
    Linux: Installing IBM Tivoli Security Utilities . . . 324
    Solaris: Installing IBM Tivoli Security Utilities . . . 325
    Windows: Installing IBM Tivoli Security Utilities . . . 326
Installing the IBM Tivoli Directory Server client . . . 327
    AIX: Installing the IBM Tivoli Directory Server client . . . 327
    HP-UX: Installing the IBM Tivoli Directory Server client . . . 328
    Linux: Installing the IBM Tivoli Directory Server client . . . 329
    Solaris: Installing the IBM Tivoli Directory Server client . . . 330
    Windows: Installing the IBM Tivoli Directory Server client . . . 331
Installing IBM WebSphere Application Server . . . 333
    AIX: Installing WebSphere Application Server . . . 333
    HP-UX: Installing WebSphere Application Server . . . 334
    Linux: Installing WebSphere Application Server . . . 335
    Solaris: Installing WebSphere Application Server . . . 336
    Windows: Installing WebSphere Application Server . . . 336
Installing the Web Administration Tool . . . 338
    AIX: Installing the Web Administration Tool . . . 338
    HP-UX: Installing the Web Administration Tool . . . 339
    Linux: Installing the Web Administration Tool . . . 340
    Solaris: Installing the Web Administration Tool . . . 341
    Windows: Installing the Web Administration Tool . . . 342
    Installing the Web Administration Tool into WebSphere . . . 344

Chapter 19. Uninstalling components . . . 347
Unconfiguring Tivoli Access Manager components . . . 348
Unconfiguring IBM Tivoli Directory Server . . . 349
    Unconfiguring the database . . . 349
        Using the Configuration Tool . . . 349
        Using the command line . . . 349
    Deleting a directory server instance . . . 350
        Using the Instance Administration Tool . . . 350
        Using the command line . . . 350
Removing packages . . . 351
    AIX: Removing packages . . . 351
        Removing DB2 . . . 352
        Removing WebSphere Application Server . . . 352
        Removing IBM HTTP Server . . . 352
        Removing plug-in for Web servers . . . 353
    HP-UX: Removing packages . . . 353
        Removing DB2 . . . 354
        Removing WebSphere Application Server . . . 354
        Removing IBM HTTP Server . . . 354
        Removing plug-in for Web servers . . . 354
    Linux: Removing packages . . . 354
        Removing DB2 . . . 355
        Removing WebSphere Application Server . . . 356
        Removing IBM HTTP Server . . . 356
        Removing plug-in for Web servers . . . 356
    Solaris: Removing packages . . . 356
        Removing DB2 . . . 357
        Removing WebSphere Application Server . . . 357
        Removing IBM HTTP Server . . . 357
        Removing plug-in for Web servers . . . 357
    Windows: Removing packages . . . 357
        Removing WebSphere Application Server . . . 358
        Removing IBM HTTP Server . . . 358
        Removing plug-in for Web servers . . . 358

Chapter 20. Installation wizard scenarios . . . 359
Installing the IBM Tivoli Directory Server (install_ldap_server wizard) . . . 360
    Pre-installation requirements . . . 360
    install_ldap_server scenario . . . 361
Installing the policy server (install_ammgr wizard) . . . 369

Chapter 21. Installation wizard options . . . 377
Access Manager Runtime (LDAP) . . . 378
Access Manager Runtime (Active Directory) . . . 382
Access Manager Runtime (Domino) . . . 389
install_amacld . . . 392
install_amadk . . . 396
install_amjrte . . . 397
install_ammgr . . . 399
install_amproxy . . . 404
install_amrte . . . 408
install_amsms . . . 409
install_amsmscli . . . 420
install_amweb . . . 424
install_amwebadk . . . 430
install_amwebars . . . 434
install_amwpi . . . 435


install_amwpm . . . 439
install_ldap_server . . . 442

Chapter 22. pdconfig options . . . 447
Access Manager Runtime — LDAP . . . 448
Access Manager Runtime — Active Directory . . . 451
Access Manager Runtime — Domino . . . 455
Access Manager Attribute Retrieval Service . . . 457
Access Manager Authorization Server . . . 458
Access Manager Runtime for Java . . . 459
Access Manager Plug-in for Edge Server . . . 461
Access Manager Plug-in for Web Servers on UNIX . . . 462
Access Manager Plug-in for Web Servers on Windows . . . 464
Access Manager Policy Server . . . 465
Access Manager Policy Proxy Server . . . 467
Access Manager Web Portal Manager . . . 468
Access Manager WebSEAL . . . 471

Chapter 23. Enabling Secure Sockets Layer (SSL) security . . . 473
Configuring IBM Tivoli Directory Server for SSL access . . . 474
    Creating the key database file . . . 474
    Requesting or creating a personal certificate . . . 475
    Using certificates from a Certificate Authority (CA) . . . 475
        Requesting a personal certificate from a Certificate Authority (CA) . . . 476
        Receiving a personal certificate from a Certificate Authority (CA) . . . 476
        Adding the signer certificate for the Certificate Authority (CA) . . . 477
    Using self-signed certificates . . . 477
        Creating a self-signed certificate . . . 478
        Extracting the certificate . . . 478
    Configuring a key database file for Tivoli Directory Server . . . 479
        Using the Web Administration Tool: . . . 479
        Using the command line: . . . 479
    Enabling SSL for Tivoli Directory Server . . . 480
        Using the Web Administration Tool: . . . 480
        Using the command line: . . . 481
    Verifying that SSL has been enabled on the server . . . 482
    Enabling FIPS . . . 483
Configuring IBM z/OS LDAP servers for SSL access . . . 485
    Setting the security options . . . 485
    Creating a key database file . . . 486
Configuring Microsoft Active Directory for SSL access . . . 488
    Verifying that SSL is enabled on the Active Directory server . . . 488
    Exporting the certificate from the Active Directory server . . . 488
    Importing the certificate on the LDAP client system . . . 489
    Testing SSL access . . . 489
Configuring Active Directory Application Mode (ADAM) for SSL access . . . 491
    Setting up Active Directory Application Mode (ADAM) to use SSL (Example) . . . 491
        Configuring Access Manager SSL for use with Active Directory Application Mode (ADAM) . . . 493
        Disabling SSL for Active Directory Application Mode (ADAM) . . . 494
Configuring Novell eDirectory server for SSL access . . . 495
    Creating an organizational certificate authority object . . . 495
    Creating a self-signed certificate . . . 496
    Creating a server certificate for the LDAP server . . . 496
    Enabling SSL . . . 497
    Adding the self-signed CA certificate to the IBM key file . . . 497
Configuring Sun Java System Directory Server for SSL access . . . 498
    Obtaining a server certificate . . . 498
    Installing the server certificate . . . 499
    Enabling SSL access . . . 499
Configuring the Tivoli Directory Server client for SSL access . . . 501
    Creating the key database file . . . 501
    Adding the signer certificate to the client key database file . . . 502
    Configuring the client for SSL communications . . . 503
    Testing SSL access from the client . . . 503
Configuring SSL for server and client authentication . . . 504
    Creating the key database file on the client . . . 504
    Requesting or creating a personal certificate on the client . . . 505
    Using certificates from a Certificate Authority (CA) on the client . . . 505
        Requesting a personal certificate from a Certificate Authority (CA) . . . 505
        Receiving a personal certificate from a Certificate Authority (CA) . . . 506
        Adding the signer certificate for the Certificate Authority (CA) . . . 506
    Using self-signed certificates on the client . . . 507
        Creating a self-signed certificate . . . 507
        Extracting the certificate . . . 508
    Adding the signer certificate to the server key database file . . . 508
    Testing SSL access when using server and client authentication . . . 509

Chapter 24. AIX: Setting up a standby policy server . . . 511
Preinstallation requirements . . . 512
HACMP environment scenario . . . 513
    Example HACMP configuration . . . 515
        Part 1: Overall HACMP cluster topology . . . 516
        Part 2: Cluster resources within HACMP topology . . . 518
        Part 3: Application server definition within HACMP topology . . . 522
Creating a standby policy server environment . . . 523


    Script: Setting UIDs for both the primary and standby systems . . . 527
    Script: Linking files and directories on the primary system . . . 529
    Example: Verifying the primary server directories, soft links, and permissions . . . 530
    Script: Linking from the AIX system files to the shared directory on the standby system . . . 532
    Example: Verifying standby server directories, soft links and permissions . . . 533

Chapter 25. Setting up a Tivoli Directory Server proxy environment . . . 535
Configuring the Tivoli Directory Server proxy . . . 535
    Type of configuration information . . . 536
    Synchronizing server instances . . . 537
    Creating server instances . . . 537
    Global administration group . . . 537
        Creating a user entry for membership in the global administrators group . . . 538
        Adding user entries to the global administration group . . . 538
    Configuring the Tivoli Directory Server proxy server . . . 538
    Adding back-end servers to the proxy server . . . 539
    Partitioning to back-end servers . . . 540
        Synchronizing global policies . . . 540
        Dividing the data into partitions . . . 541
        Assigning partition index values to the servers . . . 541
        Instantiating the suffix object . . . 541
    Setting up a proxy environment for Tivoli Access Manager . . . 542
        Adding the Tivoli Access Manager suffix to the proxy . . . 542
Configuring Tivoli Access Manager to use the proxy . . . 543
    Redirecting the policy server to the proxy . . . 544
    Setting access controls for the proxy . . . 545
Unconfiguring Tivoli Access Manager from the proxy . . . 545

Chapter 26. Tivoli Access Manager utilities . . . 547
amauditcfg . . . 548
amwebcfg . . . 552
amwpmcfg . . . 557
bassslcfg . . . 561
install_component . . . 564
ivrgy_tool . . . 569
mgrsslcfg . . . 572
pdbackup . . . 574
pdconfig . . . 578
pdjrtecfg . . . 579
pdproxycfg . . . 583
pdsmsclicfg . . . 586
pdversion . . . 589
pdwpicfg . . . 591
smscfg . . . 594
svrsslcfg . . . 601

Chapter 27. Using response files . . . 607
Prerequisite systems . . . 607
Base systems . . . 607
Web security systems . . . 608
Session management systems . . . 609
Response file template . . . 609

Chapter 28. Using software package definition files . . . 621

Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories . . . 629
Tivoli Access Manager registry adapter installation . . . 629
Configuring the Tivoli Access Manager registry adapter . . . 629
    Configuring a Tivoli Access Manager adapter . . . 629
    Configuring the adapter as a WebSphere custom registry . . . 631
Troubleshooting WebSphere login failure . . . 632
Tivoli Access Manager registry adapter limitations . . . 633


Chapter 18. Installing prerequisite products

Refer to the following information as instructed during installation of Tivoli Access Manager base and Web security systems in Part 2, “Base system installation,” on page 51 and Part 3, “Web security system installation,” on page 217 of this guide.

This chapter contains the following sections:
• “Installing the IBM Global Security Kit (GSKit)”
• “Installing IBM Java Runtime” on page 318
• “Installing the IBM Tivoli Security Utilities” on page 323
• “Installing the IBM Tivoli Directory Server client” on page 327
• “Installing IBM WebSphere Application Server” on page 333
• “Installing the Web Administration Tool” on page 338

Note: During Tivoli Access Manager configuration on Linux operating systems, scripts may fail to run, stating that /bin/ksh was not found. On certain versions of SUSE Linux Enterprise Server, Yast-based installation does not install the Korn shell at /bin/ksh.

Install the pdksh rpm that matches the hardware on which you are installing Tivoli Access Manager. The appropriate rpm can be found on either the SUSE Linux Enterprise Server installation media, or downloaded from the SUSE Linux Enterprise Server or Novell support web sites.

Installing the IBM Global Security Kit (GSKit)

IBM Global Security Kit (GSKit) provides Secure Sockets Layer (SSL) data encryption between Tivoli Access Manager systems and supported registry servers. The GSKit package also installs the iKeyman key management utility (gsk7ikm), which you can use to create key databases, public-private key pairs, and certificate requests.

Complete the instructions that apply to your operating system:
• AIX on page 312
• HP-UX on page 312
• Linux on page 313
• Solaris on page 314
• Windows on page 315

For instructions on how to set up the GSKit iKeyman utility, see “Setting up the GSKit iKeyman utility” on page 315.

You can insert any of the IBM Tivoli Access Manager CDs where GSKit is required as a prerequisite for the installation wizard. Refer to information in “Components and prerequisites provided with Tivoli Access Manager systems” on page 15 for a list of components that require GSKit as a prerequisite.


AIX: Installing the IBM Global Security Kit (GSKit)

To install IBM Global Security Kit (GSKit) on AIX, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides GSKit for AIX and mount it.
4. Enter the following command to install the 32-bit runtime package:
   installp -acgYXd cd_mount_point/usr/sys/inst.images gskta.rte
   where cd_mount_point is the directory where the CD is mounted.
   Note: If you are installing GSKit on an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. To install the 64-bit package, enter the following command:
   installp -acgYXd cd_mount_point/usr/sys/inst.images gsksa.rte

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in “Setting up the GSKit iKeyman utility” on page 315. For more information, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

HP-UX: Installing the IBM Global Security Kit (GSKit)

To install IBM Global Security Kit (GSKit) on HP-UX or HP-UX on Integrity, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides GSKit for HP-UX or HP-UX on Integrity.
4. Mount the CD using the HP-UX mount command. For example, enter the following:
   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom
   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.
5. Install IBM Global Security Kit (GSKit) for your platform.
   Attention: If you are installing GSKit for an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. Only the 64-bit package is provided on the IBM Tivoli Access Manager for e-business IBM Tivoli Access Manager Directory Server (2 of 2) CD.
   • HP-UX 32-bit
     swinstall -s /cd_mount_point/hp gsk7bas
   • HP-UX 64-bit
     swinstall -s /cd_mount_point/hp gsk7bas64


     and
     swinstall -s /cd_mount_point/hp gsk7bas
   • HP-UX on Integrity 32-bit
     swinstall -s /cd_mount_point/hp_ia64 gsk7bas32
   • HP-UX on Integrity 64-bit
     swinstall -s /cd_mount_point/hp_ia64 gsk7bas64
     and
     swinstall -s /cd_mount_point/hp_ia64 gsk7bas32
6. Unmount the CD as follows:
   umount /cd-rom
   where /cd-rom is the mount point.

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in “Setting up the GSKit iKeyman utility” on page 315. For more information, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

Linux: Installing the IBM Global Security Kit (GSKit)

To install IBM Global Security Kit (GSKit) on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files from an IBM Tivoli Access Manager CD for Linux on System z. The rpm files are located in the /CD_mount_point/linux_s390 directory of the CD.

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides GSKit for Linux on x86, Linux on System z, or Linux on POWER and mount it.
4. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.
5. Install the IBM Global Security Kit (GSKit) package for your platform.
   Attention: If you are installing GSKit for an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. Only the 64-bit package is provided on the IBM Tivoli Access Manager for e-business IBM Tivoli Access Manager Directory Server (2 of 2) CD.
   • Linux on x86
     rpm -ihv gsk7bas-7.0-4.11.i386.rpm
   • Linux on System z, 32-bit
     rpm -ihv gsk7bas-7.0-4.11.s390.rpm
   • Linux on System z, 64-bit
     rpm -ihv gsk7bas64-7.0-4.11.s390x.rpm
     and


     rpm -ihv gsk7bas-7.0-4.11.s390.rpm
   • Linux on POWER, 32-bit
     rpm -ihv gsk7bas-7.0-4.11.ppc32.rpm
   • Linux on POWER, 64-bit
     rpm -ihv gsk7bas64-7.0-4.11.ppc64.rpm
     and
     rpm -ihv gsk7bas-7.0-4.11.ppc32.rpm

To set up the key management utility installed with GSKit, see instructions in “Setting up the GSKit iKeyman utility” on page 315. For more information, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

Solaris: Installing the IBM Global Security Kit (GSKit)

The following procedure uses pkgadd to install the software package.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that the package is added in the current zone only.

To install IBM Global Security Kit (GSKit) on Solaris, follow these steps:

1. Log on as root.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides GSKit for Solaris or Solaris x86_64 and mount it.
4. Install IBM Global Security Kit (GSKit). Specify the package for your environment:
   Attention: If you are installing GSKit for an IBM Tivoli Directory Server system, both the 32-bit and 64-bit runtime packages are required. Only the 64-bit package is provided on the IBM Tivoli Access Manager for e-business IBM Tivoli Access Manager Directory Server (2 of 2) CD.
   • Solaris 32-bit
     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas
   • Solaris 64-bit
     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas64
     and
     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault gsk7bas
   • Solaris on x86_64 32-bit
     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas
   • Solaris on x86_64 64-bit


     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas64
     and
     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault gsk7bas

To set up the key management utility installed with GSKit, see instructions in “Setting up the GSKit iKeyman utility.” For more information, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
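The Attention notes in the HP-UX, Linux and Solaris procedures above all turn on the same condition: a Tivoli Directory Server system (or a 64-bit system) needs both the 32-bit and the 64-bit GSKit runtime, and the Directory Server CD ships only the 64-bit package. The following script is an added example and is not part of the Installation Guide or of GSKit; it checks a package inventory against the package names the procedures use. The package names are taken from this chapter; the `rpm -qa` excerpt is constructed, and the platform keys, function names and the `rpm_names` parsing rule (NAME-VERSION-RELEASE) are the example's own assumptions.

```python
"""Added example (not from the guide): check an installed-package inventory against the
GSKit runtime packages named in this chapter. The rpm -qa sample is constructed and the
helper names are assumptions."""
import re

# (32-bit package names, 64-bit package names) per platform, as named in the chapter.
GSKIT_PACKAGES = {
    "aix":     (("gskta.rte",), ("gsksa.rte",)),
    "hpux":    (("gsk7bas", "gsk7bas32"), ("gsk7bas64",)),
    "linux":   (("gsk7bas",), ("gsk7bas64",)),
    "solaris": (("gsk7bas",), ("gsk7bas64",)),
}


def rpm_names(rpm_qa_output):
    """Reduce 'rpm -qa' lines (NAME-VERSION-RELEASE) to bare package names."""
    names = set()
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(.+)-[^-]+-[^-]+$", line)   # the name itself may contain '-'
        names.add(m.group(1) if m else line)
    return names


def gskit_status(platform, installed, directory_server=False, bits64=False):
    """Report which GSKit runtimes are present and which the chapter still requires.

    The 32-bit runtime is always required; the 64-bit runtime is required in addition
    on 64-bit systems and on Tivoli Directory Server systems."""
    pkgs32, pkgs64 = GSKIT_PACKAGES[platform]
    have32 = any(p in installed for p in pkgs32)
    have64 = any(p in installed for p in pkgs64)
    missing = []
    if not have32:
        missing.append(pkgs32[0])
    if (directory_server or bits64) and not have64:
        missing.append(pkgs64[0])
    return {"have32": have32, "have64": have64, "missing": missing}


# Constructed 'rpm -qa' excerpt: only the 32-bit GSKit runtime is present.
SAMPLE_RPM_QA = """\
bash-3.2-21
gsk7bas-7.0-4.11
pdksh-5.2.14-780
"""

if __name__ == "__main__":
    inventory = rpm_names(SAMPLE_RPM_QA)
    print(gskit_status("linux", inventory, directory_server=True))
```

On a real system the inventory comes from `rpm -qa` (Linux) or the equivalent listing tool on AIX, HP-UX or Solaris; the check is deliberately driven by a set of names so the same function serves every platform in the chapter.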

Windows: Installing the IBM Global Security Kit (GSKit)

To install IBM Global Security Kit (GSKit) on Windows 2003, Windows XP, or Windows Vista, follow these steps:

1. Log on as any member of the Administrators group.
2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.
3. Insert an IBM Tivoli Access Manager CD that provides GSKit for Windows, and change to the \windows\GSKit directory on the drive where the CD is located.
4. To install the IBM Global Security Kit (GSKit), enter the following command:
   setup PolicyDirector
5. Click Next. The Choose Destination Location window is displayed.
6. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.
7. Click Next to install GSKit. The Setup Complete window is displayed.
8. Click Finish to exit the installation program.

After you install GSKit, no configuration is necessary.

To set up the key management utility installed with GSKit, see instructions in “Setting up the GSKit iKeyman utility.” For more information, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473 or the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.

Setting up the GSKit iKeyman utility

The creation and handling of X.509 certificates and keys is performed using the IBM Global Security Kit (GSKit) key management utility, gsk7ikm, also referred to as iKeyman.

To enhance the security of your system when running the iKeyman utility, set up GSKit to support Certificate Management System (CMS) key database files before you run the iKeyman utility.

Note: Do not configure iKeyman for any JRE that also is configured with Access Manager Runtime for Java. Configuration of iKeyman requires changes to the java.security file associated with the Java Runtime Environment (JRE). These changes are not compatible with the requirements of the Access Manager Runtime for Java.

To enable support for CMS key database files in GSKit, follow these steps:

1. Ensure that the following components are installed on your system:
   • IBM Global Security Kit (GSKit) (For instructions, see “Installing the IBM Global Security Kit (GSKit)” on page 311.)
   • Java Runtime Environment (JRE) (For instructions, see “Installing IBM Java Runtime” on page 318.)
2. Ensure that the JAVA_HOME environment variable points to the directory where the IBM Java Runtime is installed. iKeyman uses the JAVA_HOME environment variable to find the location of the JRE that it is required to use when run. This variable must be set to point to the JRE installation directory. The examples below demonstrate how this may be done. Replace the example location with the install location of your JRE.
   Windows example:
   set JAVA_HOME=c:\Program Files\IBM\Java15
   UNIX example:
   export JAVA_HOME=/usr/opt/IBMJava2-15
3. Download the unrestricted JCE policy files for your operating system. Note that Tivoli Access Manager Runtime for Java 1.5 uses 1.4 policy files. Download the unrestricted JCE policy files from the specified Web site:
   AIX, Linux, and Windows systems
     https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk
     After authenticating, download the Unrestricted JCE Policy files for SDK 1.4.2 – Version 1.4.2 archive file.
   HP-UX and Solaris systems
     http://java.sun.com/j2se/1.4.2/download.html#docs
     In the Other Downloads section, download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2 archive file.
4. Remove gskikm.jar from $JAVA_HOME/jre/lib/ext
5. Copy local_policy.jar to $JAVA_HOME/jre/lib/security
6. Copy US_export_policy.jar to $JAVA_HOME/jre/lib/security
7. Using a text editor, open $JAVA_HOME/jre/lib/security/java.security and add the IBM CMS security provider and the IBM JCE FIPS security provider.
   Note: The order in which you specify the security providers is important. The security providers are processed in numeric order. The first security provider that supports the encryption method being requested is used. On HP-UX and Solaris systems, the first provider must always be sun.security.provider.Sun.


   AIX, Linux, and Windows systems (with FIPS)
   security.provider.2=com.ibm.spi.IBMCMSProvider
   security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
   security.provider.4=com.ibm.crypto.provider.IBMJCE
   security.provider.5=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.6=com.ibm.security.cert.IBMCertPath
   security.provider.7=com.ibm.security.sasl.IBMSASL

   AIX, Linux, and Windows systems (without FIPS)
   security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
   security.provider.2=com.ibm.spi.IBMCMSProvider
   security.provider.3=com.ibm.crypto.provider.IBMJCE
   security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.5=com.ibm.security.cert.IBMCertPath
   security.provider.6=com.ibm.security.sasl.IBMSASL

   HP-UX and Solaris systems (with FIPS)
   security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.2=sun.security.provider.Sun
   security.provider.3=com.ibm.spi.IBMCMSProvider
   security.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPS
   security.provider.5=com.ibm.crypto.provider.IBMJCE
   security.provider.6=com.ibm.jsse2.IBMJSSEProvider2
   security.provider.7=com.ibm.security.cert.IBMCertPath
   security.provider.8=com.ibm.security.sasl.IBMSASL

   HP-UX and Solaris systems (without FIPS)
   security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
   security.provider.2=sun.security.provider.Sun
   security.provider.3=com.ibm.spi.IBMCMSProvider
   security.provider.4=com.ibm.crypto.provider.IBMJCE
   security.provider.5=com.ibm.jsse2.IBMJSSEProvider2
   security.provider.6=com.ibm.security.cert.IBMCertPath
   security.provider.7=com.ibm.security.sasl.IBMSASL

8. Read the file located at $JAVA_HOME/README_FIRST.

To use the iKeyman utility to enable SSL with a supported registry server, see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473. General information on the iKeyman utility can be found in the IBM Global Security Kit: Secure Sockets Layer Introduction and iKeyman User's Guide.
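Steps 4 to 7 above are hand edits to a JRE, and the one that goes wrong most quietly is step 7: java.security is a Java Properties file, so if two lines carry the same `security.provider.N` key the later one silently replaces the earlier, and the provider the note says must come first may not be the one that is actually first. The script below is an added example and is not part of the Installation Guide or of GSKit; it applies step 4 and step 7 to a JRE directory and then verifies steps 4 to 7. The provider orderings are copied from the two listings in step 7 that start at provider 1; the JRE layout `JAVA_HOME/jre/lib/ext` and `JAVA_HOME/jre/lib/security`, the function names, and the sample java.security text (which deliberately contains a duplicate index) are the example's own assumptions and constructions.

```python
"""Added example (not from the guide): script steps 4 and 7 of the iKeyman setup and verify
steps 4 to 7. Provider lists are copied from step 7; the JRE layout, helper names and the
sample java.security text are assumptions or constructed."""
import re
import tempfile
from pathlib import Path

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S+)$")

# Orderings from step 7 that the guide lists completely, starting at provider 1.
PROVIDER_ORDERS = {
    "aix_linux_windows_nofips": [
        "com.ibm.jsse2.IBMJSSEProvider2", "com.ibm.spi.IBMCMSProvider",
        "com.ibm.crypto.provider.IBMJCE", "com.ibm.security.jgss.IBMJGSSProvider",
        "com.ibm.security.cert.IBMCertPath", "com.ibm.security.sasl.IBMSASL"],
    "hpux_solaris_fips": [
        "com.ibm.security.jgss.IBMJGSSProvider", "sun.security.provider.Sun",
        "com.ibm.spi.IBMCMSProvider", "com.ibm.crypto.fips.provider.IBMJCEFIPS",
        "com.ibm.crypto.provider.IBMJCE", "com.ibm.jsse2.IBMJSSEProvider2",
        "com.ibm.security.cert.IBMCertPath", "com.ibm.security.sasl.IBMSASL"],
}
CMS = "com.ibm.spi.IBMCMSProvider"
FIPS = "com.ibm.crypto.fips.provider.IBMJCEFIPS"
JCE = "com.ibm.crypto.provider.IBMJCE"


def parse_providers(text):
    """[(index, class)] for each security.provider.N line, in file order."""
    matches = (PROVIDER_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in matches if m]


def check_providers(text):
    """Problems in the provider list. java.security is a Properties file, so a
    duplicate security.provider.N key silently replaces the earlier entry."""
    found = parse_providers(text)
    problems = []
    if sorted(i for i, _ in found) != list(range(1, len(found) + 1)):
        problems.append(f"provider numbering is not 1..{len(found)} without gaps or duplicates")
    order = [c for _, c in sorted(found)]
    if CMS not in order:
        problems.append("IBMCMSProvider missing: CMS key databases cannot be opened")
    if FIPS in order and JCE in order and order.index(FIPS) > order.index(JCE):
        problems.append("IBMJCEFIPS listed after IBMJCE: the non-FIPS provider would be chosen first")
    return problems


def rewrite_providers(text, providers):
    """Replace the provider block with `providers` numbered 1..n, at the position of
    the first existing provider line; every other line is kept unchanged."""
    block = [f"security.provider.{i}={p}" for i, p in enumerate(providers, 1)]
    out, placed = [], False
    for line in text.splitlines():
        if PROVIDER_RE.match(line.strip()):
            if not placed:
                out.extend(block)
                placed = True
        else:
            out.append(line)
    if not placed:
        out.extend(block)
    return "\n".join(out) + "\n"


def prepare_jre(java_home, order_key):
    """Step 4 (remove gskikm.jar) and step 7 (rewrite the providers). Steps 5 and 6
    copy the policy jars downloaded in step 3, which this script does not fetch."""
    jre = Path(java_home) / "jre"
    stale = jre / "lib" / "ext" / "gskikm.jar"
    if stale.exists():
        stale.unlink()
    sec = jre / "lib" / "security" / "java.security"
    sec.write_text(rewrite_providers(sec.read_text(), PROVIDER_ORDERS[order_key]))


def verify_jre(java_home):
    """Problems left after steps 4 to 7; an empty list means the JRE is ready for iKeyman."""
    jre = Path(java_home) / "jre"
    problems = []
    if (jre / "lib" / "ext" / "gskikm.jar").exists():
        problems.append("gskikm.jar still present in jre/lib/ext (step 4)")
    for jar in ("local_policy.jar", "US_export_policy.jar"):
        if not (jre / "lib" / "security" / jar).exists():
            problems.append(f"{jar} missing from jre/lib/security (steps 5 and 6)")
    sec = jre / "lib" / "security" / "java.security"
    problems += check_providers(sec.read_text()) if sec.exists() else ["java.security not found"]
    return problems


# Constructed java.security excerpt carrying the duplicate-index slip a hand edit can leave.
SAMPLE_JAVA_SECURITY = """\
# constructed sample, not a real JRE file
securerandom.source=file:/dev/urandom
security.provider.1=com.ibm.security.jgss.IBMJGSSProvider
security.provider.2=sun.security.provider.Sun
security.provider.3=com.ibm.spi.IBMCMSProvider
security.provider.4=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.crypto.fips.provider.IBMJCEFIPS
"""


def demo():
    """Build a constructed JRE tree, verify it, repair it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        jre = Path(d) / "jre"
        (jre / "lib" / "ext").mkdir(parents=True)
        (jre / "lib" / "security").mkdir(parents=True)
        (jre / "lib" / "ext" / "gskikm.jar").write_bytes(b"")
        (jre / "lib" / "security" / "java.security").write_text(SAMPLE_JAVA_SECURITY)
        before = verify_jre(d)
        prepare_jre(d, "hpux_solaris_fips")
        for jar in ("local_policy.jar", "US_export_policy.jar"):   # stands in for steps 5 and 6
            (jre / "lib" / "security" / jar).write_bytes(b"")
        return before, verify_jre(d)


if __name__ == "__main__":
    print(demo())
```

`verify_jre` is the part worth keeping on a real system: run it against `$JAVA_HOME` after the manual edit and an empty list confirms that gskikm.jar is gone, both policy jars are present, and the provider numbering is contiguous with the CMS provider present and the FIPS provider ahead of IBMJCE.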


Installing IBM Java Runtime

IBM Java Runtime 1.5.0 SR5 is required when using the Tivoli Access Managerinstallation wizards. IBM Java Runtime is provided with Tivoli Access Manager.

Access Manager Runtime for Java only supports the IBM Java Runtime 1.5.0 SR5provided with Tivoli Access Manager or the JRE provided with IBM WebSphereApplication Server.

Complete the instructions that apply to your operating system:

v AIX on page 318
v HP-UX on page 319
v Linux on page 320
v Solaris on page 321
v Windows on page 321

You can insert any of the IBM Tivoli Access Manager CDs where IBM Java Runtime is required as a prerequisite for the installation wizard.

AIX: Installing IBM Java Runtime

To install IBM Java Runtime 1.5.0 SR5 on AIX, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides IBM Java Runtime for AIX and mount it.

4. Install the following packages:

   installp -acgYXd cd_mount_point/usr/sys/inst.images packages

   where cd_mount_point is the directory where the CD is mounted and packages are as follows:

   Java5.ext       Specifies the IBM Java Runtime extensions package.
   Java5.samples   Specifies the IBM Java Runtime sample files package.
   Java5.sdk       Specifies the IBM Java Runtime software development kit (SDK) extensions package.
   Java5.source    Specifies the IBM Java Runtime source files package.

5. Do one of the following tasks:

   v Set the PATH environment variable. For example:

     export PATH=/usr/java5/jre/bin:$PATH

     Note: To display whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command.

   v Set the JAVA_HOME environment variable to the path where you installed IBM Java Runtime. For example, using ksh, enter the following to define JAVA_HOME:

     export JAVA_HOME=/usr/java5/jre


After you install IBM Java Runtime, no configuration is necessary.

HP-UX: Installing IBM Java Runtime

To install IBM Java Runtime 1.5.0 SR5 on HP-UX or HP-UX on Integrity, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides IBM Java Runtime for HP-UX or HP-UX on Integrity.

4. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point. Note that specific patches are required before the HP-UX mount command can be used. See the IBM Tivoli Access Manager for e-business: Release Notes.

5. Do one of the following:

   Note: The installation wizards expect the JRE to be installed in the default location.

   v If you plan to use the default installation path, set the PATH environment variable:

     export PATH=java_path:$PATH

     For example:

     export PATH=/usr/java15/jre/bin:$PATH

     Note: To display whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command.

   v If you plan to use an installation path other than the default, set the JAVA_HOME environment variable to the path where you plan to install IBM Java Runtime. For example, enter the following to define JAVA_HOME:

     export JAVA_HOME=/usr/mypath/java15/jre

6. Install the IBM Java Runtime package:

   a. Enter: mkdir -p /usr/java15

   b. Enter: cd /usr/java15

   c. Enter:

      v HP-UX:

        zcat cd_mount_point/hp/hpia32devhybrid-20070511a-sdk.tar.Z | tar -xvf -

      v HP-UX on Integrity:

        zcat cd_mount_point/hp_ia64/hpuxdevhybrid-20070511a-sdk.tar.Z | tar -xvf -

      where /cd_mount_point is the CD mount point and /cd_mount_point/hp is the directory. Note that you must have both the zcat file uncompress and the tar file extraction utilities. Also, the directories for both utilities must be defined by your PATH environment variable.


   Note: The installation wizards expect the JRE to be installed in the default location.

7. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

8. For the IBM Tivoli Directory Server, create the symbolic link for IBM Java Runtime. Create the link after the IBM Tivoli Directory Server is installed:

   ln -s /usr/java15 /opt/IBM/ldap/V6.1/java

After you install IBM Java Runtime, no configuration is necessary.

Linux: Installing IBM Java Runtime

To install IBM Java Runtime 1.5.0 SR5 on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files from an IBM Tivoli Access Manager CD for Linux on System z. The rpm files are located in the /CD_mount_point/linux_s390 directory of the CD.

Note to Red Hat Enterprise Linux 5 users: To install IBM Java Runtime successfully on a Red Hat Enterprise Linux 5 system, the following compatibility libraries must also be installed:

   compat-libstdc++-33-3.2.3
   libXp-1.0.0-8.i386.rpm

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides IBM Java Runtime for Linux on x86, Linux on System z, or Linux on POWER and mount it.

4. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_s390 for System z, or linux_ppc for POWER.

5. Install the IBM Java Runtime package:

   Note: Tivoli Access Manager is a 32-bit application and requires a 32-bit Java Runtime package.

   rpm -ihv package

   where package is as follows:

   Linux on x86 (32-bit and 64-bit)   ibm-java2-i386-sdk-5.0-5.0.i386.rpm (32-bit)
   Linux on POWER                     ibm-java2-ppc-sdk-5.0-5.0.ppc.rpm
   Linux on System z                  ibm-java2-s390-sdk-5.0-5.0.s390.rpm

6. Set the PATH environment variable:

   export PATH=jre_path:$PATH

   For example, to ensure that the IBM Java Runtime is accessible through the PATH system variable, enter the following command:

   export PATH=/opt/ibm/java2-s390-50/jre/bin:$PATH

After you install IBM Java Runtime, no configuration is necessary.

Solaris: Installing IBM Java Runtime

To install IBM Java Runtime 1.5.0 SR5 on Solaris, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides IBM Java Runtime for Solaris or Solaris x86_64 and mount it.

4. Do one of the following:

   Note: The installation wizards expect the JRE to be installed in the default location, which is used in the following example.

   v Set the PATH environment variable:

     export PATH=java_path:$PATH

     For example:

     export PATH=/usr/java15/jre/bin:$PATH

     Note: To display whether IBM Java Runtime 1.5.0 SR5 is already in the path, use the java -version command.

   v If you plan to use an installation path other than the default, set the JAVA_HOME environment variable to the path where you plan to install IBM Java Runtime. For example, enter the following to define JAVA_HOME:

     export JAVA_HOME=/usr/mypath/java15/jre

5. Install the IBM Java Runtime package:

   a. Enter: mkdir -p /usr/java15

   b. Enter: cd /usr/java15

   c. Untar the package into the /usr/java15 directory:

      v For Solaris:

        zcat cd_mount_point/solaris/soldevhybrid-20070511-sdk.tar.Z | tar -xvf -

      v For Solaris on x86_64:

        zcat cd_mount_point/solaris_x86/solx64hybrid-20070511-sdk.tar.Z | tar -xvf -

      where /cd_mount_point is the CD mount point and /cd_mount_point/solaris or /cd_mount_point/solaris_x86 is the directory. Note that you must have both the zcat file uncompress and the tar file extraction utilities. The utilities may need to be fully qualified if they cannot be found in the PATH environment variable.

After you install IBM Java Runtime, no configuration is necessary.
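The AIX, HP-UX, Linux and Solaris procedures above all finish the same way: export JAVA_HOME, put the JRE's bin directory at the front of PATH, and confirm with java -version by eye. As an added example, not code from the IBM guide, the following POSIX shell functions do those steps defensively: they refuse a directory that is not a JRE root, prepend to PATH without leaving duplicate or empty entries when a profile is sourced more than once, and parse the version string so a script can insist on the 1.5.0 SR5 runtime before anything else is installed. The default paths in the comments are the guide's; the fake runtime used to exercise the functions is constructed.

```shell
#!/bin/sh
# Added example, not from the IBM guide: validate an IBM Java Runtime directory,
# export JAVA_HOME and PATH idempotently, and check the reported version.
# Default JRE paths from the guide: /usr/java5/jre (AIX), /usr/java15/jre (HP-UX,
# Solaris), /opt/ibm/java2-<arch>-50/jre (Linux).

# is_jre_root DIR: true when DIR contains an executable bin/java and the
# lib/security/java.security file whose provider list the guide edits.
is_jre_root() {
    [ -x "$1/bin/java" ] && [ -f "$1/lib/security/java.security" ]
}

# prepend_path DIR CURRENT: print CURRENT with DIR at the front exactly once.
# An existing DIR entry is removed first, and empty entries (which the shell
# treats as the current directory) are dropped, so re-sourcing a profile does
# not grow PATH and never leaves "" in it.
prepend_path() {
    rest=$(printf '%s\n' "$2" | awk -F: -v d="$1" '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "" && $i != d) out = (out == "" ? $i : out ":" $i)
        print out
    }')
    if [ -n "$rest" ]; then
        printf '%s:%s' "$1" "$rest"
    else
        printf '%s' "$1"
    fi
}

# java_version_string DIR: print the version from "java -version" (the JVM
# writes it to stderr), for example 1.5.0; empty when it cannot be parsed.
java_version_string() {
    "$1/bin/java" -version 2>&1 | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# check_java_version DIR WANT: 0 when the runtime under DIR reports a version
# beginning with WANT (1.5.0 for the runtime this guide requires), else 1.
check_java_version() {
    v=$(java_version_string "$1")
    case "$v" in
        "$2"*) return 0 ;;
        *) echo "check_java_version: $1 reports '$v', want $2*" >&2; return 1 ;;
    esac
}

# setup_java_env DIR [WANT]: validate DIR (and its version when WANT is given),
# then export JAVA_HOME=DIR and PATH=DIR/bin:PATH. Leaves the environment
# untouched and returns 1 when any check fails.
setup_java_env() {
    if ! is_jre_root "$1"; then
        echo "setup_java_env: $1 has no bin/java or lib/security/java.security" >&2
        return 1
    fi
    if [ -n "$2" ] && ! check_java_version "$1" "$2"; then
        return 1
    fi
    JAVA_HOME=$1
    PATH=$(prepend_path "$1/bin" "$PATH")
    export JAVA_HOME PATH
}

# Usage from a profile or install script (AIX default path):
#   setup_java_env /usr/java5/jre 1.5.0 || exit 1
```

Because setup_java_env only exports after every check passes, a wrong or half-extracted JRE directory cannot end up first in PATH, which is the failure the guide's "use the java -version command" note is meant to catch by hand.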

Windows: Installing IBM Java Runtime

To install IBM Java Runtime 1.5.0 SR5 on Windows, follow these steps:

1. Log on as any member of the Administrators group.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides the IBM Java Runtime for Windows.

4. Enter the following command:

   cd_drive\windows\JDK\ibm-java2-sdk-50-win-i386.exe

   Complete the online instructions. When installation has completed, click Finish.

5. Set the PATH environment variable:

   set PATH=install_dir;%PATH%

   For example, enter the following if you installed using the default installation directory for IBM Java Runtime 1.5.0 SR5:

   set PATH=C:\Program Files\IBM\Java50\jre\bin;%PATH%

6. If you plan to use the IBM Global Security Kit (GSKit) iKeyman utility, do the following steps:

   a. Set the JAVA_HOME environment variable to the full path to your Java installation. For example:

      set JAVA_HOME=c:\Program Files\IBM\Java50\jre

   b. Add the GSKit bin and lib directories to the PATH variable. For example:

      set PATH="C:\Program Files\ibm\gsk7\bin";%PATH%
      set PATH="C:\Program Files\ibm\gsk7\lib";%PATH%

After you install IBM Java Runtime, no configuration is necessary.


Installing the IBM Tivoli Security Utilities

The IBM Tivoli Security Utilities provides common utilities that are required by Access Manager Runtime.

Complete the instructions that apply to your operating system:

v AIX on page 323
v HP-UX on page 323
v Linux on page 324
v Solaris on page 325
v Windows on page 326

You can insert any of the IBM Tivoli Access Manager CDs where Access Manager Runtime is required. Refer to information in “Components and prerequisites provided with Tivoli Access Manager systems” on page 15 for a list of components that require Access Manager Runtime as a prerequisite.

AIX: Installing the IBM Tivoli Security Utilities

To install Tivoli Security Utilities on AIX, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD that provides Tivoli Security Utilities for AIX and mount it.

4. Enter the following command to install the package:

   installp -acgYXd cd_mount_point/usr/sys/inst.images TivSec.Utl

   where cd_mount_point is the directory where the CD is mounted.

   Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.

5. Unmount the CD.

After you install Tivoli Security Utilities, no configuration is necessary.

This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

HP-UX: Installing IBM Tivoli Security Utilities

To install Tivoli Security Utilities on HP-UX or HP-UX on Integrity, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert a CD that provides Tivoli Security Utilities for HP-UX or HP-UX on Integrity:

   v IBM Tivoli Access Manager Base
   v IBM Tivoli Access Manager Shared Session Management
   v IBM Tivoli Access Manager Web Security

4. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

5. Enter the following command:

   v For HP-UX:

     swinstall -s /cd-rom/hp TivSecUtl

     where /cd-rom/hp is the directory.

   v For HP-UX on Integrity:

     swinstall -s /cd-rom/hp_ia64 TivSecUtl

     where /cd-rom/hp_ia64 is the directory.

   Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.

6. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

where /cd-rom is the mount point.

After you install Tivoli Security Utilities, no configuration is necessary.

This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Linux: Installing IBM Tivoli Security Utilities

To install Tivoli Security Utilities on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files from an IBM Tivoli Access Manager CD for Linux on System z. The rpm files are located in the /CD_mount_point/linux_s390 directory of the CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD that provides Tivoli Security Utilities for Linux on x86, Linux on System z, or Linux on POWER and mount it.

4. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_s390 for System z, or linux_ppc for POWER.

5. Do one of the following installations:

   v To install Tivoli Security Utilities in the default location:

     rpm -ih package

     where package is as follows:

     – Linux on x86: TivSecUtl-TivSec-6.1.1.0-0.i386.rpm
     – Linux on System z: TivSecUtl-TivSec-6.1.1.0-0.s390.rpm
     – Linux on POWER: TivSecUtl-TivSec-6.1.1.0-0.ppc.rpm

   Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.

6. Unmount the CD.

After you install Tivoli Security Utilities, no configuration is necessary.

This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Solaris: Installing IBM Tivoli Security Utilities

The following procedure uses pkgadd to install the software package.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that the package is added in the current zone only.

To install Tivoli Security Utilities on Solaris, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Shared Session Management CD, or the IBM Tivoli Access Manager Web Security CD that provides Tivoli Security Utilities for Solaris or Solaris on x86_64 and mount it.

4. To install the Tivoli Security Utilities package, enter:

   v For Solaris:

     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault TivSecUtl

     where /cdrom/cdrom0/solaris specifies the location of the package and /cdrom/cdrom0/solaris/pddefault specifies the location of the installation administration script.

   v For Solaris on x86_64:

     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault TivSecUtl

     where /cdrom/cdrom0/solaris_x86 specifies the location of the package and /cdrom/cdrom0/solaris_x86/pddefault specifies the location of the installation administration script.

   Attention: You must install the Tivoli Security Utilities package first before installing the Access Manager Runtime package.


After you install Tivoli Security Utilities, no configuration is necessary.

This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.

Windows: Installing IBM Tivoli Security Utilities

To install Tivoli Security Utilities on Windows 2003, Windows XP, or Windows Vista, follow these steps:

1. Log on as any member of the Administrators group.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides Tivoli Security Utilities for Windows and change to the following directory on the drive where the CD is located:

   \windows\TivSecUtl\Disk Images\Disk1

4. Run the setup.exe program from this directory.

5. Click Next. The Choose Destination Location window is displayed.

6. Accept the default destination directory or click Browse to select a path to another directory on the local system. If the directory does not exist, you must confirm that you want the directory created or specify a directory that exists.

7. Click Next to install Tivoli Security Utilities. The Setup Complete window is displayed.

8. Select whether to restart the computer now or later and click Finish.

After you install Tivoli Security Utilities, no configuration is necessary.

This step completes the setup of the Tivoli Security Utilities. To set up another Tivoli Access Manager system, follow the steps in the “Installation process” on page 21.


Installing the IBM Tivoli Directory Server client

The IBM Tivoli Directory Server client is included with IBM Tivoli Directory Server on the IBM Tivoli Access Manager Directory Server CDs for supported platforms.

You must explicitly install the Tivoli Directory Server client on each system that runs Tivoli Access Manager, with the following exceptions:

v The Tivoli Access Manager system is a supported Windows system that is joined to an Active Directory domain.
v You are using Lotus Domino as your registry server.
v You are setting up an Access Manager Runtime for Java, Access Manager Web Portal Manager, Access Manager Attribute Retrieval Service, or Access Manager session management server.

Note: When an installation wizard is used to install a Tivoli Access Manager component which has the IBM Tivoli Directory Server client as a prerequisite, the client is automatically installed on that system.

Complete the instructions that apply to your operating system:

v AIX on page 327
v HP-UX on page 328
v Linux on page 329
v Solaris on page 330
v Windows on page 331

You can insert any of the IBM Tivoli Access Manager CDs where IBM Tivoli Directory Server client is required as a prerequisite for the installation wizard. Refer to information in “Components and prerequisites provided with Tivoli Access Manager systems” on page 15 for a list of components that require IBM Tivoli Directory Server client as a prerequisite.

Note: You can have multiple versions of the IBM Tivoli Directory Server client on the same system.

AIX: Installing the IBM Tivoli Directory Server client

To install the IBM Tivoli Directory Server client on AIX, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides the IBM Tivoli Directory Server client for AIX and mount it.

4. Install the client packages of IBM Tivoli Directory Server. At a command prompt, enter:

   installp -acgXd cd_mount_point/usr/sys/inst.images packages

   Table 21 on page 328 lists the packages required for each client type. Install the packages for your client in the order specified. To install multiple packages, separate the package names by a blank space.


Table 21. Client packages for AIX

Client                   Packages (install in this order)      Package descriptions

32-bit client (no SSL)
                         1. idsldap.cltbase61                  Base Client runtime and Base Client SDK
                         2. idsldap.clt32bit61                 32-bit client (no SSL)

32-bit client (SSL)
                         1. idsldap.cltbase61                  Base Client runtime and Base Client SDK
                         2. idsldap.clt32bit61                 32-bit client (no SSL)
                         3. idsldap.clt_max_crypto32bit61      32-bit client (SSL)

64-bit client (no SSL)
                         1. idsldap.cltbase61                  Base Client runtime and Base Client SDK
                         2. idsldap.clt64bit61                 64-bit client (no SSL)

64-bit client (SSL)
                         1. idsldap.cltbase61                  Base Client runtime and Base Client SDK
                         2. idsldap.clt64bit61                 64-bit client (no SSL)
                         3. idsldap.clt_max_crypto64bit61      64-bit client (SSL)

Java client
                            idsldap.cltjava61                  Java client required for X11 support

Note: Full server versions require an X11 environment. For a client with no X11 requirements, install the 32-bit or 64-bit client as you would if you required an X11 environment.

5. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

After you install the IBM Tivoli Directory Server client, no configuration is necessary.

HP-UX: Installing the IBM Tivoli Directory Server client

To install the IBM Tivoli Directory Server client on HP-UX or HP-UX on Integrity, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager CD that provides the IBM Tivoli Directory Server client for HP-UX or HP-UX on Integrity.

4. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

5. Install the client packages of IBM Tivoli Directory Server.

   v HP-UX


     swinstall -s /cd_mount_point/hp packages

   v HP-UX on Integrity

     swinstall -s /cd_mount_point/hp_ia64 packages

   Table 22 lists the packages required for each client type. Install the packages for your client in the order specified.

   Notes:

   a. The package names are the same for both HP-UX PA-RISC and HP-UX on Integrity.

   b. If you plan to install either the IBM Tivoli Directory Server full server or proxy server, you must install the 64-bit client package.

Table 22. Client packages for HP-UX

Client type      Packages (install in this order)   Package descriptions

32-bit client
                 1. idsldap-cltbase61               Base Client
                 2. idsldap-clt32bit61              32-bit Client
                 3. idsldap-cltjava61               Java Client

64-bit client
                 1. idsldap-cltbase61               Base Client
                 2. idsldap-clt64bit61              64-bit Client
                 3. idsldap-cltjava61               Java Client

6. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

After you install the IBM Tivoli Directory Server client, no configuration is necessary.

Linux: Installing the IBM Tivoli Directory Server client

To install the IBM Tivoli Directory Server client for Linux on x86, Linux on POWER, or Linux on System z, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files from an IBM Tivoli Access Manager CD for Linux on System z. The rpm files are located in the /CD_mount_point/linux_s390 directory of the CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides the IBM Tivoli Directory Server client for Linux on x86, Linux on System z, or Linux on POWER and mount it.

4. Change to the /mnt/cdrom/distribution directory where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.

5. Install the client packages of IBM Tivoli Directory Server for your deployment.

   rpm -ihv packages

   Table 23 on page 330 lists the packages required for each client type. Install the packages for your client in the order specified.


   Note: On System z and POWER, when you intend to also install the server, install the 64-bit client because the server is 64-bit. Tivoli Access Manager for e-business requires the 32-bit client. Both the 32-bit and 64-bit clients can be installed on the same system.

Table 23. Client packages for Linux platforms

Client type                         Packages (install in this order)            Package descriptions

Linux on x86, 32-bit client
                                    1. idsldap-cltbase61-6.1.0-6.i386.rpm       Base client
                                    2. idsldap-clt32bit61-6.1.0-6.i386.rpm      32-bit client
                                    3. idsldap-cltjava61-6.1.0-6.i386.rpm       Java client

Linux on System z, 32-bit client
                                    1. idsldap-cltbase61-6.1.0-6.s390.rpm       Base client
                                    2. idsldap-clt32bit61-6.1.0-6.s390.rpm      32-bit client
                                    3. idsldap-cltjava61-6.1.0-6.s390.rpm       Java client

Linux on System z, 64-bit client
                                    1. idsldap-cltbase61-6.1.0-6.s390.rpm       Base client
                                    2. idsldap-clt64bit61-6.1.0-6.s390x.rpm     64-bit client
                                    3. idsldap-cltjava61-6.1.0-6.s390.rpm       Java client

Linux on POWER, 32-bit client
                                    1. idsldap-cltbase61-6.1.0-6.ppc.rpm        Base client
                                    2. idsldap-clt32bit61-6.1.0-6.ppc.rpm       32-bit client
                                    3. idsldap-cltjava61-6.1.0-6.ppc.rpm        Java client

Linux on POWER, 64-bit client
                                    1. idsldap-cltbase61-6.1.0-6.ppc.rpm        Base client
                                    2. idsldap-clt64bit61-6.1.0-6.ppc.rpm       64-bit client
                                    3. idsldap-cltjava61-6.1.0-6.ppc.rpm        Java client

6. Unmount the CD.

After you install the IBM Tivoli Directory Server client, no configuration is necessary.

Solaris: Installing the IBM Tivoli Directory Server client

The following procedure uses pkgadd to install software packages and the pdconfig utility to configure them.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the IBM Tivoli Directory Server client on Solaris, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert a Tivoli Access Manager CD that provides the IBM Tivoli Directory Server client for Solaris or Solaris on x86_64 and mount it.

4. Install the client packages of IBM Tivoli Directory Server for your platform:

   v Solaris

     pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault packages


   v Solaris on x86_64

     pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault packages

   Table 24 lists the packages required for each client type. Install the packages for your client in the order specified.

   Notes:

   a. The package names are the same for both Solaris platforms.

   b. During installation, you are asked if you want to use /opt as the base directory. If space permits, accept /opt as the base directory.

   c. When you install client or server packages, the system might prompt you with the following query:

      This package contains scripts which will be executed with super-user permission during the process of installing the package. Continue with installation?

      Type y to continue. These scripts create the Tivoli Directory Server user ID.

Table 24. Client packages for Solaris

Client type      Packages (install in this order)   Package descriptions

32-bit client
                 1. IDSlbc61                        Base client
                 2. IDSl32c61                       32-bit client
                 3. IDSljc61                        Java client

64-bit client
                 1. IDSlbc61                        Base client
                 2. IDSl64c61                       32-bit client
                 3. IDSljc61                        Java client

5. During installation, you are asked if you want to use /opt as the base directory. If space permits, use /opt as the base installation directory. To accept /opt as the base directory, press Enter.

After you install the IBM Tivoli Directory Server client, no configuration is necessary.

Windows: Installing the IBM Tivoli Directory Server client

To install the IBM Tivoli Directory Server client on Windows 2003, Windows Vista or Windows XP, follow these steps:

1. Log on as any member of the Administrators group.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most-recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert an IBM Tivoli Access Manager CD that provides the IBM Tivoli Directory Server client for Windows, and change to the \windows\tds directory on the drive where the CD is located.

4. To install the IBM Tivoli Directory Server client, run the install_tds.bat file. The Choose Setup Language window is displayed.

5. Select the language that you want to use for the installation and click OK.

6. The Welcome window is displayed. Click Next to continue.

7. Read the license agreement. Select to accept the terms and then click Next. A window is displayed that informs you of the packages that are already installed and if any action is required. If necessary, satisfy any requirements and click Next.

8. Select to install the C Client 6.1 feature and then click Next.

9. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.

After you install the IBM Tivoli Directory Server client, no configuration is necessary.

332 Tivoli Access Manager Installation Guide


Installing IBM WebSphere Application Server

IBM WebSphere Application Server is included on the IBM Tivoli Access Manager WebSphere Application Server CDs for the supported platforms.

WebSphere Application Server enables the support of these interfaces:
- The Web Portal Manager interface, which is used to administer Tivoli Access Manager.
- The Web Administration Tool, which is used to administer IBM Tivoli Directory Server.
- The Access Manager Attribute Retrieval Service.

WebSphere Application Server is required on systems on which you plan to set up Web Portal Manager or Web Administration Tool interfaces. Some WebSphere documentation is located on the IBM Tivoli Access Manager WebSphere Application Server CD in the /WAS/docs directory. For additional information about IBM WebSphere Application Server, see:

http://www.ibm.com/software/webservers/appserv/infocenter.html

Complete the instructions that apply to your operating system:
- AIX on page 333
- HP-UX on page 334
- Linux on page 335
- Solaris on page 336
- Windows on page 336

AIX: Installing WebSphere Application Server

To install the IBM WebSphere Application Server on AIX, follow these steps.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the IBM Tivoli Access Manager WebSphere Application Server for AIX (1 of 2) CD and mount it.

4. Change to the root directory on the drive where the CD is located.

5. Enter the following command:

   ./WAS/install

   Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.

6. Unmount the IBM Tivoli Access Manager WebSphere Application Server for AIX (1 of 2) CD and remove it.

7. Insert the IBM Tivoli Access Manager WebSphere Application Server for AIX (2 of 2) CD and mount it.

8. Change to the root directory on the drive where the CD is located.

9. Enter the following command:

   ./IHS/install


   Follow the directions provided by the installation wizard to install IBM HTTP Server on the system.

10. Enter the following command:

   ./plugin/install

   Follow the directions provided by the installation wizard to install the plug-in for your Web server on the system.

11. Unmount the CD.

HP-UX: Installing WebSphere Application Server

To install WebSphere Application Server on HP-UX or HP-UX on Integrity, follow these steps.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the CD for your platform:
   - IBM Tivoli Access Manager WebSphere Application Server for HP-UX (1 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for HP-UX on Integrity (1 of 2)

4. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

5. Change to the root directory on the drive where the CD is located.

6. Enter the following command:

   ./WAS/install

   Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.

7. Unmount the IBM Tivoli Access Manager WebSphere Application Server for HP-UX (1 of 2) CD or the IBM Tivoli Access Manager WebSphere Application Server for HP-UX on Integrity (1 of 2) CD as follows and remove it:

   umount /cd-rom

   where /cd-rom is the mount point.

8. Insert the CD for your platform and mount it:
   - IBM Tivoli Access Manager WebSphere Application Server for HP-UX (2 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for HP-UX on Integrity (2 of 2)

9. Change to the root directory on the drive where the CD is located.

10. Enter the following command:

   ./IHS/install

   Follow the directions provided by the installation wizard to install IBM HTTP Server on the system.

11. Enter the following command:

   ./plugin/install

   Follow the directions provided by the installation wizard to install the plug-in for your Web server on the system.

12. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

Linux: Installing WebSphere Application Server

To install the WebSphere Application Server on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the WebSphere CD images on your Linux system.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert one of the following Linux CDs and mount it:
   - IBM Tivoli Access Manager WebSphere Application Server for Linux on x86 (1 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for Linux on System z (1 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for Linux on POWER (1 of 2)

4. Change to the root directory on the drive where the CD is located.

5. Enter the following command:

   ./WAS/install

   Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.

6. Unmount the Linux CD and remove it.

7. Insert one of the following Linux CDs and mount it:
   - IBM Tivoli Access Manager WebSphere Application Server for Linux on x86 (2 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for Linux on System z (2 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for Linux on POWER (2 of 2)

8. Change to the root directory on the drive where the CD is located.

9. Enter the following command:

   ./IHS/install

   Follow the directions provided by the installation wizard to install IBM HTTP Server on the system.

10. Enter the following command:

   ./plugin/install

   Follow the directions provided by the installation wizard to install the plug-in for your Web server on the system.

11. Unmount the CD.


Solaris: Installing WebSphere Application Server

To install WebSphere Application Server on Solaris or Solaris on x86_64, follow these steps.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Insert the CD for your platform:
   - IBM Tivoli Access Manager WebSphere Application Server for Solaris (1 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for Solaris on x86_64 (1 of 2)

4. Change to the root directory on the drive where the CD is located.

5. Enter the following command:

   ./WAS/install

   Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.

6. Remove the CD.

7. Insert one of the following CDs and mount it:
   - IBM Tivoli Access Manager WebSphere Application Server for Solaris (2 of 2)
   - IBM Tivoli Access Manager WebSphere Application Server for Solaris on x86_64 (2 of 2)

8. Change to the root directory on the drive where the CD is located.

9. Enter the following command:

   ./IHS/install

   Follow the directions provided by the installation wizard to install IBM HTTP Server on the system.

10. Enter the following command:

   ./plugin/install

   Follow the directions provided by the installation wizard to install the plug-in for your Web server on the system.

11. Unmount the CD.

Windows: Installing WebSphere Application Server

To install WebSphere Application Server on Windows, follow these steps.

1. Log on as any member of the Administrators group.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that you have closed any running Windows programs.

4. Insert the IBM Tivoli Access Manager WebSphere Application Server for Windows (1 of 2) CD.

5. Change to the root directory on the drive where the CD is located.

6. Enter the following command:

   \WAS\install.exe


   Follow the directions provided by the installation wizard to install WebSphere Application Server on the system.

7. Remove the IBM Tivoli Access Manager WebSphere Application Server for Windows (1 of 2) CD.

8. Insert the IBM Tivoli Access Manager WebSphere Application Server for Windows (2 of 2) CD.

9. Change to the root directory on the drive where the CD is located.

10. Enter the following command:

   \IHS\install.exe

   Follow the directions provided by the installation wizard to install IBM HTTP Server on the system.

11. Enter the following command:

   \plugin\install.exe

   Follow the directions provided by the installation wizard to install the plug-in for your Web server on the system.

12. Update WebSphere Application Server to the supported level.


Installing the Web Administration Tool

The Web Administration Tool is used to administer IBM Tivoli Directory Servers either locally or remotely. You can install this interface at any time.

To install the Web Administration Tool application, follow the procedure for your particular platform.
- AIX on page 338
- HP-UX on page 339
- Linux on page 340
- Solaris on page 341
- Windows on page 342

For information about installing the Web Administration Tool into WebSphere, see "Installing the Web Administration Tool into WebSphere" on page 344.

Note: An application server is required. The IBM WebSphere Application Server is included with Tivoli Access Manager.

AIX: Installing the Web Administration Tool

To install the Web Administration Tool on AIX, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.

4. Ensure that the following servers are set up in your secure domain:
   - IBM Tivoli Directory Server or proxy server
   - IBM WebSphere Application Server

   For instructions on installing these servers, see "Setting up IBM Tivoli Directory Server" on page 54 and "Installing IBM WebSphere Application Server" on page 333.

5. Mount the IBM Tivoli Access Manager Directory Server for AIX (2 of 2) CD.

6. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps:

   a. Install the Web Administration Tool package for your deployment:

      - Web Administration Tool (No SSL)

        installp -acgyYXd cd_mount_point/usr/sys/inst.images idsldap.webadmin61

      - Web Administration Tool (SSL)

        installp -acgyYXd cd_mount_point/usr/sys/inst.images idsldap.webadmin_max_crypto61 idsldap.webadmin61

      Note: If you install the SSL package, the No SSL package is also required.


   b. Configure the Web Administration Tool into the application server. See "Installing the Web Administration Tool into WebSphere" on page 344.

7. Unmount the CD.

This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

   /usr/WebSphere/AppServer/bin/startServer.sh server1

or

   /opt/WebSphere/AppServer/bin/startServer.sh server1

To log in to the console, open a Web browser and type the following address:

   http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at:

http://www.ibm.com/software/tivoli/products/directory-server
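The installp step of the AIX procedure above, wrapped in a small POSIX shell script that checks the mount point before handing it to installp and picks the fileset list for the chosen deployment (the SSL package plus the No SSL package it requires). This is an added example, not a script from the guide or from IBM; the fileset names and installp options are the guide's, while the helper names, the dry-run output, the CD_MOUNT_POINT and DEPLOYMENT variables and the lslpp check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): guard and dry-run for the AIX installp step
# of the Web Administration Tool install. Fileset names and options are from
# the guide; helper names and environment variables are assumed here.

# Fileset list for a deployment type. The guide notes that the SSL package
# also requires the No SSL package, so "ssl" installs both filesets.
webadmin_filesets() {
    case "$1" in
        nossl) echo "idsldap.webadmin61" ;;
        ssl)   echo "idsldap.webadmin_max_crypto61 idsldap.webadmin61" ;;
        *)     echo "unknown deployment type: $1" >&2; return 1 ;;
    esac
}

# Verify that the mounted CD actually carries the install images directory
# before passing a path to installp; a wrong mount point fails early.
images_dir() {
    dir="$1/usr/sys/inst.images"
    [ -d "$dir" ] || { echo "no install images under $1" >&2; return 1; }
    echo "$dir"
}

# Compose the exact installp command the guide gives, for review before it
# is run (dry run). Prints the command; returns 1 on any check failure.
installp_cmd() {
    mount_point="$1"; deployment="$2"
    dir=$(images_dir "$mount_point") || return 1
    filesets=$(webadmin_filesets "$deployment") || return 1
    echo "installp -acgyYXd $dir $filesets"
}

# Perform the install (AIX only). CD_MOUNT_POINT and DEPLOYMENT are assumed
# environment variables; defaults are a constructed mount point and "nossl".
main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    cmd=$(installp_cmd "${CD_MOUNT_POINT:-/cdrom}" "${DEPLOYMENT:-nossl}") || exit 1
    echo "about to run: $cmd"
    $cmd
    # Confirm the No SSL fileset (required in both deployments) is installed.
    lslpp -L idsldap.webadmin61 >/dev/null || { echo "fileset not installed" >&2; exit 1; }
}

# Only install when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `CD_MOUNT_POINT=/cdrom DEPLOYMENT=ssl sh install_webadmin.sh --run` on the AIX host after the CD is mounted; without `--run` it only defines the functions.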

HP-UX: Installing the Web Administration Tool

To install the Web Administration Tool on HP-UX or HP-UX on Integrity, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.

4. Ensure that the following servers are set up in your secure domain:
   - IBM Tivoli Directory Server or proxy server
   - IBM WebSphere Application Server

   For instructions on installing these servers, see "Setting up IBM Tivoli Directory Server" on page 54 and "HP-UX: Installing WebSphere Application Server" on page 334.

5. Insert and mount the CD for your platform:
   - IBM Tivoli Access Manager Directory Server for HP-UX (2 of 2)
   - IBM Tivoli Access Manager Directory Server for HP-UX on Integrity (2 of 2)

6. Mount the CD using the HP-UX mount command. For example, enter the following:

   mount -F cdfs -o rr /dev/dsk/c0t0d0 /cd-rom

   where rr specifies the Rock Ridge CD format, /dev/dsk/c0t0d0 specifies the CD device, and /cd-rom specifies the mount point.

7. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps:

   a. Install the Web Administration Tool package:


      - For HP-UX

        swinstall -s /cd_mount_point/hp idsldap-webadmin61

      - For HP-UX on Integrity

        swinstall -s /cd_mount_point/hp_ia64 idsldap-webadmin61

   b. Configure the Web Administration Tool into the application server. See "Installing the Web Administration Tool into WebSphere" on page 344.

8. Unmount the CD as follows:

   umount /cd-rom

   where /cd-rom is the mount point.

This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

   /usr/WebSphere/AppServer/bin/startServer.sh server1

or

   /opt/WebSphere/AppServer/bin/startServer.sh server1

To log in to the console, open a Web browser and type the following address:

   http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at:

http://www.ibm.com/software/tivoli/products/directory-server

Linux: Installing the Web Administration Tool

To install the Web Administration Tool on Linux, follow these steps.

Note to Linux on System z users: You must first obtain access to the Linux rpm files, which are located in the /CD_mount_point/linux_s390 directory on the IBM Tivoli Access Manager Directory Server for Linux on System z CD.

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.

4. Ensure that the following servers are set up in your secure domain:
   - IBM Tivoli Directory Server or proxy server
   - IBM WebSphere Application Server

   For instructions on installing these servers, see "Setting up IBM Tivoli Directory Server" on page 54 and "Installing IBM WebSphere Application Server" on page 333.

5. Insert and mount the CD for your platform:
   - IBM Tivoli Access Manager Directory Server for Linux on x86 (2 of 2)


   - IBM Tivoli Access Manager Directory Server for Linux on System z (2 of 2)
   - IBM Tivoli Access Manager Directory Server for Linux on POWER (2 of 2)

6. Change to the /mnt/cdrom/distribution directory, where /mnt/cdrom is the mount point for your CD and distribution specifies linux_i386 for x86, linux_ppc for POWER, or linux_s390 for System z.

7. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps:

   a. Install the Web Administration Tool package for your deployment.

      - Linux on x86

        rpm -ihv idsldap-webadmin61-6.1.0-6.i386.rpm

      - Linux on System z

        rpm -ihv idsldap-webadmin61-6.1.0-6.s390.rpm

      - Linux on POWER

        rpm -ihv idsldap-webadmin61-6.1.0-6.ppc.rpm

   b. Install an application server such as WebSphere Application Server. See "Linux: Installing WebSphere Application Server" on page 335.

   c. Configure the Web Administration Tool into the application server. See "Installing the Web Administration Tool into WebSphere" on page 344.

8. Unmount the CD.

This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

   /usr/WebSphere/AppServer/bin/startServer.sh server1

or

   /opt/WebSphere/AppServer/bin/startServer.sh server1

To log in to the console, open a Web browser and type the following address:

   http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at:

http://www.ibm.com/software/tivoli/products/directory-server

Solaris: Installing the Web Administration Tool

The following procedure uses pkgadd to install the software package.

Attention: If you are installing on Solaris 10, using the -G option with the pkgadd utility is recommended. The -G option ensures that packages are added in the current zone only.

To install the Web Administration Tool on Solaris, follow these steps:

1. Log on as root.

2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.

4. Ensure that the following servers are set up in your secure domain:
   - IBM Tivoli Directory Server or proxy server
   - IBM WebSphere Application Server

   For instructions on installing these servers, see "Setting up IBM Tivoli Directory Server" on page 54 and "Installing IBM WebSphere Application Server" on page 333.

5. Insert the CD for your platform:
   - IBM Tivoli Access Manager Directory Server for Solaris (2 of 2)
   - IBM Tivoli Access Manager Directory Server for Solaris on x86_64 (2 of 2)

6. Install and configure the Web Administration Tool package of IBM Tivoli Directory Server. Complete the following steps:

   a. Install the Web Administration Tool package for your deployment.

      - Solaris

        pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault IDSlweb61

      - Solaris on x86

        pkgadd -d /cdrom/cdrom0/solaris_x86 -a /cdrom/cdrom0/solaris_x86/pddefault IDSlweb61

   b. Configure the Web Administration Tool into the application server. See "Installing the Web Administration Tool into WebSphere" on page 344.

7. Install the Web Administration Tool into your WebSphere Application Server configuration. For instructions, see page 344.

This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue one of the following commands:

   /usr/WebSphere/AppServer/bin/startServer.sh server1

or

   /opt/WebSphere/AppServer/bin/startServer.sh server1

To log in to the console, open a Web browser and type the following address:

   http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp

where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed. For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at:

http://www.ibm.com/software/tivoli/products/directory-server

Windows: Installing the Web Administration Tool

To install the Web Administration Tool on Windows, follow these steps:

1. Log on as any member of the Administrators group.


2. Ensure that all necessary operating system patches are installed. Also ensure that you have reviewed the most recent release information, including system requirements, disk space requirements, and known defects and limitations in the IBM Tivoli Access Manager for e-business: Release Notes or Technotes in the support knowledge database.

3. Ensure that system requirements for the Web Administration Tool are met. For information, see page 11.

4. Ensure that the following servers are set up in your secure domain:
   - IBM Tivoli Directory Server or proxy server
   - IBM WebSphere Application Server

   For instructions on installing these servers, see "Setting up IBM Tivoli Directory Server" on page 54 and "Installing IBM WebSphere Application Server" on page 333.

5. Insert the IBM Tivoli Access Manager Directory Server for Windows (2 of 3) CD.

6. Change directory to:

   <CD-drive>:\windows\tds

7. Double-click the install_tds.bat icon. The language window is displayed.

8. Select the language you want to use during the installation. Click OK.

9. On the Welcome window, click Next.

10. After reading the software license agreement, select I accept both the IBM and the non-IBM terms. Click Next.

11. If you have any components already installed, they are displayed with their corresponding version levels. Click Next.

12. To install in the default directory, click Next. You can specify a different directory by clicking Browse or typing the directory path you want. The directory will be created if it does not exist.

13. Click Custom and then click Next.

14. A window showing the following components for installation is displayed:
   - Tivoli Global Security Kit
   - DB2 V9.1
   - Embedded WebSphere Application Server
   - C Client 6.1
   - Java Client 6.1
   - Web Administration Tool 6.1
   - Proxy Server 6.1
   - Server 6.1

   Follow the online instructions to complete the installation. Ensure that you select Web Administration Tool 6.1 and clear all other installation features.

This step completes the installation of the Web Administration Tool. To start the Web Administration Tool, go to the directory where you installed WebSphere Application Server and issue the following command:

   C:\Program Files\IBM\WebSphere\AppServer\bin\startServer.bat server1

To log in to the console, open a Web browser and type the following address:

   http://localhost:12100/IDSWebApp/IDSjsp/Login.jsp


where localhost specifies the name or IP address of the host system where the Web Administration Tool and WebSphere Application Server are installed.

For more information about using the Web Administration Tool, see the IBM Tivoli Directory Server Administration Guide at:

http://www.ibm.com/software/tivoli/products/directory-server

Installing the Web Administration Tool into WebSphere

After you install the Web Administration Tool package, you must install the Web Administration Tool into WebSphere Application Server. To do so, use the following instructions as a guide.

For complete information on installing an application into a WebSphere Application Server configuration, see the IBM WebSphere Application Server documentation at:
- http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
- http://www.ibm.com/software/webservers/appserv/infocenter.html

To install the Web Administration Tool into your WebSphere Application Server configuration, follow these steps:

1. Open the WebSphere Application Server Administrative Console. For example, enter the following from a supported Web browser:

   http://hostname:9060/ibm/console

   where hostname specifies the name or IP address of the system where the IBM WebSphere Application Server is installed.

2. Log in to the console using a valid user ID and, if applicable, password.

3. Click Applications → Install New Applications in the console navigation tree. The first of two Preparing for application install pages is shown.

4. On the first Preparing for application install page:

   a. Specify the full path of the Web Administration Tool application standalone IDSWebApp.war file as follows:

      1) On UNIX or Linux systems:

         install_dir/idstools/IDSWebApp.war

         where install_dir is the installation directory that you specified when installing the Web Administration Tool. For example: /opt/IBM/ldap/V6.1

      2) On Windows systems:

         install_dir/idstools/IDSWebApp.war

         where install_dir is the installation directory that you specified when installing the Web Administration Tool. For example: C:\Program Files\IBM\LDAP\V6.1

   b. In the Context Root field, specify the following value:

      /IDSWebApp

   c. Click Next.

5. Select whether to generate default bindings or accept the defaults, and click Next. Using the default bindings causes any incomplete bindings in the application to be filled in with default values. Existing bindings are not altered. You can customize the default values used in generating default bindings. The Install New Applications pages are displayed.


6. (Step 1: Provide options to perform the install) Ensure that the Application Name field contains IDSWebApp_war, accept the default values, and click Next.

7. (Step 2: Map modules to servers) Select IBM Tivoli Directory Server Web Application v2.0 as the Web Module, select Clusters and Servers, and click Apply.

8. Click Next.

9. (Step 3: Map virtual hosts for web modules) Select IBM Tivoli Directory Server Web Application v2.0 and click Next.

10. (Step 4: Summary) Review the installation options and click Finish.

11. When the Save to Master Configuration page is displayed, click Save to save the changes to your configuration. The application is registered with the administrative configuration.

12. On the Enterprise Applications panel, select IDSWebApp_war and click Start.


Chapter 19. Uninstalling components

Uninstalling Tivoli Access Manager is a two-part process. You must first unconfigure components and then remove Tivoli Access Manager packages.

This chapter provides the following sections:
- "Unconfiguring Tivoli Access Manager components" on page 348
- "Unconfiguring IBM Tivoli Directory Server" on page 349
- "Removing packages" on page 351

Attention

Do not unconfigure the Access Manager Runtime component unless all Tivoli Access Manager applications installed on the system, such as WebSEAL and other Web server plug-ins, have already been unconfigured. Otherwise, the Tivoli Access Manager application is left in an unusable state.

Unconfigure and remove the policy server system last.

© Copyright IBM Corp. 2001, 2010 347


Unconfiguring Tivoli Access Manager components

Before you remove Tivoli Access Manager packages, you must ensure that the component is unconfigured (if needed). To do so, follow these steps.

1. On UNIX or Linux, log on as root. On Windows, log on as a user with Windows administrator privileges.

2. To start the configuration utility, enter the following command:

   pdconfig

   Note: On Windows systems, you also can select Start → Programs → Access Manager → Configuration.

   The Access Manager Setup Menu is displayed.

3. Unconfigure components in the following order:

   a. Access Manager Attribute Retrieval Service
   b. Access Manager session management command line interface, or Access Manager session management service
   c. Access Manager Web Portal Manager, Access Manager WebSEAL, Access Manager Plug-in for Edge Server, or Access Manager Plug-in for Web Servers
   d. Access Manager Authorization Server
   e. Access Manager Policy Proxy Server, standby Access Manager Policy Server
   f. Access Manager Policy Server
   g. Access Manager Runtime and Access Manager Runtime for Java

   To unconfigure a component on UNIX, type the number of the menu item for the Tivoli Access Manager component. To unconfigure a component on Windows, select a component and then click Unconfigure. Repeat this procedure for each package that you want to unconfigure.

   Notes:

   a. If a component is not configured, then you can simply remove it.

   b. If you are using an LDAP user registry and are unconfiguring a policy server or policy proxy server, you are prompted for the distinguished name (cn=root) and password of the LDAP Administrator.

   c. When unconfiguring the policy server:
      - You are warned that configuration and authorization information for all Tivoli Access Manager servers and applications installed in the management domain will be removed. To proceed, enter y.
      - You are prompted whether you wish to permanently remove domain information from the registry. Enter y to remove all domain information, including user and group information. Enter n to remove domain information but retain user and group information so that the domain can be recreated later if needed.

   d. If you have either the Access Manager Runtime for Java or Web Portal Manager installed, but not the Access Manager Runtime, use the /opt/PolicyDirector/sbin/pdjrtecfg utility to unconfigure Access Manager Runtime for Java as follows:

      /opt/PolicyDirector/sbin/pdjrtecfg -action unconfig -interactive

      and use the /opt/PolicyDirector/sbin/amwpmcfg utility to unconfigure Access Manager Web Portal Manager as follows:

      /opt/PolicyDirector/sbin/amwpmcfg -action unconfig -interactive


Unconfiguring IBM Tivoli Directory Server

Unconfiguring IBM Tivoli Directory Server involves unconfiguring the database from the directory server instance and removing the directory server instance. Back up your directory and any existing schema files before starting this procedure.

Unconfiguring the database

The database associated with a directory server instance can be unconfigured using either the Configuration Tool or the command line.

Using the Configuration Tool

To unconfigure the database associated with a directory server instance using the Configuration Tool:
1. On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. Start the Configuration Tool by entering the following command:
   idsxcfg
3. Click Unconfigure database in the navigation pane.
4. In the Unconfigure Database window, select one of the following:
   Unconfigure database
      Removes information about the database from the configuration file for the directory server instance. However, the database and its data are left intact. This makes the database inaccessible to the directory server instance but does not destroy any data in the database.
   Unconfigure and destroy database
      Deletes the database and its contents and removes information about the database from the configuration file for the directory server instance.
5. Click Unconfigure. Click Yes to confirm the operation.

Using the command line

Use the idsucfgdb command to unconfigure a database for a directory server instance.

By default, idsucfgdb unconfigures the database from the ibmslapd.conf file but does not delete the database. You can optionally specify to delete the database also.

Note: On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.

For example:
• To unconfigure the database for directory server instance my_instance, enter the command:
  idsucfgdb -n -I my_instance
  Note: The -n option specifies not to prompt the user for confirmation before unconfiguring.

• To unconfigure and delete the database for directory server instance my_instance, enter the command:
  idsucfgdb -r -n -I my_instance


Notes:

1. The -n option specifies not to prompt the user for confirmation before unconfiguring.
2. The -r option specifies deletion of the database.

See the IBM Tivoli Directory Server Version 6.1 Command Reference for detailed information about the idsucfgdb command.

Deleting a directory server instance

A directory server instance and its associated database instance can be deleted using either the Instance Administration Tool or the command line.

Using the Instance Administration Tool

To delete a directory server instance, and optionally, its associated database instance:
1. On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. Stop the directory instance, if it is running.
3. Start the Instance Administration Tool, if it is not already running.
   • On UNIX, Linux, or Windows systems, enter the following command:
     idsxinst
   • On Windows systems, you also can click Start → Programs → IBM Tivoli Directory Server 6.1 → Instance Administration Tool.
4. In the IBM Tivoli Directory Server Instance Administration Tool window, select the instance to delete and click Delete....
5. In the Delete directory server instance window, select one of the following options:
   Delete directory server instance only
      To remove the directory server instance but leave the database instance intact.
   Delete directory server instance and destroy associated database instance
      To remove both the directory server instance and the database instance.
6. Click Delete. Messages are displayed in the Task Messages pane as the operation is performed.
7. Click Close after the operation completes to close the window and return to the main window of the Instance Administration Tool.
8. If you have finished using the Instance Administration Tool, click Close to exit the tool.

Using the command line

Use the idsidrop command to delete a directory server instance.
1. On UNIX and Linux systems, log on as root. On Windows systems, log on with a user ID that is a member of the Administrators group.
2. Stop the directory instance to be removed.
3. Enter the command to delete the instance. Provide the appropriate options for the command.
   Examples:
   • To remove the directory server instance but retain the associated database instance:
     idsidrop -I <instance_name>


   • To remove a directory server instance and destroy the associated database instance:
     idsidrop -I <instance_name> -r
   • To unconfigure the associated database instance without removing a directory server instance:
     idsidrop -I <instance_name> -R

See the IBM Tivoli Directory Server Version 6.1 Command Reference for information about the idsidrop command.

Removing packages

Uninstalling Tivoli Access Manager is a two-part process. You must unconfigure components and then remove them, unless instructed to do otherwise, such as during the upgrade process.
• AIX on page 351
• HP-UX on page 353
• Linux on page 354
• Solaris on page 356
• Windows on page 357

AIX: Removing packages

Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from an AIX system, follow these steps:
1. Ensure that the components are unconfigured (if necessary). Follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 348.
2. Enter the following command:
   installp -u -g packages
   where packages specifies one or more of the following.

   Note: Use the -g option only if you want dependent software for the specified package removed.

   AIX Certificate and SSL Base Runtime Acme Toolkit, IBM Global Security Kit (GSKit)
      gsksa.rte, gskta.rte
   IBM Tivoli Directory Server Web Administration Tool (No SSL)
      idsldap.webadmin61
   IBM Tivoli Directory Server Web Administration Tool (SSL)
      idsldap.webadmin_max_crypto61
   IBM Tivoli Directory Server client (base, 32-bit client without SSL, 64-bit client without SSL, 32-bit client with SSL, and 64-bit client with SSL)
      idsldap.cltbase61, idsldap.clt32bit61, idsldap.clt64bit61, idsldap.clt_max_crypto32bit61, idsldap.clt_max_crypto64bit61, idsldap.cltjava61


   IBM Tivoli Directory Server (64-bit server and 64-bit proxy server without SSL, the 64-bit server and 64-bit proxy server with SSL, and English messages)
      idsldap.srv64bit61, idsldap.srvproxy64bit61, idsldap.srv_max_crypto64bit61, idsldap.srv_max_cryptoproxy64bit61, idsldap.msg61.en_US, idsldap.ent61
   Access Manager Application Development Kit
      PD.AuthADK
   Access Manager Attribute Retrieval Service
      PDWeb.ARS
   Access Manager Authorization Server
      PD.Acld
   Access Manager License
      PD.lic
   Access Manager Plug-in for IBM HTTP Server
      PD.WPIIHS
   Access Manager Plug-in for Sun Java System Web Server
      PD.WPIiPlanet
   Access Manager Plug-in for Web Servers
      PD.WPI
   Access Manager Policy Proxy Server
      PD.MgrPrxy
   Access Manager Policy Server
      PD.Mgr
   Access Manager Runtime
      PD.RTE
   Access Manager Runtime for Java
      PDJ.rte
   Access Manager Session Management Command Line
      PD.SMSCLI
   Access Manager Session Management Server
      PD.SMS
   Access Manager Web Portal Manager
      PD.WPM
   Access Manager Web Security ADK
      PDWeb.ADK
   Access Manager Web Security Runtime
      PDWeb.RTE
   Access Manager WebSEAL
      PDWeb.Web
   Tivoli Security Utilities
      TivSec.Utl

Removing DB2

To remove DB2 from an AIX system:
1. Log in as a user with root authority.
2. Change to the following directory:
   db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
   ./db2_deinstall -a

Removing WebSphere Application Server

To remove WebSphere Application Server from an AIX system, run the following command from the command prompt:
/usr/IBM/WebSphere/AppServer/uninstall/uninstall

Removing IBM HTTP Server

To remove IBM HTTP Server from an AIX system, run the following command from the command prompt:
/http_server_Install_path/uninstall/uninstall


Removing plug-in for Web servers

To remove the plug-in for Web servers from an AIX system, run the following command from the command prompt:
/WebSphere_Install_path/Plugins/uninstall/uninstall

HP-UX: Removing packages

Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from an HP-UX or HP-UX on Integrity system, follow these steps:
1. Ensure that the components are unconfigured. Follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 348.
2. Enter the following command:
   swremove packages
   where packages specifies one or more of the following component packages:

   IBM gsk7 Runtime Kit, IBM Global Security Kit (GSKit)
      HP-UX: gsk7bas
      HP-UX on Integrity: gsk7bas32
      HP-UX and HP-UX on Integrity: gsk7bas64
   IBM Tivoli Directory Server Web Administration Tool
      idsldap-webadmin61
   IBM Tivoli Directory Server client (base and 32-bit client or 64-bit client packages)
      idsldap-cltbase61 and idsldap-clt32bit61 or idsldap-clt64bit61 and idsldap-cltjava61
   IBM Tivoli Directory Server (64-bit server and 64-bit proxy server packages)
      idsldap-svr64bit61 and idsldap-srvproxy64bit61
   Access Manager Application Development Kit
      PDAuthADK
   Access Manager Attribute Retrieval Service
      PDWebARS (not on HP-UX Integrity)
   Access Manager Authorization Server
      PDAcld
   Access Manager License
      PDlic
   Access Manager Policy Proxy Server
      PDMgrPrxy
   Access Manager Policy Server
      PDMgr
   Access Manager Runtime
      PDRTE
   Access Manager Runtime for Java
      PDJrte
   Access Manager Session Management Command Line
      PDSMSCLI (not on HP-UX Integrity)
   Access Manager Session Management Server
      PDSMS (not on HP-UX Integrity)
   Access Manager Web Portal Manager
      PDWPM
   Access Manager Web Security ADK
      PDWebADK
   Access Manager Web Security Runtime
      PDWebRTE
   Access Manager WebSEAL
      PDWeb
   Tivoli Security Utilities
      TivSecUtl

   A prompt is displayed indicating that the pre-removal script is being run. Each file is listed as it is removed.


Removing DB2

To remove DB2 from an HP-UX or HP-UX on Integrity system:
1. Log in as a user with root authority.
2. Change to the following directory:
   db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
   ./db2_deinstall -a

Removing WebSphere Application Server

To remove WebSphere Application Server from an HP-UX system, run the following command from the command prompt:
/opt/IBM/WebSphere/AppServer/uninstall/uninstall

Removing IBM HTTP Server

To remove IBM HTTP Server from an HP-UX system, run the following command from the command prompt:
/http_server_Install_path/uninstall/uninstall

Removing plug-in for Web servers

To remove the plug-in for Web servers from an HP-UX system, run the following command from the command prompt:
/WebSphere_Install_path/Plugins/uninstall/uninstall

Linux: Removing packages

Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from a Linux system, follow these steps:
1. Ensure that you have unconfigured the components. Follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 348.
2. Enter the following command:
   rpm -e packages
   where packages specifies one or more of the following component packages:

   IBM Global Security Kit (GSKit) (32-bit or 64-bit)
      gsk7bas-7.0-4.11 or gsk7bas64-7.0-4.11
   IBM Tivoli Directory Server Web Administration Tool
      idsldap.webadmin61-6.1.0-6
   IBM Tivoli Directory Server client (base and 32-bit client or 64-bit client packages)
      idsldap-cltbase61-6.1.0-6 and idsldap-clt32bit61-6.1.0-6 or idsldap-clt64bit61-6.1.0-6 and idsldap-cltjava61-6.1.0-6
   IBM Tivoli Directory Server (32-bit server and 32-bit proxy server packages)
      idsldap-srv32bit61-6.1.0-6 and idsldap-srvproxy32bit61-6.1.0-6, idsldap-srvbase32bit61-6.1.0-6
   IBM Tivoli Directory Server (64-bit server and 64-bit proxy server packages)
      idsldap-srv64bit61-6.1.0-6 and idsldap-srvproxy64bit61-6.1.0-6
   Access Manager Application Development Kit
      PDAuthADK-PD-6.1.1.0-0


   Access Manager Attribute Retrieval Service (Linux on System z and Linux on x86 only)
      PDWebARS-PD-6.1.1.0-0
   Access Manager Authorization Server
      PDAcld-PD-6.1.1.0-0
   Access Manager License
      PDlic-PD-6.1.1.0-0
   Access Manager Plug-in for Apache Web Server (Linux on System z only)
      PDWPI-Apache-6.1.1.0-0
   Access Manager Plug-in for IBM HTTP Server (Linux on x86 and Linux on System z)
      PDWPI-IHS-6.1.1.0-0
   Access Manager Plug-in for Web Servers (Linux on System z and Linux on x86)
      PDWPI-PD-6.1.1.0-0
   Access Manager Policy Proxy Server
      PDMgrPrxy-PD-6.1.1.0-0
   Access Manager Policy Server
      PDMgr-PD-6.1.1.0-0
   Access Manager Runtime
      PDRTE-PD-6.1.1.0-0
   Access Manager Runtime for Java
      PDJrte-PD-6.1.1.0-0
   Access Manager Session Management Command Line (Linux on System z only)
      PDSMS-CLI-6.1.1.0-0
   Access Manager Session Management Server (Linux on System z only)
      PDSMS-PD-6.1.1.0-0
   Access Manager Web Portal Manager
      PDWPM-PD-6.1.1.0-0
   Access Manager Web Security ADK (Linux on System z and Linux on x86 only)
      PDWebADK-PD-6.1.1.0-0
   Access Manager Web Security Runtime (Linux on System z and Linux on x86 only)
      PDWebRTE-PD-6.1.1.0-0
   Access Manager WebSEAL (Linux on System z and Linux on x86 only)
      PDWeb-PD-6.1.1.0-0
   Tivoli Security Utilities
      TivSecUtl-TivSec-6.1.1.0-0

   Note: Not all of the packages listed are available for each type of Linux (Linux on System z, Linux on x86, or Linux on POWER).
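Added example, not from the IBM guide: a POSIX sh wrapper around the rpm -e step above that reports which of the 6.1.1 packages in the table are actually installed, flags Access Manager packages at a different level so they are not removed blindly, and does a dry run unless told otherwise. The function names are constructed for this example; the package names are the ones the table lists for Linux.

```shell
#!/bin/sh
# Added example (not from the IBM guide). Before "rpm -e", find out which Tivoli
# Access Manager 6.1.1 packages from the table are really installed, flag anything
# that looks like Access Manager but is not in the table, and remove only on an
# explicit "--yes". Function names are constructed for this example.

# Package name-version-release strings exactly as the guide lists them for rpm -e.
TAM_LINUX_PACKAGES="
PDAuthADK-PD-6.1.1.0-0
PDWebARS-PD-6.1.1.0-0
PDAcld-PD-6.1.1.0-0
PDlic-PD-6.1.1.0-0
PDWPI-Apache-6.1.1.0-0
PDWPI-IHS-6.1.1.0-0
PDWPI-PD-6.1.1.0-0
PDMgrPrxy-PD-6.1.1.0-0
PDMgr-PD-6.1.1.0-0
PDRTE-PD-6.1.1.0-0
PDJrte-PD-6.1.1.0-0
PDSMS-CLI-6.1.1.0-0
PDSMS-PD-6.1.1.0-0
PDWPM-PD-6.1.1.0-0
PDWebADK-PD-6.1.1.0-0
PDWebRTE-PD-6.1.1.0-0
PDWeb-PD-6.1.1.0-0
TivSecUtl-TivSec-6.1.1.0-0
"

# installed_tam_packages: read an "rpm -qa"-style list (one name-version-release
# per line) on stdin and print the packages from the table that are present, in
# table order. Matching is exact, so a different fix level is never silently removed.
installed_tam_packages() {
    installed=$(cat)
    for pkg in $TAM_LINUX_PACKAGES; do
        printf '%s\n' "$installed" | grep -qxF "$pkg" && printf '%s\n' "$pkg"
    done
    return 0
}

# unexpected_tam_packages: same input; print installed packages whose name starts
# with PD or TivSec (the prefixes used in the table) but that are not in the table,
# for example a different fix pack. Those need a manual decision, not "rpm -e".
unexpected_tam_packages() {
    grep -E '^(PD|TivSec)' | while read -r line; do
        printf '%s\n' "$TAM_LINUX_PACKAGES" | grep -qxF "$line" || printf '%s\n' "$line"
    done
    return 0
}

# remove_tam_packages [--yes]: dry run unless --yes is given. Must be root, and
# assumes the components were already unconfigured and services stopped, as the
# guide requires. The --qf format pins rpm's output to name-version-release so it
# matches the table regardless of the local default query format.
remove_tam_packages() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "remove_tam_packages: must be run as root" >&2
        return 1
    fi
    all=$(rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n')
    to_remove=$(printf '%s\n' "$all" | installed_tam_packages)
    odd=$(printf '%s\n' "$all" | unexpected_tam_packages)
    [ -n "$odd" ] && printf 'Not in the 6.1.1 table, review by hand:\n%s\n' "$odd"
    if [ -z "$to_remove" ]; then
        echo "No Tivoli Access Manager 6.1.1 packages installed."
        return 0
    fi
    if [ "${1:-}" != "--yes" ]; then
        printf 'Dry run. Would remove (pass --yes to remove):\n%s\n' "$to_remove"
        return 0
    fi
    # Word splitting on $to_remove is intended: one argument per package.
    rpm -e $to_remove
}
```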

Removing DB2

To remove DB2 from a Linux system:
1. Log in as a user with root authority.
2. Change to the following directory:
   db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
   ./db2_deinstall -a


Removing WebSphere Application Server

To remove WebSphere Application Server from a Linux system, run the following command from the command prompt:
/opt/IBM/WebSphere/AppServer/uninstall/uninstall

Removing IBM HTTP Server

To remove IBM HTTP Server from a Linux system, run the following command from the command prompt:
/http_server_Install_path/uninstall/uninstall

Removing plug-in for Web servers

To remove the plug-in for Web servers from a Linux system, run the following command from the command prompt:
/WebSphere_Install_path/Plugins/uninstall/uninstall

Solaris: Removing packages

Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.

To remove components from a Solaris or Solaris on x86_64 system, follow these steps:
1. Ensure that the components are unconfigured. To unconfigure components, follow the instructions in “Unconfiguring Tivoli Access Manager components” on page 348.
2. To remove a package, enter the following command:
   pkgrm packages
   where packages specifies one of the following component packages:

   IBM Global Security Kit (GSKit)
      gsk7bas or gsk7bas64
   IBM Tivoli Directory Server Web Administration Tool
      IDSlweb61
   IBM Tivoli Directory Server client (base and 32-bit client or 64-bit client packages)
      IDSl32c61 or IDSl64c61 and IDSlbc61 and IDSljc61
   IBM Tivoli Directory Server (64-bit server and 64-bit proxy server packages)
      IDSlbs61 and IDSl64s61
   Access Manager Application Development Kit
      PDAuthADK
   Access Manager Attribute Retrieval Service
      PDWebARS (not on Solaris on x86_64)
   Access Manager Authorization Server
      PDAcld
   Access Manager License
      PDlic
   Access Manager Plug-in for Apache Web Server
      PDWPIapa (not on Solaris x86_64)
   Access Manager Plug-in for IBM HTTP Server
      PDWPIihs (not on Solaris x86_64)
   Access Manager Plug-in for Sun Java System Web Server
      PDWPIipl (not on Solaris x86_64)
   Access Manager Plug-in for Web Servers
      PDWPI (not on Solaris x86_64)
   Access Manager Policy Proxy Server
      PDMgrPrxy


   Access Manager Policy Server
      PDMgr
   Access Manager Runtime
      PDRTE
   Access Manager Runtime for Java
      PDJrte
   Access Manager Session Management Command Line
      PDSMSCLI (not on Solaris x86_64)
   Access Manager Session Management Server
      PDSMS (not on Solaris x86_64)
   Access Manager Web Portal Manager
      PDWPM
   Access Manager Web Security ADK
      PDWebADK
   Access Manager Web Security Runtime
      PDWebRTE
   Access Manager WebSEAL
      PDWeb
   Tivoli Security Utilities
      TivSecUtl
3. When prompted to confirm the removal of these components, enter y.

A prompt is displayed indicating that the pre-removal script is being run. Each file is listed as it is removed.

Removing DB2

To remove DB2 from a Solaris or Solaris on x86_64 system:
1. Log in as a user with root authority.
2. Change to the following directory:
   db2_install_dir/install
   where db2_install_dir is the directory where DB2 is installed.
3. Run the following command:
   ./db2_deinstall -a

Removing WebSphere Application Server

To remove WebSphere Application Server from a Solaris system, run the following command from the command prompt:
/opt/IBM/WebSphere/AppServer/uninstall/uninstall

Removing IBM HTTP Server

To remove IBM HTTP Server from a Solaris system, run the following command from the command prompt:
/http_server_Install_path/uninstall/uninstall

Removing plug-in for Web servers

To remove the plug-in for Web servers from a Solaris system, run the following command from the command prompt:
/WebSphere_Install_path/Plugins/uninstall/uninstall

Windows: Removing packages

To remove components from a Windows system, follow these steps:
1. Log on as a user with Windows administrator privileges.
2. Before removing packages, ensure that you stop all Tivoli Access Manager services and applications.
3. Select Start → Control Panel and then click Add/Remove Programs.
4. Select one of the installed components and then click Remove.


   You can select to uninstall the following Tivoli Access Manager packages:
   • IBM Tivoli Directory Server Web Administration Tool
   • IBM Tivoli Directory Server
   • IBM DB2
   • Access Manager Application Development Kit
   • Access Manager Attribute Retrieval Service
   • Access Manager Authorization Server
   • Access Manager License
   • Access Manager Plug-in for Internet Information Services
   • Access Manager Plug-in for Web Servers
   • Access Manager Policy Proxy Server
   • Access Manager Policy Server
   • Access Manager Session Management Command Line
   • Access Manager Session Management Server
   • Access Manager Runtime
   • Access Manager Runtime for Java
   • Access Manager Web Portal Manager
   • Access Manager Web Security ADK
   • Access Manager Web Security Runtime
   • Access Manager WebSEAL
   • Tivoli Security Utilities
5. Select another component from the list or click OK to exit the program.
6. You cannot uninstall IBM Global Security Kit (GSKit) using the Add/Remove Programs icon as you can the other Tivoli Access Manager components. To remove GSKit from your system, enter the following command:
   isuninst -f"c:\Program Files\ibm\gsk7\gsk7bui.isu" PolicyDirector
   where c:\Program Files\ibm\gsk7 is the fully qualified path where the gsk7BUI.isu file is located.

Removing WebSphere Application Server

To remove WebSphere Application Server from a Windows system, run the following command from the command prompt:
C:\Program Files\IBM\WebSphere\AppServer\uninstall\uninstall.exe

Removing IBM HTTP Server

To remove IBM HTTP Server from a Windows system, run the following command from the command prompt:
/http_server_Install_path/uninstall/uninstall.exe

Removing plug-in for Web servers

To remove the plug-in for Web servers from a Windows system, run the following command from the command prompt:
/WebSphere_Install_path/Plugins/uninstall/uninstall.exe


Chapter 20. Installation wizard scenarios

This chapter provides step-by-step instructions with illustrations on how to install and configure the following Tivoli Access Manager systems using installation wizards.
• “Installing the IBM Tivoli Directory Server (install_ldap_server wizard)” on page 360
• “Installing the policy server (install_ammgr wizard)” on page 369

For descriptions of configuration option prompts, see Chapter 21, “Installation wizard options,” on page 377.


Installing the IBM Tivoli Directory Server (install_ldap_server wizard)

The following scenario uses the install_ldap_server wizard to install and configure IBM Tivoli Directory Server as the Tivoli Access Manager registry. This program installs and configures all necessary software on your system, including prerequisite products, Tivoli Access Manager components, and associated patches. Operating system patches are not installed.

Pre-installation requirements

• The installation wizard enables Secure Socket Layer (SSL) security. You can choose to have the installation wizard automatically generate an SSL key database file named am_key.kdb with a self-signed certificate for you, or use an SSL key database file that you have already created. For information on creating your own key database file and obtaining a certificate from a Certificate Authority (CA), see Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.
• The install_ldap_server wizard creates a user for you. If you wish to create a user manually, you must perform the following pre-installation tasks (as required) before you install and configure IBM Tivoli Directory Server.
  – On UNIX or Linux platforms, the user must have a home directory and must be the owner of the home directory.
  – Choose a directory where the DB2 database will be located. The installation wizard will prompt for this directory under Directory server database home.
    - The group ownership of the DB2 database directory should be the DB2 group created when DB2 was installed. On AIX and Solaris, this group is usually named dbsysadm. For Linux on System z, this group is usually named db2iadm1. For example, in the case of a user named ldapdb2, the database directory should be owned by ldapdb2:dbsysadm on AIX and Solaris or by ldapdb2:db2iadm1 for Linux on System z.
      There might be some groups that do not work correctly as the user’s primary group when configuring the database. For example, if the user’s primary group on Linux is users, problems might occur. For best results, use bin as the group.
  – The user root must be a member of the group chosen to own the DB2 database directory. If root is not a member of this group, add root as a member of the group.
  – For best results, the user’s login shell should be the Korn shell (/usr/bin/ksh).
  – The user’s password must be set correctly and ready to use. For example, the password cannot be expired or waiting for a first-time validation of any kind. (The best way to verify that the password is correctly set is to telnet to the same computer and successfully log in with that user ID and password.)
  – When configuring the database, it is not necessary, but customary, to specify the home directory of the user ID as the database location. However, if you specify some other location, the user’s home directory still must have 3 to 4 MB of space available. This space is required because DB2 creates links and adds files into the home directory of the instance owner (that is, the user) even though the database itself is located elsewhere. If you do not have enough space in the home directory, you can either create enough space or specify another directory as the home directory.
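Added example, not from the IBM guide: a POSIX sh pre-flight check for a manually created DB2 user that verifies the requirements above (home directory ownership, database directory group, root in that group, Korn shell, free space in the home directory) together with the encryption seed rule and the 80 MB database-home rule from step 9 of the scenario that follows. Function names are constructed for this example, and a GNU/Linux userland (getent, stat -c, df -P) is assumed.

```shell
#!/bin/sh
# Added example (not from the IBM guide): pre-flight checks for the DB2 user that
# install_ldap_server will use. Function names are constructed for this example;
# GNU/Linux userland (getent, stat -c, df -P) is assumed.

# dir_owned_by DIR USER GROUP: true if DIR exists and is owned by USER:GROUP.
dir_owned_by() {
    [ -d "$1" ] && [ "$(stat -c '%U:%G' "$1")" = "$2:$3" ]
}

# user_in_group USER GROUP: true if USER is a member (primary or supplementary).
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# free_mb DIR: free space on the file system holding DIR, in whole megabytes.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# validate_encryption_seed SEED: the seed must be 12 to 1016 characters long and
# consist only of printable ASCII in the range 33 to 126 (no spaces, no non-ASCII).
validate_encryption_seed() {
    n=$(printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' ')
    [ "$n" -ge 12 ] && [ "$n" -le 1016 ] || return 1
    # Delete every allowed byte; anything left (space, control, >126) is invalid.
    bad=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# check_db2_user USER GROUP DBDIR: run every check, print ok/FAIL/WARN per check
# and return non-zero if a required check failed. The password check cannot be
# scripted; the guide's advice is to log in as the user and confirm it works.
check_db2_user() {
    user=$1; group=$2; dbdir=$3; rc=0
    entry=$(getent passwd "$user") || { echo "FAIL: user $user does not exist"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    if [ -d "$home" ] && [ "$(stat -c %U "$home")" = "$user" ]; then
        echo "ok:   $user owns home directory $home"
    else
        echo "FAIL: $user must own its home directory $home"; rc=1
    fi
    if dir_owned_by "$dbdir" "$user" "$group"; then
        echo "ok:   $dbdir is owned by $user:$group"
    else
        echo "FAIL: $dbdir must be owned by $user:$group"; rc=1
    fi
    if user_in_group root "$group"; then
        echo "ok:   root is a member of $group"
    else
        echo "FAIL: root must be added to group $group"; rc=1
    fi
    case $shell in
        */ksh) echo "ok:   login shell is $shell" ;;
        *)     echo "WARN: login shell is $shell; the guide recommends /usr/bin/ksh" ;;
    esac
    mb=$(free_mb "$home")
    if [ "$mb" -ge 4 ]; then
        echo "ok:   ${mb} MB free in $home (DB2 needs 3 to 4 MB for instance links)"
    else
        echo "FAIL: only ${mb} MB free in $home; DB2 needs 3 to 4 MB"; rc=1
    fi
    mb=$(free_mb "$dbdir")
    if [ "$mb" -ge 80 ]; then
        echo "ok:   ${mb} MB free in $dbdir (at least 80 MB required, plus growth)"
    else
        echo "FAIL: only ${mb} MB free in $dbdir; at least 80 MB required"; rc=1
    fi
    return $rc
}

# Example invocation with the guide's AIX/Solaris names (not executed here):
#   check_db2_user ldapdb2 dbsysadm /home/ldapdb2
#   validate_encryption_seed 0123456789012 && echo "seed ok"
```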


install_ldap_server scenario

To install and configure IBM Tivoli Directory Server and its prerequisite software, follow these steps:
1. Log on as root or as an administrative user.
2. Insert the IBM Tivoli Access Manager Directory Server (1 of 2) CD for your UNIX or Linux platform or the IBM Tivoli Access Manager Directory Server (1 of 3) CD for Windows platforms.
3. Ensure that you have a supported JVM installed and that the path to the JVM is set. Otherwise, you will receive the following message during installation:
   A suitable JVM could not be found.
   Please run the installer again using the option -is:javahome <JAVA HOME DIR>
   To install the supported JRE package included with Tivoli Access Manager, see “Installing IBM Java Runtime” on page 318.
4. To start the installation wizard, change to the root directory of the CD and enter the following:
   ./install_ldap_server
5. Select the language that you want to use for the installation and click OK.
6. The Welcome screen is displayed. Click Next to continue.
7. Read the license agreement and select the I accept check box if you agree to the terms. Click Next to continue.
8. Do one of the following:
   • Windows systems: The next panels prompt you to specify installation directories for:
     IBM Global Security Kit (GSKit): C:\Program Files\IBM\gskta
     IBM DB2: C:\Program Files\IBM\SQLLIB


     IBM Tivoli Directory Server: C:\Program Files\IBM\LDAP\V6.1
     IBM Tivoli Directory Server client: C:\Program Files\IBM\LDAP\V6.1
     Accept the default directories, or click Browse to select another directory. Click Next to continue.
   • UNIX or Linux systems: Skip to step 9. The installation wizard automatically installs IBM Global Security Kit (GSKit), IBM DB2, and the IBM Tivoli Directory Server in the following directories:
     – IBM Global Security Kit (GSKit) installation directory
       AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
       HP-UX on Integrity:
         • On 32-bit: /opt/ibm/gsk7_32
         • On 64-bit: /opt/ibm/gsk7_64
       HP-UX and Solaris: /opt/ibm/gsk7
       Linux: /usr/local/ibm/gsk7
     – IBM DB2 installation directory
       UNIX and Linux: /opt/IBM/db2/V9.1
     – IBM Tivoli Directory Server installation directory
       UNIX: /opt/IBM/ldap/V6.1
       Linux: /opt/ibm/ldap/V6.1
     – IBM Tivoli Directory Server client installation directory
       UNIX: /opt/IBM/ldap/V6.1
       Linux: /opt/ibm/ldap/V6.1
9. Complete the following fields about DB2 and then click Next to continue.
   a. DB2 administrator ID (also used for the instance name) — Enter the DB2 administrator ID for the DB2 database owner ID (for example, db2admin for Windows or ldapdb2 for UNIX).


      • The user ID can be no longer than 8 characters.
      • The identity that you create will be used for both the DB2 Administrator ID and the DB2 database owner ID.
      • The user ID that you specify will own the database instance where the DB2 database will exist.
      • On Windows platforms, the user must be a member of the Administrators group and must be in the same domain as the Administrator ID.
   b. DB2 administrator password — Enter the DB2 administrator password for the DB2 database owner ID.
   c. On UNIX and Linux systems only: Group — Select a group to own the instance, such as bin.
   d. Select the Create the DB2 administrator if it does not already exist check box. You can choose to automatically create the DB2 administrator account if it does not already exist. Otherwise, you must exit the installation wizard to create the account.
      Note: On Windows systems, if the specified user does not exist, then the user is automatically created regardless of whether the check box is selected or not.
   e. Directory server database home — Enter a directory where the DB2 database will be located. The default database home for Windows is the root directory (for example, C:). The default location for AIX, Linux on x86, Linux on System z, Linux on POWER, HP-UX or HP-UX on Integrity is /home/ldapdb2, and the default location for Solaris and Solaris on x86_64 is /export/home/ldapdb2.
      Note: Be sure that you have at least 80 MB of free hard disk space in the location that you specify. Also, make sure that additional disk space is available to accommodate growth as new entries are added to the directory.
   f. DB2 database name — Enter the name of the DB2 database. The database name can be anything you choose, or use the default DB2 database name, amdb.
   g. Encryption seed — Enter the encryption seed that will be used to create the key stash files for the IBM Tivoli Directory Server instance. The encryption seed can contain printable ISO-8859-1 ASCII characters only, with values in the range of 33 to 126, such as a-z, A-Z, and 0-9. The seed must be a minimum of 12 and a maximum of 1016 characters in length. For example: 0123456789012
10. Complete the following fields about the IBM Tivoli Directory Server and then click Next to continue.


   a. Administrator ID — Type a valid IBM Tivoli Directory Server distinguished name (DN) or accept the default DN (cn=root). This DN is used by the LDAP administrator who has full access to all data in the directory.
      Note: DNs are not case-sensitive. If you are unfamiliar with X.500 format, or if for any other reason you do not want to define a new DN, accept the default DN.
   b. Administrator password — Create a password for the IBM Tivoli Directory Server administrator ID. Note that passwords are case-sensitive.
   c. Password confirmation — Type the administrator password again for confirmation.
   d. User-defined suffix — Type a suffix to maintain user and group data. For example: o=ibm,c=us
   e. Local host name — Type the fully qualified name or IP address of the host system on which IBM Tivoli Directory Server will be located. For example: dana.tivoli.com
11. Secure Sockets Layer (SSL) security is always enabled when using the installation wizard. You can choose to have the installation wizard create an SSL key database file with a self-signed certificate, or you can specify the location and name of an existing SSL key database file to use. The default key file name is am_key.kdb.


    Complete the following fields:
    Non-SSL port
       Type the port number on which the LDAP server listens for requests other than SSL requests. The default value is 389.
    SSL port
       Type the port number on which the LDAP server listens for SSL requests. The default value is 636.
    SSL key file with full path
       Type the fully qualified path where the existing SSL key database file is located. The default value is:
       Windows: C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb
       UNIX or Linux: /opt/ibm/ldap/V6.1/lib/am_key.kdb
    SSL key file password
       Type the password that is associated with the specified SSL key file. The client key file password is set when the key file is first generated.
    Password confirmation
       Type the SSL key file password again to confirm it.
    Certificate label
       Type the label for the SSL client certificate. This label is valid only when SSL is being used and when the registry server has been configured to require client authentication. Use a certificate label to


       distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file (for example: PDLDAP). Otherwise, leave this field blank.
       Note: This label is not required during configuration of the policy server or the authorization server. This value is required only if the server is configured to perform both server and client authentication during SSL establishment or if you want to use a certificate from a certificate authority (CA) in your key file. Typically, the IBM Tivoli Directory Server requires only server-side certificates that were specified during the generation of the client .kdb file.
    Create SSL key file
       Select the check box to create an SSL key file. The installation wizard uses IBM Global Security Kit (GSKit) to generate the certificate and the SSL key file.
    Enable Federal Information Processing Standards (FIPS)
       Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all key files and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.
    Click Next to continue.
12. Review the summary that lists by disk drive (for Windows) or file systems (for UNIX or Linux) the amount of disk space that is required to install the Tivoli Directory Server component and the prerequisite components (if not already installed), including space needed for symbolic links. Compare the amount of disk space required to the amount of disk space available. If sufficient space exists, click Next to continue.
13. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.
    Note: On Windows systems, you are prompted to intermittently restart your system.


14. Monitor the installation and configuration of the IBM Tivoli Directory Server and its prerequisite products.

15. When the restart panel is displayed, select to restart your computer now by clicking Next.

    Note: Some operating systems might not require you to restart your computer.


16. After the restart, the Configuration Tool runs automatically to complete server configuration. Continue to monitor the configuration process and click Finish when configuration has completed.

    Note: If the installation process encounters any problems, consult the installation log file, msg_ldaps_install.log, located in the following directory:
    • On UNIX or Linux systems: /tmp
    • On Windows systems: %TEMP%

The installation wizard does not install the IBM Tivoli Directory Server Web Administration Tool. If you wish to administer Tivoli Directory Servers locally or remotely using a GUI, you can install it as described in “Installing the Web Administration Tool” on page 338.


Installing the policy server (install_ammgr wizard)

After you have successfully installed your user registry, the next step is to set up the Tivoli Access Manager policy server. The following scenario uses the install_ammgr wizard to install and configure the policy server using an LDAP type of registry. This program installs and configures all necessary software on your system, including Tivoli Access Manager components, related products, and associated patches. Operating system patches are not installed.

Note: It is recommended that you set up your policy server on a separate system from the registry server.

To install and configure the Tivoli Access Manager policy server using the install_ammgr wizard, follow these steps:

1. Log on as root or as an administrative user.

2. If you are installing on a Windows system, stop any programs that are running and close all windows. If you have open windows, the initial InstallShield Wizard window might be hidden behind other windows.

3. Ensure that the registry server is up and running (in normal mode).

4. Insert the IBM Tivoli Access Manager Base CD for your particular platform.

5. If you are enabling Secure Sockets Layer (SSL) security between the policy server and the registry server:
   • If the policy server is on the same system as the IBM Tivoli Directory Server, skip to step 6.
   • Otherwise, manually copy the SSL key database file that you used to configure the IBM Tivoli Directory Server to a directory on this system. For example, if you had the LDAP server installation wizard automatically create the am_key.kdb key database file with a self-signed certificate, copy this file from the IBM Tivoli Directory Server system to a directory on this system.

   Note: The self-signed certificate provided in the am_key.kdb key database file acts as both a personal certificate and as a signer certificate and could be used to impersonate the server or for other malicious purposes. Use a certificate obtained from a Certificate Authority (CA) in production environments, as described in Chapter 23, “Enabling Secure Sockets Layer (SSL) security,” on page 473.

6. To start the installation wizard, change to the root directory of the CD and enter the following:
   ./install_ammgr

7. Select the language that you want to use for the installation and click OK.

8. The Welcome screen is displayed. Click Next to continue.


9. Read the license agreement and select the I accept check box if you agree to the terms. Click Next to continue.

10. Select the type of user registry that you plan to use for Tivoli Access Manager. For example, select LDAP as the type of registry server that you want to use. Click Next to continue.

11. Specify the IBM Tivoli Security Utilities installation directory.

    UNIX or Linux systems: Skip to step 12. The installation wizard automatically installs IBM Tivoli Security Utilities into the following installation directory:
    /opt/IBM/Tivoli/SecUtilities

12. Specify the Access Manager Runtime installation directory.

    Access Manager Runtime installation directory for UNIX or Linux: /opt/PolicyDirector

13. Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product. If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed but it cannot be modified.

14. Do one of the following:
    • Windows systems: If not already installed, the next panels prompt you to specify installation directories for IBM Global Security Kit (GSKit), IBM DB2, and the IBM Tivoli Directory Server client. Accept the default directories or click Browse to select another directory. Click Next to continue.
    • UNIX or Linux systems: Skip to step 15. The installation wizard automatically installs IBM Global Security Kit (GSKit), IBM DB2, and the IBM Tivoli Directory Server client in the following directories:
      – IBM Global Security Kit (GSKit) installation directory
        AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
        HP-UX and Solaris on x86_64: /opt/ibm/gsk7
        HP-UX on Integrity
          • On 32-bit: /opt/ibm/gsk7_32
          • On 64-bit: /opt/ibm/gsk7_64
        Linux: /usr/local/ibm/gsk7
      – IBM Tivoli Directory Server client installation directory
        AIX, HP-UX, HP-UX on Integrity, Solaris and Solaris on x86_64: /opt/IBM/ldap/V6.1
        Linux: /opt/ibm/ldap/V6.1

15. Complete the following fields for the LDAP server and click Next.


    • LDAP server host name — Type the host name of the LDAP server.
    • LDAP server port — The LDAP server port is already provided (389). If you changed this port number during configuration of the LDAP server, modify this value accordingly.

16. You are prompted to enable Secure Sockets Layer (SSL) with the registry server. For security purposes, select this check box and click Next; you are then prompted for the SSL options listed in step 17.

17. If you selected to enable SSL, complete the following fields and select Next.

    • SSL key file with full path — Type the fully qualified path where the existing SSL key database file is located. If using the SSL key database file containing a self-signed certificate that was generated by the installation wizard, copy the key database file from the LDAP server to this system and specify that location here.
    • SSL key file password — Type the password that is associated with the specified SSL key file.


    • Certificate label — Type the label for the SSL client certificate. This label is required only when SSL is being used and when the registry server has been configured to require server and client authentication. A certificate label is used to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file (for example: PDLDAP). Otherwise, leave this field blank.
    • SSL port — The port number on which the registry server listens for SSL requests. SSL communication takes place between the policy server and the registry server. Use the default port number, 636, which is server-dependent, or modify the port number, if needed.

18. Complete the following fields and click Next.

    • IBM Tivoli Access Manager administrator password — Create an administrator password for the security master ID (sec_master). You can use the administrator ID to define your own administrative IDs, groups, and their capabilities.

      Note: When creating Tivoli Access Manager passwords, make sure that the password meets the minimum strength requirements of the underlying operating system. Otherwise, you will have to unconfigure and reconfigure the policy server with a password that is valid for both Tivoli Access Manager and the operating system.

    • Password confirmation — Type the password again for confirmation.
    • Policy server SSL port — The SSL port number is already provided (7135). Modify the port number if needed.
    • SSL certificate lifecycle (days) — Type the number of days that the SSL certificate file is valid. The default number of days is 1460 (4 years).
    • SSL connection timeout (seconds) — Type the duration (in seconds) that an SSL connection waits for a response before timing out. The default number of seconds is 7200.

19. Specify the LDAP administrator and Management Domain information and click Next.


    • LDAP administrator DN — Type the LDAP administrator distinguished name or accept the default value (cn=root).
    • LDAP administrator password — Type the password associated with the LDAP administrator DN.
    • Management domain name — Type the name of the management domain. The initial administrative domain created when the policy server is configured is the management domain. The management domain name must be unique within the LDAP server. The name must be an alphanumeric string up to 64 characters long and is case-insensitive.
    • LDAP management domain location DN — The distinguished name of the location within the LDAP server where the Access Manager metadata will be stored. By default, the management domain information will be stored in its own suffix using the following format: secAuthority=<management_domain_name>. Whether the distinguished name is specified or the default is used, the location must already exist in the LDAP server.

    For more information about management domains, see “Tivoli Access Manager management domains” on page 138.

20. Select one of the following types of formats for LDAP objects that are used to maintain the user and group tracking information and click Next.


    The types of format include:

    Minimal
        This format is valid only for IBM Tivoli Access Manager Version 6.0 or later. Use this format if you want to reduce the size of your user registry information by using minimal user and group tracking information.

    Standard
        This format can be used with any version of IBM Tivoli Access Manager.

    Click Help for an explanation of the differences between the two formats.

21. Select whether to enable Federal Information Processing Standards (FIPS).

    Select the check box to enable FIPS. The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.

22. Review the summary that lists by disk drive (for Windows) or file systems (for UNIX or Linux) the amount of disk space that is required to install the Tivoli Access Manager component and the prerequisite components (if not already installed), including space needed from symbolic links. Then compare the amount of disk space required to the amount of disk space available. If sufficient space exists, click Next to continue.


23. Review the configuration options that you selected. If you want to change any of your selections, click Back. Click Next to begin the installation.

24. Monitor the installation and configuration of the policy server and its prerequisite products.

    Windows systems
        When prompted to restart your system, click Next. After your system is restarted, the installation wizard is displayed. Specify your language and click Next. When policy server configuration has completed, click Finish to exit the installation wizard.

After configuring the policy server, you can set up additional Tivoli Access Manager systems in the management domain. For a list of Tivoli Access Manager systems, see “Components and prerequisites provided with Tivoli Access Manager systems” on page 15.
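A preflight script for the values the install_ammgr procedure above asks for, added here as an example and not part of the IBM guide: it applies the management domain naming rule (alphanumeric, at most 64 characters), derives the default secAuthority=<management_domain_name> location DN, range-checks the port values whose wizard defaults are 389, 636 and 7135, and confirms that the key database copied from the registry server is present with the .kdb extension. The function names and the sample file path are assumptions.

```shell
#!/bin/sh
# Preflight checks for the values the install_ammgr wizard prompts for
# (management domain name, LDAP and SSL ports, copied key database file).
# Added example, not IBM's code. Function names and the sample path are
# assumptions; the key file created at the end is a constructed stand-in.

# Management domain name: alphanumeric, at most 64 characters,
# case-insensitive (so no case folding is needed for the check itself).
validate_mgmt_domain() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 64 ] || return 1
    case "$name" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
}

# Default suffix under which the policy server stores the domain metadata;
# the wizard requires this location to already exist in the LDAP server.
mgmt_domain_location_dn() {
    printf 'secAuthority=%s\n' "$1"
}

# TCP port: decimal integer from 1 to 65535. The wizard defaults are
# 389 (LDAP), 636 (LDAP over SSL) and 7135 (policy server SSL).
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# SSL key database copied from the registry server: must be present on
# this host and carry the .kdb extension the wizard expects.
validate_kdb_file() {
    case "$1" in
        *.kdb) [ -f "$1" ] ;;
        *) return 1 ;;
    esac
}

# Run every check, print one line per rejected value, and return non-zero
# if any input would have to be re-entered after the wizard starts.
preflight() {
    domain="$1"; ldap_port="$2"; ssl_port="$3"; kdb="$4"
    rc=0
    validate_mgmt_domain "$domain" || { echo "rejected management domain: $domain"; rc=1; }
    validate_port "$ldap_port" || { echo "rejected LDAP port: $ldap_port"; rc=1; }
    validate_port "$ssl_port" || { echo "rejected SSL port: $ssl_port"; rc=1; }
    validate_kdb_file "$kdb" || { echo "missing or misnamed key file: $kdb"; rc=1; }
    if [ "$rc" -eq 0 ]; then
        echo "inputs accepted; metadata location DN: $(mgmt_domain_location_dn "$domain")"
    fi
    return "$rc"
}

# Constructed sample run: an empty stand-in for am_key.kdb in a temp directory.
sample_dir=$(mktemp -d)
: > "$sample_dir/am_key.kdb"
preflight Default 389 636 "$sample_dir/am_key.kdb"
preflight 'Prod Domain' 389 99999 "$sample_dir/am_key.txt" || echo "sample rejected as expected"
rm -rf "$sample_dir"
```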


Chapter 21. Installation wizard options

This chapter describes configuration options that you are prompted for using installation wizards. Configuration options are included for the following installation wizards:
• “Access Manager Runtime (LDAP)” on page 378
• “Access Manager Runtime (Active Directory)” on page 382
• “Access Manager Runtime (Domino)” on page 389
• “install_amacld” on page 392
• “install_amadk” on page 396
• “install_amjrte” on page 397
• “install_ammgr” on page 399
• “install_amproxy” on page 404
• “install_amrte” on page 408
• “install_amsms” on page 409
• “install_amsmscli” on page 420
• “install_amweb” on page 424
• “install_amwebadk” on page 430
• “install_amwebars” on page 434
• “install_amwpi” on page 435
• “install_amwpm” on page 439
• “install_ldap_server” on page 442


Access Manager Runtime (LDAP)

Table 25 lists configuration options for the Access Manager Runtime package when using an LDAP registry. You are prompted for these options during configuration of a Tivoli Access Manager system that requires this installation component. You are also prompted for these options when using the install_amrte installation wizard as instructed in “Installing using the installation wizard” on page 191.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 25. Access Manager Runtime options — LDAP. * indicates a required option.

Configuration Options    Default Value

Registry *
    Specifies the type of registry server that must be set up for Tivoli Access Manager. Select LDAP, which is the default.

Directory name * (for the IBM Global Security Kit (GSKit) — prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory. The default directory is:
    C:\Program Files\ibm\gsk7

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    • HP-UX on Integrity
      – On 32-bit: /opt/ibm/gsk7_32
      – On 64-bit: /opt/ibm/gsk7_64
    • HP-UX and Solaris: /opt/ibm/gsk7
    • Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client — prompted on Windows only)
    Specifies the IBM Tivoli Directory Server client installation directory. The default directory is:
    C:\Program Files\IBM\LDAP\V6.1

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • UNIX and Linux: /usr/ldap
    • HP-UX and Solaris: /opt/IBM/ldap/V6.1

Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)
    Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:
    C:\Program Files\Tivoli\TivSecUtl

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • UNIX and Linux: /opt/IBM/Tivoli/SecUtilities


Directory name * (for the Access Manager Runtime — prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is:
    C:\Program Files\Tivoli\Policy Director

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product.

Directory name * (for Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
    • If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.
    • If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:
    • Windows: C:\Program Files\ibm\tivoli\common
    • UNIX or Linux: /var/ibm/tivoli/common

    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

    See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

    If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:
    • Windows: C:\Program Files\Tivoli\Policy Director\log
    • UNIX or Linux: /var/PolicyDirector/log


Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples:
    pdmgr
    pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. Note that the SSL key file and certificate are created using FIPS-approved algorithms.

    To obtain this file, do one of the following tasks:
    • During configuration of Access Manager Runtime, if you leave this field blank, the pdcacert.b64 file will be automatically downloaded.
    • Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain. It is needed for successful configuration.

    The default location is:
    • Windows: C:\Program Files\Tivoli\PolicyDirector\keytab\pdcacert.b64
    • UNIX or Linux: /var/Policy Director/keytab/pdcacert.b64

Domain *
    Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default value is Default, which indicates the management domain.

LDAP server host name *
    Specifies the host name or IP address of the LDAP type of registry server. You can specify the fully qualified host name with or without the domain extension. Examples: ldapserver or ldapserver.tivoli.com

LDAP server port *
    Specifies the port number on which the LDAP type of registry server listens for requests. The default port number is 389.


Enable SSL with the registry server (prompted on Windows only)
    Specifies whether to enable encrypted Secure Sockets Layer (SSL) connections with an LDAP server.
    Note: You must first configure the LDAP server for SSL access.

    Default: enabled (check box is selected)

On Windows only, you can enable SSL with the LDAP server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *
    Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

    Copy the SSL key file from the registry server system to any directory on your local system.

SSL key file password *
    The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label
    Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

    Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.


Access Manager Runtime (Active Directory)

Table 26 lists configuration options for the Access Manager Runtime component when using an Active Directory registry. You are prompted for these options during configuration of a Tivoli Access Manager system that requires this installation component. You are also prompted for these options when using the install_amrte installation wizard as instructed in “Installing using the installation wizard” on page 191.

Active Directory users can run Tivoli Access Manager on all Windows, UNIX or Linux platforms currently supported in the Tivoli Access Manager product (with the exception of Windows NT).

UNIX or Linux platforms make use of the IBM Tivoli Directory Server client to communicate with Active Directory. This LDAP client is also used on the Windows platform where the Active Directory domain of the local host is different from the Active Directory domain where the policy server is to be configured.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 26. Access Manager Runtime options — Active Directory. * indicates a required option.

Configuration Options    Description

Registry *
    Specifies the type of registry server set up for Tivoli Access Manager. Select Active Directory.

Directory name * (for the IBM Global Security Kit (GSKit) — prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory. The default directory is:
    C:\Program Files\ibm\gsk7

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    • HP-UX on Integrity
      – On 32-bit: /opt/ibm/gsk7_32
      – On 64-bit: /opt/ibm/gsk7_64
    • HP-UX and Solaris: /opt/ibm/gsk7
    • Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client — prompted on Windows only)
    Specifies the IBM Tivoli Directory Server client installation directory. The default directory is:
    C:\Program Files\ibm\LDAP

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • AIX and Linux: /usr/ldap
    • HP-UX and Solaris: /opt/IBM/V6.1


Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)
    Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:
    C:\Program Files\Tivoli\TivSecUtl

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime — prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is:
    C:\Program Files\Tivoli\Policy Director

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:
    • UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for Logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product.


Directory name * (for Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.
    • If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.
    • If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:
    • Windows: C:\Program Files\ibm\tivoli\common
    • UNIX or Linux: /var/ibm/tivoli/common

    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

    See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

    If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:
    • Windows: C:\Program Files\Tivoli\PolicyDirector\log
    • UNIX or Linux: /var/PolicyDirector/log

Active Directory administrator ID
    Specifies the identifier for the administrator account of the Microsoft Active Directory domain. This administrator ID was created when the Microsoft Active Directory domain was created. This administrator ID should have been added to the groups of Administrators, Domain Administrators, Enterprise Administrators, and Schema Administrators. Note that this administrator user account is for a Microsoft Active Directory user only, and not for a Tivoli Access Manager user.

Active Directory administrator password
    Specifies the password for the Microsoft Active Directory domain administrator ID. This administrator password was created when you created your Microsoft Active Directory administrator account.


Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Example:
    pdmgr.tivoli.com

    Note: If you are using Active Directory as your registry, a fully-qualified host name is required.

Policy server SSL port *
    Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. Note that the SSL key file and certificate are created using FIPS-approved algorithms.

    To obtain this file, do one of the following tasks:
    • During configuration of Access Manager Runtime, if you leave this field blank, the pdcacert.b64 file will be automatically downloaded.
    • Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain. It is needed for successful configuration.

    The default location is:
    • Windows: C:\Program Files\Tivoli\PolicyDirector\keytab\pdcacert.b64
    • UNIX or Linux: /var/Policy Director/keytab/pdcacert.b64

Local host name *
    The installation wizard detects and fills in the host name of your system.

    Specifies the fully qualified name or IP address of the host system on which the registry server is to be located. For example: dana.tivoli.com


Table 26. Access Manager Runtime options — Active Directory (continued). * indicates arequired option.

Configuration Options Description

Active Directory host name * Specifies the host name of the Microsoft ActiveDirectory domain controller server. A Domain NameService (DNS) automatically translates an MicrosoftActive Directory host name into the corresponding IPaddress whenever you use a domain name. Forexample:

adserver.tivoli.com

Note: If you are using Active Directory as your registry,a fully-qualified host name is required.

Active Directory domain * Specifies the name of the Microsoft Active Directoryroot (primary) domain. When a single Active Directorydomain is configured, it can specify the name of theMicrosoft Active Directory secondary domain.

This name is domain-dependent, based on what youselect during runtime configuration of Tivoli AccessManager. The domain information is necessary onlywhen your user registry is Microsoft Active Directoryand when you configure the use of multiple MicrosoftActive Directory domains. Forexample:dc=tivoli,dc=com

Configure to multiple Active Directory domains

Select the check box to configure multiple Active Directory domains. If not selected, Tivoli Access Manager is configured to a single domain. An example of a multiple-domain setup is a single Tivoli Access Manager domain spanning several Microsoft Active Directory domains.

When configured for multiple Microsoft Active Directory domains, the command line displays the Tivoli Access Manager administrator ID (the default is sec_master) as sec_master@domain_name.

Default: not enabled (Tivoli Access Manager is configured for a single domain).

Enable encrypted connections (prompted on Windows only)

Specifies whether communication with Microsoft Active Directory is encrypted. When the check box is selected, Kerberos is used through the Active Directory Service Interface (ADSI) to encrypt the data on the connection to the Active Directory server. This setting is the equivalent of enabling an SSL connection on a non-Windows system, or on a Windows system that does not belong to an Active Directory domain in which the Tivoli Access Manager policy server is configured.

Default: not enabled (Tivoli Access Manager is not configured for encryption).

386 Tivoli Access Manager Installation Guide


Enable SSL with the registry server

Specifies whether to enable encrypted Secure Sockets Layer (SSL) connections between the LDAP client and the registry server (Active Directory server). The check box is selected automatically if the Enable encrypted connections check box is selected and you are installing on a UNIX system, or on a system that does not belong to an Active Directory domain in which the Tivoli Access Manager policy server is configured.

Note: You must set up the registry server for SSL access before you set up the client.

Select the check box to enable SSL, which encrypts the transmitted data to provide privacy and integrity for information such as user passwords and private data. SSL is not required for Tivoli Access Manager to operate; if it is left disabled, that data crosses the network to the registry unprotected.

Default: not enabled (the check box is not selected)

If SSL with the registry server is enabled, you are prompted for the next four values:

SSL key file with full path *

Specifies the fully qualified path of the existing SSL client key file. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

Create this key file with the IBM Global Security Kit (GSKit) gsk7ikm utility and add to it the CA certificate that signed the Active Directory server's certificate, so that the client can verify the server.

Copy the SSL key file from the registry server system to any directory on your local system.

SSL key file password *

The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. You can change this password with the IBM Global Security Kit (GSKit) gsk7ikm utility; if you change it, record the new password, because it is required here.

Certificate label

Specifies the label of the SSL client certificate. This label is used only when SSL is enabled and the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to select one of several certificates in the SSL key file, or to use a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *

Specifies the port number on which the registry server listens for SSL requests. The default port number is 636.


Access Manager data location distinguished name *

Specifies the distinguished name under which Microsoft Active Directory stores the Tivoli Access Manager data. The default value is the value entered for Active Directory domain, that is, the Active Directory primary domain name. For example: ou=myou,dc=tivoli,dc=com

This field is prompted for only when the Configure to multiple Active Directory domains check box is not selected. If Tivoli Access Manager is configured with multiple Active Directory domains, the value is set automatically to the Active Directory primary domain.

Make sure that the distinguished name already exists on the Active Directory server.
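The Active Directory options in Table 26 interact: the host name must be fully qualified, the data location must lie inside the Active Directory domain when a single domain is configured, and the SSL settings must agree with each other (a .kdb key file, the SSL port rather than 389, a certificate label only when SSL is on). The following Python script is an added example, written for this edit and not code from the product or from this guide, that checks one set of intended wizard answers for those conditions before you start the wizard. The dictionary keys (ad_host, ad_domain_dn, multi_domain, data_location_dn, enable_ssl, encrypted_connections, ssl_key_file, ssl_port, cert_label) are names chosen for the example, not wizard field names, and the sample answers and key file path are constructed.

```python
"""Pre-flight check of intended answers for the Access Manager Runtime (Active Directory)
wizard options. Added example; the option keys are names chosen for this script,
not the wizard's own field names."""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, with no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_fqdn(host: str) -> bool:
    """True for a dotted host name such as adserver.tivoli.com; a bare label or an IP address fails."""
    host = host.rstrip(".")
    if not host or len(host) > 253 or is_ip_address(host):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def parse_dn(dn: str) -> list:
    """Split 'ou=myou,dc=tivoli,dc=com' into [('ou', 'myou'), ('dc', 'tivoli'), ('dc', 'com')].
    Commas escaped as '\\,' stay inside their value; attribute names are lower-cased."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_is_under(child: str, parent: str) -> bool:
    """True when child equals parent or lies below it: the parent's RDNs are a suffix of the
    child's (values compared case-insensitively, as Active Directory treats them)."""
    c = [(a, v.lower()) for a, v in parse_dn(child)]
    p = [(a, v.lower()) for a, v in parse_dn(parent)]
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def domain_to_dn(dns_domain: str) -> str:
    """tivoli.com -> dc=tivoli,dc=com (the form the Active Directory domain option expects)."""
    return ",".join("dc=" + label for label in dns_domain.strip(".").split("."))


def lint_ad_runtime_options(opts: dict) -> list:
    """Return 'ERROR: ...' and 'WARN: ...' findings for one set of intended wizard answers."""
    findings = []

    host = opts.get("ad_host", "")
    if not is_fqdn(host):
        findings.append(f"ERROR: Active Directory host name {host!r} is not a fully qualified host name")

    domain_dn = opts.get("ad_domain_dn", "")
    try:
        domain_rdns = parse_dn(domain_dn)
        if any(attr != "dc" for attr, _ in domain_rdns):
            findings.append(f"ERROR: Active Directory domain {domain_dn!r} must use only dc= components, "
                            "for example dc=tivoli,dc=com")
            domain_rdns = None
    except ValueError:
        findings.append(f"ERROR: Active Directory domain {domain_dn!r} is not a valid distinguished name")
        domain_rdns = None

    data_dn = opts.get("data_location_dn")
    if opts.get("multi_domain"):
        if data_dn:
            findings.append("WARN: data location DN is not prompted for with multiple domains; "
                            "the primary domain is used instead")
    elif data_dn and domain_rdns is not None:
        try:
            if not dn_is_under(data_dn, domain_dn):
                findings.append(f"ERROR: data location DN {data_dn!r} is not inside the "
                                f"Active Directory domain {domain_dn!r}")
        except ValueError:
            findings.append(f"ERROR: data location DN {data_dn!r} is not a valid distinguished name")

    if opts.get("enable_ssl"):
        key_file = opts.get("ssl_key_file", "")
        if not key_file.lower().endswith(".kdb"):
            findings.append(f"ERROR: SSL key file {key_file!r} must be a GSKit .kdb key database")
        port = opts.get("ssl_port")
        if port == 389:
            findings.append("ERROR: port 389 is the plain LDAP port; the registry's SSL port is normally 636")
        elif port != 636:
            findings.append(f"WARN: SSL port {port!r} is not the default 636; confirm the registry "
                            "server listens for SSL there")
    else:
        if not opts.get("encrypted_connections"):
            findings.append("WARN: neither SSL nor encrypted connections is enabled; user passwords "
                            "and directory data cross the network in the clear")
        if opts.get("cert_label"):
            findings.append(f"WARN: certificate label {opts['cert_label']!r} is ignored because SSL is disabled")
    return findings


# Constructed sample answers, modelled on the examples given in the option descriptions.
SAMPLE_ANSWERS = {
    "ad_host": "adserver.tivoli.com",
    "ad_domain_dn": "dc=tivoli,dc=com",
    "multi_domain": False,
    "data_location_dn": "ou=myou,dc=tivoli,dc=com",
    "enable_ssl": True,
    "ssl_key_file": "/var/PolicyDirector/keytab/adclient.kdb",   # hypothetical path
    "ssl_port": 636,
    "cert_label": "PDLDAP",
}

if __name__ == "__main__":
    for line in lint_ad_runtime_options(SAMPLE_ANSWERS) or ["OK: no findings"]:
        print(line)
```

The script treats a missing or non-FQDN host name and a data location outside the domain as errors, because the wizard cannot succeed with them, and treats a cleartext registry connection as a warning, because the product runs without SSL but the passwords it sends are then exposed on the network.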


Access Manager Runtime (Domino)

Table 27 lists configuration options for the Access Manager Runtime component when using a Domino registry (Windows only). You are prompted for these options during configuration of a Tivoli Access Manager system that requires this installation component. You are also prompted for these options when using the install_amrte installation wizard as instructed in “Installing using the installation wizard” on page 191.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 27. Access Manager Runtime options — Domino. * indicates a required option.

Configuration Options Description

Registry *

Specifies the type of registry server set up for Tivoli Access Manager. Select Domino.

Directory name * (for the IBM Global Security Kit (GSKit) — prompted on Windows only)

Specifies the IBM Global Security Kit (GSKit) installation directory. The default directory is:

C:\Program Files\ibm\gsk7

Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\TivSecUtl

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

• UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime — prompted on Windows only)

Specifies the Access Manager Runtime installation directory. The default directory is: C:\Program Files\Tivoli\Policy Director

Enable Tivoli Common Directory for logging

Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations defined by the product.


Directory name *

Specifies the fully qualified path of the Tivoli Common Directory.

• If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.

• If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory is:

• Windows: C:\Program Files\ibm\tivoli\common

• UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:

• Windows: C:\Program Files\Tivoli\Policy Director\log

• UNIX or Linux: /var/PolicyDirector/log

Policy server host name *

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the host name with or without the domain extension. Examples:

pdmgr
pdmgr.tivoli.com

Policy server SSL port *

Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.


Policy server CA certificate file

Specifies the name of the certificate authority (CA) certificate file for the policy server. The CA is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default base64-encoded CA certificate file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms.

To obtain this file, do one of the following tasks:

• During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically from the policy server.

• Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain; it is needed for successful configuration.

Every system in the secure domain trusts the policy server through this file, so before relying on a copy, whether downloaded or transferred by hand, confirm that it is identical to the file on the policy server (for example, by comparing a fingerprint of the two files).

The default location is:

• Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64

• UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domino host name *

Specifies the fully qualified name of the IBM Lotus Domino server. For example:

domino1/Austin/Tivoli

Notes client password *

Specifies the password of the Notes client software administrative user's ID file located on the IBM Lotus Domino server.

Note: The Notes ID must be associated with a Tivoli Access Manager administrative ID with sufficient rights to add, modify, and delete users and groups in the Notes address book (NAB), and to create, modify, and delete the Tivoli Access Manager metadata database on the server.

Notes address book database name *

Specifies the IBM Lotus Notes name and address book (NAB), which contains your contacts, connections, locations, and Personal Address Book data. This database is located in the IBM Lotus Domino directory on your server. The database file name is set at configuration time and cannot be changed. The file name extension must always be .nsf, and the file name must conform to the file naming conventions of the operating system of the IBM Lotus Domino server. The default value is names.nsf.

Tivoli Access Manager database name *

Specifies the name of the metadata database on the IBM Lotus Domino server that holds the Tivoli Access Manager data. The default value is PDMdata.nsf.


install_amacld

Table 28 lists additional options prompted for during installation using the install_amacld wizard as instructed in “Installing using the installation wizard” on page 154.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 28. install_amacld configuration options. * indicates a required option.

Configuration Options Description

Registry *

Select to specify the type of registry server set up for Tivoli Access Manager. The default value is LDAP. The valid types of registry servers supported by Tivoli Access Manager are:

• LDAP — To install the IBM Tivoli Directory Server user registry.

• Active Directory — To install the Microsoft Active Directory Server user registry.

• Domino — To install the IBM Lotus Domino Server user registry.

The Tivoli Access Manager authorization server installation wizard (install_amacld) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

• “Access Manager Runtime (LDAP)” on page 378

• “Access Manager Runtime (Active Directory)” on page 382

• “Access Manager Runtime (Domino)” on page 389

Directory name * (for the IBM Tivoli Directory Server client — prompted on Windows only)

Specifies the IBM Tivoli Directory Server client installation directory. The default directory is:

Windows: C:\Program Files\ibm\LDAP

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

• AIX and Linux: /usr/ldap

• HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\TivSecUtl

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

• UNIX and Linux: /opt/IBM/Tivoli/SecUtilities


Directory name * (for Access Manager Runtime — prompted on Windows only)

Specifies the Access Manager Runtime installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

• UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging

Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files such as trace and message logs.

Directory name * (for Tivoli Common Directory)

Specifies the fully qualified path of the Tivoli Common Directory.

• If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.

• If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directories are:

• Windows: C:\Program Files\ibm\tivoli\common

• UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:

• Windows: C:\Program Files\Tivoli\Policy Director\log

• UNIX or Linux: /var/PolicyDirector/log

Policy server host name *

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Examples:

pdmgr
pdmgr.tivoli.com


Policy server SSL port *

Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file

Specifies the name of the certificate authority (CA) certificate file for the policy server. The CA is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default base64-encoded CA certificate file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms.

To obtain this file, do one of the following tasks:

• During configuration of Access Manager Runtime, leave this field blank; the pdcacert.b64 file is then downloaded automatically from the policy server.

• Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain; it is needed for successful configuration.

Every system in the secure domain trusts the policy server through this file, so before relying on a copy, whether downloaded or transferred by hand, confirm that it is identical to the file on the policy server (for example, by comparing a fingerprint of the two files).

The default location is:

• Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64

• UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *

Specifies the name of the Tivoli Access Manager default domain, known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy implemented in a domain affects only the objects in that domain, and users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Tivoli Access Manager administrator ID *

Specifies the identifier of the existing administrator account for the Tivoli Access Manager management domain. The administrator ID was created when the Tivoli Access Manager policy server was first configured. The default administrator ID is sec_master.

Tivoli Access Manager administrator password *

Specifies the password of the existing Tivoli Access Manager administrator ID. This password was set when the Tivoli Access Manager administrator account was created.

Local host name *

The installation wizard detects and fills in the host name of your system. Specifies the fully qualified host name or IP address of the system on which the Tivoli Access Manager authorization server is to be located. For example: dana.tivoli.com

Administration request port *

Specifies the port number on which the authorization server listens for administration requests. Use the default port number, which is server-dependent. The default for the Tivoli Access Manager authorization server is 7137.


Authorization request port *

Specifies the port number on which the authorization server listens for authorization requests. Use the default port number, which is server-dependent. The default for the Tivoli Access Manager authorization server is 7136.

Enable SSL with the registry server (prompted on Windows only)

Specifies whether to enable encrypted Secure Sockets Layer (SSL) communication between the Tivoli Access Manager authorization server and the registry server.

Note: You must first configure the registry server for SSL access.

Default: enabled (check box is selected)

Enable the use of e-mail address as user ID

Enables the use of an e-mail address (the Active Directory userPrincipalName value) as the user ID.

Global Catalog server host name (Active Directory LDAP mode only)

Specifies the host name of the Active Directory Global Catalog server.

Global Catalog server port (Active Directory LDAP mode only)

Specifies the port of the Active Directory Global Catalog. Without SSL, the default is 3268; with SSL, the default is 3269.

On UNIX only, you can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *

Specifies the fully qualified path of the existing SSL client key file. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

Copy the SSL key file from the registry server system to any directory on your local system, and specify its full path and name with this option.

SSL key file password *

The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. You can change this password with the IBM Global Security Kit (GSKit) gsk7ikm utility; if you change it, record the new password, because it is required here.

Certificate label

Specifies the label of the SSL client certificate. This label is used only when SSL is enabled and the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to select one of several certificates in the SSL key file, or to use a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *

Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.
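The Policy server CA certificate file option appears in Table 26, Table 27 and Table 28 above, and in each case an empty field causes pdcacert.b64 to be downloaded during configuration. Whether the file arrives that way or is copied by hand, the system trusts the policy server through it, so a practitioner compares the copy with the original before relying on it. The following Python script is an added example, written for this edit and not code from the product or from this guide. It decodes the base64 file, checks that the DER certificate it holds is complete (a copy truncated in transfer fails here), and compares the SHA-256 fingerprint with one recorded on the policy server, using a constant-time comparison. The certificate bytes embedded in it are a constructed stand-in (a minimal DER SEQUENCE), not a real X.509 certificate; against a real deployment you run it once on the policy server to print the fingerprint and once on each new system to verify the copy.

```python
"""Verify a copy of pdcacert.b64 against a fingerprint obtained out of band.
Added example; not part of the Tivoli Access Manager product."""
import base64
import hashlib
import hmac
import re

_ARMOR_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_b64_certificate(text: str) -> bytes:
    """Return the DER bytes held in a base64 (PEM-style) certificate file.
    The armored form is expected; a bare base64 body is accepted as well."""
    m = _ARMOR_RE.search(text)
    body = m.group(1) if m else text
    body = "".join(body.split())          # drop line breaks and other whitespace
    if not body:
        raise ValueError("no certificate data found")
    return base64.b64decode(body, validate=True)   # raises binascii.Error (a ValueError) on junk


def der_outer_length_ok(der: bytes) -> bool:
    """True when the outer ASN.1 SEQUENCE header agrees with the number of bytes present,
    which catches a file truncated during a manual transfer before any fingerprint check."""
    if len(der) < 2 or der[0] != 0x30:     # 0x30 = SEQUENCE, the outer tag of every certificate
        return False
    first = der[1]
    if first < 0x80:                        # short-form length: one byte
        length, header = first, 2
    else:                                   # long-form length: 0x8n, then n big-endian length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, e.g. 'AB:CD:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_pdcacert(text: str, expected_fingerprint: str, algorithm: str = "sha256") -> bool:
    """Accept the file only if it decodes, is a complete DER SEQUENCE, and matches the
    fingerprint recorded on the policy server (colons and case are ignored in the comparison)."""
    try:
        der = load_b64_certificate(text)
    except ValueError:
        return False
    if not der_outer_length_ok(der):
        return False
    got = fingerprint(der, algorithm).replace(":", "").lower()
    want = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(got, want)


# Constructed stand-in: SEQUENCE { INTEGER 5 }, a valid DER SEQUENCE but not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_B64_FILE = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:
        content = f.read()
    if len(sys.argv) == 2:
        # On the policy server: print the fingerprint to record out of band.
        print(fingerprint(load_b64_certificate(content)))
    else:
        # On a new system: compare the local copy with the recorded fingerprint.
        print("OK" if verify_pdcacert(content, sys.argv[2]) else "MISMATCH or malformed file")
```

Run it as `python check_pdcacert.py /var/PolicyDirector/keytab/pdcacert.b64` on the policy server to obtain the fingerprint, and as `python check_pdcacert.py <copy> <fingerprint>` on each system before configuring the runtime there; the script name is illustrative.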


install_amadk

The Access Manager Development (ADK) system wizard (install_amadk) prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

• “Access Manager Runtime (LDAP)” on page 378

• “Access Manager Runtime (Active Directory)” on page 382

• “Access Manager Runtime (Domino)” on page 389

There are no ADK-specific configuration options.


install_amjrte

Table 29 lists configuration option descriptions for an Access Manager Runtime for Java system. You are prompted for these options during configuration using the install_amjrte installation wizard as instructed in Chapter 7, “Setting up an Access Manager Runtime for Java system,” on page 173.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 29. install_amjrte configuration options. * indicates a required option.

Configuration Options Description

Directory name * (prompted on Windows only)

Specifies the Access Manager Runtime for Java directory. The default directory is: C:\Program Files\Tivoli\Policy Director

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

• UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging

Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files such as trace and message logs.

Directory name *

Specifies the fully qualified path of the Tivoli Common Directory.

• If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.

• If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory is:

• Windows: C:\Program Files\ibm\tivoli\common

• UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:

• Windows: C:\Program Files\Tivoli\Policy Director\log

• UNIX or Linux: /var/PolicyDirector/log


Policy server host name *

Specifies the host name or IP address of the Tivoli Access Manager policy server. The policy server manages the policy database (sometimes referred to by its original name, the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Examples:

pdmgr
pdmgr.tivoli.com

Policy server SSL port *

Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

JRE directory *

Specifies the fully qualified path of the Java Runtime Environment (JRE) that is being configured for Tivoli Access Manager. This is the JRE that was installed with, and is included in, the server you are installing.

The default JRE directory is server-dependent and server-version-dependent; the default value is the $JAVA_HOME environment variable. If you installed using the -is:javahome option, the path shown is the one specified with that option.


install_ammgr

The Tivoli Access Manager policy server installation wizard (install_ammgr) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

• “Access Manager Runtime (LDAP)” on page 378

• “Access Manager Runtime (Active Directory)” on page 382

• “Access Manager Runtime (Domino)” on page 389

Table 30 lists additional options prompted for during installation using the install_ammgr wizard as instructed in “Installing using the installation wizard” on page 141.

Notes:

1. Depending on whether you are installing on a Windows, UNIX, or Linux platform, you might be prompted for these options in a different order than listed.

2. You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 30. install_ammgr configuration options. * indicates a required option.

Configuration Options Description

Registry *

Select to specify the type of registry server that has been set up for Tivoli Access Manager. The default value is LDAP. The valid types of registry servers supported by Tivoli Access Manager are:

• LDAP — To install the IBM Tivoli Directory Server user registry.

• Active Directory — To install the Microsoft Active Directory Server user registry.

• Domino — To install the IBM Lotus Domino Server user registry.

The Tivoli Access Manager policy server installation wizard (install_ammgr) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

• “Access Manager Runtime (LDAP)” on page 378

• “Access Manager Runtime (Active Directory)” on page 382

• “Access Manager Runtime (Domino)” on page 389


Directory name * (for the IBM Global Security Kit (GSKit) — prompted on Windows only)

Specifies the IBM Global Security Kit (GSKit) installation directory, if GSKit is not already installed. The default directory is:

C:\Program Files\ibm\gsk7

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

• AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

• HP-UX and Solaris: /opt/ibm/gsk7

• HP-UX on Integrity:

  – On 32-bit: /opt/ibm/gsk7_32

  – On 64-bit: /opt/ibm/gsk7_64

• Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client — prompted on Windows only)

Specifies the IBM Tivoli Directory Server client installation directory, if the client is not already installed. The default directory is:

C:\Program Files\ibm\LDAP

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

• AIX and Linux: /usr/ldap

• HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\TivSecUtl

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

• UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime — prompted on Windows only)

Specifies the Access Manager Runtime installation directory, if the runtime is not already installed. The default directory is: C:\Program Files\Tivoli\Policy Director

Although you are prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

• UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging

Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files such as trace and message logs.


Directory name * (for Tivoli Common Directory)

Specifies the fully qualified path of the Tivoli Common Directory.

• If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.

• If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directories are:

• Windows: C:\Program Files\ibm\tivoli\common

• UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory named with a 3-character identifier. For IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:

• Windows: C:\Program Files\Tivoli\Policy Director\log

• UNIX or Linux: /var/PolicyDirector/log

LDAP server host name * Specifies the host name or IP address of the registry server.You can specify the fully qualified host name with or withoutthe domain extension. Examples: registryserver orregistryserver.tivoli.com

LDAP server port * Specifies the port number on which the registry server listensfor requests. The default port number is 389.

Enable SSL with theregistry server

Specifies whether to enable encrypted Secure Sockets Layer(SSL) communication between the Tivoli Access Managerpolicy server and the registry server.Note: You must first configure the registry server for SSLaccess. Default: enabled (check box is selected)

Tivoli Access Manageradministratorpassword *

Specifies the password for the Tivoli Access Manageradministrator ID.

Tivoli Access Managerpasswordconfirmation *

Specifies the Tivoli Access Manager administrator passwordagain for confirmation.

Policy server SSL port * Specifies the port number on which the policy server listensfor SSL requests. The default port number is 7135.

SSL certificate lifecycle(days) *

Specifies the number of days that the SSL certificate file isvalid. The default number of days is 1460 (4 years).

Chapter 21. Installation wizard options 401


SSL connection timeout (seconds) *

Specifies the duration (in seconds) that an SSL connection waits for a response before timing out. The default number of seconds is 7200.

Enable Federal Information Processing Standards (FIPS)

Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.

Default: not enabled (The check box is not selected.)

You can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *

Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

Copy the SSL key file from the registry server system to any directory on your local system and set the key file and path using this option.

SSL key file password * The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port * Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

If you enable SSL with an LDAP server, you are also prompted for the following two values:

LDAP administrator DN * Specifies the distinguished name of the LDAP administrator. The default name is cn=root.

LDAP administrator password *

Specifies the password associated with the LDAP administrator DN.


Management domain name The name of the management domain. The initial administrative domain created when the policy server is configured is the management domain. The management domain name must be unique within the LDAP server. The name must be an alphanumeric string up to 64 characters long and is case-insensitive.

The default is Default.

For more information about management domains, see “Tivoli Access Manager management domains” on page 138.

LDAP management domain name location DN

The distinguished name of the location within the LDAP server where the Access Manager metadata will be stored. By default, the management domain information will be stored in its own suffix using the format secAuthority=<management_domain_name>. Whether the distinguished name is specified or the default is used, the location must already exist in the LDAP server.

For more information about management domains, see “Tivoli Access Manager management domains” on page 138.
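Several of the rules in Table 30 are mechanical enough to check before the wizard is run: where message and trace logs will land depending on whether Tivoli Common Directory is enabled or already established, how the default secAuthority suffix is derived from the management domain name, and which four values become required once SSL to the registry server is enabled. The following Python is an added example, not code from the IBM guide: the function and field names are this example's own, and the only values it knows are the defaults listed in the table.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Defaults from Table 30, keyed on the two platform families the wizard
# distinguishes (constructed lookup; the wizard prompts on Windows only).
TCD_DEFAULT = {
    "windows": r"C:\Program Files\ibm\tivoli\common",
    "unix": "/var/ibm/tivoli/common",
}
PD_LOG_DEFAULT = {
    "windows": r"C:\Program Files\Tivoli\Policy Director\log",
    "unix": "/var/PolicyDirector/log",
}
PRODUCT_ID = "HPD"   # 3-character identifier for Tivoli Access Manager


def _family(platform: str) -> str:
    return "windows" if platform.lower().startswith("win") else "unix"


def log_directory(platform: str, tcd_enabled: bool,
                  established: Optional[str] = None) -> str:
    """Directory that will receive message and trace logs.

    A Tivoli Common Directory already established by another Tivoli
    product cannot be changed by the wizard, so it takes precedence over
    the default; with the directory disabled the product log path is used.
    """
    fam = _family(platform)
    if not tcd_enabled:
        return PD_LOG_DEFAULT[fam]
    base = established or TCD_DEFAULT[fam]
    sep = "\\" if fam == "windows" else "/"
    return base.rstrip(sep) + sep + PRODUCT_ID


def is_valid_domain_name(name: str) -> bool:
    """Management domain names are alphanumeric and at most 64 characters."""
    return re.fullmatch(r"[A-Za-z0-9]{1,64}", name) is not None


def management_domain_dn(name: str = "Default") -> str:
    """Default suffix for the domain's metadata; it must already exist in LDAP."""
    if not is_valid_domain_name(name):
        raise ValueError(f"invalid management domain name: {name!r}")
    return f"secAuthority={name}"


@dataclass
class RegistrySSL:
    """Answers to the SSL prompts, with the defaults Table 30 lists."""
    enabled: bool = True
    key_file: Optional[str] = None          # must be a .kdb file
    key_file_password: Optional[str] = None
    cert_label: Optional[str] = None        # only when LDAP requires client auth
    ssl_port: int = 636
    ldap_admin_dn: str = "cn=root"
    ldap_admin_password: Optional[str] = None


def check_registry_ssl(cfg: RegistrySSL, check_files: bool = True) -> List[str]:
    """Return the problems found; an empty list means the answer set is complete.

    With SSL disabled none of the SSL values are prompted for, so nothing is
    checked; with it enabled the key file, its password, the port and the
    LDAP administrator credentials are all required.
    """
    problems: List[str] = []
    if not cfg.enabled:
        return problems
    if not cfg.key_file:
        problems.append("SSL key file path is required when SSL is enabled")
    elif not cfg.key_file.lower().endswith(".kdb"):
        problems.append("SSL key file extension must be .kdb")
    elif check_files and not os.path.isfile(cfg.key_file):
        problems.append(f"SSL key file not found: {cfg.key_file}")
    if not cfg.key_file_password:
        problems.append("SSL key file password is required")
    if not 1 <= cfg.ssl_port <= 65535:
        problems.append(f"SSL port out of range: {cfg.ssl_port}")
    if not cfg.ldap_admin_dn:
        problems.append("LDAP administrator DN is required")
    if not cfg.ldap_admin_password:
        problems.append("LDAP administrator password is required")
    return problems


if __name__ == "__main__":
    print(log_directory("Linux", True))          # /var/ibm/tivoli/common/HPD
    print(management_domain_dn())                # secAuthority=Default
    print(check_registry_ssl(RegistrySSL(key_file="/tmp/pdldap.kdb",
                                         key_file_password="secret",
                                         ldap_admin_password="secret"),
                             check_files=False))  # []
```

Knowing the resolved log directory in advance is what a log collector needs to be pointed at the HPD subdirectory; the check_files switch exists so the same answer set can be validated on a workstation before the .kdb file has been copied to the target system.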


install_amproxy

Table 31 lists additional options prompted for during installation using the install_amproxy wizard as instructed in “Installing using the installation wizard” on page 181.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 31. install_amproxy configuration options. * indicates a required option.

Configuration Options Description

Registry * Select to specify the type of registry server that has been set up for Tivoli Access Manager. LDAP is the default.

The Tivoli Access Manager policy proxy server installation wizard (install_amproxy) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

v “Access Manager Runtime (LDAP)” on page 378

v “Access Manager Runtime (Active Directory)” on page 382

v “Access Manager Runtime (Domino)” on page 389

Directory name * (for the IBM Global Security Kit (GSKit) — prompted on Windows only)

Specifies the IBM Global Security Kit (GSKit) installation directory if not already installed. The default directory is:

C:\Program Files\ibm\gsk7

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

v HP-UX and Solaris: /opt/ibm/gsk7

v HP-UX on Integrity

– On 32-bit: /opt/ibm/gsk7_32

– On 64-bit: /opt/ibm/gsk7_64

v Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client — prompted on Windows only)

Specifies the IBM Tivoli Directory Server client installation directory if not already installed. The default directory is:

C:\Program Files\ibm\LDAP

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX and Linux: /usr/ldap

v HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities


Directory name * (for the Access Manager Runtime — prompted on Windows only)

Specifies the Access Manager Runtime installation directory if not already installed. The default directory is: C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging

Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product.

Directory name * (for Tivoli Common Directory)

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directories are:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log


Policy server host name * Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example:

pdmgr or pdmgr.tivoli.com

Policy server SSL port * Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file

Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. Note that the SSL key file and certificate are created using FIPS-approved algorithms.

To obtain this file, do one of the following tasks:

v During configuration of Access Manager Runtime, if you leave this field blank, the pdcacert.b64 file will be automatically downloaded.

v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain. It is needed for successful configuration.

The default location is:

v Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64

v UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain * Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Registry server host name * Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

Registry server port * Specifies the port number on which the registry server listens for requests. The default port number is 389.

Tivoli Access Manager administrator ID *

Specifies the administrator identifier of the Tivoli Access Manager management domain. The default administrator ID is sec_master.


Tivoli Access Manager administrator password *

Specifies the password for the Tivoli Access Manager administrator ID.

Local host name * The installation wizard detects and fills in the host name of your system.

Specifies the fully qualified name or IP address of the host system on which the policy proxy server is to be located. For example: dana.tivoli.com

Administration request port *

Specifies the administration request port. The default port number is 7137.

Proxy request port * Specifies the authorization request port number. The default port number is 7138.

Enable SSL with the registry server (prompted on Windows only)

Specifies whether to enable encrypted Secure Sockets Layer (SSL) communication between the Tivoli Access Manager policy proxy server and the registry server. Note: You must first configure the registry server for SSL access.

Default: enabled (check box is selected)

On Windows only, you can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path * Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

Copy the SSL key file from the registry server system to any directory on your local system and set the key file and path using this option.

SSL key file password * The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port * Specifies the port number on which the registry server listens for SSL requests. The default port number is 636.


install_amrte

The Tivoli Access Manager runtime system wizard (install_amrte) prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

v “Access Manager Runtime (LDAP)” on page 378

v “Access Manager Runtime (Active Directory)” on page 382

v “Access Manager Runtime (Domino)” on page 389

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.


install_amsms

Table 32 lists additional options prompted for during installation using the install_amsms wizard as instructed in “Installing using the installation wizard” on page 282.

Notes:

1. You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

2. If the policy server has Federal Information Processing Standard (FIPS) mode enabled, then WebSphere Application Server must be installed and FIPS enabled before using this installation wizard.

Table 32. install_amsms configuration options. * indicates a required option.

Configuration Options Description

Directory name * (for the IBM Tivoli Security Utilities — prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime — prompted on Windows only)

Specifies the Access Manager Runtime installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging

Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product.


Directory name * Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log

Directory name * (for the Access Manager Session Management Server — prompted on Windows only)

Specifies the session management server installation directory. The default directory is:

C:\Program Files\Tivoli\PDSMS

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/Tivoli/PDSMS

Enable integration with Tivoli Access Manager

Select the check box to enable Tivoli Access Manager integration. Enabling Tivoli Access Manager integration is required to support the credential refresh administration function and the auditing of events that are specific to Tivoli Access Manager. Also, when integration is enabled, the Tivoli Access Manager SSL certificates are available for use. If enabled, you will be prompted for further Tivoli Access Manager configuration information.

Default: enabled (The check box is selected.)

Enable enforcement of session limit and displacement policy

Select the check box to enable enforcement of the session limit and displacement policy. Enabling this option is required to support the ability to limit the number of concurrent sessions for a user, and to limit the total number of sessions within a session realm.

Default: enabled (The check box is selected.)


Client idle timeout (seconds) *

The length of time in seconds that the connection between the session management server and client application waits before timing out. Match the client idle timeout value with the session inactivity timeout value as set in the Tivoli Access Manager WebSEAL or Web security plug-in configuration. A valid timeout value is any positive integer number. Because there is no maximum timeout number of seconds, use a value that is a reasonable length of time to wait for a connection. A value of zero is not allowed.

Default: 600 seconds (10 minutes)

Key lifecycle (days) * Specifies the length of time in days that the current Tivoli Access Manager session management server key remains active and valid, before it expires. The key lifetime setting controls how frequently this key is automatically refreshed. The key is used to prevent forgery of session cookies and denial of service (DoS) attacks on the session management server. A valid key lifetime value is any positive integer number. Because there is no maximum lifetime number of days, use a value that is a reasonable number of days before expiration occurs. A value of zero disables automatic key refresh.

Default: 180 days

IBM WebSphere Application Server host name *

Specifies the host name or IP address of the host system on which IBM WebSphere Application Server is located. If deploying to a cluster, make sure the host name is for an IBM WebSphere Application Server that is located in the cluster. You can specify the host name with or without the domain extension. The dot (.) cannot be the last character of the host name. Examples:

wasserver1.tivoli.com or wasserver1

IBM WebSphere Application Server port *

Specifies the port number on which the application server listens for SOAP administration requests. Change this value to the port number used by your WebSphere Application Server.

The default port number is 8879, which is the default for WebSphere Application Server Network Deployment.

Enable SSL with the IBM WebSphere Application Server

Select the check box to enable SSL communication with the IBM WebSphere Application Server for the configuration session only. SSL communication is used only for obtaining installation configuration information from the IBM WebSphere Application Server. The SSL configuration session allows the data, which is transmitted between the session management server and the IBM WebSphere Application Server, to be encrypted to provide data privacy and integrity during configuration.

Default: enabled (The check box is selected)


IBM WebSphere Application Server administrator ID *

Specifies the identifier for an existing administrator account for the IBM WebSphere Application Server. All administrator IDs must follow the IBM WebSphere Application Server naming policy. The administrator ID is an alphanumeric string. The string might be case-sensitive or case-insensitive, depending on the registry that is configured for IBM WebSphere Application Server.

IBM WebSphere Application Server administrator password *

Specifies the existing password for the specified IBM WebSphere Application Server administrator ID. This administrator password was created when you created the IBM WebSphere Application Server administrator account.

Trust store file with full path *

Specifies the fully qualified path where the existing trust store file is located. Use the trust store file to handle server-side certificates that are used in SSL communication. The trust store file verifies the certificate presented by the server. The signer of the SSL certificate must be recognized as a trusted certificate authority (CA). Any file extension can be used, but the file extension normally relates to the type of trust store file format. For example, for a Java Key Store (JKS) file format: c:\keytab\mytrust.jks

Trust store file password * Specifies the existing password that protects the SSL trust store file if a secure connection with the IBM WebSphere Application Server is being used. The trust store file password was set when the trust store file was first created. For example: WebAS

SSL key file with full path * Specifies the fully qualified path where the existing key file is located. The key file holds the client-side certificates that are used in SSL communication. The key file is used when communicating with the Tivoli Access Manager session management server. Any file extension can be used, but the file extension normally relates to the type of key file format. For example, for a Java Key Store (JKS) file format: c:\keytab\mykeys.jks

SSL key file password * Specifies the existing password that is associated with the specified client key file. The key file password was set when the key file was first created.

Application servers and clusters

Select the existing application server or cluster where the Tivoli Access Manager session management server Web service is to be deployed. The types of deployment that are recognized by IBM WebSphere Application Server are:

v A cluster—Specify the existing cluster to which the session management server Web service will be deployed.

v A single application server—Specify the existing application server to which the session management server Web service will be deployed.

Select at least one application server or cluster from the list displayed.


Storage type * Specifies the data sources configured in the IBM WebSphere Application Server that can be used by the session management server for storing session data. The IBM WebSphere Application Server is queried for the storage types. All the JDBC storage types that are currently configured for the IBM WebSphere Application Server are displayed. For example: DB2 Data Source

The storage type selected will be used by the session management server for storing last login data. Note: The Memory storage type is for testing and demonstration purposes only.

If the session management server has been configured with a data source for the session data storage type, the only data source available for storing login data will be the same as that specified for session data. The Memory storage type can still be used for login data when a data source has been specified for the session data storage type.

Select one of the storage types displayed.

Enable database storage of session data

Specifies whether to store session data to the selected JDBC data source. This option is only available if you are not deploying to a clustered WebSphere Application Server environment. By default, this option is disabled.

Directory name * (for IBM WebSphere Application Server — prompted on Windows only)

Specifies the location of the existing IBM WebSphere Application Server installation. The default directory is:

C:\Program Files\IBM\WebSphere\AppServer

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX: /usr/IBM/WebSphere/AppServer

v HP-UX, Linux and Solaris: /opt/IBM/WebSphere/AppServer


New replica set * Specifies the name for the replica set to be used by the Tivoli Access Manager session management server. A replica set is a collection of replicated Web security servers (Tivoli Access Manager WebSEAL or Web server plug-ins).

To create and name a new replica set, type the name, and then click Add replica set. Repeat the procedure until you have created all the new replica set names that you want to add.

Commas cannot be used for the replica set name. Replica sets and session realms cannot have the same name.

The replica set names that are defined must match the names that are being used by the Web security server (Tivoli Access Manager WebSEAL or Web server plug-in) configuration settings:

v For WebSEAL virtual host junctions, the replica set is the virtual host name of the junction (or the replica set name that was specified with the -z option when the junction was created).

v For WebSEAL normal junctions, the replica set is specified in the WebSEAL configuration file. The default value is default.

v For the Web server plug-ins, the replica set is specified in the Web server plug-in configuration file. The default replica set name is the name of the virtual host.

Session realms * Select a session realm for the defined replica set from the list by highlighting the session realm name. If there are no session realms, the field will display the default value -norealm-. Note: If you do not need these capabilities, session realms do not need to be defined.

The replica set can belong to a session realm. A session realm is a collection of replica sets. Session realms are used to provide single sign-on (SSO), session administration, and session policy enforcement across a number of replica sets.

Replica sets * Displays a list of all the names of replica sets that have been defined. At least one replica set must be defined.

To undo the replica set definition, highlight the replica set name to select it, and then click Remove replica set. Repeat the procedure until you have removed all the replica set names that you want to undo.


New session realm * Specifies the name for the newly created session realm to be used by the session management server. A session realm is a collection of replica sets. A replica set is a collection of replicated Web security servers (Tivoli Access Manager WebSEAL or Web server plug-ins). Session realms are used to provide single sign-on (SSO), session administration, and session policy enforcement across a number of replica sets. Commas cannot be used for the session realm name. Session realms and replica sets cannot have the same name. Note: If you do not need these capabilities, session realms do not need to be defined.

To add a new session realm, type the name of the session realm in the Realm field, and then enter the maximum number of concurrent logins allowed for the session realm in the Limit field.

The session realm name is an alphanumeric, case-insensitive string. String values should be characters that are part of the local code set. Commas cannot be used for the session realm name. Session realms and replica sets cannot have the same name.

If no limit is specified, an unlimited number of concurrent logins will be allowed for the session realm.

When you have entered the desired realm name and limit, click Add session realm to add the new session realm. Repeat the procedure until you have created and named all the new session realms that you want to add.

Session realms * Displays a list of all the names of session realms that have been created. To undo the creation and naming of the session realm from the list, highlight the session realm name to select it, and then click Remove session realm. Repeat the procedure until you have removed all the session realm names.
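The constraints Table 32 places on the client idle timeout and key lifecycle entries, and on the replica set and session realm definitions (no commas, at least one replica set, alphanumeric case-insensitive realm names, no name shared between a realm and a replica set, an empty Limit meaning unlimited logins), can be checked as a set before they are typed into the wizard. The following Python is an added example, not code from the IBM guide; the class, field and function names are this example's own, the defaults are those the table lists, and the replica set names in the test data are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Session realm names are alphanumeric and case-insensitive (Table 32);
# replica set names only have to be comma-free, since they must match
# WebSEAL virtual host names such as www.example.com.
REALM_NAME_RE = re.compile(r"[A-Za-z0-9]+")


@dataclass
class SmsOptions:
    """Answers collected by install_amsms, with the table's defaults."""
    client_idle_timeout: int = 600      # seconds; zero is not allowed
    key_lifecycle_days: int = 180       # days; zero disables automatic refresh
    replica_sets: List[str] = field(default_factory=lambda: ["default"])
    # session realm name -> concurrent-login limit; None means unlimited
    session_realms: Dict[str, Optional[int]] = field(default_factory=dict)
    # replica set name -> session realm it belongs to (membership is optional)
    realm_of_replica_set: Dict[str, str] = field(default_factory=dict)


def key_refresh_enabled(opts: SmsOptions) -> bool:
    """A key lifecycle of zero switches automatic key refresh off."""
    return opts.key_lifecycle_days > 0


def login_limit(opts: SmsOptions, realm: str) -> Optional[int]:
    """Effective concurrent-login limit for a realm (None = unlimited)."""
    return opts.session_realms.get(realm)


def validate_sms_options(opts: SmsOptions) -> List[str]:
    """Return every rule violation found; an empty list means the set is usable."""
    problems: List[str] = []

    if not isinstance(opts.client_idle_timeout, int) or opts.client_idle_timeout <= 0:
        problems.append("client idle timeout must be a positive integer (zero is not allowed)")
    if not isinstance(opts.key_lifecycle_days, int) or opts.key_lifecycle_days < 0:
        problems.append("key lifecycle must be zero or a positive integer")

    if not opts.replica_sets:
        problems.append("at least one replica set must be defined")
    # Compare case-insensitively so the realm/replica-set clash rule holds
    # regardless of how the operator typed the names (this example's choice).
    seen_sets = set()
    for rs in opts.replica_sets:
        if "," in rs:
            problems.append(f"replica set name may not contain a comma: {rs!r}")
        if rs.lower() in seen_sets:
            problems.append(f"duplicate replica set name: {rs!r}")
        seen_sets.add(rs.lower())

    seen_realms = set()
    for realm, limit in opts.session_realms.items():
        if not REALM_NAME_RE.fullmatch(realm):
            problems.append(f"session realm name must be alphanumeric: {realm!r}")
        if realm.lower() in seen_sets:
            problems.append(f"session realm and replica set share a name: {realm!r}")
        # An empty Limit field means unlimited; anything else must be a
        # positive count of concurrent logins (zero treated as invalid here).
        if limit is not None and (not isinstance(limit, int) or limit <= 0):
            problems.append(f"login limit for realm {realm!r} must be a positive integer or empty (unlimited)")
        seen_realms.add(realm.lower())

    for rs, realm in opts.realm_of_replica_set.items():
        if rs.lower() not in seen_sets:
            problems.append(f"membership refers to undefined replica set {rs!r}")
        if realm.lower() not in seen_realms:
            problems.append(f"membership refers to undefined session realm {realm!r}")
    return problems


if __name__ == "__main__":
    # Constructed answer set: one WebSEAL virtual host junction in one realm.
    good = SmsOptions(replica_sets=["www.example.com"],
                      session_realms={"shop": 10},
                      realm_of_replica_set={"www.example.com": "shop"})
    print(validate_sms_options(good))        # []
    print(login_limit(good, "shop"))         # 10
```

The client idle timeout is checked only for shape here; the table's advice to match it to the WebSEAL or plug-in session inactivity timeout needs that second value, which lives in the Web security server configuration rather than in the wizard answers.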

Enable recording of lastlogin

Select the check box to record session management server last login data. Last login data includes the date and time of the last login (from the current browser) and the number of failed login attempts since the last successful login before the current login. This data can be displayed on a browser, if required. When enabled, you will be prompted for further database table name and recording configuration information.

Default: enabled (The check box is selected)
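The following Python example is added here to illustrate the last login data described above; it is not code from the guide or the product. It keeps one record per user (assumption: one AMSMSUSERINFOTABLE row per user ID), bounds the in-memory table the way the "Memory cache maximum number of entries" option does (the least-recently-used eviction policy is an assumption), and on each successful login returns the previous login time and the number of failed attempts since it.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass
class LastLoginRecord:
    # Date and time of the most recent successful login; None until the first one.
    last_login: Optional[datetime] = None
    # Failed attempts recorded since that successful login.
    failed_since_last: int = 0


class LastLoginStore:
    """Per-user last login data, kept in memory.

    Stands in for the AMSMSUSERINFOTABLE rows the wizard configures (assumption:
    one row per user ID). max_entries mirrors the 'Memory cache maximum number of
    entries' option; which row is dropped when the cache is full is an assumption
    (least recently used), not something the guide specifies.
    """

    def __init__(self, max_entries: int = 5000):
        self.max_entries = max_entries
        self._rows: "OrderedDict[str, LastLoginRecord]" = OrderedDict()

    def _row(self, user: str) -> LastLoginRecord:
        if user in self._rows:
            self._rows.move_to_end(user)      # mark as recently used
            return self._rows[user]
        if len(self._rows) >= self.max_entries:
            self._rows.popitem(last=False)    # evict the least recently used row
        row = LastLoginRecord()
        self._rows[user] = row
        return row

    def record_attempt(self, user: str, success: bool, when: datetime
                       ) -> Optional[Tuple[Optional[datetime], int]]:
        """Record one login attempt.

        On success, return what the last login page should show the user:
        (previous successful login time, failed attempts since it), then make
        the current login the new 'last login'. On failure, count it and
        return None.
        """
        row = self._row(user)
        if not success:
            row.failed_since_last += 1
            return None
        shown = (row.last_login, row.failed_since_last)
        row.last_login = when
        row.failed_since_last = 0
        return shown

    def __len__(self) -> int:
        return len(self._rows)


def format_last_login(shown: Tuple[Optional[datetime], int]) -> str:
    """Text a lastLogin.jsp-style page might render (wording is constructed)."""
    last_login, failed = shown
    if last_login is None:
        return "This is your first login."
    return (f"Last login: {last_login:%Y-%m-%d %H:%M}; "
            f"{failed} failed attempt(s) since then.")


def demo():
    """Constructed sequence of attempts for one user; returns each attempt's result."""
    store = LastLoginStore(max_entries=5000)
    events = [
        ("alice", True,  datetime(2010, 1, 4, 9, 0)),    # first login
        ("alice", False, datetime(2010, 1, 4, 18, 0)),   # wrong password
        ("alice", False, datetime(2010, 1, 5, 8, 30)),   # wrong password again
        ("alice", True,  datetime(2010, 1, 5, 8, 31)),   # shows 2 failures since Jan 4 09:00
        ("alice", True,  datetime(2010, 1, 6, 7, 45)),   # shows 0 failures since Jan 5 08:31
    ]
    return [store.record_attempt(user, ok, when) for user, ok, when in events]


def eviction_demo():
    """Constructed: with a cache of 2 entries, a third user evicts the least recently used one."""
    store = LastLoginStore(max_entries=2)
    t = datetime(2010, 1, 7, 12, 0)
    store.record_attempt("a", False, t)
    store.record_attempt("b", False, t)
    store.record_attempt("c", False, t)   # "a" is evicted here
    # "a" now starts from a fresh row, so its earlier failure is no longer counted
    return len(store), store.record_attempt("a", True, t)


if __name__ == "__main__":
    for result in demo():
        if result is not None:
            print(format_last_login(result))
```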

Chapter 21. Installation wizard options 415


Storage type *

Specifies the data sources configured in the IBM WebSphere Application Server that can be used by the session management server for storing session data. The IBM WebSphere Application Server is queried for the storage types. All the JDBC storage types that are currently configured for the IBM WebSphere Application Server are displayed. For example, DB2 Data Source.

The storage type selected will be used by the session management server for storing last login data.

Note: The Memory storage type is for testing and demonstration purposes only.

If the session management server has been configured with a data source for the session data storage type, the only data source available for storing login data will be the same as that specified for session data. The Memory storage type can still be used for login data when a data source has been specified for the session data storage type.

Database table name *

Specifies the name of the database table that will be used for recording the last login data. Last login data includes the date and time of the last login (from the current browser) and the number of failed login attempts since the last successful login before the current login. Accept the default database table name or create another name. The name is an alphanumeric, case-insensitive string. String values should be valid characters that are part of the local code set. The default name is AMSMSUSERINFOTABLE.

Memory cache maximum number of entries *

Specifies the default maximum number of entries that will be stored in memory. The default value is 5000.

Last login path

Specifies the server-side path for the last login .jsp file. The default value is lastLogin.jsp.

Last login file with full path *

Specifies the fully qualified path where the login file is located. A login file is a dynamic Web page that is customized to be displayed when a user logs in. The user's last login data can be displayed. The login file can be named any valid name but the default file name is lastLogin.jsp. The set of characters that are permitted in a file name can be determined by the file system and by the local code set. For Windows, file names cannot contain these characters: a backward slash (\), a colon (:), a question mark (?), or double quotation marks (").

The default fully qualified path is:

v UNIX or Linux: SMS_install_dir/etc/lastLogin.jsp

v Windows: SMS_install_dir\etc\lastLogin.jsp


Policy server host name *

Specifies the existing host name or IP address of the Tivoli Access Manager policy server (or policy proxy server). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about the resource managers operating in the domain. There must be at least one policy server defined for each domain. The dot (.) cannot be the last character of the host name. Examples:

pdmgr or pdmgr.tivoli.com

Policy server SSL port *

Specifies the port number on which the policy server listens for SSL requests. Use the default port number, which is server-dependent. The default port number is 7135.

Tivoli Access Manager domain *

Specifies the name of an existing Tivoli Access Manager domain. A domain consists of all the resources that require protection along with the associated security policy that is used to protect those resources. A resource can be any physical or logical entity, including objects such as files, directories, Web pages, printer and network services, and message queues. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Tivoli Access Manager administrator ID *

Specifies the identifier for an existing administrator account for the Tivoli Access Manager domain. The default administrator ID is sec_master.

Tivoli Access Manager administrator password *

Specifies the password that is associated with the specified Tivoli Access Manager administrator ID. This administrator password was created when you created the administrator account. Basic authentication requires the Tivoli Access Manager administrator to enter a valid user name and password before access to a secure online resource can be granted.

New rule

Specifies a credential refresh rule, which controls whether an IBM Tivoli Access Manager credential attribute is refreshed or preserved when the credential is refreshed.

Enter the credential attribute for which you want to create a credential refresh rule in the Pattern field; for example, tagvalue_last_refresh_time.

To refresh the credential attribute if it is updated during a session, select the refresh radio button. To retain the attribute if it is updated during a session, select the preserve radio button. Click Add rule to add the credential rule.

The order of credential rules in the credential list is important. The first credential rule takes precedence over any subsequent rule.
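The following Python example is added here to show how an ordered rule list such as the one described above decides whether a credential attribute is refreshed or preserved; it is not code from the guide or the product. It assumes that a rule pattern may use shell-style wildcards (for example tagvalue_*) and that an attribute matched by no rule is refreshed; the guide states neither, and the attribute names and values are constructed.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

REFRESH = "refresh"
PRESERVE = "preserve"

# A rule is (pattern, action); the list order is the precedence order.
Rule = Tuple[str, str]


def add_rule(rules: List[Rule], pattern: str, action: str) -> List[Rule]:
    """Append a rule (the 'Add rule' button); later additions rank lower."""
    if action not in (REFRESH, PRESERVE):
        raise ValueError(f"action must be {REFRESH!r} or {PRESERVE!r}, got {action!r}")
    rules.append((pattern, action))
    return rules


def remove_rule(rules: List[Rule], pattern: str) -> List[Rule]:
    """Drop the rule with exactly this pattern (the 'Remove rule' option)."""
    return [rule for rule in rules if rule[0] != pattern]


def action_for(rules: List[Rule], attribute: str, default: str = REFRESH) -> str:
    """The first rule whose pattern matches the attribute name wins.

    Assumptions: patterns may use shell-style wildcards, and an attribute
    matched by no rule falls back to `default` (refresh).
    """
    for pattern, action in rules:
        if fnmatchcase(attribute, pattern):
            return action
    return default


def apply_refresh(rules: List[Rule], current: Dict[str, str],
                  updated: Dict[str, str], default: str = REFRESH) -> Dict[str, str]:
    """Merge a freshly built credential into the one the session already holds.

    'preserve' keeps the session's existing value; 'refresh' takes the value
    from the updated credential. An attribute present only in the updated
    credential is always taken (there is nothing to preserve); an attribute
    present only in the current credential survives only if a rule preserves it.
    """
    merged: Dict[str, str] = {}
    for attr in set(current) | set(updated):
        action = action_for(rules, attr, default)
        if attr in current and attr in updated:
            merged[attr] = current[attr] if action == PRESERVE else updated[attr]
        elif attr in updated:
            merged[attr] = updated[attr]
        elif action == PRESERVE:
            merged[attr] = current[attr]
    return merged


def demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed credentials and the same two rules in both orders."""
    current = {"tagvalue_last_refresh_time": "2010-01-04T09:00",
               "tagvalue_session_index": "s-1",
               "AZN_CRED_GROUPS": "staff"}
    updated = {"tagvalue_last_refresh_time": "2010-01-04T09:30",
               "tagvalue_session_index": "s-2",
               "AZN_CRED_GROUPS": "staff,admins"}

    # Specific rule first: the refresh-time stamp is refreshed, every other
    # tagvalue_* attribute is preserved, anything else takes the default.
    rules = add_rule([], "tagvalue_last_refresh_time", REFRESH)
    add_rule(rules, "tagvalue_*", PRESERVE)
    specific_first = apply_refresh(rules, current, updated)

    # Wildcard first: it now shadows the specific rule, so the refresh-time
    # stamp is preserved too. Same rules, different order, different result.
    wildcard_first = apply_refresh(list(reversed(rules)), current, updated)
    return specific_first, wildcard_first


if __name__ == "__main__":
    for label, result in zip(("specific rule first", "wildcard first"), demo()):
        print(label, result)
```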


Remove rule

To remove a credential refresh rule, select it and click Remove rule.

Use existing Tivoli authorization server

Specifies whether to use an existing Tivoli authorization server. When enabled, you will be required to supply the authorization server host name and port. When disabled, you will be prompted for further information which is required to install a new authorization server. By default, this option is enabled.

Authorization server host name *

Specifies the existing fully qualified host name or IP address of the authorization server to be used by IBM Tivoli Access Manager. The host name value is an alphanumeric, case-insensitive string. String values should be characters that are part of the local code set. The dot (.) cannot be the last character of the host name. Examples: pdacld or pdacld.tivoli.com

Authorization server SSL port *

Specifies the port number on which the authorization server is listening for SSL requests. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another server. Use the default port number, which is server-dependent. The default port number is 7136.

Components *

Specifies the Session Management Server components which are to be deployed to the IBM WebSphere Application Server.

The valid components are:

v An instance of the Session Management Server application. This component provides the web service interface for the Session Management Server.

v An instance of the Session Management Server configuration and administration console. This component is deployed to the Integrated Solutions Console for the IBM WebSphere Application Server. It can be used to configure and administer Session Management Server instances.

Enable recording of auditing information

Select the check box to enable the recording of auditing information. When enabled, you will be prompted for a properties file which contains the auditing configuration information.

Default: The check box is not selected (disabled).

Auditing properties file with full path

Specifies the fully qualified path where the properties file for the auditing configuration is located. The fully qualified path and file name value represents an alphanumeric string. String values should be characters that are part of the local code set. The set of characters that are permitted in a file name can be determined by the file system and by the local code set. For Windows, file names cannot contain these characters: a backward slash (\), a colon (:), a question mark (?), or double quotation marks (").

To specify the auditing properties file, perform one of the following tasks:

v Type a new fully qualified path location.

v Browse for and choose an existing properties file.


Integration with Tivoli Access Manager enabled

Select the check box if IBM Tivoli Access Manager integration with the deployed Session Management Server has been enabled.

Default: The check box is selected (enabled).

Tivoli Access Manager administrator ID

Specifies the identifier for an existing administrator account for the IBM Tivoli Access Manager domain. The administrator ID is an alphanumeric, case-insensitive string. String values should be characters that are part of the local code set.

Default: sec_master

Tivoli Access Manager administrator password

Specifies the password that is associated with the specified IBM Tivoli Access Manager administrator ID. This administrator password was created when you created the administrator account. Basic authentication requires the IBM Tivoli Access Manager administrator to enter a valid user name and password before access to a secure online resource can be granted. The administrator password is an alphanumeric, case-sensitive string. String values should be characters that are part of the local code set.


install_amsmscli

Table 33 lists additional options prompted for during installation using the install_amsmscli wizard as instructed in "Installing using the installation wizard" on page 282.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 33. install_amsmscli configuration options. * indicates a required option.

Configuration Options Description

Directory name * (for the IBM Global Security Kit (GSKit), prompted on Windows only)

Specifies the IBM Global Security Kit (GSKit) installation directory if not already installed. The default directory is:

C:\Program Files\ibm\gsk7

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

v HP-UX and Solaris: /opt/ibm/gsk7

v HP-UX on Integrity

– On 32-bit: /opt/ibm/gsk7_32

– On 64-bit: /opt/ibm/gsk7_64

v Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client, prompted on Windows only)

Specifies the IBM Tivoli Directory Server client installation directory if not already installed. The default directory is:

C:\Program Files\ibm\LDAP

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX and Linux: /usr/ldap

v HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities, prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

Directory name * (for the Access Manager Runtime, prompted on Windows only)

Specifies the Access Manager Runtime installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/PolicyDirector


Enable Tivoli Common Directory for logging

Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product.

Enable integration with Tivoli Access Manager

Select the check box to enable IBM Tivoli Access Manager integration. Enabling IBM Tivoli Access Manager integration will make administration available through the IBM Tivoli Access Manager Administration framework. This framework includes a command line utility, pdadmin, as well as the IBM Tivoli Access Manager Administration API. If enabled, you will be prompted for further IBM Tivoli Access Manager configuration information.

Directory name * (for Tivoli Common Directory)

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log

Directory name * (for the Access Manager Session Management Command Line, prompted on Windows only)

Specifies the Tivoli Access Manager session management command line installation directory. The default directory is:

C:\Program Files\Tivoli\PDSMS

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/PolicyDirector/PDSMS


Web service host and port *

Specifies the host name and port number for the Tivoli Access Manager session management server (SMS) Web service. For example: sms.ibm.com:8080

To specify the host and port information, use the form: hostname:port_number

To specify multiple host names and port numbers, use the form: hostname1:port_number1,hostname2:port_number2...

Enable SSL with the SMS Web service

Select the check box to enable SSL communication. You can enable SSL to protect information, such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate. SSL allows the data, which is transmitted between the Tivoli Access Manager session management command line and the SMS Web service, to be encrypted to provide data privacy and integrity.

Default: enabled (check box is selected)


SSL key file with full path *

Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The key file is used when communicating with the IBM Tivoli Access Manager session management server. The file extension is always .kdb. For example: c:\keytab\mykeys.kdb

If you plan to enable SSL, copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the Web service, such as IBM WebSphere Application Server.

SSL stash file with full path *

Specifies the fully qualified path where the existing SSL client key stash file is located. Typically, the stash file has the same location and file name as the key file. The file extension is always .sth. For example: c:\keytab\mykeys.sth

If a password stash file is associated with the key file, the password is obtained from the password stash file. A stash file can be used by some applications so that the application does not have to know the password to use the key file.

Certificate label

Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the Web service has been configured to require client authentication. The certificate label is any alphanumeric, case-sensitive string that you choose. String values should be characters that are part of the local code set. For example: PDSMS

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.


install_amweb

Table 34 lists additional options prompted for during installation using the install_amweb wizard as instructed in "Installing using the installation wizard" on page 267.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 34. install_amweb configuration options. * indicates a required option.

Configuration Options Description

Registry *

Select to specify the type of registry server that has been set up for Tivoli Access Manager. LDAP is the default.

The Tivoli Access Manager WebSEAL installation wizard (install_amweb) first prompts you for Access Manager Runtime configuration options based on the type of registry server. For descriptions of these configuration options, see one of the following runtimes:

v “Access Manager Runtime (LDAP)” on page 378

v “Access Manager Runtime (Active Directory)” on page 382

v “Access Manager Runtime (Domino)” on page 389

Directory name * (for the IBM Global Security Kit (GSKit), prompted on Windows only)

Specifies the IBM Global Security Kit (GSKit) installation directory if not already installed. The default directory is:

C:\Program Files\ibm\gsk7

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

v HP-UX and Solaris: /opt/ibm/gsk7

v HP-UX on Integrity

– On 32-bit: /opt/ibm/gsk7_32

– On 64-bit: /opt/ibm/gsk7_64

v Linux: /usr/local/ibm/gsk7

Directory name * (for the IBM Tivoli Directory Server client, prompted on Windows only)

Specifies the IBM Tivoli Directory Server client installation directory if not already installed. The default directory is:

C:\Program Files\ibm\LDAP

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v AIX and Linux: /usr/ldap

v HP-UX and Solaris: /opt/IBM/V6.1

Directory name * (for the IBM Tivoli Security Utilities, prompted on Windows only)

Specifies the IBM Tivoli Security Utilities installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities


Directory name * (for the Access Manager Runtime, prompted on Windows only)

Specifies the Access Manager Runtime installation directory. The default directory is:

C:\Program Files\Tivoli\Policy Director

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging

Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager will write its message and trace log data to default locations that are defined by the Tivoli Access Manager product.

Directory name *

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log


Policy server host name *

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example:

pdmgr or pdmgr.tivoli.com

Policy server SSL port *

Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file

Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded, certificate authority file named pdcacert.b64. Note that the SSL key file and certificate are created using FIPS approved algorithms.

To obtain this file, do one of the following tasks:

v During configuration of Access Manager Runtime, if you leave this field blank, the pdcacert.b64 file will be automatically downloaded.

v Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain. It is needed for successful configuration.

The default location is:

v Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64

v UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *

Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Local host name *

The installation wizard detects and fills in the host name of your system.

Specifies the fully qualified name or IP address of the host system on which the policy proxy server is to be located. For example: dana.tivoli.com

Registry server host name *

Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com


Registry server port *

Specifies the port number on which the registry server listens for requests. The default port number is 389.

Directory name * (for the Web security runtime, prompted on Windows only)

Specifies the Web security runtime installation directory. The default directory is:

C:\Program Files\Tivoli\PDWebRTE

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/pdwebrte

Directory name * (for WebSEAL, prompted on Windows only)

Specifies the WebSEAL installation directory. The default directory is:

C:\Program Files\Tivoli\PDWeb

Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

v UNIX or Linux: /opt/pdweb

WebSEAL instance name *

Specifies the fully qualified host name that is used by the policy server to contact the Tivoli Access Manager WebSEAL instance. The instance name must not exceed 20 characters. The default instance name is default (lowercase).

Enable logical network interface

Select the check box to use a logical network interface and to be prompted for the IP address of the logical network interface. If not selected, Tivoli Access Manager is not configured for the logical network interface (the default value).

IP address

Specifies the IP address for the Tivoli Access Manager WebSEAL instance when using a logical network interface. Note that Tivoli Access Manager does not support prefix notation for a netmask.

Note: Both the IPv4 and IPv6 formats can be used for IP addresses. Refer to the Request for Comment standard to determine what constitutes a valid representation of an IPv6 address.

WebSEAL host name *

Specifies the fully qualified local host name of the machine on which WebSEAL will run. For example: webseal1.tivoli.com

WebSEAL listening port *

Specifies the port number on which WebSEAL listens for requests. The default WebSEAL listening port number is 7234.

Tivoli Access Manager administrator ID *

Specifies the administrator identifier of the Tivoli Access Manager management domain. The default administrator ID is sec_master.

Tivoli Access Manager administrator password *

Specifies the password for the Tivoli Access Manager administrator ID.

Enable HTTP access

Specifies whether to enable HTTP access. If selected, you will be prompted to specify the HTTP port number. HTTP access is enabled by default.


Enable HTTPS access

Specifies whether to enable HTTPS access. If selected, you will be prompted to specify the HTTPS port number. HTTPS access is enabled by default.

HTTP port *

Specifies the port number on which HTTP access is allowed. The default port number is 80.

HTTPS port *

Specifies the port number on which HTTPS access is allowed. The default port number is 443.

Web Document root directory *

Specifies the root directory where Web document resources will be created and secured by Tivoli Access Manager WebSEAL. When the first WebSEAL instance is configured, the default server instance name is default. When no value for the root directory is supplied, the default directory path includes the default instance name, prefixed by www-. The default directories are:

v UNIX or Linux: /opt/pdweb/www-default/docs

v Windows: C:\Program Files\Tivoli\PDWeb\www-default\docs

Enable SSL with the LDAP server

Select the check box to enable encrypted Secure Sockets Layer (SSL) connections with the LDAP server.

Note: You must first configure the registry server for SSL access.

Default: enabled (check box is selected)


You can enable SSL with the registry server. If SSL is enabled, you are prompted for the next four values:

SSL key file with full path *

Specifies the fully qualified path where the existing SSL client key file is located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

The SSL key file and password are usable if the registry server has been installed and configured using the install_ldap_server installation wizard. If the SSL key file has been generated by the installation wizard, the full path and key file name is either C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb or the path and SSL key file name that was specified.

If enabling SSL using an existing SSL key file, copy the SSL key file from the registry server system to any directory on your local system.

SSL key file password *

The existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label

Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *

Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.


install_amwebadk

Table 35 lists additional options prompted for during installation using the install_amwebadk wizard as instructed in "Installing using the installation wizard" on page 259.

Note: You might not see all of the configuration options if a runtime orprerequisite component has already been installed or if you are notconfiguring for SSL.

Table 35. install_amwebadk configuration options. * indicates a required option.

Configuration Options Description

Registry * Select to specify the type of registry server that has been setup for Tivoli Access Manager. LDAP is the default.

The Tivoli Access Manager Web Security development (ADK)system wizard (install_amwebadk) first prompts you forAccess Manager Runtime configuration options based on thetype of registry server. For descriptions of these configurationoptions, see one of the following runtimes:

v “Access Manager Runtime (LDAP)” on page 378

v “Access Manager Runtime (Active Directory)” on page 382

v “Access Manager Runtime (Domino)” on page 389

Directory name *(for the IBM GlobalSecurity Kit (GSKit) —prompted on Windowsonly)

Specifies the IBM Global Security Kit (GSKit) installationdirectory if not already installed. The default directory is:

C:\Program Files\ibm\gsk7

Although you will be prompted for the installation directoryon Windows systems only, non-Windows systems have thefollowing default installation directories:

v AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta

v HP-UX and Solaris: /opt/ibm/gsk7

v HP-UX on Integrity

– On 32-bit: /opt/ibm/gsk7_32

– On 64-bit: /opt/ibm/gsk7_64

v Linux: /usr/local/ibm/gsk7

Directory name *(for the IBM TivoliDirectory Server client —prompted on Windowsonly)

Specifies the IBM Tivoli Directory Server client installationdirectory if not already installed. The default directory is:

C:\Program Files\ibm\LDAP

Although you will be prompted for the installation directoryon Windows systems only, non-Windows systems have thefollowing default installation directories:

v AIX and Linux: /usr/ldap

v HP-UX and Solaris: /opt/IBM/V6.1

Directory name *(for the IBM Tivoli SecurityUtilities —prompted on Windowsonly)

Specifies the IBM Tivoli Security Utilities installationdirectory. The default directory is:

C:\Program Files\Tivoli\Policy Director

v UNIX and Linux: /opt/IBM/Tivoli/SecUtilities

430 Tivoli Access Manager Installation Guide


Table 35. install_amwebadk configuration options (continued). * indicates a required option.

Directory name * (for the Access Manager Runtime, prompted on Windows only)
    Specifies the Access Manager Runtime installation directory. The default directory is:

    C:\Program Files\Tivoli\Policy Director

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX or Linux: /opt/PolicyDirector

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations that are defined by the Tivoli Access Manager product.

Directory name * (for Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.

    - If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
    - If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:

    - Windows: C:\Program Files\ibm\tivoli\common
    - UNIX or Linux: /var/ibm/tivoli/common

    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

    See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

    If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:

    - Windows: C:\Program Files\Tivoli\Policy Director\log
    - UNIX or Linux: /var/PolicyDirector/log


Table 35. install_amwebadk configuration options (continued). * indicates a required option.

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: pdmgr or pdmgr.tivoli.com

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Policy server CA certificate file
    Specifies the name of the policy server certificate file that is used by the certificate authority (CA), which is the Tivoli Access Manager certificate authority (PDCA). Configuration of the Tivoli Access Manager policy server creates and saves a default SSL base64-encoded certificate authority file named pdcacert.b64. The SSL key file and certificate are created using FIPS-approved algorithms.

    To obtain this file, do one of the following tasks:

    - During configuration of Access Manager Runtime, leave this field blank and the pdcacert.b64 file is downloaded automatically from the policy server named above.
    - Manually copy the pdcacert.b64 file to the Tivoli Access Manager system before configuring the Access Manager Runtime component. You must distribute this file to each machine in your secure domain; it is needed for successful configuration.

    This file is what each component uses to trust the policy server, so copying it out of band lets you confirm it came from the intended server rather than accepting whatever host answers at configuration time.

    The default location is:

    - Windows: C:\Program Files\Tivoli\Policy Director\keytab\pdcacert.b64
    - UNIX or Linux: /var/PolicyDirector/keytab/pdcacert.b64

Domain *
    Specifies the name of the Tivoli Access Manager default domain, which is known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default domain name is Default.

Local host name *
    The installation wizard detects and fills in the host name of your system.

    Specifies the fully qualified name or IP address of the host system on which this component is being configured. For example: dana.tivoli.com

Registry server host name *
    Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com


Table 35. install_amwebadk configuration options (continued). * indicates a required option.

Registry server port *
    Specifies the port number on which the registry server listens for requests. The default port number is 389.

Directory name * (for the Web security runtime, prompted on Windows only)
    Specifies the Web security runtime installation directory. The default directory is:

    C:\Program Files\Tivoli\PDWebRTE

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX or Linux: /opt/pdwebrte


install_amwebars

Table 36 lists configuration option descriptions for a Tivoli Access Manager Attribute Retrieval Service system. You are prompted for these options during configuration using the install_amwebars installation wizard as instructed in “Installing using the installation wizard” on page 219.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 36. install_amwebars configuration options. * indicates a required option.

Directory name * (for IBM HTTP Server, prompted on Windows only)
    Specifies the IBM HTTP Server installation directory. The default installation directory is: C:\Program Files\IBMHttpServer

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

    - AIX: /usr/IBM/HTTPServer
    - All other UNIX or Linux platforms: /opt/IBM/HTTPServer

Directory name * (for WebSphere Application Server, prompted on Windows only)
    Specifies the WebSphere Application Server installation directory. The default installation directory is: C:\Program Files\IBM\WebSphere\AppServer

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

    - AIX: /usr/IBM/WebSphere/AppServer
    - All other UNIX or Linux platforms: /opt/IBM/WebSphere/AppServer

Node name *
    Specifies the WebSphere node name that is used for administration. This name must be unique within its group of nodes (cell). The node host name is the DNS name or IP address of your local system. For example: wasserver1.tivoli.com or wasserver1

Local host name *
    The installation wizard detects and fills in the host name of your system.

    Specifies the fully qualified local host name or IP address of the host machine on which the Access Manager Attribute Retrieval Service is to run. For example: dana.tivoli.com

Local administrator ID *
    Specifies the identifier for the administrator account of the local host system on which you are logged on. On UNIX or Linux, this is root; on Windows, this is Administrator.

Local administrator password *
    Specifies the password for the administrator account of the local host system. This administrator password was created when you created your operating system administrator account.

Directory name * (for Tivoli Access Manager Attribute Retrieval Service, prompted on Windows only)
    Specifies the installation directory for the Access Manager Attribute Retrieval Service component. The default installation directory is: C:\Program Files\Tivoli\PDWebARS


install_amwpi

The installation wizard for the Tivoli Access Manager plug-in for Web servers (install_amwpi) first prompts you for Access Manager Runtime configuration options based on the type of registry server.

Table 37 lists additional options prompted for during installation using the install_amwpi wizard as instructed in “Installing using the installation wizard” on page 241.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for Secure Sockets Layer (SSL).

Table 37. install_amwpi configuration options. * indicates a required option.

Registry server host name *
    Specifies the host name or IP address of the registry server. You can specify the fully qualified host name with or without the domain extension. Examples: registryserver or registryserver.tivoli.com

Registry server port *
    Specifies the port number on which the registry server listens for requests. The default port number is 389.

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server. The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: pdmgr or pdmgr.tivoli.com

Policy server port *
    Specifies the port number on which the policy server listens for requests. The default port number is 7135.

Directory name * (for the plug-in for Web servers; on Windows, the plug-in for IIS; prompted on Windows only)
    Specifies the directory where you want to install the Tivoli Access Manager plug-in for Web servers. The default installation directory is: C:\Program Files\Tivoli\PDWebPI

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX or Linux: /opt/PDWebPI/bin

Directory name * (for Web Security Runtime, prompted on Windows only)
    Specifies the directory where the Access Manager Web Security Runtime is installed. The default installation directory for Windows is:

    C:\Program Files\Tivoli\PDWebRTE

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX or Linux: /opt/pdwebrte

Tivoli Access Manager administrator ID *
    Specifies the identifier for an existing administrator account for the Tivoli Access Manager domain. The default administrator ID is sec_master.


Table 37. install_amwpi configuration options (continued). * indicates a required option.

Tivoli Access Manager administrator password *
    Specifies the password for the specified Tivoli Access Manager administrator ID. This administrator password was created when the administrator account was created. Basic authentication requires the Tivoli Access Manager administrator to enter a valid user name and password before access to a secure online resource can be granted.

Local host name *
    The installation wizard detects and fills in the host name of your system.

    Specifies the fully qualified name or IP address of the host system. When multiple host names are used, this field determines which host name is to be used by Tivoli Access Manager. The dot (.) cannot be the last character of the host name. For example: dana.tivoli.com

Enable Tivoli Common Directory for logging
    Select whether to enable Tivoli Common Directory. Selecting the check box means that you want to use the Tivoli Common Directory. If the check box is not selected, Tivoli Access Manager writes its message and trace log data to the default locations that are defined by the Tivoli Access Manager product.

Directory name * (for Tivoli Common Directory)
    Specifies the fully qualified path for the Tivoli Common Directory.

    - If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location is displayed in the field but cannot be modified.
    - If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

    If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:

    - Windows: C:\Program Files\ibm\tivoli\common
    - UNIX or Linux: /var/ibm/tivoli/common

    Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

    See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

    If Tivoli Common Directory is not enabled, Tivoli Access Manager writes its message and trace log data to the following location:

    - Windows: C:\Program Files\Tivoli\Policy Director\log
    - UNIX or Linux: /var/PolicyDirector/log


Table 37. install_amwpi configuration options (continued). * indicates a required option.

Web server
    Choose the type of Web server to be used with the Tivoli Access Manager plug-in for Web servers. The list displayed depends on the installation platform. Select one Web server from the list displayed.

    The Tivoli Access Manager plug-in for Web servers supports these servers and platforms:

    - IBM HTTP Server
    - Apache Web Server
    - Sun Java System Web Server
    - Microsoft Internet Information Services

    Note: The Web server selected must already be installed and configured.

Web server configuration directory with full path *
    Specifies either the directory that contains the Web server configuration file or the Sun Java System Web Server installation root directory, depending on the type of Web server selected. The set of characters permitted in a directory or file name is determined by the file system and by the local code set.

    The default locations depend on the installation platform. The default directories are:

    - Apache Web Server on AIX, Linux (System z), or Solaris: /usr/local/apache/conf
    - IBM HTTP Server on AIX: /usr/HTTPServer/conf
    - IBM HTTP Server on Linux (x86 or System z): /opt/IBMHTTPServer/conf
    - IBM HTTP Server on Solaris: /opt/IBMHTTPD/conf
    - Sun Java System Web Server on AIX and Solaris: /opt/SUNWwbsvr

Enable SSL with the registry server
    Select the check box to enable SSL communication. You can enable SSL to protect information, such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate. SSL allows the data that is transmitted between the IBM Tivoli Access Manager plug-in for Web servers and the registry server to be encrypted, providing data privacy and integrity. Without SSL, the bind credentials and user data exchanged with the registry server cross the network unencrypted.

    Note: You must first configure the registry server for SSL access.

    Default: enabled (The check box is selected.)

    If SSL is enabled, you are prompted for the following values:

SSL key file with full path *
    Specifies the fully qualified path where the existing SSL client key file is located. Use the SSL key file to handle certificates that are used in SSL communication with the registry server. The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database. Any file extension can be used, but the file extension is normally .kdb. For example: c:\keytab\mykeys.kdb

    If you plan to enable SSL, copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the registry server. Because the copy holds the client certificate and is unlocked by the password entered in the next option, restrict read access on it to the account that runs the wizard and the plug-in.


Table 37. install_amwpi configuration options (continued). * indicates a required option.

SSL key file password *
    Specifies the password that is associated with the existing SSL key file. If the gsk7ikm utility is used to change the SSL key file password, remember the new password.

Certificate label
    Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: DANASSLKEY.

    Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

SSL port *
    Specifies the port number on which the registry server listens for SSL requests. SSL communication takes place between the Tivoli Access Manager plug-in for Web servers and the registry server. A valid SSL port number is any positive number that is allowed by TCP/IP and is not currently being used by another application. The default port number is 636.


install_amwpm

Table 38 lists configuration option descriptions for a Tivoli Access Manager Web Portal Manager system. You are prompted for these options during configuration using the install_amwpm installation wizard as instructed in “Installing using the installation wizard” on page 201.

Note: You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 38. install_amwpm configuration options. * indicates a required option.

Directory name * (for IBM HTTP Server, prompted on Windows only)
    Specifies the IBM HTTP Server installation directory. The default directory is:

    C:\Program Files\IBM HTTP Server

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

    - AIX: /usr/HTTPServer
    - HP-UX, Linux and Solaris: /opt/IBMHTTPServer

Directory name * (for IBM WebSphere Application Server, prompted on Windows only)
    Specifies the IBM WebSphere Application Server installation directory. The default directory is:

    C:\Program Files\IBM\WebSphere\AppServer

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

    - AIX: /usr/WebSphere/AppServer
    - HP-UX, Linux and Solaris: /opt/IBM/WebSphere/AppServer

    If a compatible version of WebSphere Application Server is detected by the wizard, you are given the choice to use that version or have the wizard install a new one. If you choose to use the existing WebSphere Application Server, ensure you also have the plug-ins and HTTP server installed and working properly before continuing with the wizard. If you do not have a working HTTP server, choose the native install method to install the Web Portal Manager.

Node name *
    Specifies the WebSphere node name that is used for administration. This name must be unique within its group of nodes (cell). The host name is the Domain Name System (DNS) name or IP address of your local system.

Local host name *
    The installation wizard detects and fills in the host name of your system.

    Specifies the fully qualified name or IP address of the host system on which the Web Portal Manager is to be located. For example: dana.tivoli.com

Local administrator ID *
    Specifies the administrator identifier with which you are logged on to your local system. (On UNIX or Linux, this is root; on Windows, this is Administrator.)


Table 38. install_amwpm configuration options (continued). * indicates a required option.

Local administrator password *
    Specifies the password of the local administrator ID.

Directory name * (for Access Manager Runtime for Java, prompted on Windows only)
    Specifies the Access Manager Runtime for Java directory. The default directory is:

    C:\Program Files\Tivoli\Policy Director

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX and Linux: /opt/PolicyDirector

Policy server host name *
    Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain.

    Examples: pdmgr or pdmgr.tivoli.com

    Note: You are prompted for this option twice during configuration.

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

    Note: You are prompted for this option twice during configuration.

JRE directory *
    Specifies the fully qualified path of the Java Runtime Environment (JRE) that is being configured for Tivoli Access Manager. The path is the JRE that was installed with WebSphere Application Server.

Policy server administrator ID *
    Specifies the administrator identifier of the Tivoli Access Manager management domain. The default policy server administrative ID is sec_master.

Policy server administrator password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Tivoli Access Manager domain *
    Specifies the name of the Tivoli Access Manager domain. The default domain name is Default, which indicates the management domain.

Web server *
    Specifies the Web server which is used by WebSphere Application Server, either IBM HTTP Server or Microsoft Internet Information Services.

This Access Manager domain contains an authorization server
    Indicates that the Tivoli Access Manager authorization server is to be configured.

Enable SSL with the IBM WebSphere Application Server
    Indicates that Secure Sockets Layer (SSL) security is to be enabled between Web Portal Manager and IBM WebSphere Application Server.


Table 38. install_amwpm configuration options (continued). * indicates a required option.

Authorization server host name *
    Specifies the host name or IP address of the Tivoli Access Manager authorization server.

Authorization server port *
    Specifies the port number used by the authorization server. The default port number is 7136.

IBM WebSphere Application Server administrator ID *
    Specifies the ID of the IBM WebSphere Application Server administrator.

IBM WebSphere Application Server administrator password *
    Specifies the password for the IBM WebSphere Application Server administrator.

Trust store file with full path *
    Specifies the fully qualified path where the existing trust store file is located.

Trust store file password *
    Specifies the password for the trust store file.

SSL key file with full path *
    Specifies the fully qualified path to the existing SSL key file. The key file holds the client-side certificates used in SSL communications.

SSL key file password *
    Specifies the password associated with the SSL key file.

Host name *
    Specifies the host name or IP address of the IBM WebSphere Application Server.

Port *
    Specifies the SOAP port used by the IBM WebSphere Application Server. The default port number is 8880.

    Note: Change this value only if the server is already configured to use a different port number. This process does not attempt to set this value for the server.

Application server or cluster name *
    Specifies the name of the application server or cluster where Web Portal Manager is to be deployed.

Web server name
    Specifies the name of the Web server.


install_ldap_server

Table 39 lists configuration options for IBM Tivoli Directory Server and its prerequisite software.

Notes:

1. Depending on whether you are installing on a Windows, UNIX, or Linux platform, you might be prompted for these options in a different sequence than listed.

2. You might not see all of the configuration options if a runtime or prerequisite component has already been installed or if you are not configuring for SSL.

Table 39. install_ldap_server configuration options. * indicates a required option.

Directory name * (for the IBM Global Security Kit (GSKit), prompted on Windows only)
    Specifies the IBM Global Security Kit (GSKit) installation directory. The default directory is:

    C:\Program Files\ibm\gsk7

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directories:

    - AIX: /usr/opt/ibm/gsksa and /usr/opt/ibm/gskta
    - HP-UX and Solaris: /opt/ibm/gsk7
    - HP-UX on Integrity:
      - On 32-bit: /opt/ibm/gsk7_32
      - On 64-bit: /opt/ibm/gsk7_64
    - Linux: /usr/local/ibm/gsk7

Directory name * (for IBM DB2, prompted on Windows only)
    Specifies the IBM DB2 installation directory. The default directory is:

    C:\Program Files\IBM\SQLLIB

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX or Linux: /opt/IBM/db2/V9.1

Directory name * (for IBM Tivoli Directory Server, prompted on Windows only)
    Specifies the IBM Tivoli Directory Server installation directory. The default directory is:

    C:\Program Files\IBM\LDAP

    Although you will be prompted for the installation directory on Windows systems only, non-Windows systems have the following default installation directory:

    - UNIX or Linux: /opt/IBM/ldap/V6.1


Table 39. install_ldap_server configuration options (continued). * indicates a required option.

DB2 administrator ID (also used for the instance name) *
    Specifies the identifier of the DB2 database owner (administrator); the same identifier is used as the name of the directory server instance. The administrator ID owns the database instance where the DB2 database exists, and the identity is used for both the DB2 administrator ID and the DB2 database owner ID.

    On Windows platforms, the user must be a member of the Administrators group and must be in the same domain as the administrator ID. On UNIX or Linux platforms, the user must have a home directory and must be the owner of the home directory.

    For example, ldapdb2 (UNIX) or db2admin (Windows). For guidelines, see “Preinstallation requirements” on page 54.

DB2 administrator password *
    Specifies the password for the DB2 database owner ID that you created when you configured IBM DB2. The password must be set correctly and ready to use.

Group for the DB2 administrator (UNIX)
    A list of the names of all the existing groups of which the user root is currently a member. The default group is bin.

Create the DB2 administrator if it does not already exist
    Prior to installation, you can create a DB2 database owner ID. If the check box is not selected, the DB2 administrator user must already exist, or you must exit the installation wizard to create the account.

    Select the check box to specify that the installation wizard should automatically create the DB2 administrator account.

    Default: enabled (The check box is selected.)

Directory server database home *
    Specifies the fully qualified path where the DB2 database will be located.

    - Windows: C:
    - AIX and HP-UX: /home/ldapdb2
    - Linux: /home/ldapdb2
    - Solaris: /export/home/ldapdb2

DB2 database name *
    Specifies the name of the DB2 database. The database name can be anything you choose. The default is amdb.


Table 39. install_ldap_server configuration options (continued). * indicates a required option.

Configuration Options Description

Encryption seed

Specifies the seed that is used to create the key stash file for the IBM Tivoli Directory Server instance. The encryption seed is used to generate a set of Advanced Encryption Standard (AES) secret key values. These values are stored in the IBM Tivoli Directory Server instance key stash file and are used to encrypt and decrypt the IBM Tivoli Directory Server stored password and secret key attributes.

The seed can be anything you choose. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range of 33 to 126, such as a-z, A-Z, and 0-9. For more specific information about what characters can be used, see the IBM Tivoli Directory Server installation and configuration documentation. The seed must be a minimum of 12 and a maximum of 1016 characters in length. For example: 0123456789012

The seed is the secret from which the AES keys are derived, so choose a randomly generated value rather than a predictable one such as the example above. Record the encryption seed in a secure location; you need it if you export data to an LDIF file or regenerate the key stash file.

Administrator ID *

Specifies the administrator's distinguished name (DN), which was created when you configured the LDAP server. The administrator DN is the DN that is used by the administrator of the directory. This administrator is the one user who has full access to all data in the directory. The ID is also referred to as the bind DN. The default administrator ID is cn=root.

Administrator password *

Creates a new password for the LDAP administrator ID.

Password confirmation * (prompted on Windows only)

Specifies the LDAP administrator ID password again for confirmation.

User-defined suffix

Specifies a suffix to maintain user and group data. For example: o=ibm,c=us

Minimal

Specifies a type of format for LDAP objects that are used to maintain the user and group tracking information. This format is valid only for IBM Tivoli Access Manager Version 6.0 or later. Use this format if you want to reduce the size of your user registry information by using minimal user and group tracking information.

Standard

Specifies a type of format for LDAP objects that are used to maintain the user and group tracking information. This format keeps the complete user and group tracking objects and is compatible with versions of IBM Tivoli Access Manager earlier than 6.0. Use this format unless you need the smaller registry footprint of the minimal format.

Local host name *

Specifies the fully qualified name or IP address of the host system on which the LDAP server is to be located. The installation wizard detects and fills in the host name of your system. For example: dana.tivoli.com


Table 39. install_ldap_server configuration options (continued). * indicates a required option.

Configuration Options Description

Non-SSL port *

Specifies the port number on which the LDAP server listens. The default port number is 389.

SSL port *

Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.

SSL key file with full path *

Specifies the fully qualified path where the existing SSL client key file is located or, if the Create SSL key file check box is selected, where the newly created SSL key file will be located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

If the SSL key file is created automatically by the installation wizard, the full path and key file name is either C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb or any path and SSL key file name that you choose.

SSL key file password *

Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label

Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

Create SSL key file

Select the check box to create an SSL key file. The key file holds the client-side certificates that are used in SSL communication. The installation wizard uses IBM Global Security Kit (GSKit) to generate the certificate and the SSL key file.

Default: enabled (The check box is selected.)

Enable Federal Information Processing Standards (FIPS)

Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.

Default: not enabled (The check box is not selected.)
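The encryption seed rules in Table 39 (printable characters with ISO-8859-1 values 33 to 126, length 12 to 1016) are easy to get wrong by hand, and the example seed 0123456789012 is valid but predictable. The following Python is an added example, not part of the IBM documentation: it reports every rule a candidate seed breaks and generates a random seed from the operating system CSPRNG that satisfies the rules. The function names and the 32-character default length are this example's own choices.

```python
import secrets
from typing import List

# Rules from Table 39: characters with ISO-8859-1 values 33..126, length 12..1016.
SEED_MIN_LEN = 12
SEED_MAX_LEN = 1016
SEED_ALPHABET = "".join(chr(code) for code in range(33, 127))


def validate_encryption_seed(seed: str) -> List[str]:
    """Return the list of rule violations for ``seed``; an empty list means it is acceptable."""
    problems = []
    if len(seed) < SEED_MIN_LEN:
        problems.append(f"too short: {len(seed)} < {SEED_MIN_LEN}")
    if len(seed) > SEED_MAX_LEN:
        problems.append(f"too long: {len(seed)} > {SEED_MAX_LEN}")
    # Anything outside 33..126 (spaces, tabs, accented letters, control characters) is rejected.
    bad = sorted({ch for ch in seed if not 33 <= ord(ch) <= 126})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(ch) for ch in bad))
    return problems


def generate_encryption_seed(length: int = 32) -> str:
    """Build a seed from the OS CSPRNG using only allowed characters (the length is this example's choice)."""
    if not SEED_MIN_LEN <= length <= SEED_MAX_LEN:
        raise ValueError(f"length must be between {SEED_MIN_LEN} and {SEED_MAX_LEN}")
    return "".join(secrets.choice(SEED_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The manual's example seed passes the syntax check but should not be used in production.
    print("0123456789012     ->", validate_encryption_seed("0123456789012") or "ok")
    print("has a space in it ->", validate_encryption_seed("has a space in it"))
    print("generated         ->", generate_encryption_seed())
```

The allowed range includes shell-sensitive characters such as quotes and backslashes; if you paste a generated seed into a response file or a command line, quote it, or restrict SEED_ALPHABET to letters and digits, which the manual's example shows are accepted.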


Chapter 22. pdconfig options

This section lists descriptions of the options that you are prompted for during configuration of Tivoli Access Manager components using the pdconfig utility. Depending on whether you are installing on a Windows, UNIX, or Linux platform, you might be prompted for these options in a different sequence than listed.

Tivoli Access Manager packages that require configuration are as follows:

v “Access Manager Runtime — LDAP” on page 448

v “Access Manager Runtime — Active Directory” on page 451

v “Access Manager Runtime — Domino” on page 455

v “Access Manager Attribute Retrieval Service” on page 457

v “Access Manager Authorization Server” on page 458

v “Access Manager Runtime for Java” on page 459

v “Access Manager Plug-in for Edge Server” on page 461

v “Access Manager Plug-in for Web Servers on UNIX” on page 462

v “Access Manager Plug-in for Web Servers on Windows” on page 464

v “Access Manager Policy Server” on page 465

v “Access Manager Policy Proxy Server” on page 467

v “Access Manager Web Portal Manager” on page 468

v “Access Manager WebSEAL” on page 471


Access Manager Runtime — LDAP

Table 40 lists options prompted for during configuration of the Access Manager Runtime package using an LDAP registry.

Table 40. Access Manager Runtime configuration options – LDAP. * indicates a required option.

Configuration option Description

Will the policy server be installed on this machine

Indicates whether the policy server will be installed on the same machine.

Enable Tivoli Common Directory for logging

Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Directory Name (for Tivoli Common Directory)

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory names are:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log

Registry

Specifies the type of registry server to be set up for Tivoli Access Manager. Select LDAP.

LDAP server host name

Specifies the host name or IP address of the LDAP registry server. You can specify the fully qualified host name with or without the domain extension. Examples: ldapserver or ldapserver.tivoli.com


Table 40. Access Manager Runtime configuration options – LDAP (continued). * indicates a required option.

Configuration option Description

LDAP server port

Specifies the port number on which the LDAP registry server listens. The default port number is 389.

If the Tivoli Access Manager policy server is not installed on the same system as the Access Manager Runtime, you are prompted for the next two values:

Policy server host name

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples: pdmgr or pdmgr.tivoli.com

Policy server SSL port

Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Domain

Specifies the name of the Tivoli Access Manager default domain, which is also known as the management domain. This domain is created when the policy server is configured. The default domain enforces security policies for authentication, authorization, and access control. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those tasks in other domains. The default value is Default, which indicates the management domain.

On systems other than Windows, you can enable SSL connections between this Tivoli Access Manager runtime system and the LDAP server. If selected, you are prompted for the next values:

Non-SSL port *

Specifies the port number on which the LDAP server listens. The default port number is 389.

Port number *

Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.


Table 40. Access Manager Runtime configuration options – LDAP (continued). * indicates a required option.

Configuration option Description

Key file with full path *

Specifies the fully qualified path where the existing SSL client key file is located or, if the Create SSL key file check box is selected, where the newly created SSL key file will be located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

Copy the SSL key file to any directory on your local system. This key file must be obtained (copied) from the LDAP server. Because a .kdb file can contain private keys, copy it over a protected channel and restrict read access to the account that runs the Tivoli Access Manager processes.

Key file password

Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label

Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

Create SSL key file

Select the check box to create an SSL key file. The key file holds the client-side certificates that are used in SSL communication. The installation wizard uses IBM Global Security Kit (GSKit) to generate the certificate and the SSL key file.

Default: enabled (The check box is selected.)

Enable Federal Information Processing Standards (FIPS)

Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.

Note: All runtimes must set their configurations to match whether or not FIPS is enabled. The runtimes cannot be mixed.

Default: not enabled (The check box is not selected.)
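The note above that all runtimes must agree on FIPS is easy to violate once several machines have been configured by hand. The following Python is an added example, not IBM code: it reads stanza-style configuration text collected from several runtimes and lists the hosts whose FIPS setting differs from the policy server's. It assumes the switch is stored as ssl-enable-fips in the [ssl] stanza of pd.conf (confirm the key name against your own pd.conf), that a missing key means FIPS is not enabled (the documented default), and that you have already copied each host's file locally; the host names and file contents are constructed sample data.

```python
import configparser
from typing import Dict, List

# Constructed pd.conf fragments from four hosts (sample data, not real files).
# Assumption: the FIPS switch is the ssl-enable-fips key in the [ssl] stanza.
SAMPLE_CONFIGS: Dict[str, str] = {
    "pdmgr.example.com": "[ssl]\nssl-enable-fips = yes\nssl-keyfile = /var/PolicyDirector/keytab/pdmgrd.kdb\n",
    "webseal1.example.com": "[ssl]\nssl-enable-fips = yes\n",
    "azn1.example.com": "[ssl]\nssl-enable-fips = no\n",
    # No ssl-enable-fips key at all: the runtime takes the default, which is not enabled.
    "legacy.example.com": "[ssl]\nssl-keyfile = /var/PolicyDirector/keytab/legacy.kdb\n",
}

TRUE_VALUES = {"yes", "true", "1"}


def fips_enabled(conf_text: str) -> bool:
    """Parse one pd.conf-style text and report whether FIPS mode is switched on."""
    # strict=False tolerates repeated keys, which stanza files sometimes contain;
    # interpolation=None keeps '%' in values (for example Windows paths) literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    value = parser.get("ssl", "ssl-enable-fips", fallback="no")
    return value.strip().lower() in TRUE_VALUES


def find_fips_mismatches(configs: Dict[str, str], reference_host: str) -> List[str]:
    """Return the hosts whose FIPS setting differs from the reference (policy server) host."""
    expected = fips_enabled(configs[reference_host])
    return sorted(host for host, text in configs.items() if fips_enabled(text) != expected)


if __name__ == "__main__":
    reference = "pdmgr.example.com"
    print(f"{reference}: FIPS {'enabled' if fips_enabled(SAMPLE_CONFIGS[reference]) else 'disabled'}")
    for host in find_fips_mismatches(SAMPLE_CONFIGS, reference):
        print(f"MISMATCH {host}: FIPS setting differs from {reference}")
```

Run it after every pdconfig session that touches the FIPS check box, before restarting the runtimes: a runtime whose setting differs from the policy server's will fail to communicate with it, and the message it logs does not say why.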


Access Manager Runtime — Active Directory

Table 41 lists options prompted for during configuration of the Access Manager Runtime package using an Active Directory registry.

Table 41. Access Manager Runtime configuration options – Active Directory. * indicates a required option.

Configuration option Description

Registry

Specifies the type of registry server to be set up for Tivoli Access Manager. Select Active Directory.

Configure to Multiple Active Directory Domains

Select the check box to configure multiple Active Directory domains. If not selected, Tivoli Access Manager is configured to a single domain.

An example of a multiple Microsoft Active Directory domain configuration is a single Tivoli Access Manager domain that spans multiple Microsoft Active Directory domains.

When configured for multiple Microsoft Active Directory domains, the command line displays the Tivoli Access Manager administrator ID (the default is sec_master) as sec_master@domain_name.

Default: not enabled (Tivoli Access Manager is configured to a single domain.)

Active Directory host name *

Specifies the Active Directory domain controller server name. For example:

adserver.tivoli.com

Active Directory domain

Specifies the Active Directory domain name. If configured to multiple domains, the name will be displayed automatically. For example: dc=tivoli,dc=com

Enable encrypted connections

Specifies whether encrypted communication to Microsoft Active Directory should be used. When the check box is selected, Kerberos is used in the Microsoft Active Directory Service Interface (ADSI) to encrypt data in the connection to the Microsoft Active Directory server. This setting is equivalent to enabling an SSL connection in a system environment that uses the LDAP client to communicate with the Active Directory server.

The default value is not enabled (Tivoli Access Manager is not configured for encryption). Without it, directory traffic between the runtime and the domain controller is not encrypted; enable it unless that network path is fully trusted.

Specify the location of the Access Manager Policy Server. If you select Access Manager Policy Server is installed on another machine, you are prompted for the host name and listening port values:


Table 41. Access Manager Runtime configuration options – Active Directory (continued). * indicates a required option.

Configuration option Description

Host name

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to as the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. You can specify the fully qualified host name with or without the domain extension. Examples: pdmgr or pdmgr.tivoli.com

Listening port

Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.

On systems where the LDAP client is used to communicate with the Active Directory server, you can enable SSL connections between the LDAP client and the Active Directory server. If Enable encrypted connections is selected, you are prompted for the next four values:

Port number

Specifies the port number on which the registry server listens for SSL requests. The default port number is 636.

Key file with full path

Specifies the fully qualified path where the existing SSL client key file is located or, if the Create SSL key file check box is selected, where the newly created SSL key file will be located. The key file holds the client-side certificates that are used in SSL communication. The file extension is always .kdb.

This key file must be created using the gsk7ikm utility and must contain the Active Directory server CA certificate, so that the runtime can validate the domain controller's server certificate.

If the SSL key file is created automatically by the installation wizard, the full path and key file name is either C:\Program Files\IBM\LDAP\V6.1\lib\am_key.kdb or any path and SSL key file name that you choose.

If enabling SSL using an existing SSL key file, manually copy the SSL key file to any directory on your local system.


Table 41. Access Manager Runtime configuration options – Active Directory (continued). * indicates a required option.

Configuration option Description

Certificate label

Specifies the label for the SSL client certificate. This label is valid only when SSL is being used and when the LDAP server has been configured to require client authentication. For example: PDLDAP.

Use a certificate label to distinguish between multiple certificates within the SSL key file or when using a certificate other than the default certificate in the key file. Otherwise, leave this field blank.

Key file password

Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Active Directory Administrator ID

Specifies the identifier for the administrator account of the Microsoft Active Directory domain. This administrator ID was created when the Microsoft Active Directory domain was created. This administrator ID should have been added to the Administrators, Domain Admins, Enterprise Admins, and Schema Admins groups. Note that this administrator user account is a Microsoft Active Directory user only, not a Tivoli Access Manager user.

Active Directory Administrator Password

Specifies the password for the Microsoft Active Directory domain administrator ID. This administrator password was created when you created your Microsoft Active Directory administrator account.

Enable the use of e-mail address as user ID

Enables the use of an e-mail address as the userPrincipalName user ID.

Global Catalog server host name (Active Directory LDAP mode only)

Specifies the Active Directory host name for the Global Catalog server.

Global Catalog server port (Active Directory LDAP mode only)

Specifies the Active Directory Global Catalog port. For non-SSL enablement, the default is 3268. For SSL enablement, the default is 3269.

Access Manager data location distinguished name

Specifies the distinguished name that is used by Microsoft Active Directory to indicate where you want to store Tivoli Access Manager data. The default value is the input value for Active Directory Domain. For example: dc=tivoli,dc=com

If Tivoli Access Manager is configured using multiple Active Directory domains, this value is automatically set to the value of the Active Directory primary domain. Note that this field is only prompted for input when the check box is not selected for Configure to Multiple Active Directory Domains.

Enable Tivoli Common Directory for logging

Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.


Table 41. Access Manager Runtime configuration options – Active Directory (continued). * indicates a required option.

Configuration option Description

Directory Name (for Tivoli Common Directory)

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory names are:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log

Directory name

Specifies the log directory for the first Tivoli software product installed.

The first time you configure Tivoli Common Directory, you can specify the directory where you want the log files to be located. Afterward, you can configure Tivoli software to use this directory.

If you are using Active Directory as your registry, an activedir.conf file is created in the following directory: %PD_INSTALL_DIR%\etc

where PD_INSTALL_DIR is the directory where Tivoli Access Manager is installed and C:\Program Files\Tivoli\Policy Director is the default Windows directory.


Access Manager Runtime — Domino

Table 42 lists options prompted for during configuration of the Access Manager Runtime package using a Lotus Domino registry.

Table 42. Access Manager Runtime configuration options – Domino. * indicates a required option.

Configuration option Description

Registry

Specifies the type of registry server to be set up for Tivoli Access Manager. Select Domino.

Domino server name

Specifies the fully qualified name of the IBM Lotus Domino server. For example:

domino1/Austin/Tivoli

Notes client password

Specifies the password associated with the Notes client software administrative user's ID file located on the IBM Lotus Domino server.

Access Manager database name

Specifies the name of the database located on the IBM Lotus Domino server that is associated with Tivoli Access Manager data. The default value is PDMdata.nsf.

Directory Name

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log


Table 42. Access Manager Runtime configuration options – Domino (continued). * indicates a required option.

Configuration option Description

Enable Tivoli Common Directory for logging

Select the check box to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.

Specify the location of the Access Manager Policy Server. If you select Access Manager Policy Server is installed on another machine, you are prompted for the host name and listening port values:

Host name

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd). The policy server manages the policy database (sometimes referred to by its original name of master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. Examples: pdmgr or pdmgr.tivoli.com

Listening port

Specifies the port number on which the Tivoli Access Manager policy server listens for SSL requests. The default port number is 7135.

Notes address book database name

The IBM Lotus Notes name and address book (NAB) located in the IBM Lotus Domino directory on your server. The database file name is set at configuration time and cannot be changed.

Default: names.nsf


Access Manager Attribute Retrieval Service

Table 43 lists options prompted for during configuration of the Access Manager Attribute Retrieval Service package.

Table 43. Access Manager Attribute Retrieval Service configuration options. * indicates a required option.

Configuration option Description

Node Name

Specifies the WebSphere node name that is used for administration. This name must be unique within its group of nodes (cell).

Local Host Name

Specifies the fully qualified name of the host system on which the Access Manager Attribute Retrieval Service will be located. The host name is the DNS name or IP address of your local system.

Local Admin ID

Specifies the administrator ID with which you are logged on. (On UNIX or Linux, this is root; on Windows, this is Administrator.)

Local Admin Password

Specifies the password of the local administrator.


Access Manager Authorization Server

Table 44 lists options prompted for during configuration of the Access Manager Authorization Server package.

Note: Configure the Access Manager Runtime package before configuring the Access Manager Authorization Server package.

Table 44. Access Manager Authorization Server configuration options. * indicates a required option.

Configuration option Description

Domain

Specifies the domain name. The default value is Default, which indicates the management domain. Do not change this value.

Policy server host name

Specifies the host name or IP address of the Tivoli Access Manager policy server (pdmgrd) that this authorization server contacts. The default value is the host name of the local system.

Policy server port

Specifies the port number on which the policy server listens for requests. The default port number is 7135.

Tivoli Access Manager administrator (or Administrator ID for domain Default)

Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master. Do not change this value.

Password

Specifies the password for the Tivoli Access Manager administrator ID.

Local host name

Specifies the fully qualified name of the host system on which the authorization server will be located.

Administration request port

Specifies the port on which the authorization server listens for administration requests. The default port is 7137.

Authorization request port

Specifies the port on which the authorization server listens for authorization requests. The default port number is 7136.


Access Manager Runtime for Java

Table 45 lists options prompted for during configuration of the Access Manager Runtime for Java package.

Table 45. Access Manager Runtime for Java configuration options. * indicates a required option.

Configuration option Description

Configuration type

To configure Access Manager Runtime for Java for use within the current Java Runtime Environment (JRE), select a configuration type:

Full: Select if you are configuring Web Portal Manager or enabling Java applications to manage and use Tivoli Access Manager security.

Stand-alone: Select if you are a developer using Runtime for Java classes. You are not prompted for policy server information.

Full path of the Java Runtime Environment to configure for Tivoli Access Manager

Specifies the path to the IBM Java Runtime Environment provided with Tivoli Access Manager. For example:

/usr/java15/jre

If you are installing a Web Portal Manager system, ensure that you specify the Java Runtime Environment installed with IBM WebSphere Application Server. For example:

/usr/WebSphere/AppServer/java/jre

Host name of the Access Manager policy server machine

Specifies the fully qualified host name of the policy server. For example:

pdmgr.tivoli.com

Port number of the Access Manager policy server machine

Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

Access Manager Policy Server domain information

Specifies the name of the Tivoli Access Manager domain that this runtime joins. The default value is Default, which indicates the management domain.

Enable Tivoli Common Directory for logging

Select to enable Tivoli Common Directory, a central location on systems running Tivoli software for storing files, such as trace and message logs.


Table 45. Access Manager Runtime for Java configuration options (continued). * indicates a required option.

Configuration option Description

Directory name

Specifies the fully qualified path for the Tivoli Common Directory.

v If the location of the Tivoli Common Directory has previously been established on the system by the installation of another Tivoli application, the directory location will be displayed in the field but it cannot be modified.

v If the location of the Tivoli Common Directory has not previously been established on the system, you can specify its location.

If Tivoli Common Directory is enabled and the directory location has not been previously established, the default common directory name is:

v Windows: C:\Program Files\ibm\tivoli\common

v UNIX or Linux: /var/ibm/tivoli/common

Beneath the Tivoli Common Directory, each Tivoli product stores its information in a product-specific subdirectory. Each product-specific directory is named with a 3-character identifier. For example, for IBM Tivoli Access Manager: tivoli_common_dir/HPD

See the IBM Tivoli Access Manager for e-business: Troubleshooting Guide for a complete list of 3-character identifiers.

If Tivoli Common Directory is not enabled, Tivoli Access Manager will write its message and trace log data to the following location:

v Windows: C:\Program Files\Tivoli\Policy Director\log

v UNIX or Linux: /var/PolicyDirector/log


Access Manager Plug-in for Edge Server

Table 46 lists options prompted for during configuration of the Access Manager Plug-in for Edge Server package. An installation wizard is not available.

Table 46. Access Manager Plug-in for Edge Server configuration options. * indicates a required option.

Configuration option Description

Port for Web Traffic Express®

Specifies the port number for the Edge Server caching proxy. The default port is 80.

Note: The Edge Server caching proxy is deprecated.

Access Manager administrator user ID

Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master.

Access Manager administrator user ID password

Specifies the password for the Tivoli Access Manager administrator ID.

Note: On Windows systems, configuration of this plug-in for an Active Directory registry server requires an administrator password for the configuration tool to perform successfully.

Chapter 22. pdconfig options 461


Access Manager Plug-in for Web Servers on UNIX

Table 47 lists configuration options for the plug-in for Web Servers on UNIX platforms.

Table 47. Plug-in for Web Servers on UNIX. * indicates a required option.

Full path name to the directory containing the Web server configuration file
    Specifies the default installation path of the Web server. Accept this path or enter a new one.
    Note: For the Sun Java System Web Server, you are prompted for the root installation directory of the Sun Java System Web Server.

Which virtual hosts are to be protected
    Specifies the menu choice number, or you can enter x to exit.

    You have three options:

    • If you want only one virtual host protected by the plug-in, enter the number that relates to the virtual host in the displayed list.

    • To secure more than one virtual host, enter values that relate to the positions of the virtual hosts in the displayed list. Separate the entered numbers by spaces.

    • Enter all to have the plug-in protect all the known virtual hosts on the server.

Access Manager administrative user ID
    Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master. For Active Directory Multiple Domain, this is sec_master@domain_name.

Access Manager administrative user ID password
    Specifies the password for the Tivoli Access Manager administrator ID.

Port number on which to listen for authorization policy updates
    An authorization update is the transfer of policy information delta packets from the authorization policy server during the application operation. Enter the port number to listen for authorization updates or accept the default value of 7237.

For LDAP registries on UNIX only, you are prompted whether to enable SSL communication.

Enable SSL communication between the Tivoli Access Manager Plug-in for Web Servers authorization server and the LDAP server
    Enabling SSL is not necessary in environments where the Web server and registry server are located in the same secure network. If you can be sure of the integrity and security of data sent between the Web server and your registry, choosing not to use SSL improves network bandwidth by removing the security overhead.

If you enable SSL between the Tivoli Access Manager Plug-in for Web Servers authorization server and the LDAP server, you are prompted for the next four values:


Location of the LDAP SSL client key file
    Specifies where you want the client key file to be placed. The default location is /usr/ldap/lib/ldapkey.kdb.
    Note: When Tivoli Access Manager Plug-in for Web Servers is installed on the same machine as the policy server and configured with SSL to LDAP, the LDAP client file cannot be shared. UNIX file permissions are essential for protecting files from unauthorized access. The LDAP client key file can be shared if the permissions allow Plug-in users access to the file.

SSL client certificate label
    Specifies the label in the client LDAP key database file of the client certificate to be sent to the server.

    This label is required only if the server is configured to require client authentication during SSL establishment or if you want to use a non-default certificate in your key file.

    Typically, the LDAP server requires only server-side certificates that were specified during creation of the client .kdb file. If the SSL client key file label is not required, leave this field blank.

LDAP SSL client key file password
    Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

LDAP server SSL port number *
    Specifies the port number on which the LDAP server listens for SSL requests. The default port number is 636.


Access Manager Plug-in for Web Servers on Windows

Table 48 lists configuration options for the plug-in for Web Servers on Windows platforms.

Table 48. Plug-in for Web Servers on Windows. * indicates a required option.

Which virtual hosts are to be protected
    Specifies a list of virtual hosts that are to be protected. Select from the list to indicate which virtual hosts you want to protect.

Access Manager administrative user ID *
    Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master. For Active Directory Multiple Domain, this is sec_master@domain_name.

Access Manager administrative user ID password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Port number on which to listen for authorization policy updates *
    Specifies the port number to listen for authorization updates. An authorization update is the transfer of policy information delta packets from the authorization policy server during the application operation. The default value is 7237.


Access Manager Policy Server

Notes:

1. You are prompted to configure the Access Manager Runtime package before configuring the Access Manager Policy Server package.

2. If you reconfigure the Tivoli Access Manager policy server, you must also reconfigure Access Manager Runtime or Access Manager Runtime for Java to use the certificates for the new policy server.

3. The policy server is not supported on UNIX or Linux platforms for Active Directory or Domino registry servers.

Table 49. Access Manager Policy Server configuration options. * indicates a required option.

Access Manager administrator ID *
    Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master. For Active Directory Multiple Domain, this is sec_master@domain_name.

Access Manager administrator password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Confirm password *
    Specify the Tivoli Access Manager administrative ID password again for confirmation.

Policy server SSL port *
    Specifies the port number on which the policy server listens for SSL requests. The default port number is 7135.

SSL certificate lifecycle *
    Specifies the number of days that the SSL certificate file is valid. The default number of days is 365.

SSL connection timeout *
    Specifies the duration (in seconds) that an SSL connection waits for a response before timing out. The default number of seconds is 7200.

Enable Federal Information Processing Standards (FIPS)
    Select the check box to enable Federal Information Processing Standards (FIPS). The installation wizard creates all keys and certificates using FIPS-approved algorithms. When using a certificate from a certificate authority (CA), if FIPS enablement is required, make sure the certificate was generated with FIPS-approved algorithms. By selecting this check box, the IBM Tivoli Directory Server will be configured to use the appropriate FIPS secure communications protocol.
    Note: All runtimes must set their configurations to match whether or not FIPS is enabled. The runtimes cannot be mixed.

    Default: not enabled (The check box is not selected).


Management domain name
    The name of the management domain. The initial administrative domain created when the policy server is configured is the management domain. The management domain name must be unique within the LDAP server. The name must be an alphanumeric string up to 64 characters long and is case-insensitive.

    The default is Default.

LDAP management domain location DN
    The distinguished name of the location within the LDAP server where the Access Manager metadata will be stored. By default, the management domain information will be stored in its own suffix using the format secAuthority=<management_domain_name>. Whether the distinguished name is specified or the default is used, the location must already exist in the LDAP server.


Access Manager Policy Proxy Server

Table 50 lists options prompted for during configuration of the Access Manager Policy Proxy Server package.

Note: Configure the Access Manager Runtime package before configuring the Access Manager Policy Proxy Server package.

Table 50. Access Manager Policy Proxy Server configuration options. * indicates a required option.

Policy server host name *
    Specifies the fully qualified host name of the policy server. For example: pdmgr.tivoli.com

Policy server port *
    Specifies the port number on which the policy server listens for requests. The default port number is 7135.

Administrator ID *
    Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master. For Active Directory Multiple Domain, this is sec_master@domain_name.

Password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Local host name *
    Specifies the fully qualified name of the host system on which the policy proxy server will be located. For example: pdproxy.tivoli.com

Administration request port *
    Specifies the administration request port. The default port is 7139.

Proxy request port *
    Specifies the proxy request port. The default port is 7138.


Access Manager Web Portal Manager

Table 51 lists options prompted for during configuration of the Access Manager Web Portal Manager package.

Table 51. Access Manager Web Portal Manager configuration options. * indicates a required option.

Full path * (IBM WebSphere Application Server installation directory)
    Specifies the existing IBM WebSphere Application Server installation directory. Type the existing fully qualified path location for one of the following types of IBM WebSphere Application Servers:

    • If clustering, specify the information for the existing IBM WebSphere Application Server network deployment.

    • If a single server, specify the information for the existing IBM WebSphere Application Server.

    Default: C:\Program Files\IBM\WebSphere\AppServer

Host name * (IBM WebSphere Application Server)
    Specifies the host name or IP address for one of the following types of IBM WebSphere Application Servers:

    • If clustering, specify the information for the existing IBM WebSphere Application Server network deployment.

    • If a single server, specify the information for the existing IBM WebSphere Application Server.

    For example: was01

Port * (IBM WebSphere Application Server)
    Specifies the port number, on which the IBM WebSphere Application Server listens for SOAP administration requests, for one of the following types of IBM WebSphere Application Servers:

    • If clustering, specify the information for the existing IBM WebSphere Application Server network deployment.

    • If a single server, specify the information for the existing IBM WebSphere Application Server.

    Use the default port number, which is server dependent.

    The default IBM WebSphere Application Server port number is 8880.
    Note: Change this value only if the server is already configured to use a different port number. This process will not attempt to set this value for the server.

Enable SSL with the IBM WebSphere Application Server
    Select the check box for Secure Sockets Layer (SSL) communication to the existing IBM WebSphere Application Server.

    Default: not enabled (The check box is not selected.)


IBM WebSphere Application Server administrator ID *
    Specifies the identifier for an administrator account for the existing IBM WebSphere Application Server. All administrator IDs must follow the IBM WebSphere Application Server naming policy.

IBM WebSphere Application Server administrator password *
    Specifies the password for the specified existing IBM WebSphere Application Server administrator ID. This administrator password was created when you created the IBM WebSphere Application Server administrator account.

SSL trust store file with full path *
    Specifies the fully qualified path where the existing trust store file is located. Use the trust store file to handle server-side certificates that are used in SSL communication. The trust store file verifies the certificate presented by the server. The signer of the SSL certificate must be recognized as a trusted certificate authority (CA). To specify the SSL client key file, type the fully qualified path and file name for the trust store file or browse and choose an existing trust store file.

SSL trust store file password
    Specifies the existing password that protects the trust store file if a secure connection with the IBM WebSphere Application Server is being used. The trust store file password was set when the trust store file was first created.

SSL key file with full path
    Specifies the fully qualified path where the existing key file is located. The key file holds the client-side certificates that are used in SSL communication. To specify the SSL client key file, type the fully qualified path and file name for the key file or browse and choose an existing key file.

SSL key file password
    Specifies the existing password that is associated with the specified client key file. The key file password was set when the key file was first created.

Clusters *
    Select an existing cluster where Web Portal Manager is to be deployed from the list displayed. You must select at least one cluster or application server. For example: WPM_Cluster

Application servers *
    Select an existing application server from the list displayed where Web Portal Manager is to be deployed. You must select at least one application server or cluster. For example: WebSphere:cell=was01Cell01,node=was01Node01,server=server1

Web servers
    Select an existing Web server from the list displayed where Web Portal Manager is to be deployed. For example: WPM_WebServer


Host name * (Tivoli Access Manager policy server or policy proxy server)
    Specifies the host name or IP address of the Tivoli Access Manager policy server or policy proxy server. The policy server manages the policy database (sometimes referred to as the master authorization database), updates the database replicas whenever a change is made to the master database, and replicates the policy information throughout the domains. The policy server also maintains location information about other resource managers operating in the domain. There must be at least one policy server defined for each domain. For example: WPM_PolServer

Port * (Tivoli Access Manager policy server or policy proxy server)
    Specifies the port number on which the Tivoli Access Manager policy server or policy proxy server listens for SSL requests. Use the default port number value, which is server-dependent. The default port number for the policy server is 7135. The default port number for the policy proxy server is 7138.

Is Access Manager authorization server configured?
    Select the check box to configure the Tivoli Access Manager authorization server.

    Default: not enabled (The check box is not selected.)

Host name *
    Specifies the existing fully qualified host name or IP address to configure the Tivoli Access Manager authorization server to be used by Web Portal Manager. For example: WPM_AuthServer

Port *
    Specifies the port number on which the Tivoli Access Manager authorization server listens for SSL requests. Use the default port number value, which is server-dependent. The default port number for the authorization server is 7136.

Administrator ID *
    Specifies the identifier for an existing administrator account for the specified Tivoli Access Manager domain. The default Tivoli Access Manager administrator ID is sec_master.

Administrator password *
    Specifies the password that is associated with the specified Tivoli Access Manager administrator ID. This administrator password was created when you created the administrator account.

Domain *
    Specifies the name of the domain. The domain must already exist. Any security policy that is implemented in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have the authority to perform those tasks in other domains. The default domain name is Default, which indicates the management domain.


Access Manager WebSEAL

Table 52 lists options prompted for during configuration of the Access Manager WebSEAL package.

Note: Configure the Access Manager Runtime package before configuring the Access Manager WebSEAL package.

Table 52. Access Manager WebSEAL configuration options. * indicates a required option.

WebSEAL instance name *
    Specifies the fully qualified host name used by the policy server to contact the WebSEAL server.

Use logical network interface
    Specifies to use a logical network interface. If yes, you are prompted for the IP address of the logical network interface.

WebSEAL host name *
    Specifies the host name of the WebSEAL server.

WebSEAL listening port *
    Specifies the port number on which the WebSEAL server listens for requests. The default port number is 7234.

Administrator ID *
    Specifies the identifier for the Tivoli Access Manager administrator of the management domain. The default administrator ID is sec_master.

Administrator password *
    Specifies the password for the Tivoli Access Manager administrator ID.

Allow HTTP access (y/n)
    Specifies whether to enable HTTP access. If selected, you must specify the HTTP port number. HTTP access is enabled by default.

HTTP port [80]
    Specifies the HTTP port. The default port number is 80. If there is a conflict with the port, configuration detects the conflict and incrementally increases the port number.

Allow secure HTTPS access (y/n)
    Specifies whether to enable HTTPS access. If selected, you must specify the HTTPS port number. HTTPS access is enabled by default.

HTTPS port [443]
    Specifies the HTTPS port. The default port number is 443. If there is a conflict with the port, configuration detects the conflict and incrementally increases the port number choice.

Web document root directory [/opt/pdweb/www-default/docs]
    Default directories are as follows:

    • UNIX or Linux: /opt/pdweb/www-default/docs

    • Windows: C:\Program Files\Tivoli\PolicyDirector\PDWeb\www-default\docs

Enable SSL with the registry server
    Specifies whether to enable encrypted Secure Sockets Layer (SSL) connections with an LDAP server.
    Note: You must first configure the LDAP server for SSL access.

    Default: enabled (check box is selected)


Key file with full path
    Specifies the fully qualified path where the SSL client key database file is located on the runtime system. This key file must be obtained from the LDAP server. Any file extension can be used, but the file extension is normally .kdb.

    Use the SSL key file to handle certificates that are used in SSL communication. The signer of the SSL certificate must be recognized as a trusted certificate authority in the client key database.

Key file password
    Specifies the existing password that is associated with the specified SSL key file. The client key file password was set when the key file was first created. Change this password by using the IBM Global Security Kit (GSKit) utility gsk7ikm. If changed, remember this password.

Certificate label
    Specifies the SSL certificate label of the client certificate in the SSL key database that is sent to the registry server if the registry server is configured to perform both server and client authorization during SSL establishment. This label is only valid when SSL is being used and when the registry server has been configured to require client authorization. Typically, the registry server requires only server-side certificates that were specified during creation of the client .kdb file. The certificate label is an alphanumeric, case-sensitive string that you choose. String values should be characters that are part of the local code set. For example: PDLDAP

    This field requires that you type any character. Because you do not need to set up client-side certificate authentication, the character that you specify is ignored.

SSL port
    Specifies the port number on which the LDAP server listens for SSL requests. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.
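Several of the rules stated in Tables 47, 49 and 52 (an alphanumeric management domain name of at most 64 characters compared case-insensitively, the default secAuthority=<name> location DN, FIPS enablement that must match across all runtimes, SSL to the registry unless the Web server and registry share a secure network, and WebSEAL's increment-on-conflict port handling) can be checked before pdconfig is run. The pre-flight script below is an added example, not IBM's code; every function and class name in it is hypothetical, and the host and port inventory it checks is constructed.

```python
"""Pre-flight check of pdconfig answers against the rules in Tables 47, 49 and 52.

Added example, not part of the IBM guide. The inventory checked at the bottom
is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Table 49: alphanumeric, up to 64 characters, compared case-insensitively.
DOMAIN_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def validate_management_domain(name: str, existing_names: list[str]) -> str:
    """Return the default LDAP location DN (secAuthority=<name>) for a valid name.

    Raises ValueError if the name breaks Table 49's format rule or collides,
    ignoring case, with a domain name already present in the LDAP server.
    """
    if not DOMAIN_NAME_RE.match(name):
        raise ValueError(f"management domain name {name!r} must be alphanumeric and 1-64 characters")
    if name.lower() in (n.lower() for n in existing_names):
        raise ValueError(f"management domain name {name!r} already exists (names are case-insensitive)")
    return f"secAuthority={name}"


@dataclass
class RuntimeConfig:
    host: str
    component: str       # e.g. "policy server", "WebSEAL", "Plug-in for Web Servers"
    fips_enabled: bool


def check_fips_consistency(runtimes: list[RuntimeConfig]) -> list[str]:
    """Table 49 note: every runtime must agree on FIPS; mixed settings are a finding."""
    if len({r.fips_enabled for r in runtimes}) <= 1:
        return []
    on = sorted(f"{r.component}@{r.host}" for r in runtimes if r.fips_enabled)
    off = sorted(f"{r.component}@{r.host}" for r in runtimes if not r.fips_enabled)
    return [f"FIPS mismatch: enabled on {on}, disabled on {off}; runtimes cannot be mixed"]


def check_registry_ssl(enable_ssl: bool, key_file: str | None, ssl_port: int | None,
                       same_secure_network: bool) -> list[str]:
    """Tables 47 and 52: SSL to the LDAP registry, or a justified reason for leaving it off."""
    findings: list[str] = []
    if not enable_ssl:
        if not same_secure_network:
            findings.append("SSL to the registry is disabled although the Web server and "
                            "registry are not on the same secure network")
        return findings
    if not key_file:
        findings.append("SSL to the registry is enabled but no client key file is given")
    elif not key_file.lower().endswith(".kdb"):
        findings.append(f"key file {key_file!r} does not use the usual .kdb extension")
    if ssl_port is None:
        findings.append("SSL to the registry is enabled but no LDAP SSL port is given (default 636)")
    elif not 1 <= ssl_port <= 65535:
        findings.append(f"LDAP SSL port {ssl_port} is not a valid TCP port")
    return findings


def resolve_webseal_port(requested: int, ports_in_use: set[int]) -> int:
    """Table 52: on a port conflict, WebSEAL configuration increments the port number."""
    if not 1 <= requested <= 65535:
        raise ValueError(f"{requested} is not a valid TCP port")
    port = requested
    while port in ports_in_use:
        port += 1
        if port > 65535:
            raise ValueError(f"no free port at or above {requested}")
    return port


def plan_webseal_ports(http_port: int, https_port: int, ports_in_use: set[int]) -> dict[str, int]:
    """Assign the HTTP and HTTPS ports one WebSEAL instance would end up with."""
    used = set(ports_in_use)
    http = resolve_webseal_port(http_port, used)
    used.add(http)
    https = resolve_webseal_port(https_port, used)
    return {"http": http, "https": https}


if __name__ == "__main__":
    # Constructed inventory: two runtimes on different hosts, one of them not FIPS.
    runtimes = [RuntimeConfig("pdmgr", "policy server", True),
                RuntimeConfig("webseal1", "WebSEAL", False)]
    print(validate_management_domain("Default", []))          # secAuthority=Default
    for finding in check_fips_consistency(runtimes):
        print("FINDING:", finding)
    for finding in check_registry_ssl(False, None, None, same_secure_network=False):
        print("FINDING:", finding)
    # Port 80 already taken on webseal1: HTTP moves to 81, HTTPS keeps 443.
    print(plan_webseal_ports(80, 443, {80}))                  # {'http': 81, 'https': 443}
```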


Chapter 23. Enabling Secure Sockets Layer (SSL) security

Between Tivoli Access Manager servers and any LDAP registry server, you can enable Secure Sockets Layer (SSL) security. When SSL is enabled, data exchanged between the Tivoli Access Manager servers and the LDAP registry server is encrypted. Both server authentication and client authentication are supported.

When enabling SSL communication, you must first configure SSL on the LDAP registry server, and then configure SSL on each Tivoli Access Manager server and on any other system that communicates with the LDAP registry server using the IBM Tivoli Directory Server client. The LDAP registry server configuration only needs to be done the first time SSL communication is set up between the LDAP server and the Tivoli Access Manager servers.

This chapter contains the following main sections:

• “Configuring IBM Tivoli Directory Server for SSL access” on page 474
• “Configuring IBM z/OS LDAP servers for SSL access” on page 485
• “Configuring Microsoft Active Directory for SSL access” on page 488
• “Configuring Active Directory Application Mode (ADAM) for SSL access” on page 491
• “Configuring Novell eDirectory server for SSL access” on page 495
• “Configuring Sun Java System Directory Server for SSL access” on page 498
• “Configuring the Tivoli Directory Server client for SSL access” on page 501
• “Configuring SSL for server and client authentication” on page 504

© Copyright IBM Corp. 2001, 2010 473


Configuring IBM Tivoli Directory Server for SSL access

The following high-level steps are required to enable SSL support for Tivoli Directory Server for server authentication. See the IBM Tivoli Directory Server Administration Guide for more information about securing directory communications. These steps assume you have already installed and configured the Tivoli Directory Server.

1. If necessary, create a key database to contain the server certificates as well as the server's private and public keys.

2. Do one of the following:

   • Request a personal certificate from a Certificate Authority (CA) and receive that personal certificate into the key database file. You also might need to add a signer certificate for the Certificate Authority to the key database file.

   • Create a self-signed certificate and extract the certificate and make it available on all client systems that will securely communicate with the server.

   Note: A client system is any Tivoli Access Manager server system as well as any other system that uses the Tivoli Directory Server client to securely communicate with the Tivoli Directory Server. This includes any system using the Access Manager Runtime component.

3. Make the key database and associated password stash file available in a secure location on the Tivoli Directory Server system.

4. Configure Tivoli Directory Server to use the key database and enable SSL.

The creation and handling of X.509 certificates and keys is performed using the IBM Global Security Kit (GSKit) key management utility, gsk7ikm. This graphical utility must be configured before use, as described in “Setting up the GSKit iKeyman utility” on page 315. See the SSL Introduction and iKeyman User's Guide for more information on this utility.

Configuration of the Tivoli Directory Server can be done using either the Web Administration Tool or the command line. The Web Administration Tool must be installed separately, as described in “Installing the Web Administration Tool” on page 338. See the IBM Tivoli Directory Server Version 6.1 Administration Guide for more information on the Web Administration Tool.

Creating the key database file

Note: If you used the install_ldap_server installation wizard to install Tivoli Directory Server, you either created a key database file or provided the name and location of an existing key database file.

A key database file also can be created using the GSKit key management utility as follows.

1. Start the key management utility, gsk7ikm, which is located in one of the following default directories:

   AIX: /usr/opt/ibm/gskta/bin/gsk7ikm

   HP-UX: /opt/ibm/gsk7/bin/gsk7ikm

   HP-UX on Integrity: /opt/ibm/gsk7_32/bin/gsk7ikm_32


   All Linux platforms: /usr/local/ibm/gsk7/bin/gsk7ikm

   Solaris and Solaris on x86_64: /opt/ibm/gsk7/bin/gsk7ikm

   Windows: C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe

2. Click Key Database File → New...

3. In the New window:
   a. Select a Key database type of CMS.
   b. Specify the name and location for the key database file. The key database file usually has a file extension of kdb.
   c. Click OK to continue.

4. In the Password Prompt window:
   a. Specify a password for the key database file which meets your organization's password complexity rules.
   b. Optional. Set an expiration time for the password.
   c. Optional. Select Stash the password to a file? to have an encrypted version of the password stored in a separate stash file.
      A stash file can be used by some applications, such as Tivoli Directory Server, so that the application administrator does not need to know the password for the key database file. The stash file has the same location and name as the key database file, but has a file extension of .sth.
   d. Click OK to create the key database file and, optionally, the stash file.

Requesting or creating a personal certificate

A personal certificate and its associated private key must be added to the key database file before SSL can be enabled between the Tivoli Directory Server system and client systems. This personal certificate represents the identity of the Tivoli Directory Server system during SSL communications.

In production or Internet environments, obtain a commercial certificate from a recognized Certificate Authority (CA) such as VeriSign. This permits other systems to verify the identity of the certificate owner using a third party, the CA. In test or intranet environments, where a lower level of security can be tolerated, a self-signed certificate can be created and used. When a personal certificate is received from a Certificate Authority (CA), or when a self-signed certificate is created by GSKit, the associated private key of the certificate is automatically added to the key database file.

Note: A self-signed certificate acts as both a personal certificate and as a signer certificate and could be used to impersonate the server or for other malicious purposes.

Using certificates from a Certificate Authority (CA)

To use a certificate from a Certificate Authority (CA), you must:
1. Request a personal certificate from a Certificate Authority (CA)
2. Receive the personal certificate into the key database file
3. Add the certificate for the Certificate Authority (CA) as a signer certificate in the key database file, if it is not already present.

Chapter 23. Enabling Secure Sockets Layer (SSL) security 475


Requesting a personal certificate from a Certificate Authority (CA)

You can obtain a personal certificate from a Certificate Authority (CA) by creating a certificate request. If you require a certificate that supports Federal Information Processing Standards (FIPS) mode, ensure that you use a Certificate Authority (CA) that can provide one that supports it.

To create a certificate request, do the following.
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
   See “Creating the key database file” on page 474 if you need to create a key database file.
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
6. Click Create → New Certificate Request....
7. In the Create New Key and Certificate Request window:
   a. In the Key Label field, enter a name for your key.
   b. In the Key size field, enter a size for your key.
   c. In the Common Name field, enter the host name of the server system.
   d. In the Organization field, enter the name of your organization. Your Certificate Authority might require you to specify a specific value.
   e. Select the appropriate value in the Country or region field.
   f. Complete any of the optional fields as desired.
   g. Specify a name and location for the certificate request. The file usually is given a file extension of .arm.
   h. Click OK to create a certificate request file.
8. Send the certificate request file to your Certificate Authority for processing.

Receiving a personal certificate from a Certificate Authority (CA)

After processing your certificate request, your Certificate Authority (CA) typically sends you two certificates: your requested personal certificate and a certificate that identifies the Certificate Authority itself. To use the personal certificate, you must receive the personal certificate into your key database file.

To receive the personal certificate into the key database:
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
6. Click Receive.
7. In the Receive Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing your personal certificate, which usually has a file extension of .arm.
   c. Click OK.
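Before a file is received in step 7, it is worth checking that it is what the dialog expects. The script below is an added example, not IBM's or GSKit's code: it tells Base64-encoded ASCII from binary DER (the data type choice in step 7a), rejects a certificate request file supplied in place of the issued certificate, and confirms that the DER payload is one complete, untruncated ASN.1 SEQUENCE. It does not verify signatures or the certificate chain; the function names are hypothetical and the sample payloads are constructed stand-ins, not real certificates.

```python
"""Sanity check of a received .arm file before it is received with gsk7ikm.

Added example, not IBM's or GSKit's code. Classifies the file as Base64-encoded
ASCII or binary DER (the data type asked for in step 7a), rejects a certificate
request handed in where the issued certificate is expected, and confirms the
DER payload is one complete ASN.1 SEQUENCE. It does not check signatures or
the chain. Sample payloads below are constructed, not real certificates.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


@dataclass
class ArmInfo:
    data_type: str          # "base64" or "binary": the gsk7ikm Receive dialog choice
    pem_label: str | None   # PEM header label, None for a binary file
    der_length: int         # bytes of DER payload


def der_sequence_length(der: bytes) -> int:
    """Return the full encoded length (header plus content) of the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    count = first & 0x7F                   # long form: count of length bytes follows
    if count == 0 or len(der) < 2 + count:
        raise ValueError("malformed DER length")
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def inspect_arm(data: bytes, expect: str = "CERTIFICATE") -> ArmInfo:
    """Classify and validate an .arm file; raise ValueError on anything unexpected."""
    match = PEM_RE.search(data)
    if match:
        label = match.group(1).decode("ascii")
        if label != expect:
            raise ValueError(f"file holds a {label}, but a {expect} was expected")
        der = base64.b64decode(re.sub(rb"\s+", b"", match.group(2)), validate=True)
        data_type = "base64"
    else:
        label, der, data_type = None, data, "binary"
    declared = der_sequence_length(der)
    if declared != len(der):
        raise ValueError(f"DER payload is {len(der)} bytes but its header declares {declared}; "
                         "the file is truncated or has trailing data")
    return ArmInfo(data_type, label, len(der))


def _pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor, as a Base64-encoded .arm file would be."""
    body = base64.encodebytes(der)
    return b"-----BEGIN " + label.encode() + b"-----\n" + body + b"-----END " + label.encode() + b"-----\n"


# Constructed payload: a SEQUENCE wrapping one INTEGER, standing in for real X.509 DER.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_CERT_ARM = _pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_REQUEST_ARM = _pem("CERTIFICATE REQUEST", SAMPLE_DER)   # the request sent out, not the answer
TRUNCATED_CERT_ARM = _pem("CERTIFICATE", SAMPLE_DER[:-1])     # one byte lost in transfer

if __name__ == "__main__":
    for name, blob in (("issued cert", SAMPLE_CERT_ARM), ("binary DER", SAMPLE_DER),
                       ("request file", SAMPLE_REQUEST_ARM), ("truncated", TRUNCATED_CERT_ARM)):
        try:
            print(name, "->", inspect_arm(blob))
        except ValueError as err:
            print(name, "-> rejected:", err)
```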


If you already have one or more personal certificates in the key database file,GSKit asks whether you want to make the certificate just received the defaultcertificate. The default certificate is used when no label is provided on a request tothe key database.

Adding the signer certificate for the Certificate Authority (CA)After processing your certificate request, your Certificate Authority (CA) typicallysends you two certificates: your requested personal certificate and a certificate thatidentifies the Certificate Authority itself. If the Certificate Authority (CA) is notalready recognized as a valid certificate signer in the key database file on theserver, then the certificate from the Certificate Authority must be added.

To add the certificate from the Certificate Authority into the key database as a signer certificate:
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Signer Certificates.
6. Click Add....
7. In the Add CA's Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing the certificate from the CA, which usually has a file extension of .arm.
   c. Click OK.
8. Enter a label for the signer certificate that you are adding. If the certificate was created by a certificate authority, you can use the name of the Certificate Authority as the label. For a self-signed certificate, use the name of the LDAP server for the label.
9. Click OK. The certificate is displayed in the key database file as a signer certificate.
10. Select the newly added signer certificate, and click View/Edit....
11. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.
12. Click OK.

The certificate from the Certificate Authority (CA) must be added as a signer certificate in the key database file on each client system as well, if it is not already present. See “Configuring the Tivoli Directory Server client for SSL access” on page 501 for details.

Continue with “Configuring a key database file for Tivoli Directory Server” on page 479.

Using self-signed certificates

In test or intranet environments, a self-signed certificate can be created and used. However, in production or Internet environments, obtain a commercial certificate from a recognized Certificate Authority (CA) as described in “Using certificates from a Certificate Authority (CA)” on page 475.


Note: A self-signed certificate acts as both a personal certificate and as a signer certificate and could be used to impersonate the server or for other malicious purposes.

Creating a self-signed certificate

To create a self-signed certificate, do the following.
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
   See “Creating the key database file” on page 474 if you need to create a key database file.
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. Click Create → New Self-Signed Certificate....
6. In the Create New Self-Signed Certificate window:
   a. In the Key Label field, enter a name for your key.
   b. In the Version field, leave the default value of X509 V3 selected.
   c. In the Key Size field, select the key size desired.
   d. In the Common Name field, enter the host name of the server system.
   e. In the Organization field, enter the name of your organization.
   f. Select the appropriate value in the Country or region field.
   g. In the Validity Period field, specify the number of days that the certificate is to be valid.
   h. Complete any of the optional fields as desired.
   i. Click OK to create a self-signed certificate and add it to your key database file.

If you already have one or more personal certificates in the key database file, GSKit asks whether you want to make the certificate just received the default certificate. The default certificate is used when no label is provided on a request to the key database.

Continue with “Extracting the certificate.”

Extracting the certificate

After you have created a self-signed certificate, you must extract the certificate for use by client systems that will securely communicate with the Tivoli Directory Server.

To extract the certificate from the key database, do the following.
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
   The personal certificates available in the key database file are displayed. The personal certificates that are displayed include both self-signed certificates and certificates previously received from a Certificate Authority (CA).
6. Select the desired personal certificate to process.
7. Click Extract Certificate....
8. In the Extract Certificate to a File window:


   a. Select the data type of the extracted file, which is usually Base64-encoded ASCII data.
   b. Specify the desired name and location for the certificate file. A file extension of .arm is generally used for this file.
   c. Click OK to extract the public key certificate.

After the certificate has been extracted to a file, that file must be made available on all the client systems that will be securely communicating with the Tivoli Directory Server. See “Configuring the Tivoli Directory Server client for SSL access” on page 501 for details.

Configuring a key database file for Tivoli Directory Server

After a key database file has been created and the necessary certificates and keys have been defined, make the key database file available for use by Tivoli Directory Server.

Using the Web Administration Tool:

To define a key database file to Tivoli Directory Server, do the following.
1. Go to the Web Administration console.
2. Log on to the Tivoli Directory Server system to be managed using the LDAP administrator DN (such as cn=root) and password.
3. Expand the Server administration → Manage security properties category in the navigation area of the Web Administration Tool and select the Key database property.
4. Specify the Key database path and file name. This is the fully qualified file specification of the key database file. If a password stash file is defined, it is assumed to have the same file specification, with an extension of .sth.
5. Specify the Key password. If a password stash file is not being used, the password for the key database file must be specified here. Then specify the password again in the Confirm password field.
6. Specify the Key label. This administrator-defined key label indicates which certificate and key in the key database is to be used.
7. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit.

You must stop and restart both the Tivoli Directory Server and the administration daemon for the changes to take effect.

See the IBM Tivoli Directory Server Version 6.1 Administration Guide if you need information about performing this task.

Using the command line:

To use the command line to set the key database file for Tivoli Directory Server, issue the command:

   idsldapmodify -D ldap_admin -w admin_pw -i file_name

where file_name contains:

   dn: cn=SSL,cn=Configuration
   changetype: modify
   replace: ibm-slapdSSLKeyDatabase
   ibm-slapdSSLKeyDatabase: fully_qualified_database_name (such as /usr/am_key.kdb)
   -
   replace: ibm-slapdSslCertificate
   ibm-slapdSslCertificate: certificate_name (such as PDLDAP)


   -
   replace: ibm-slapdSSLKeyDatabasePW
   ibm-slapdSSLKeyDatabasePW: password (such as key4ssl)

You must stop and restart both the Tivoli Directory Server and the administration daemon for the changes to take effect.

See the IBM Tivoli Directory Server Version 6.1 Administration Guide if you need information about performing this task.

Enabling SSL for Tivoli Directory Server

After configuring Tivoli Directory Server to use your key database file, you can enable SSL communications.

Using the Web Administration Tool:

To enable SSL communications, do the following:
1. Go to the Web Administration console.
2. Log on to the Tivoli Directory Server system to be managed using the LDAP administrator DN (such as cn=root) and password.
3. Click Server administration.
4. Click Manage security properties.
5. Click Settings.
6. Select the type of security:
   SSL
      Enables the server to receive either secure (default port 636) or unsecure (default port 389) communications from clients.
   SSL only
      Enables the server to receive only secure communications from clients. This is the most secure way to configure your server. The default port is 636.
   None
      Enables the server to receive only unsecure communications from clients. The default port is 389. Use this option to disable SSL security.
7. Select the authentication method.
   Server authentication
      For server authentication the Tivoli Directory Server supplies the client with the Tivoli Directory Server's X.509 certificate during the initial SSL handshake. If the client validates the server's certificate, then a secure, encrypted communication channel is established between the Tivoli Directory Server and the client application.
      For server authentication to work, the Tivoli Directory Server must have a private key and associated server certificate in the server's key database file.
   Server and client authentication
      This type of authentication provides for two-way authentication between the LDAP client and the LDAP server. With client authentication, the LDAP client must have a digital certificate. This digital certificate is used to authenticate the LDAP client to the Tivoli Directory Server.
8. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit.


9. You must stop and restart both the Tivoli Directory Server and the administration daemon for the changes to take effect. You can restart either by using the Web Administration Tool or by using the following instructions:
   a. Stop the Tivoli Directory Server using one of the following methods.
      • Remotely, issue the command:
           ibmdirctl -h host_name -D ldap_admin -w admin_pw stop
      • Locally, issue the command:
           idsslapd -I instance_name -k
      • On Windows systems, the Control Panel → Administrative Tools → Services window also can be used to stop the IBM Tivoli Directory Server Instance V6.1 - instance_name service.
   b. Stop the administration daemon using one of the following methods.
      • Remotely, issue the command:
           ibmdirctl -h host_name -D ldap_admin -w ldap_pw admstop
      • Locally, issue the command:
           idsdiradm instance_name -k
      • On Windows systems, the Control Panel → Administrative Tools → Services window also can be used to stop the IBM Tivoli Directory Server Admin Daemon V6.1 - instance_name service.
   c. Start the administration daemon using one of the following methods.
      • Issue the command:
           idsdiradm instance_name
      • On Windows systems, the Control Panel → Administrative Tools → Services window also can be used to start the IBM Tivoli Directory Server Admin Daemon V6.1 - instance_name service.
   d. Start the Tivoli Directory Server using one of the following methods.
      • Remotely, issue the command:
           ibmdirctl -h host_name -D ldap_admin -w admin_pw start
      • Locally, issue the command:
           idsslapd -I instance_name
      • On Windows systems, the Control Panel → Administrative Tools → Services window also can be used to start the IBM Tivoli Directory Server Instance V6.1 - instance_name service.

Note: You must distribute the public key certificate of the Certificate Authority (CA) of the server to each client. If server and client authentication is enabled, you also must add the public key certificate for each client system to the server's key database, if the certificate is not already recognized as a trusted signer.

See the IBM Tivoli Directory Server Version 6.0 Administration Guide if you need information about performing these tasks.

Using the command line:

To enable SSL communications, issue the command:

   idsldapmodify -D adminDN -w adminPW -i file_name

where file_name contains:

   dn: cn=SSL,cn=Configuration
   changetype: modify
   replace: ibm-slapdSslAuth


   ibm-slapdSslAuth: authentication_type
   -
   replace: ibm-slapdSecurity
   ibm-slapdSecurity: security_type

and:

authentication_type
   Specifies the type of authentication.
   serverAuth
      For server authentication the Tivoli Directory Server supplies the client with the Tivoli Directory Server's X.509 certificate during the initial SSL handshake. If the client validates the server's certificate, then a secure, encrypted communication channel is established between the Tivoli Directory Server and the client application.
      For server authentication to work, the Tivoli Directory Server must have a private key and associated server certificate in the server's key database file.
   serverClientAuth
      This type of authentication provides for two-way authentication between the LDAP client and the LDAP server. With client authentication, the LDAP client must have a digital certificate. This digital certificate is used to authenticate the LDAP client to the Tivoli Directory Server.

security_type
   Specifies the type of security.
   SSL
      Enables the server to receive either secure (default port 636) or unsecure (default port 389) communications from clients.
   SSLOnly
      Enables the server to receive only secure communications from clients. This is the most secure way to configure your server. The default port is 636.
   none
      Enables the server to receive only unsecure communications from clients. The default port is 389. Use this option to disable SSL security.

You must stop and restart both the server and the administration daemon for the changes to take effect.

Verifying that SSL has been enabled on the server

To test that SSL has been enabled, enter the following command on the Tivoli Directory Server system:

   idsldapsearch -h host_name -Z -K key_file -P key_pwd -b "" -s base objectclass=*

where:

host_name
   Specifies the DNS host name of the Tivoli Directory Server.

key_file
   Specifies the name of the key database file, with the usual file extension of .kdb. If the key database file is not in the current directory, specify the fully qualified file name.


key_pwd
   Specifies the key file password. This password is required to access the encrypted information in the key database file (which might include one or more private keys). If a password stash file is associated with the key database file, the password is obtained from the password stash file, and the -P option is not required. This option is ignored if neither -Z nor -K is specified.

-Z
   Indicates that SSL is to be used to establish the connection with the IBM Directory Server.

The idsldapsearch command returns base information from the server, which includes the suffixes on the LDAP server.
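As an added example (not code from the Tivoli Access Manager guide or from IBM), the following Python builds the two idsldapmodify input files shown above for cn=SSL,cn=Configuration and the idsldapsearch verification command, rejecting ibm-slapdSecurity and ibm-slapdSslAuth values the guide does not list and leaving the key database password out of the LDIF and out of the command line whenever a password stash file is in use. The function names are hypothetical; the sample values are the guide's own placeholders, and the host name is constructed.

```python
"""Build the cn=SSL,cn=Configuration LDIF files and the SSL verification
command described in this chapter. Added example, not IBM's code; the
function names are hypothetical."""
import shlex

SSL_DN = "cn=SSL,cn=Configuration"
SECURITY_TYPES = ("SSL", "SSLOnly", "none")         # ibm-slapdSecurity
AUTH_TYPES = ("serverAuth", "serverClientAuth")     # ibm-slapdSslAuth


def _modify_ldif(attrs):
    """Render one 'changetype: modify' entry; every (attribute, value) pair
    becomes its own 'replace:' block, separated by the LDIF '-' line."""
    blocks = [f"replace: {name}\n{name}: {value}" for name, value in attrs]
    return f"dn: {SSL_DN}\nchangetype: modify\n" + "\n-\n".join(blocks) + "\n"


def key_database_ldif(kdb_path, cert_label, password=None, use_stash=True):
    """LDIF that points Tivoli Directory Server at a key database file.

    With use_stash=True the server reads the password from the .sth stash
    file beside the .kdb, so ibm-slapdSSLKeyDatabasePW is deliberately left
    out: the LDIF would otherwise carry the password in clear text.
    """
    if not kdb_path.endswith(".kdb"):
        raise ValueError("key database path should end in .kdb")
    if not cert_label:
        raise ValueError("a key label is required")
    attrs = [("ibm-slapdSSLKeyDatabase", kdb_path),
             ("ibm-slapdSslCertificate", cert_label)]
    if not use_stash:
        if not password:
            raise ValueError("password required when no stash file is used")
        attrs.append(("ibm-slapdSSLKeyDatabasePW", password))
    return _modify_ldif(attrs)


def enable_ssl_ldif(security_type="SSLOnly", authentication_type="serverAuth"):
    """LDIF that sets ibm-slapdSslAuth and ibm-slapdSecurity, accepting only
    the values the guide lists so a typo fails here, not at the server."""
    if security_type not in SECURITY_TYPES:
        raise ValueError(f"security_type must be one of {SECURITY_TYPES}")
    if authentication_type not in AUTH_TYPES:
        raise ValueError(f"authentication_type must be one of {AUTH_TYPES}")
    return _modify_ldif([("ibm-slapdSslAuth", authentication_type),
                         ("ibm-slapdSecurity", security_type)])


def ssl_findings(security_type, authentication_type):
    """Review notes for a chosen combination, in the guide's own terms."""
    notes = []
    if security_type == "none":
        notes.append("SSL disabled: only unsecure connections on port 389")
    elif security_type == "SSL":
        notes.append("port 389 still accepts unsecure connections; "
                     "SSLOnly is the most secure setting")
    if authentication_type == "serverClientAuth":
        notes.append("clients need certificates; add each client's signer "
                     "certificate to the server key database")
    return notes


def verify_command(host, kdb_path, password=None, use_stash=True):
    """argv for the idsldapsearch check that SSL is enabled; -P is omitted
    when the stash file supplies the key database password."""
    argv = ["idsldapsearch", "-h", host, "-Z", "-K", kdb_path]
    if not use_stash:
        if not password:
            raise ValueError("password required when no stash file is used")
        argv += ["-P", password]
    argv += ["-b", "", "-s", "base", "objectclass=*"]
    return argv


if __name__ == "__main__":
    print(key_database_ldif("/usr/am_key.kdb", "PDLDAP"))
    print(enable_ssl_ldif("SSLOnly", "serverAuth"))
    # ldap.example.com is a constructed host name
    print(shlex.join(verify_command("ldap.example.com", "/usr/am_key.kdb")))
```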

Enabling FIPS

Tivoli Access Manager can be configured to run in Federal Information Processing Standards (FIPS) mode. You can make this selection when you configure the Tivoli Access Manager policy server. If the user registry to be used for Tivoli Access Manager is LDAP and if the IBM Tivoli Directory Server is to be used as the LDAP server type, you must configure the IBM Tivoli Directory Server to perform processing in FIPS mode also. If you are using a supported LDAP server other than IBM Tivoli Directory Server, see the LDAP server documentation for information on whether FIPS mode is supported and how to enable FIPS mode processing when supported.

Use the Web Administration Tool included with IBM Tivoli Directory Server to complete these steps. Be sure that the Web Administration Tool has been properly installed and configured into the IBM WebSphere Application Server first.

To enable FIPS support for the IBM Tivoli Directory Server, follow these steps:
1. Access the login page by using a supported Web browser. The default login page location is:

      http://server_name:12100/IDSWebApp/IDSjsp/Login.jsp

   where server_name is the host name of the application server where the Web Administration Tool has been installed.
2. Do one of the following:
   • If you have already added the LDAP host to be administered to the list of existing console servers, select the LDAP server host name and then skip to step 8 on page 484.
   • If you have not already added the LDAP host to the list to be administered, continue to step 3 to add the LDAP server to the list of console servers.
3. Log in as the console administrator (referred to as Console Admin). The default Console Admin identity is superadmin and the default password is secret.
4. In the navigation area on the left, select Console administration → Manage console servers to be able to view a list of the LDAP servers currently configured for administration.
5. To add another LDAP server, click Add. Enter the host name and the port number information for the LDAP server to be administered, and then click OK.
6. After you have added one or more LDAP servers to be administered, click Close to complete the step. From the navigation area, click Logout.


7. Re-access the login page using the same URL specified in step 1 on page 483. Select one of the LDAP servers that you just added from the list of LDAP servers currently configured.
8. After selecting the LDAP server from the list, enter the LDAP server administrator user name (cn=root) and the administrator password on the Login window, and then click Login.
9. In the navigation area on the left, select Server administration → Manage security properties.
10. Click Encryption property. The Encryption property page is displayed.
11. Under Implementation, select the Use FIPS certified implementation and Run server in FIPS mode check boxes, and then click OK.
12. Restart the server to make sure that the server is running in FIPS mode. To do this step, in the navigation area on the left, select Server administration → Start/stop/restart server. The Start/stop/restart server page is displayed.
13. Make sure that the Start/restart in configuration only mode check box is not selected, and then click Restart. Wait until a message is displayed that states the server has successfully been restarted and is currently running. The server is now running in FIPS mode.
14. If you have finished using the Web Administration Tool, select Logout.
15. Next, set up the IBM Tivoli Directory Server client for SSL access, if necessary. See “Configuring the Tivoli Directory Server client for SSL access” on page 501 for details.


Configuring IBM z/OS LDAP servers for SSL access

When Tivoli Access Manager and LDAP services are not on the same protected network, enable SSL communication between the LDAP server and the clients that support Tivoli Access Manager software. This protocol provides secure, encrypted communications between each server and client. Tivoli Access Manager uses these communications channels as part of the process for making authentication and authorization decisions.

To configure an LDAP server on z/OS for SSL/TLS communications, consult the IBM z/OS LDAP Server Administration and Use manual for your particular release of z/OS. This document is located at

   http://www.ibm.com/servers/eserver/System z/zos/bkserv/

The following high-level steps are required to enable SSL/TLS support for LDAP on z/OS releases 1.4 through 1.9. This includes the z/OS Security Server LDAP Server that shipped with z/OS 1.4 and subsequent releases, the z/OS Integrated Security Services LDAP Server (ISS) that shipped with z/OS 1.6 and subsequent releases, and the IBM Tivoli Directory Server for z/OS that shipped with z/OS 1.8 and subsequent releases. These steps assume that you have installed and configured the LDAP directory server, installed z/OS Cryptographic Services System SSL, and set STEPLIB, LPALIB, or LINKLIST.
1. Configure the LDAP server to listen for LDAP requests on the SSL port for server authentication and, optionally, client authentication. See “Setting the security options.”
2. Generate the LDAP server private key and server certificate. Mark the certificate as the default in the key database or key ring, or identify the certificate by using its label on the sslCertificate option in the configuration file.
   Starting with z/OS release 1.4, the z/OS LDAP Server can use certificates in a key ring managed with the RACF RACDCERT command. The gskkyman utility, which was used in previous releases, also can be used, and an example of using that utility to create a key database file can be found in “Creating a key database file” on page 486. More information on the RACDCERT command can be found in the IBM z/OS Security Server RACF Command Language Reference manual for your particular release of z/OS. This document is located at

      http://www.ibm.com/servers/eserver/System z/zos/bkserv/

3. Restart the LDAP server.

Setting the security options

The following options for SSL can be set in the ibmslapd.conf file:

listen ldap_URL
   Specifies, in LDAP URL format, the IP address (or host name) and the port number where the LDAP server will listen to incoming client requests. This parameter can be specified more than one time in the configuration file.

sslAuth {serverAuth | serverClientAuth}
   Specifies the SSL/TLS authentication method. The serverAuth method allows the LDAP client to validate the LDAP server on the initial contact between the client and the server. The serverAuth method is the default.


sslCertificate {certificateLabel | none}
   Specifies the label of the certificate that is used for server authentication. This option is needed if a default certificate is not set in the key database file or key ring, or if a certificate other than the default one is required. If this option is omitted, the default certificate is used.

sslCipherSpecs {string | ANY}
   Specifies the SSL/TLS cipher specifications that can be accepted from clients. For a complete list of the ciphers supported by your z/OS LDAP Server, consult the IBM z/OS LDAP Server Administration and Use manual for your particular release of z/OS. This document is located at

      http://www.ibm.com/servers/eserver/System z/zos/bkserv/

sslKeyRingFile filename | keyring
   Specifies the path and file name of the SSL/TLS key database file or key ring for the server.

sslKeyRingFilePW string
   Specifies the password protecting access to the SSL/TLS key database file.
   When a RACF key ring is used instead of a key database file, do not specify this option in the configuration file.
   Note: Use of the sslKeyRingFilePW configuration option is strongly discouraged. As an alternative, use either the RACF key ring support or the sslKeyRingPWStashFile configuration option. This eliminates this password from the configuration file.

sslKeyRingPWStashFile filename
   Specifies a file name where the password for the server's key database file is stashed. If this option is present, then the password from this stash file overrides the value specified for the sslKeyRingFilePW configuration option. Use the gskkyman utility with the -s option to create a key database password stash file.
   When a RACF key ring is used instead of a key database file, do not specify this option in the configuration file.
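The following Python is an added example, not code from the guide or from IBM: it reads the SSL options of an ibmslapd.conf and reports the configurations this section warns against (sslKeyRingFilePW in the file, a password option combined with a RACF key ring, an sslAuth value other than serverAuth or serverClientAuth, no SSL listener). It assumes, as z/OS LDAP does, that the SSL listener is a listen entry with an ldaps:// URL; the function names, the rule for telling a key database file from a RACF key ring name, and the two sample configurations are constructed for illustration.

```python
"""Lint the SSL options of a z/OS LDAP server ibmslapd.conf against the
guidance above. Added example, not IBM's code; the function names and the
sample configurations below are constructed for illustration."""

VALID_SSL_AUTH = {"serverAuth", "serverClientAuth"}


def parse_ibmslapd_conf(text):
    """Map each 'option value' line of ibmslapd.conf to a list of values.
    '#' lines are comments; an option such as listen may appear more than
    once, so the values are kept in order of appearance."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(parts[0], []).append(value)
    return options


def is_racf_keyring(value):
    """Assumption made by this example: a sslKeyRingFile value containing a
    path separator or ending in .kdb names a gskkyman key database file;
    anything else is treated as a RACF key ring name."""
    return not ("/" in value or value.lower().endswith(".kdb"))


def lint_ssl_options(options):
    """Return a list of findings; an empty list means the SSL/TLS settings
    follow the guidance in this section."""
    findings = []
    # The ldaps:// listen URL is the SSL port the server must be configured
    # to listen on (step 1 above).
    if not any(u.lower().startswith("ldaps://") for u in options.get("listen", [])):
        findings.append("no ldaps:// listen URL: no SSL/TLS port is configured")
    for value in options.get("sslAuth", []):
        if value not in VALID_SSL_AUTH:
            findings.append(f"sslAuth {value!r}: expected serverAuth or serverClientAuth")
    keyring = options.get("sslKeyRingFile", [""])[-1]
    if not keyring:
        findings.append("sslKeyRingFile missing: no key database or key ring "
                        "for the server certificate")
    racf = bool(keyring) and is_racf_keyring(keyring)
    if "sslKeyRingFilePW" in options:
        if racf:
            findings.append("sslKeyRingFilePW set although sslKeyRingFile "
                            "names a RACF key ring")
        else:
            findings.append("sslKeyRingFilePW stores the key database password "
                            "in the configuration file; use sslKeyRingPWStashFile "
                            "or a RACF key ring")
    if "sslKeyRingPWStashFile" in options and racf:
        findings.append("sslKeyRingPWStashFile set although sslKeyRingFile "
                        "names a RACF key ring")
    return findings


# Constructed sample: password kept in the configuration file (discouraged).
WEAK_CONF = """\
listen ldap://:389
listen ldaps://:636
sslAuth serverAuth
sslKeyRingFile /etc/ldap/ldapsrv.kdb
sslKeyRingFilePW secret123
"""

# Constructed sample: same server, password moved to a gskkyman -s stash file.
FIXED_CONF = """\
listen ldaps://:636
sslAuth serverAuth
sslCertificate LDAPSRV
sslKeyRingFile /etc/ldap/ldapsrv.kdb
sslKeyRingPWStashFile /etc/ldap/ldapsrv.sth
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_ssl_options(parse_ibmslapd_conf(conf)))
```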

Creating a key database file

The following example shows you how to use the gskkyman utility to create a key database file.
1. Start the gskkyman utility from a shell prompt (OMVS or rlogin session) as follows:

      $ gskkyman

   The gskkyman utility provides a menu-based interface. To perform a function, choose the option you want to perform by entering its number at the command prompt. You are prompted for configuration options. Press Enter after each prompt to continue.
2. Enter option 1 to create a new key database file.
3. Type a key database name or accept the default (key.kdb) and press Enter.
4. Create a password to protect the key database.
5. Re-enter the database password for verification.
6. Type a password expiration interval in days or accept the default (no expiration date).
7. Type a database record length or accept the default (2500).


   The key database is created and a message is displayed indicating the success or failure of this operation.
8. From the Key Management Menu, select option 6 to create a self-signed server certificate and follow the prompts.
9. After the certificate is created, you must extract this certificate so it can be sent to the LDAP client system and added as a trusted CA certificate. To do so, follow these steps:
   a. Select option 1 to manage keys and certificates.
   b. From the Key and Certificate List, enter the label number of the certificate to be exported.
   c. From the Key and Certificate Menu, enter option 6 to export the certificate to a file.
   d. From the Export File Format dialog, select the export format. For example, select option 1 to export to Binary ASN.1 DER.
   e. Enter the export file name.

The certificate is exported. You can now transfer the exported file to the LDAP client system, and add it as a trusted CA certificate. Since the file format of binary DER was specified on the export, this same file type must be specified to the gsk7ikm utility on the LDAP client system when doing the Add operation.


Configuring Microsoft Active Directory for SSL access

Ensure that the Active Directory domain is set up and that the Tivoli Access Manager policy server is installed and configured on a Windows 2003 system. Also ensure that the Certificate Authority (CA) is installed on the Windows Active Directory domain where Tivoli Access Manager is configured.

If the Certificate Authority (CA) is not installed, you can install it on your Active Directory server as follows:
1. Click Start → Control Panel → Add or Remove Programs.
2. Click Add/Remove Windows Components and select Certificate Services.
3. Follow the procedure provided to install the Certificate Services CA.

Verifying that SSL is enabled on the Active Directory server

To verify that SSL has been enabled on the Active Directory server, do the following:
1. Ensure that Windows Support Tools is installed on the Active Directory machine. The suptools.msi setup program is located in the \Support\Tools directory on your Windows installation CD.
2. Select Start → All Programs → Windows Support Tools → Command Prompt. Start the ldp tool by typing ldp at the command prompt.
3. From the ldp window, select Connection → Connect and supply the host name and port number (636). Also select the SSL check box.
   Note: Ensure that you type the Active Directory domain server name correctly.

If successful, a window is displayed listing information related to the Active Directory SSL connection. If the connection is unsuccessful, restart your system, and repeat this procedure.

Exporting the certificate from the Active Directory server

To export the CA certificate from the Active Directory server, follow these steps:
1. Log on as a Domain Administrator to the Active Directory domain server that is being used as the Tivoli Access Manager user registry.
2. Export the certificate from the Active Directory server to a file. To do so, follow these steps:
   a. Click Start → Control Panel → Administrative Tools → Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.
   b. Highlight the CA machine and right-click to select Properties for the CA.
   c. From the General menu, click View Certificate.
   d. Select the Details view, and click the Copy to File button in the lower-right corner of the window.
   e. Use the Certificate Export Wizard to save the CA certificate in a file.
   Note: You can save the CA certificate in either DER Encoded Binary X.509 format or Base-64 Encoded X.509 format.

After you have extracted the public key certificate of the Certificate Authority (CA) of the Active Directory server, you must distribute the certificate to every Tivoli Access Manager system that will communicate securely with the Active Directory server using the LDAP client.


Importing the certificate on the LDAP client system

After you have exported the certificate from the Active Directory server, you must import the certificate to each Tivoli Access Manager system on which you plan to set up encrypted communications. To do so, follow these steps:
1. Ensure that the following components are installed on the Tivoli Access Manager system.
   Attention: Do not configure the Access Manager Runtime component at this time.
   • IBM Global Security Kit (GSKit)
   • IBM Tivoli Directory Server client (LDAP client)
   • Access Manager Runtime
2. Ensure that you have set up the iKeyman Key Management Utility, which is installed with GSKit. For instructions, see information about setting up the GSKit iKeyman utility in “Installing the IBM Global Security Kit (GSKit)” on page 311.
3. Ensure that the extracted CA certificate is on the Tivoli Access Manager system.
4. Using the GSKit iKeyman utility, create a key database file and add the Active Directory server's CA signer certificate to this key database file. Ensure that the CA certificate that is added points to the CA certificate file extracted from the Active Directory server system.
   For instructions on creating a key database file or adding a signer certificate to the key database file on the client, see “Configuring the Tivoli Directory Server client for SSL access” on page 501.
5. To test the SSL connection to the Active Directory server with the key file that you just created, you can use the idsldapsearch command on the Tivoli Access Manager system. For instructions, see “Testing SSL access.”
6. Use the Tivoli Access Manager pdconfig utility to configure the Access Manager Runtime component. When prompted to enable encrypted connections, select Yes. For descriptions of configuration options, see “Access Manager Runtime — Active Directory” on page 451.
7. If you have additional Tivoli Access Manager components installed on this system, such as the Access Manager Authorization Server or Web Portal Manager, configure these components at this time.

SSL setup on the Active Directory Server is now complete.

Testing SSL access

After the Active Directory server recognizes the Certificate Authority (CA) that created the client's personal certificate, test SSL access using the following command on the LDAP client:

   idsldapsearch -h AD_server_name -s base -Z -K client_keyfile -P keyfile_pwd objectclass=*

The command variables are as follows:

Variable          Description
AD_server_name    Specifies the DNS host name of the Active Directory server.
client_keyfile    Specifies the fully qualified path name of the generated client key file.
keyfile_pwd       Specifies the password of the generated key file.


If successful, a window is displayed listing Active Directory server information.


Configuring Active Directory Application Mode (ADAM) for SSL access

Many operations performed with Active Directory Application Mode (ADAM) using the LDAP protocol must be performed while the connection is secured by SSL. These enforced operations include bind (authentication) and change password.

Note: You can disable SSL for ADAM, although it is not recommended. For information about disabling SSL for ADAM, see “Disabling SSL for Active Directory Application Mode (ADAM)” on page 494.

You can enable SSL with ADAM by installing a properly formatted certificate from either a Microsoft Certificate Authority (CA) or a non-Microsoft Certificate Authority. To use a Microsoft Certificate Authority (CA), see “Setting up Active Directory Application Mode (ADAM) to use SSL (Example).” To use a non-Microsoft Certificate Authority, go to the following web address for instructions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Setting up Active Directory Application Mode (ADAM) to use SSL (Example)

The procedure documented in this section is provided as an example and a reference. It describes how to use Microsoft Certificate Services to create and issue the certificate used by Active Directory Application Mode (ADAM). For complete instructions on how to set up ADAM to use SSL, see the Microsoft documentation for ADAM at the following Web address:

http://www.microsoft.com/windowsserver2003/adam/default.mspx

These instructions assume that Internet Information Server (IIS) is already installed. If IIS is not already installed, install it before installing the Microsoft Certificate Services CA.

Once IIS is installed and configured, install and use Certificate Services to enable SSL for ADAM:

1. If you have not done so already, install Certificate Services by clicking Add or Remove Programs > Add/Remove Windows Components. If your operating system is Windows 2003 Server only (meaning Active Directory is not configured), select Stand-alone CA.

   Attention: Choose the name of the certification authority carefully, because it cannot be changed after the CA setup is complete. When specifying the name of the root CA certificate, do not specify the fully qualified domain name of the workstation host name if you have Active Directory installed on the same workstation as the Certificate Authority services workstation. The ADAM certificate requires its name to be the fully qualified domain name of the workstation on which it runs. It cannot have a certificate with the same name as its CA root certificate.

2. Allow the ADAM system to trust the newly installed Certificate Authority. The root CA certificate must be installed onto the system as a trusted root:
   a. Using a web browser on the workstation running ADAM, go to http://CA_server_machine/certsrv to install the CA certificate.
   b. Click Download a CA certificate, certificate chain or CRL > Install this CA certificate chain. If this is the first time this root CA certificate has been installed to this system, a security warning will be presented. Click Yes to install the root CA certificate onto the system as a trusted root.
   c. Request a certificate for use with ADAM SSL by again using the web browser and going to http://CA_server_machine/certsrv.
   d. Click Request a Certificate > Advanced Certificate Request > Create and Submit a request to this CA.
   e. In the Name field, enter the fully qualified domain name of the ADAM machine exactly the way it appears in My Computer > Properties > Computer Name.
   f. Fill out the remaining Advanced Certificate Request information per your organization’s requirements.
   g. Select Server Authentication Certificate as the type of certificate needed.
   h. Select Create new key set as a key option.
   i. Select Store certificate in the local computer certificate store. The defaults may be used for all other fields unless otherwise required for your organization.
   j. Click Submit. Make sure you record the RequestID number for use in the next step.

3. Use the Certification Authority tool to issue the certificate request:
   a. Click Start > Administrative Tools > Certification Authority.
   b. Expand the Certification Authority CA and click the Pending Requests folder.
   c. Select the certificate request with the same RequestID from step 2j.
   d. Right-click the RequestID and select All Tasks > Issue to issue the certificate. In the Certification Authority tool, the request will now move from the "Pending Requests" folder to the "Issued Certificates" folder.

4. Install the issued certificate:
   a. Open a web browser and enter http://CA_server_machine/certsrv.
   b. Select View the status of a pending certificate request.
   c. Select the request and click Install this certificate. After a warning about installing a certificate on this machine, click Yes to install the certificate into the system key store.

5. Use the Microsoft Management Console to install the certificate for use by ADAM:
   a. Run mmc.exe and select File > Add/Remove Snap-in.
   b. Click Add... and select the Certificates snap-in.
   c. Click Add. On the Certificate Snap-in panel, select Service Account and click Next.
   d. Select the workstation to be managed and click Next. On the Service account panel, scroll to locate and select the ADAM instance service name and click Finish.
   e. After returning to the Add Standalone Snap-in panel, select the Certificates snap-in and click Add.
   f. Select Computer Account and click Next.
   g. Select the workstation to be managed and click Next.
   h. Close the Add Standalone Snap-in panel.
   i. Click OK to add the snap-ins.
   j. Go to the Certificates (Local Computer) > Personal > Certificates folder and verify that the certificate is installed. Double-click the certificate and confirm that the General tab states, "You have a private key that corresponds to this certificate." Click OK to dismiss the Certificate information panel.

6. Use the following steps to give the ADAM service account read permission on the keystore of the certificate above:
   a. From the command line, run the certutil -store my command to identify the Key Container of the ADAM certificate.
   b. Using Microsoft Explorer, go to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys and match the Key Container name you determined in step 6a with the file in this folder.
   c. Right-click the file and choose Properties.
   d. On the Security tab, click Add > Advanced > Find Now and choose the service account under which ADAM is running.
   e. Click OK twice to add Read permission to the certificate keystore for the ADAM service account.
7. Test the ADAM SSL setup using ldp:
   a. Bring up ldp.exe by typing ldp from an ADAM tools command prompt on the ADAM system. To start an ADAM tools command prompt, click Start > All Programs > ADAM > ADAM Tools Command Prompt.
   b. In the ldp tool, click Connect in the Connection tab.
   c. Fill in the fully qualified domain name of the ADAM workstation hostname.
   d. Enter 636 in the Port field.
   e. Check the SSL check box and click OK.
   f. Once successfully connected, click Connection > Bind and put in an ADAM user and password to bind to the server. If the ldp tool is able to successfully connect and bind to the ADAM instance, SSL is configured properly.

Configuring Access Manager SSL for use with Active Directory Application Mode (ADAM)

When Active Directory Application Mode (ADAM) is properly configured to use SSL, Tivoli Access Manager must be configured to recognize the ADAM server and connect via SSL. If Microsoft Certification Services was used to create and install the ADAM certificate, the Certificate Authority root certificate must be downloaded to the Access Manager system and established as a trusted root authority.

To download the CA root certificate, follow these steps:
1. Open a web browser on the Access Manager workstation and go to the following Web address:
   http://CA_server_machine/certsrv
2. Click Download a CA certificate, certificate chain, or CRL.
3. Select the CA certificate to be downloaded.
4. Select Base 64 as the encoding method choice.
5. Click Download CA certificate.
6. When prompted, select Save the file and specify a path and filename on the local system in which to save the downloaded root certificate.
7. To configure the Access Manager client to establish the downloaded CA root certificate as a trusted root (signer) and test the SSL connection to ADAM, use the instructions found in “Configuring the Tivoli Directory Server client for SSL access” on page 501.

Disabling SSL for Active Directory Application Mode (ADAM)

Active Directory Application Mode (ADAM) requires that any operation performed with a user’s password is done on an SSL-secured connection. Using an SSL connection when using LDAP as the user registry is recommended, although the use of SSL is optional. When ADAM is used as the user registry, SSL must be used or the requirement for SSL must be disabled on the ADAM instance being used by Access Manager. To disable the requirement for SSL on ADAM, perform the following procedure using the ADAM ADSI Edit tool:
1. Click Start > All Programs > ADAM > ADAM ADSI Edit.
2. In the console tree, click ADAM ADSI Edit.
3. On the Action menu, click Connect To.... The Connection Settings dialog box appears.
4. In the Connection name field, you can type a label under which this connection will appear in the console tree of ADAM ADSI Edit. For this connection, type: Configuration.
5. In the Server name field, type the host or DNS name of the system on which the ADAM instance is running. If the ADAM instance is on the local system, you can use localhost as the server name.
6. In the Port field, type the LDAP or SSL communication port in use by this ADAM instance.
   Note: To list the port numbers used by ADAM instances, click Start > All Programs > ADAM > ADAM Tools Command Prompt and then, at the command prompt, type dsdbutil "list instances" quit on the system where the ADAM instance is running.
7. Under Connect to the following node, select Well-known naming context: and choose Configuration from the pull-down list.
8. Under Connect using these credentials, click The account of the currently logged on user.
9. Click OK. Configuration should now appear in the console tree.
10. Expand the Configuration subtree by double-clicking Configuration and then double-click CN=Configuration,CN={GUID}, where GUID was generated when the configuration of the ADAM instance was performed.
11. Expand the CN=Services folder by double-clicking it. Then expand CN=Windows NT by double-clicking it. Highlight and right-click CN=Directory Service and click Properties.
12. Scroll down and click dsHeuristics and click Edit.
13. Change the 13th character (counting from left) to a 1. The value should be similar to 0000000001001 in the String Attribute Editor. Click OK.
14. Click OK. The requirement for SSL connections for password operations is now disabled. Although this can be used in a testing environment, it is not recommended in production.
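Because the procedure above removes a protection by editing a single character, it helps to be able to find instances that were left in that state, and to re-enable the requirement correctly. The audit helper below is an added example, not code from the guide or from Microsoft. It models the rule the procedure relies on (the 13th character of dsHeuristics set to '1' disables the SSL requirement for password operations) together with the position-marker convention of dsHeuristics (the 10th character is always '1', the 20th '2', and so on), which is why the guide's sample value reads 0000000001001. The function names and the sample instance values are this example's own.

```python
"""Audit helper for the ADAM dsHeuristics attribute (added example, not from the guide)."""

# 1-based position of the flag the procedure above changes to '1'.
PASSWORD_OPS_OVER_CLEARTEXT_POS = 13


def _position_marker(pos: int) -> str:
    """dsHeuristics positional checksum: position 10 holds '1', 20 holds '2', ..."""
    return str(pos // 10)


def get_flag(ds_heuristics: str, pos: int) -> str:
    """Character at 1-based position pos; '0' (the default) if the value is shorter."""
    if pos < 1:
        raise ValueError("positions are 1-based")
    return ds_heuristics[pos - 1] if len(ds_heuristics) >= pos else "0"


def set_flag(ds_heuristics: str, pos: int, value: str) -> str:
    """Return a new dsHeuristics value with position pos set to value.

    A short or empty attribute is zero-padded up to pos, and any position
    markers (10th, 20th, ...) inside the padded range are filled in, so the
    result is a value the directory will accept.
    """
    if len(value) != 1:
        raise ValueError("a heuristic flag is a single character")
    chars = list(ds_heuristics)
    while len(chars) < pos:
        chars.append("0")
    for marker_pos in range(10, pos + 1, 10):
        chars[marker_pos - 1] = _position_marker(marker_pos)
    chars[pos - 1] = value
    return "".join(chars)


def password_ops_require_ssl(ds_heuristics: str) -> bool:
    """True when the instance still insists on SSL for password operations."""
    return get_flag(ds_heuristics, PASSWORD_OPS_OVER_CLEARTEXT_POS) != "1"


def validate_markers(ds_heuristics: str) -> list:
    """Return the 1-based positions whose position marker is wrong (a malformed value)."""
    return [
        marker_pos
        for marker_pos in range(10, len(ds_heuristics) + 1, 10)
        if ds_heuristics[marker_pos - 1] != _position_marker(marker_pos)
    ]


def audit(instances: dict) -> dict:
    """Map instance name -> finding for {instance: dsHeuristics} pairs; None means unset."""
    findings = {}
    for name, value in instances.items():
        value = value or ""  # an absent attribute means every flag is at its default
        if validate_markers(value):
            findings[name] = "malformed dsHeuristics (bad position marker)"
        elif not password_ops_require_ssl(value):
            findings[name] = "password operations allowed over non-SSL connections"
        else:
            findings[name] = "ok: SSL required for password operations"
    return findings


if __name__ == "__main__":
    # Constructed sample values, not read from any real directory.
    sample = {
        "ADAM-test": "0000000001001",    # the value from the procedure above
        "ADAM-prod": None,               # attribute never set: secure default
        "ADAM-broken": "0000000000001",  # 10th character should be '1'
    }
    for instance, finding in audit(sample).items():
        print(f"{instance}: {finding}")
    # Re-enabling the requirement is the inverse edit of step 13.
    print("restored:", set_flag("0000000001001", PASSWORD_OPS_OVER_CLEARTEXT_POS, "0"))
```

set_flag is also the safe way to produce the value step 13 asks for on an instance whose dsHeuristics was never set: it pads the empty attribute and places the mandatory marker in position 10 rather than leaving a value the directory would reject.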


Configuring Novell eDirectory server for SSL access

Secure Sockets Layer (SSL) allows the data which is transmitted between the Tivoli Access Manager services and the Novell eDirectory server to be encrypted to provide data privacy and integrity. Administrators should consider enabling SSL to protect information, such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate. If SSL is not required in your Tivoli Access Manager environment, skip this section.

Tivoli Access Manager supports server-side authentication with Novell eDirectory only. To configure the Novell eDirectory server for SSL, ensure that the ConsoleOne tool is installed and complete the following sections:
• “Creating an organizational certificate authority object”
• “Creating a self-signed certificate” on page 496
• “Creating a server certificate for the LDAP server” on page 496
• “Enabling SSL” on page 497
• “Adding the self-signed CA certificate to the IBM key file” on page 497

Note: For more information, see Novell product documentation at the following Web sites:

For Novell eDirectory, Version 8.6.x, see:
http://www.novell.com/documentation/lg/ndsedir86/index.html

For Novell eDirectory, Version 8.7, see:
http://www.novell.com/documentation/lg/edir87/index.html

Creating an organizational certificate authority object

During installation of eDirectory, an NDSPKI:Certificate Authority object is created by default (if one does not already exist in the network). It is important that the subject name (not the object name) be a valid signatory. The subject name must have an organization field and a country field to be recognized as valid by Tivoli Access Manager. The default subject name is as follows:

O=organizational_entry_name.OU=Organizational CA

This is not a valid signatory. To change it, you must re-create the Certificate Authority object with a valid subject name. To do so, follow these steps:
1. Start ConsoleOne.
2. Select the Security container object. Objects are displayed in the right pane of the window.
3. Select the Organization CA object and delete it.
4. Right-click the Security container object again and click New → Object.
5. From the list box in the New Object dialog, double-click NDSPKI: Certificate Authority. The Create an Organizational Certificate Authority Object dialog is displayed. Follow the online instructions.
6. Select the target server and enter an eDirectory object name. For example:
   Host Server Field = C22Knt_NDS.AM
   Object Name Field = C22KNT-CA
7. In Creation Method, select Custom and click Next.
   Depending on the installed version of Novell eDirectory, two additional screens might be displayed. Click Next twice to continue.
8. Accept the default Subject name or enter a valid distinguished name for the Certificate Authority being defined. All certificates generated by the Certificate Authority are placed in this location.
9. The Organizational Certificate Authority is displayed in ConsoleOne as C22KNT-CA.
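The subject-name rule above (the CA subject must carry an organization field and a country field) is easy to get wrong when the name is typed by hand. The checker below is an added example, not code from the guide, from Novell or from IBM. It parses both eDirectory's dotted typed form (as in the default subject shown above) and the comma-separated LDAP form, reports which required fields are missing, and also applies the caution from the ADAM procedure earlier in this chapter that the CA's name must not be the server host's fully qualified domain name. The function names and the sample subjects are this example's own.

```python
"""Check a CA subject name against the signatory rule above (added example, not from the guide)."""

# Attribute types Tivoli Access Manager requires in the CA subject, per the text above.
REQUIRED_SIGNATORY_TYPES = ("O", "C")


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs in the order written (leaf first).

    The separator is ',' for LDAP-style names and '.' for eDirectory typed names
    (chosen by whether an unescaped ',' is present). A separator preceded by a
    backslash is part of the value. Values that themselves contain dots, such as
    a CN holding a host name, should be written in the comma form.
    """
    sep = "," if "," in dn else "."
    parts, current, escaped = [], [], False
    for ch in dn.strip():
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def missing_signatory_fields(dn: str) -> list:
    """Return the required attribute types absent from the subject DN."""
    present = {attr_type for attr_type, _ in parse_dn(dn)}
    return [t for t in REQUIRED_SIGNATORY_TYPES if t not in present]


def is_valid_signatory(dn: str) -> bool:
    """True when the CA subject carries both an O and a C attribute."""
    return not missing_signatory_fields(dn)


def subject_collides_with_host(ca_subject_dn: str, server_fqdn: str) -> bool:
    """True when the CA subject's CN equals the host's FQDN (case-insensitive).

    The server certificate is named after the host's FQDN and must not share
    its name with the root CA certificate; this catches that clash early.
    """
    cns = [value for attr_type, value in parse_dn(ca_subject_dn) if attr_type == "CN"]
    return any(cn.lower() == server_fqdn.lower() for cn in cns)


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real directory.
    samples = {
        "O=organizational_entry_name.OU=Organizational CA": "eDirectory default subject",
        "CN=C22KNT-CA.O=Example Corp.C=US": "dotted form with O and C",
        "CN=C22KNT-CA,O=Example\\, Inc.,C=US": "LDAP form with an escaped comma",
    }
    for dn, label in samples.items():
        missing = missing_signatory_fields(dn)
        verdict = "valid signatory" if not missing else "missing " + ", ".join(missing)
        print(f"{label}: {verdict}")
    print("CA named after host:", subject_collides_with_host(
        "CN=ldap01.example.com,O=Example Corp,C=US", "LDAP01.example.com"))
```

Run it on the subject you intend to type into step 8 before re-creating the CA object; the default subject in the guide is reported as missing C, which is exactly why the text calls it an invalid signatory.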

Creating a self-signed certificate

To create a self-signed certificate, do the following:
1. Go to the properties of the Organizational Certificate Authority (C22KNT-CA). The Properties window is displayed.
2. Select the Certificate tab and then select Self Signed Certificate from the menu.
3. Validate the certificate.
4. Export the certificate. The Export a Certificate window is displayed.
5. Accept the default values and write down the location where the self-signed certificate will be saved. For example:
   c:\c22knt\CA-SelfSignedCert.der
6. Transfer (FTP) the file to the Tivoli Access Manager host directory. For example:
   c:\Program Files\Tivoli\Policy Directory\keytab
   Note that this is a binary file.

Creating a server certificate for the LDAP server

To create the server certificate for the Novell eDirectory server, follow these steps:
1. Right-click the Organization entry and click New → Object. A New Object window is displayed.
2. Select NDSPKI: Key Material and then click OK. The Create Server Certificate (Key Material) window is displayed.
3. Enter the certificate name (for example, AM), select Custom for the creation method, and click Next.
4. Use the default values for the Specify the Certificate Authority option, which selects the Certificate Authority that will sign the certificate, and click Next.
5. Specify the key size, accept the default values for all other options, and click Next.
   Note: The default key size for Novell eDirectory Version 8.6.2 is 1024 bits; 2048 bits for Version 8.7.
6. In the Specify the Certificate Parameters window, click the Edit button next to the Subject name field. The Edit Subject window is displayed.
7. Enter the subject name and then click OK. The Create Server Certificate (Key Material) window is displayed with the Subject Name field updated. Click Next to continue.
8. To accept the default values in the following windows, click Next twice and then click Finish to create the key material.
   The Creating Certificate window is temporarily displayed. When it clears, the right pane of ConsoleOne is updated with a Key Material entry named AM. This entry is the server certificate.


Enabling SSL

To enable SSL for the Novell LDAP server, do the following:
1. In the right pane of ConsoleOne, locate an entry named LDAP Server – hostname and right-click it.
2. From the menu, select Properties. From the Properties notebook, select the SSL Configuration tab.
3. Click the Tree Search icon next to the SSL Certificate field. The Select SSL Certificate window is displayed. The SSL Certificate List pane displays the certificates known to the organization.
4. Select the AM certificate and click OK. The Properties of LDAP Server – hostname window is redisplayed with an updated SSL Certificate field.

Note: Do not select Enable and Require Mutual Authentication.

Adding the self-signed CA certificate to the IBM key file

To add the self-signed CA certificate to the IBM key file on the Tivoli Access Manager server, follow these steps:
1. Start the gsk7ikm utility. An IBM Key Manager window is displayed.
2. Select Key Database File → New. A new window is displayed.
3. Update the fields to the following values and then click OK:
   Key database type: CMS key database file
   File name: key.kdb
   Location: /var/PolicyDirector/keytabs
   A Password Prompt window is displayed.
4. Create a password, entering it twice for confirmation, and then click OK. The IBM Key Manager window is displayed with the Signer Certificates window displayed.
5. Click the Add button. The Add CA's Certificate from a File window is displayed. Update the following fields and then click OK:
   Data type: Binary DER data
   Certificate file name: <hostname>CA-SelfSignedCert.der
   Location: /var/PolicyDirector/keytabs
   The Signer Certificates dialog is now updated with a certificate named AM.


Configuring Sun Java System Directory Server for SSL access

SSL allows the data that is transmitted between the Tivoli Access Manager services and Sun Java System Directory Server to be encrypted to provide data privacy and integrity. Administrators should consider enabling SSL to protect information such as user passwords and private data. However, SSL is not required for Tivoli Access Manager to operate.

This procedure needs to be done only the first time SSL communication is set up between the Sun Java System Directory Server and IBM Tivoli Directory Server clients. To enable SSL communication, both Sun Java System Directory Server and the IBM Tivoli Directory Server clients must be configured.

The following procedure is an example only. For complete information about enabling SSL access on Sun Java System Directory Server, see Sun documentation at the following Web address:

http://docs.sun.com/app/docs/prod/entsys

Complete the instructions in the following sections:
• “Obtaining a server certificate” on page 498
• “Installing the server certificate” on page 499
• “Enabling SSL access” on page 499

Obtaining a server certificate

To enable SSL support, Sun Java System Directory Server requires a certificate that proves its identity to client systems. The server sends the certificate to the client to enable the client to verify the server's identity. This certificate is called a Server-Cert.

Use the Sun Java Console 6.0 and the Certificate Setup Wizard to establish the Server-Cert:
1. Start Sun Java Console 6.0.
2. From the Sun Java Server Console Login window, enter the administrator user ID, password, and the URL of the Admin Server for that directory server.
3. Select the domain to be used by Tivoli Access Manager.
4. Expand the server name.
5. Expand Server Group.
6. Select the entry labeled Directory Server. Configuration information about Sun Java System Directory Server is displayed.
7. Click Open. The Sun Java System Directory Server is accessed.
8. Click the Configuration tab.
9. Click the Encryption tab.
10. Verify that the Enable SSL for this server check box is not selected.
11. Click the Tasks tab and then click Manage Certificates.
    Note: The private key for the certificate is stored on an internal security device called a token, which is password protected. The first time that you click the Manage Certificates button, you are prompted to create the password for this token.


12. Enter the Security password twice and then click OK. The Manage Certificates window is displayed.
13. In the Security Device list, ensure that internal (software) is selected and that the Server Certs tab is selected.
14. Click the Request button at the bottom of the window. The Certificate Request Wizard panel is displayed.
15. Ensure that the Request certificate manually button is selected and click Next.
16. Enter the requestor information and then click Next. Ensure that you complete all fields. When prompted to continue, click Yes.
17. Ensure that the Active Encryption token field states internal (software).
18. Enter the security device password and then click Next.
19. To save the certificate request to a file, click Save to File. To copy the request to the clipboard, click Copy to Clipboard. Then click Done to complete your request.
20. E-mail your request, or attach the saved file, and send your request to the certificate authority administrator.

Installing the server certificate

After you have received the certificate from the certificate authority, install it by completing the following steps:
1. Open the Sun Java Console 6.0.
2. Click the Tasks tab and then click Manage Certificates.
3. Ensure that Server Certs is selected and then click Install.
4. Do one of the following:
   • To install the certificate from a file, select In this local file.
   • To paste the text in the window, select In the following encoded text block, copy the text of the certificate, and then click Paste from Clipboard.
5. Click Next.
6. Verify that the certificate information is correct and click Next.
7. In the This certificate will be named field, type a certificate name or accept the default name, server-cert, and then click Next.
8. Enter the token password and then click Done. If the process is successful, the Manage Certificate panel is displayed and the server certificate name is listed under the Server Certs tab.
9. Continue to “Enabling SSL access.”

Enabling SSL access

When you have exited the Certificate Setup Wizard, you are returned to the Encryption tab as shown:


1. Select Enable SSL for this server.
2. Select Use the cipher family: RSA.
3. If you do not plan to require certificate-based client authentication, select Do not allow client authentication.
4. Click Save.
5. Restart Sun Java System Directory Server for the changes to take effect.
   Note: You have to type the trust database password each time the server is started.

SSL is now enabled on Sun Java System Directory Server. Next, you need to enable SSL on the IBM Tivoli Directory Server client systems that will function as LDAP clients to Sun Java System Directory Server. See “Configuring the Tivoli Directory Server client for SSL access” on page 501.


Configuring the Tivoli Directory Server client for SSL access

After enabling SSL access on the LDAP server, you can set up SSL access on the client systems. If you have not yet configured your server for SSL access, follow the instructions in one of the following before proceeding:
• “Configuring IBM Tivoli Directory Server for SSL access” on page 474
• “Configuring IBM z/OS LDAP servers for SSL access” on page 485
• “Configuring Microsoft Active Directory for SSL access” on page 488
• “Configuring Active Directory Application Mode (ADAM) for SSL access” on page 491
• “Configuring Novell eDirectory server for SSL access” on page 495
• “Configuring Sun Java System Directory Server for SSL access” on page 498

Similar to creating a key database file for the server, you must create a key database file on the client system. Note that for the client to authenticate the LDAP server, the client must recognize the Certificate Authority (CA) that created the certificate for the LDAP server. If the LDAP server is using a self-signed certificate, the client must be enabled to recognize the system that generated the LDAP server's certificate as a trusted root (certificate authority).

To configure the LDAP client for SSL access to the LDAP server, complete the instructions in the following sections:
• “Creating the key database file” on page 501
• “Adding the signer certificate to the client key database file” on page 502
• “Testing SSL access from the client” on page 503

Creating the key database file

A key database file can be created on the client using the GSKit key management utility as follows.
1. Start the key management utility, gsk7ikm, which is located in one of the following default directories:
   AIX: /usr/opt/ibm/gskta/bin/gsk7ikm
   HP-UX: /opt/ibm/gsk7/bin/gsk7ikm
   HP-UX on Integrity: /opt/ibm/gsk7_32/bin/gsk7ikm_32
   All Linux platforms: /usr/local/ibm/gsk7/bin/gsk7ikm
   Solaris and Solaris on x86_64: /opt/ibm/gsk7/bin/gsk7ikm
   Windows: C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe
2. Click Key Database File → New...
3. In the New window:
   a. Select a Key database type of CMS.
   b. Specify the name and location for the key database file. The key database file usually has a file extension of kdb.
   c. Click OK to continue.
4. In the Password Prompt window:
   a. Specify a password for the key database file which meets your organization's password complexity rules.
   b. Optional. Set an expiration time for the password.
   c. Optional. Select Stash the password to a file? to have an encrypted version of the password stored in a separate stash file.
      A stash file can be used by some applications, such as Tivoli Directory Server, so that the application administrator does not need to know the password for the key database file. The stash file has the same location and name as the key database file, but has a file extension of .sth.
   d. Click OK to create the key database file and, optionally, the stash file.
   After creating the key database file, change the file ownership of the key database file to user ivmgr and group ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX and Linux systems, enter the following:
   chown ivmgr:ivmgr client_keyfile

Adding the signer certificate to the client key database file

If the certificate on the LDAP server is from a Certificate Authority (CA) that is not already recognized as a valid certificate signer in the key database file on the client, or if a self-signed certificate is being used on the server, then that certificate (either from the CA or the self-signed one from the server) must be added to the key database on the client system as a trusted signer.

To add the signer certificate to the key database on the client system:
1. If the server is using a certificate from a Certificate Authority (CA), ensure that the file containing the signer certificate from the Certificate Authority (CA) has been copied to the client system.
   If the server is using a self-signed certificate, ensure that the certificate has been extracted from the key database file on the server, as described in “Extracting the certificate” on page 478, and that the extracted certificate file has been copied to the client system.
2. Start the key management utility, gsk7ikm, if it is not already running.
3. Click Key Database File → Open....
4. Select the key database file and click OK.
5. When prompted, enter the password for the key database file. Click OK.
6. In the Key database content pane, select Signer Certificates.
7. Click Add....
8. In the Add CA's Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing the certificate from the Certificate Authority (CA) or the extracted self-signed certificate, which usually has a file extension of .arm.
   c. Click OK.
9. Enter a label for the signer certificate that you are adding. If the certificate was created by a certificate authority, you can use the name of the Certificate Authority as the label. For a self-signed certificate, use the name of the LDAP server for the label.
10. Click OK. The certificate is displayed in the key database file as a signer certificate.
11. Select the newly added signer certificate, and click View/Edit....
12. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.
13. Click OK.

Configuring the client for SSL communications

When you install and configure an Access Manager component, you are given the option of enabling SSL communication with the registry server. If you did not enable SSL at that time, or if you wish to change the SSL configuration options, such as selecting a different key database file or specifying a different certificate label, you must unconfigure and then reconfigure the Access Manager component on the affected system using the Tivoli Access Manager pdconfig utility. For a description of configuration options, see “Access Manager Runtime — LDAP” on page 448.

Testing SSL access from the client

To test that SSL access has been enabled, enter the following command on the LDAP client system:

idsldapsearch -h server_name -Z -K client_keyfile -P keyfile_pwd -b "" -s base objectclass=*

The command variables are as follows:

server_name
    The DNS host name of the LDAP server.

client_keyfile
    The fully qualified path name of the generated client key ring.

keyfile_pwd
    The password of the generated key ring.

-Z
    Indicates that SSL is to be used to establish the connection with the LDAP server.

This command returns the LDAP base information, which includes the suffixes on the LDAP server.

During LDAP server configuration in “Configuring IBM Tivoli Directory Server for SSL access” on page 474, you chose an authentication method of either Server Authentication or Server and Client Authentication.
• If you chose Server Authentication, the SSL setup is now complete.
• If you chose Server and Client Authentication, go to “Configuring SSL for server and client authentication” on page 504.


Configuring SSL for server and client authentication

During the configuration of the LDAP server to enable SSL access, as described in “Enabling SSL for Tivoli Directory Server” on page 480, you were prompted to choose either Server Authentication or Server and Client Authentication.

If you chose Server Authentication and have completed the steps in “Configuring the Tivoli Directory Server client for SSL access” on page 501, then SSL configuration is complete.

If you chose Server and Client Authentication and have completed the steps in “Configuring the Tivoli Directory Server client for SSL access” on page 501, you must now establish a certificate for the client system. In this mode of authentication, after the client authenticates the server, the server requests the client’s certificate and uses it to authenticate the client’s identity.

To establish a certificate for the client system, complete the instructions in the following sections:
• “Creating the key database file on the client” on page 504
• “Requesting or creating a personal certificate on the client” on page 505
• “Testing SSL access when using server and client authentication” on page 509

Creating the key database file on the client

If you have not already created a key database file on the client system, a key database file can be created using the GSKit key management utility as follows.
1. Start the key management utility, gsk7ikm, which is located in one of the following default directories:
   AIX: /usr/opt/ibm/gskta/bin/gsk7ikm
   HP-UX: /opt/ibm/gsk7/bin/gsk7ikm
   HP-UX on Integrity: /opt/ibm/gsk7_32/bin/gsk7ikm_32
   All Linux platforms: /usr/local/ibm/gsk7/bin/gsk7ikm
   Solaris and Solaris on x86_64: /opt/ibm/gsk7/bin/gsk7ikm
   Windows: C:\Program Files\IBM\gsk7\bin\gsk7ikm.exe
2. Click Key Database File → New...
3. In the New window:
   a. Select a Key database type of CMS.
   b. Specify the name and location for the key database file. The key database file usually has a file extension of kdb.
   c. Click OK to continue.
4. In the Password Prompt window:
   a. Specify a password for the key database file which meets your organization's password complexity rules.
   b. Optional. Set an expiration time for the password.
   c. Optional. Select Stash the password to a file? to have an encrypted version of the password stored in a separate stash file.
      A stash file can be used by some applications, such as Tivoli Directory Server, so that the application administrator does not need to know the password for the key database file. The stash file has the same location and name as the key database file, but has a file extension of .sth.
   d. Click OK to create the key database file and, optionally, the stash file.
   e. After creating the key database file on the client system, change the file ownership of the key database file to user ivmgr and group ivmgr. Use the appropriate operating system command for changing file ownership. For example, on UNIX and Linux systems, enter the following:
      chown ivmgr:ivmgr client_keyfile

Requesting or creating a personal certificate on the client

A personal certificate and its associated private key must be added to the key database file for the client before SSL using server and client authentication can be enabled between the Tivoli Directory Server system and client systems. This personal certificate represents the identity of the Tivoli Directory Server client system during SSL communications.

In production or Internet environments, obtain a commercial certificate from a recognized Certificate Authority (CA) such as VeriSign. This permits other systems to verify the identity of the certificate owner using a third party, the CA. In test or intranet environments, where a lower level of security can be tolerated, a self-signed certificate can be created and used. When a personal certificate is received from a Certificate Authority (CA), or when a self-signed certificate is created by GSKit, the associated private key of the certificate is automatically added to the key database file.

Using certificates from a Certificate Authority (CA) on the client

To use a certificate from a Certificate Authority (CA), you must:
1. Request a personal certificate from a Certificate Authority (CA) which represents the identity of the client system in SSL communications.
2. Receive the personal certificate into the key database file.
3. Add the certificate for the Certificate Authority (CA) as a signer certificate in the key database file on the client, if it is not already present.
4. Add the certificate for the Certificate Authority (CA) as a signer certificate in the key database file on the server, if it is not already present.

Requesting a personal certificate from a Certificate Authority (CA)

You can obtain a personal certificate from a Certificate Authority (CA) by creating a certificate request. If you require a certificate that supports Federal Information Processing Standards (FIPS) mode, ensure that you use a Certificate Authority (CA) that can provide one that supports it.

To create a certificate request, do the following.
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
   See “Creating the key database file” on page 474 if you need to create a key database file.

Chapter 23. Enabling Secure Sockets Layer (SSL) security 505


3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
6. Click Create → New Certificate Request....
7. In the Create New Key and Certificate Request window:
   a. In the Key Label field, enter a name for your key.
   b. In the Key size field, enter a size for your key.
   c. In the Common Name field, enter the host name of the server system.
   d. In the Organization field, enter the name of your organization. Your Certificate Authority might require you to specify a specific value.
   e. Select the appropriate value in the Country or region field.
   f. Complete any of the optional fields as desired.
   g. Specify a name and location for the certificate request. The file usually is given a file extension of .arm.
   h. Click OK to create a certificate request file.
8. Send the certificate request file to your Certificate Authority for processing.

Receiving a personal certificate from a Certificate Authority (CA)

After processing your certificate request, your Certificate Authority (CA) typically sends you two certificates: your requested personal certificate and a certificate that identifies the Certificate Authority itself. To use the personal certificate, you must receive the personal certificate into your key database file.

To receive the personal certificate into the key database:
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
6. Click Receive.
7. In the Receive Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing your personal certificate, which usually has a file extension of .arm.
   c. Click OK.

If you already have one or more personal certificates in the key database file, GSKit asks whether you want to make the certificate just received the default certificate. The default certificate is used when no label is provided on a request to the key database.

Adding the signer certificate for the Certificate Authority (CA)

After processing your certificate request, your Certificate Authority (CA) typically sends you two certificates: your requested personal certificate and a certificate that identifies the Certificate Authority itself. If the Certificate Authority (CA) is not already recognized as a valid certificate signer in the key database file on the client, then the certificate from the Certificate Authority must be added.


To add the certificate from the Certificate Authority into the key database as a signer certificate:
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Signer Certificates.
6. Click Add....
7. In the Add CA's Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.
   b. Enter the name and location of the file containing the certificate from the CA, which usually has a file extension of .arm.
   c. Click OK.

Using self-signed certificates on the client

In test or intranet environments, a self-signed certificate can be created and used. However, in production or Internet environments, obtain a commercial certificate from a recognized Certificate Authority (CA) as described in “Using certificates from a Certificate Authority (CA) on the client” on page 505.

Creating a self-signed certificate

To create a self-signed certificate, do the following.
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
   See “Creating the key database file” on page 474 if you need to create a key database file.
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. Click Create → New Self-Signed Certificate....
6. In the Create New Self-Signed Certificate window:
   a. In the Key Label field, enter a name for your key.
   b. In the Version field, leave the default value of X509 V3 selected.
   c. In the Key Size field, select the key size desired.
   d. In the Common Name field, enter the host name of the server system.
   e. In the Organization field, enter the name of your organization.
   f. Select the appropriate value in the Country or region field.
   g. In the Validity Period field, specify the number of days that the certificate is to be valid.
   h. Complete any of the optional fields as desired.
   i. Click OK to create a self-signed certificate and add it to your key database file.

If you already have one or more personal certificates in the key database file, GSKit asks whether you want to make the certificate just received the default certificate. The default certificate is used when no label is provided on a request to the key database.

Continue with “Extracting the certificate” on page 478.


Extracting the certificate

After you have created a self-signed certificate, you must extract the certificate for use on the LDAP server system that will securely communicate with the client.

To extract the certificate from the key database, do the following.
1. Start the key management utility, gsk7ikm, if it is not already running.
2. Click Key Database File → Open....
3. Select the key database file and click OK.
4. When prompted, enter the password for the key database file. Click OK.
5. In the Key database content pane, select Personal Certificates.
   The personal certificates available in the key database file are displayed. The personal certificates which are displayed include both self-signed certificates and certificates previously received from a Certificate Authority (CA).
6. Select the desired personal certificate to process.
7. Click Extract Certificate....
8. In the Extract Certificate to a File window:
   a. Select the data type of the extracted file, which is usually Base64-encoded ASCII data.
   b. Specify the desired name and location for the certificate file. A file extension of .arm is generally used for this file.
   c. Click OK to extract the public key certificate.

After the client certificate has been extracted to a file, that file must be made available on the Tivoli Directory Server.

Adding the signer certificate to the server key database file

If the certificate on the LDAP client is from a Certificate Authority (CA) that is not already recognized as a valid certificate signer in the key database file on the server, or if a self-signed certificate is being used on the client, then that certificate (either from the CA or the client's self-signed certificate) must be added to the key database on the server system as a trusted signer.

To add the signer certificate to the key database on the server system:
1. If the client is using a certificate from a Certificate Authority (CA), ensure that the file containing the signer certificate from the Certificate Authority (CA) has been copied to the server system.
   If the client is using a self-signed certificate, ensure that the certificate has been extracted from the key database file on the client, as described in “Extracting the certificate” on page 478, and that the extracted certificate file has been copied to the server system.
2. Start the key management utility, gsk7ikm, on the server system, if it is not already running.
3. Click Key Database File → Open....
4. Select the key database file and click OK.
5. When prompted, enter the password for the key database file. Click OK.
6. In the Key database content pane, select Signer Certificates.
7. Click Add....
8. In the Add CA's Certificate from a File window:
   a. Select the data type of the certificate file received, which is usually Base64-encoded ASCII data.


   b. Enter the name and location of the file containing the certificate from the Certificate Authority (CA) or the extracted self-signed certificate, which usually has a file extension of .arm.
   c. Click OK.
9. Enter a label for the signer certificate that you are adding. If the certificate was created by a certificate authority, you can use the name of the Certificate Authority as the label. For a self-signed certificate, use the name of the client system for the label.
10. Click OK. The certificate is displayed in the key database file as a signer certificate.
11. Select the newly added signer certificate, and click View/Edit....
12. Ensure that Set the certificate as a trusted root is selected so that the certificate is marked as a trusted root.
13. Click OK.

Testing SSL access when using server and client authentication

After the LDAP server recognizes the certificate authority that created the client’s personal certificate, test SSL access using the following command on the LDAP client:

idsldapsearch -h server_name -Z -K client_keyfile -P keyfile_pwd -N \
client_label -b "" -s base objectclass=*

The command variables are as follows:

server_name
    The DNS host name of the LDAP server.

client_keyfile
    The fully qualified path name of the generated client key ring.

keyfile_pwd
    The password of the generated key ring.

client_label
    The label associated with the key, if any. This field is needed only when the LDAP server is configured to perform server and client authentication.

-Z
    Indicates that SSL is to be used to establish the connection with the LDAP server.

The idsldapsearch command returns the LDAP base information, which includes the suffixes on the LDAP server. Notice that the –N parameter indicates the label that was specified when the client’s personal certificate was added to the client’s key database file.

Note: Do not specify the LDAP server’s signer certificate label. The –N option indicates to GSKit which client certificate is sent to the server when requested. If no label is specified, then the default personal certificate is sent when the server requests the client’s certificate.

SSL setup is now complete.


Chapter 24. AIX: Setting up a standby policy server

You can configure a standby server to take over policy server functions in the event of a system failure or unplanned outage. When the policy server goes down, the standby policy server acts as the primary policy server until the primary policy server assumes its original role. In turn, the standby policy server reverts back to a standby role. At any given time, there is only one active policy server and only one shared copy of the policy databases.

Tivoli Access Manager supports the use of one standby policy server on supported AIX platforms. In addition, deploying a standby policy server requires the installation and configuration of High Availability Cluster Multiprocessing (HACMP) software, a clustering solution designed to provide high-availability access to business-critical data and application through component redundancy and application failover.

This chapter includes the following sections:
• “Preinstallation requirements” on page 512
• “HACMP environment scenario” on page 513
• “Creating a standby policy server environment” on page 523

The HACMP scenario is provided as a general guide to show you how to install and configure an HACMP environment for standby policy server capability. After you set up your HACMP environment, follow product-specific instructions about creating a standby policy server within a Tivoli Access Manager secure domain. Scripts and examples are provided for your convenience.

For detailed information on clustering and HACMP, see the following Web sites:
• http://www.ibm.com/servers/eserver/clusters/software/
• http://www.ibm.com/servers/aix/products/ibmsw/high_avail_network/hacmp.html

Rules

• You can create one primary policy server and one standby policy server.
• Both the primary and standby policy servers must be located on AIX systems that are part of a High Availability Cluster Multiprocessing (HACMP) environment.
• Each AIX system must have access to a shared disk array that is configured for data redundancy.
• The policy database and the configuration files used by the policy server must be located on a shared disk array.
• The registry server, such as IBM Tivoli Directory Server, must be available and installed on a separate system.

© Copyright IBM Corp. 2001, 2010 511


Preinstallation requirements

Before you set up a primary and standby policy server environment, ensure that the following conditions are met:
• Ensure that two machines (primary and standby) are at the same maintenance levels, and have similar hardware and performance capabilities. Supported maintenance levels are:
  – For AIX 5.2, Technology Level (TL) 5200-08 or above, Service Pack (SP) 5200-08-02 or above
  – For AIX 5.3, Technology Level (TL) 5300-04 or above, Service Pack (SP) 5200-04-02 or above
• Ensure that HACMP 4.5 or higher is installed, configured, and running on both the primary and standby policy server systems.
• Ensure that a shared file system is mounted. For example, you can connect an external SSA-based storage tower to both systems, such as the SSA-based 7133 Model T40 storage enclosure.

For general instructions about setting up a basic HACMP environment, see the scenario on page 513.


HACMP environment scenario

This scenario is just one example of how you might install and configure an HACMP environment for standby policy server capability. In this example scenario, similar to other HACMP environments that provide for standby policy server capability, you must configure the HACMP environment for IP address takeover of the primary system’s service IP address as well as for shared access to an external file system.

For more complete details about how to configure and set up these environments, refer to the HACMP documents included when you purchased your HACMP product. If you have any service problems involving HACMP, contact IBM Support for these products.

This scenario provides instructions for setting up a policy server on each of two AIX systems. The host systems that are used throughout this scenario are as follows:
• tucana has a service IP address of 192.168.2.13, a boot IP address of 192.168.2.79, and a standby IP address of 192.168.3.2, which must be on a different subnet from the service and boot IP addresses. These IP addresses require that two network adapters, such as Ethernet adapters, be available on tucana. Only two network adapters are needed because in an HACMP environment the service IP address is activated and the boot IP address is deactivated after the HACMP cluster is started on an HACMP node.
• perseus has a service IP address of 192.168.2.14, a boot IP address of 192.168.2.80, and a standby IP address of 192.168.3.3, which must be on a different subnet from the service and boot IP addresses. These IP addresses require that two network adapters, such as Ethernet adapters, be available on perseus.

Note: The service and boot IP addresses on each AIX system will use the same network adapter. The standby IP address on each AIX system will use the second network adapter.

The primary policy server will be installed and configured on the primary AIX system. The primary host system in this scenario is tucana.

The standby policy server will be installed and configured on the other remaining AIX system. The other host system is perseus in this scenario.


Hardware and software requirements

In this scenario, the following hardware and software are used. Your hardware and software requirements will be different, depending on your configuration.
• Two AIX systems with the following hardware:
  – Two Ethernet or Token Ring cards connected and configured to the network
  – A serial cable that is connected from the serial port on one AIX system to the serial port on the other AIX system
    Note: Each AIX system must be able to ping the IP address of the other AIX system.
  – An SSA adapter card
• An SSA-based disk array, such as: IBM 7133 Model T40 storage tower or an IBM 7133 D40 rack mounted enclosure
• Three SSA connection cables. Two (one per AIX system) are cabled to the disk array and one is cabled between the two AIX systems
• The recommended IBM AIX version and service pack installed on both AIX systems. If you use other versions, the version and service pack level must match on both machines.

Use the following scenario to set up a basic HACMP environment on IBM AIX 5.1 and Service Pack 3.
1. Install the AIX operating system using the AIX installation CDs, including all rsct packages and the appropriate service pack. To check the operating system level, type:
   oslevel -r
   For example, if IBM AIX 5.2 and Service Pack 1 are installed, 5200–01 will be displayed.
2. Install the separately purchased HACMP Version 4.5 ES/CRM software and any AIX operating system prerequisites that are needed.
3. Update file information by doing the following:
   a. In the /etc/hosts file on both AIX systems, type the host name and IP address for all your network card connections. For example, if you have four connection network cards between your two systems, your /etc/hosts file must contain lines similar to the following example:

      # @(#)47 1.1 src/bos/usr/sbin/netstart/hosts, cmdnet, bos510 7/24/91 10:46
      #
      # COMPONENT_NAME: TCPIP hosts
      #
      # FUNCTIONS: loopback
      #
      # ORIGINS: 26 27
      #
      # (C) COPYRIGHT International Business Machines Corp. 1985, 1989
      # All Rights Reserved
      # Licensed Materials - Property of IBM
      #
      # US Government Users Restricted Rights - Use, duplication or
      # disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
      #
      # /etc/hosts


      #
      # This file contains the hostnames and their address for hosts in the
      # network. This file is used to resolve a hostname into an Internet
      # address.
      #
      # At minimum, this file must contain the name and address for each
      # device defined for TCP in your /etc/net file. It may also contain
      # entries for well-known (reserved) names such as timeserver
      # and printserver as well as any other host name and address.
      #
      # The format of this file is:
      # Internet Address      Hostname        # Comments
      # Items are separated by any number of blanks and/or tabs. A ’#’
      # indicates the beginning of a comment; characters up to the end of the
      # line are not interpreted by routines which search this file. Blank
      # lines are allowed.

      # Internet Address      Hostname        # Comments
      # 192.9.200.1           net0sample      # ethernet name/address
      # 128.100.0.1           token0sample    # token ring name/address
      # 10.2.0.2              x25sample       # x.25 name/address
      127.0.0.1               loopback localhost    # loopback (lo0) name/address
      192.168.2.13            tucana
      192.168.2.79            tucana-boot
      192.168.3.2             tucana-stby
      192.168.2.14            perseus
      192.168.2.80            perseus-boot
      192.168.3.3             perseus-stby

   b. Edit the /.rhosts file to ensure that it contains the correct host names. For example:
      perseus
      perseus-boot
      perseus-stby
      tucana
      tucana-boot
      tucana-stby
   c. To set the correct permission, run the following:
      chmod 600 /.rhosts
   d. Edit the /etc/rc.net file, and add these lines:
      no -o thewall=10240
      no -o routerevalidate=1
      no -o ipqmaxlen=512
4. Configure the HACMP cluster. To do so, consult your HACMP software documentation. Use the “Example HACMP configuration” as a guide.
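The addressing rules from the scenario above (service and boot addresses on the first adapter's subnet, the standby address on a different subnet, the primary's service address movable to the other node) and the /etc/hosts and /.rhosts entries from step 3, as an added checker that is not part of this guide or of HACMP. The sample file contents, the -boot/-stby label convention and the /24 netmask are assumptions taken from the scenario.

```python
"""Check the two-node HACMP addressing described in the scenario.

Every node needs a service, boot and standby label in /etc/hosts; service and
boot share the first adapter's subnet, standby sits on the second adapter's
subnet, and all service addresses share one subnet so IP address takeover works.
"""
import ipaddress

# Constructed sample /etc/hosts content; the addresses mirror the scenario.
SAMPLE_HOSTS = """\
# Internet Address   Hostname        # Comments
127.0.0.1            loopback localhost  # loopback (lo0) name/address
192.168.2.13 tucana
192.168.2.79 tucana-boot
192.168.3.2 tucana-stby
192.168.2.14 perseus
192.168.2.80 perseus-boot
192.168.3.3 perseus-stby
"""

# Constructed sample /.rhosts content (step 3b): one host name per line.
SAMPLE_RHOSTS = "perseus\nperseus-boot\nperseus-stby\ntucana\ntucana-boot\ntucana-stby\n"

# Label convention assumed from the scenario (HACMP itself does not enforce it).
LABEL_SUFFIXES = {"service": "", "boot": "-boot", "standby": "-stby"}


def parse_hosts(text):
    """Map every host name in hosts-file text to its IPv4 address.

    Comments (# to end of line) and blank lines are skipped; a line may carry
    several names (aliases) after the address, as the loopback line does.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr = ipaddress.IPv4Address(fields[0])
        for name in fields[1:]:
            table[name] = addr
    return table


def _subnet(addr, prefixlen):
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def check_node_addressing(table, nodes, prefixlen=24):
    """Return a list of problems; an empty list means the addressing is consistent.

    prefixlen is an assumption: the scenario gives no netmask, so /24
    networks are assumed for 192.168.2.0 and 192.168.3.0.
    """
    problems = []
    service_nets = set()
    for node in nodes:
        labels = {kind: node + suffix for kind, suffix in LABEL_SUFFIXES.items()}
        missing = [kind for kind, name in labels.items() if name not in table]
        if missing:
            problems.append(f"{node}: no {', '.join(missing)} entry in /etc/hosts")
            continue
        svc, boot, stby = (table[labels[k]] for k in ("service", "boot", "standby"))
        # Service and boot addresses are activated on the same adapter.
        if _subnet(svc, prefixlen) != _subnet(boot, prefixlen):
            problems.append(f"{node}: service {svc} and boot {boot} must share one subnet")
        # The standby address belongs to the second adapter on another subnet.
        if _subnet(stby, prefixlen) == _subnet(svc, prefixlen):
            problems.append(f"{node}: standby {stby} must not be on the service/boot subnet")
        service_nets.add(_subnet(svc, prefixlen))
    # IP address takeover moves the primary's service address to the standby
    # node, so the service addresses of all nodes must live on one subnet.
    if len(service_nets) > 1:
        problems.append("service addresses of the nodes are on different subnets")
    # Two labels resolving to one address would make takeover ambiguous.
    seen = {}
    for name, addr in table.items():
        if addr.is_loopback:
            continue
        if addr in seen:
            problems.append(f"duplicate address {addr}: {seen[addr]} and {name}")
        seen[addr] = name
    return problems


def missing_rhosts_entries(rhosts_text, nodes):
    """Return the node labels (step 3b) that /.rhosts does not list."""
    present = {line.strip() for line in rhosts_text.splitlines() if line.strip()}
    wanted = [node + suffix for node in nodes for suffix in LABEL_SUFFIXES.values()]
    return [name for name in wanted if name not in present]


if __name__ == "__main__":
    nodes = ["tucana", "perseus"]
    for problem in check_node_addressing(parse_hosts(SAMPLE_HOSTS), nodes) or ["addressing OK"]:
        print(problem)
    for name in missing_rhosts_entries(SAMPLE_RHOSTS, nodes) or ["/.rhosts OK"]:
        print(name)
```

On a real node, read /etc/hosts and /.rhosts from disk instead of the constructed samples and run the checks on both systems before configuring the cluster.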

Example HACMP configuration

This section provides an example of a typical HACMP configuration for Tivoli Access Manager. This example illustrates SMITTY menu panels that were used while performing actual test cases. Parts to this example are as follows:
• “Part 1: Overall HACMP cluster topology” on page 516
  Describes the overall cluster topology of the HACMP environment, including the names of the nodes, network definitions, and other pertinent information.
• “Part 2: Cluster resources within HACMP topology” on page 518
  Describes the cluster resources within the HACMP cluster topology, including the resource groups and the shared file system.
• “Part 3: Application server definition within HACMP topology” on page 522
  Describes the application server definition (which is the policy server in this example) within the HACMP cluster topology.


Figure 3 illustrates a two system (or two node) configuration sharing an external storage enclosure.

Figure 3. Standby policy server configuration

The primary (tucana) and standby (perseus) policy servers are sharing an SSA-based external storage enclosure. When the primary policy server goes down because of a failover event, such as a network or hardware failure, the HACMP software on the standby system recognizes this event and takes over the service IP address of the primary policy server. The HACMP software also mounts the shared file system on the standby system and starts the standby policy server. The standby policy server remains operational until the HACMP software on the standby system recognizes that the primary system has been restored. At that time, the HACMP software on the primary system does the following:
1. Resumes control of the service IP address associated with the primary system
2. Mounts the shared file system
3. Starts the primary policy server

Note: While the HACMP software on the primary system is performing these actions, the HACMP software on the standby system stops the standby policy server, unmounts the shared file system, and relinquishes control of the service IP address of the primary policy server.

The following example illustrates an HACMP environment containing a primary and a standby policy server. Before each SMITTY screen output is the hierarchy of menus that you must progress through to display the screen.

Part 1: Overall HACMP cluster topology

SMITTY MENU Hierarchy:

HACMP for AIX
  - Cluster Configuration
    - Cluster Topology
      - Show Cluster Topology
        - Show Cluster Topology

COMMAND STATUS


Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

[TOP]
Cluster Description of Cluster am51bos
Cluster ID: 1
There were 2 networks defined: tucanaip, tucanatty1
There are 2 nodes in this cluster

NODE perseus:
    This node has 2 service interface(s):

    Service Interface perseus:
        IP address:        192.168.2.14
        Hardware Address:
        Network:           tucanaip
        Attribute:         public

    Service Interface perseus has a possible boot configuration:
        Boot (Alternate Service) Interface: perseus-boot
        IP Address:        192.168.2.80
        Network:           tucanaip
        Attribute:         public

    Service Interface perseus has 1 standby interfaces
        Standby Interface 1: perseus-stby
        IP Address:        192.168.3.3
        Network:           tucanaip
        Attribute:         public

    Service Interface perseus-tty1:
        IP address:        /dev/tty1
        Hardware Address:
        Network:           tucanatty1
        Attribute:         serial

    Service Interface perseus-tty1 has no standby interfaces

NODE tucana:
    This node has 2 service interface(s):

    Service Interface tucana:
        IP address:        192.168.2.13
        Hardware Address:
        Network:           tucanaip
        Attribute:         public

    Service Interface tucana has a possible boot configuration:
        Boot (Alternate Service) Interface: tucana-boot
        IP Address:        192.168.2.79
        Network:           tucanaip
        Attribute:         public

    Service Interface tucana has 1 standby interfaces
        Standby Interface 1: tucana-stby
        IP Address:        192.168.3.2
        Network:           tucanaip
        Attribute:         public

    Service Interface tucana-tty1:
        IP address:        /dev/tty1
        Hardware Address:


        Network:           tucanatty1
        Attribute:         serial

    Service Interface tucana-tty1 has no standby interfaces

Breakdown of network connections:

Connections to network tucanaip
    Node perseus is connected to network tucanaip by these interfaces:
        perseus-boot
        perseus
        perseus-stby

    Node tucana is connected to network tucanaip by these interfaces:
        tucana-boot
        tucana
        tucana-stby

Connections to network tucanatty1
    Node perseus is connected to network tucanatty1 by these interfaces:
        perseus-tty1

    Node tucana is connected to network tucanatty1 by these interfaces:
        tucana-tty1

[BOTTOM]

Part 2: Cluster resources within HACMP topology

SMITTY MENU Hierarchy:

HACMP for AIX
  - Cluster Configuration
    - Cluster Resources
      - Show Cluster Resources
        - Show Resource Information by Node
          - Select Node Name
            - perseus

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

[TOP]

Resource Group Name                          tucanasip
Node Relationship                            cascading
Participating Node Name(s)                   tucana perseus
Service IP Label                             tucana
Filesystems                                  /amfs1
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported       /amfs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                                amvg
Concurrent Volume Groups
Disks


Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers                          PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Resource Group Name                          perseusip
Node Relationship                            cascading
Participating Node Name(s)                   perseus tucana
Service IP Label                             perseus
Filesystems
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Run Time Parameters:

Node Name                                    perseus
Debug Level                                  high
Host uses NIS or Name Server                 false

[BOTTOM]

SMITTY MENU Hierarchy:

HACMP for AIX
  - Cluster Configuration
    - Cluster Resources
      - Show Cluster Resources
        - Show Resource Information by Node
          - Select Node Name
            - tucana

COMMAND STATUS

Command: OK stdout: yes stderr: no


Before command completion, additional instructions may appear below.

[TOP]

Resource Group Name                          tucanasip
Node Relationship                            cascading
Participating Node Name(s)                   tucana perseus
Service IP Label                             tucana
Filesystems                                  /amfs1
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported       /amfs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                                amvg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers                          PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Resource Group Name                          perseusip
Node Relationship                            cascading
Participating Node Name(s)                   perseus tucana
Service IP Label                             perseus
Filesystems
Filesystems Consistency Check                fsck
Filesystems Recovery Method                  sequential
Filesystems/Directories to be exported
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups           false
Inactive Takeover                            false
Cascading Without Fallback                   false
9333 Disk Fencing                            false
SSA Disk Fencing                             false
Filesystems mounted before IP configured     false

Run Time Parameters:

Node Name                                    tucana
Debug Level                                  high
Host uses NIS or Name Server                 false

[BOTTOM]


SMITTY MENU Hierarchy:

HACMP for AIX
  - Cluster Configuration
    - Cluster Resources
      - Show Cluster Resources
        - Show Resource Information by Resource Group
          - Select Resource Group Name
            - perseusip

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

Resource Group Name perseusipNode Relationship cascadingParticipating Node Name(s) perseus tucanaService IP Label perseusFilesystemsFilesystems Consistency Check fsckFilesystems Recovery Method sequentialFilesystems/Directories to be exportedFilesystems to be NFS mountedNetwork For NFS MountVolume GroupsConcurrent Volume GroupsDisksShared Tape ResourcesAIX Connections ServicesAIX Fast Connect ServicesApplication ServersHighly Available Communication LinksMiscellaneous DataAutomatically Import Volume Groups falseInactive Takeover falseCascading Without Fallback false9333 Disk Fencing falseSSA Disk Fencing falseFilesystems mounted before IP configured false

Run Time Parameters:

Node Name                                  perseus
Debug Level                                high
Host uses NIS or Name Server               false

Node Name                                  tucana
Debug Level                                high
Host uses NIS or Name Server               false

SMITTY MENU Hierarchy:

HACMP for AIX
  - Cluster Configuration
    - Cluster Resources
      - Show Cluster Resources
        - Show Resource Information by Resource Group
          - Select Resource Group Name
            - tucanasip

COMMAND STATUS

Command: OK stdout: yes stderr: no

Before command completion, additional instructions may appear below.

Resource Group Name                        tucanasip
Node Relationship                          cascading
Participating Node Name(s)                 tucana perseus
Service IP Label                           tucana
Filesystems                                /amfs1
Filesystems Consistency Check              fsck
Filesystems Recovery Method                sequential
Filesystems/Directories to be exported     /amfs1
Filesystems to be NFS mounted
Network For NFS Mount
Volume Groups                              amvg
Concurrent Volume Groups
Disks
Shared Tape Resources
AIX Connections Services
AIX Fast Connect Services
Application Servers                        PDMGR
Highly Available Communication Links
Miscellaneous Data
Automatically Import Volume Groups         false
Inactive Takeover                          false
Cascading Without Fallback                 false
9333 Disk Fencing                          false
SSA Disk Fencing                           false
Filesystems mounted before IP configured   false

Run Time Parameters:

Node Name                                  tucana
Debug Level                                high
Host uses NIS or Name Server               false

Node Name                                  perseus
Debug Level                                high
Host uses NIS or Name Server               false

Part 3: Application server definition within HACMP topology

SMITTY MENU Hierarchy:

HACMP for AIX
  - Cluster Configuration
    - Cluster Resources
      - Define Application Servers
        - Change / Show an Application Server

Change Application Server


Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                           [Entry Fields]
  Server Name                              PDMGR
  New Server Name                          [PDMGR]
  Start Script                             [/usr/bin/pd_start start]
  Stop Script                              [/usr/bin/pd_start stop]

Creating a standby policy server environment

To create a standby policy server environment, follow these steps:

1. On both the primary policy server and the standby policy server systems, create an ivmgr user ID, an ivmgr group ID, a tivoli user ID, and a tivoli group ID. Before creating these IDs, ensure that the /etc/security/limits file on each system has the same default settings (where the creation of user and group IDs is concerned). These settings are necessary to ensure that the user and group IDs are created with exactly the same characteristics on both systems. To create these IDs, do one of the following:

   • Use the SMITTY utility to ensure that both AIX systems use the same number for each ID. For example, both systems must have the same ID number for the ivmgr user ID. In addition, the ID numbers must be different for each of the four IDs.

   • Create a script similar to the sample shown in “Script: Setting UIDs for both the primary and standby systems” on page 527. Run this script to set UIDs for ivmgr and tivoli users and groups. For example, if this script was named setivug, the following command would create an ivmgr group with an ID of 250, an ivmgr user with an ID of 251, a tivoli group with an ID of 260, and a tivoli user with an ID of 261:

      ./setivug 250 251 260 261

   Note: Ensure that the four UID values are not being used on either system before attempting to create them.

2. After configuring and starting the HACMP cluster on your two systems, create a directory, such as /share in the shared file system, which is mountable on these systems. For example, create a /share directory on the shared external SSA-based storage tower. To do so, follow these steps:

   a. Using the system that will serve as the primary policy server, create a /share directory in the shared file system. This shared directory, located in the external SSA-based storage tower, will contain critical information that must be shared between the primary and standby policy servers.

   b. Create a /share subdirectory named /PolicyDirector (/share/PolicyDirector). Also ensure that ivmgr is the owner and ivmgr is the group associated with both directories.

   c. Use SMITTY HACMP menus to simulate an IP takeover scenario. To do so, stop cluster services on the primary policy server machine using the graceful with takeover shutdown mode. When the cluster shutdown completes on the primary policy server, the standby policy server takes over the service IP address of the primary policy server and is able to access the /share and /share/PolicyDirector directories within the shared file system.

   d. From the standby policy server system, issue the ls -l command to validate that both of these directories are associated with the ivmgr user and the ivmgr group.

   e. Restart the cluster on the primary policy server. After the restart has completed, the service IP address will be restored to the primary policy server system and the shared file system will be mounted on the primary policy server system.

3. On the primary policy server, do the following:

   a. Install and configure required Tivoli Access Manager components using either the install_ammgr wizard or the native installation method. For instructions, see Chapter 4, “Setting up a policy server,” on page 137. Figure 4 illustrates the location of key files after the primary policy server is installed and configured.

   b. Stop the primary policy server.

   c. Edit the /opt/PolicyDirector/etc/ivmgrd.conf file and do the following:

      1) Within the [ssl] stanza, change the value of the ssl-io-inactivity-timeout entry to 300.

      2) Within the [configuration-database] stanza, update the file= entry to indicate the fully qualified location of the ivmgrd.conf.obf file within the SHARED external file system. For example:

         file=/share/PolicyDirector/etc/ivmgrd.conf.obf

   d. Edit the /opt/PolicyDirector/pd.conf file and change the host name of the primary policy server to match the host name of the service IP interface, which was configured in your HACMP configuration for this system. In the example depicted in “HACMP environment scenario” on page 513, this host name value was tucana.

   e. After changes are saved to the configuration files, create a script similar to the sample shown in “Script: Linking files and directories on the primary system” on page 529. Run this script on the primary policy server to link required files and directories to the shared file system (/share). Figure 5 on page 525 illustrates the location of key files after they have been moved to the shared file system. Note that the standby policy server has not been configured at this point.

Figure 4. Primary policy server after initial configuration

(Figure 4 shows the primary policy server, tucana, running PDRTE with these key files in their default locations:
  /opt/PolicyDirector/etc/pd.conf
  /opt/PolicyDirector/etc/ivmgrd.conf
  /opt/PolicyDirector/etc/ivmgrd.conf.obf
  /var/PolicyDirector/keytab/ivmgrd.kdb
  /var/PolicyDirector/keytab/ivmgrd.sth
  /var/PolicyDirector/db/master_authzn.db
  /var/PolicyDirector/keytab/pd.kdb
  /var/PolicyDirector/keytab/pd.sth
  /var/PolicyDirector/keytab/pdcacert.b64)


   f. Restart the primary policy server.

   g. Verify the directory structure, file location, soft links and file permissions as shown on page 530.

4. On the standby policy server, do the following:

   a. Install (do not configure) required Tivoli Access Manager components using a native installation utility, such as installp. For instructions, see “AIX: Installing the policy server” on page 142.

   b. Ensure that the HACMP cluster is running on this system and validate that the shared external file system (/share/PolicyDirector) is accessible. This is necessary so that the configuration process can access .conf files stored in the file system. For the standby policy server to access this shared external file system, the primary policy server must be shut down. To do so, use the SMITTY HACMP menus to stop cluster services by specifying the graceful with takeover shutdown mode on the primary policy server system. After the cluster has been stopped on this system and after the HACMP failover operation is completed (which should take no more than a minute), verify that the standby policy server system has taken over the service IP address of the primary policy server and that the shared file system is mounted on the standby policy server system.

   c. Configure the standby policy server using the pdconfig utility. For instructions, see “AIX: Installing the policy server” on page 142.

      Note: The primary policy server does not have to be running to configure a standby policy server. However, the registry server that is used by the primary policy server must be available and running on a different system than the primary policy server system.

      During configuration, the pdconfig utility detects that a policy server configuration already exists. Respond y (Yes) to the following prompts:

         A policy server is already configured to this LDAP server. A second
         policy server may be configured for migration or standby purposes ONLY!
         Would you like to configure a second policy server to this LDAP server (y/n) [No]? y
         Use this policy server for standby (y/n) [No]: y

Figure 5. Primary policy server after incorporating use of the shared file system


      When prompted, type the “fully qualified” location of the ivmgrd.conf file (the existing policy server configuration file). For example, if the shared directory is /share, type the following:

         /share/PolicyDirector/ivmgrd.conf

      The pdconfig utility places a link to this file in the /opt/PolicyDirector/etc directory and modifies the ivmgrd.conf file to enable standby operation.

      Note: After successful configuration of the standby policy server, the standby policy server is not started. It will automatically start only after a failover condition is detected by the HACMP software that is running on the standby policy server. Otherwise, serious errors and conflicts can occur if both the primary and the standby policy servers attempt to run in a concurrent manner.

   d. Create a script similar to the sample shown in “Script: Linking from the AIX system files to the shared directory on the standby system” on page 532. Run this script to link from the AIX system files to the shared directory.

   e. Verify the directory structure, file location, soft links and file permissions as shown on page 533.

   Note: Because both systems share the same directory, the contents of /share/PolicyDirector on the standby server must be identical to the contents shown for the primary server.

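Step 3c above changes two entries that live in two different stanzas of ivmgrd.conf, and the same key name can occur in more than one stanza of a Tivoli Access Manager .conf file, so a plain search-and-replace over the whole file is unsafe. The following is an added example (not from the guide) that applies exactly those two edits with a stanza-aware awk editor and reads the values back to confirm them; the sample configuration file, its [other] stanza and the starting values are constructed for the demonstration, and set_stanza_entry and get_stanza_entry are helper names chosen here.

```shell
#!/bin/sh
# Added example (not part of the guide): stanza-aware editing of ivmgrd.conf.
# TAM .conf files are INI-style: "[stanza]" headers followed by "key = value".

# set_stanza_entry FILE STANZA KEY VALUE
# Rewrites the first "KEY = ..." line inside [STANZA] only. Returns 1 and leaves
# FILE untouched if the stanza or key is not there, so a typo cannot silently
# add an entry in the wrong place that the policy server would then ignore.
set_stanza_entry() {
    conf=$1 tmp="$1.tmp.$$"
    if awk -v stanza="$2" -v key="$3" -v value="$4" '
        /^\[.*\]$/ { in_stanza = ($0 == ("[" stanza "]")) }
        in_stanza && !done && $0 ~ ("^" key "[ \t]*=") {
            print key " = " value; done = 1; next
        }
        { print }
        END { if (!done) exit 2 }
    ' "$conf" > "$tmp"; then
        mv "$tmp" "$conf"
    else
        rm -f "$tmp"
        echo "set_stanza_entry: no '$3' entry in [$2] of $conf" >&2
        return 1
    fi
}

# get_stanza_entry FILE STANZA KEY
# Prints the value of KEY inside [STANZA] (used here to verify the edits).
get_stanza_entry() {
    awk -F= -v stanza="$2" -v key="$3" '
        /^\[.*\]$/ { in_stanza = ($0 == ("[" stanza "]")); next }
        in_stanza {
            k = $1; sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# Constructed excerpt in the layout of ivmgrd.conf; the [other] stanza and the
# starting values are illustrative only. The duplicate key in [other] shows that
# only the [ssl] stanza is touched.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[other]
ssl-io-inactivity-timeout = 30

[ssl]
ssl-keyfile = /var/PolicyDirector/keytab/ivmgrd.kdb
ssl-io-inactivity-timeout = 30

[configuration-database]
file = /opt/PolicyDirector/etc/ivmgrd.conf.obf
EOF

# Step 3c, 1): the [ssl] stanza's ssl-io-inactivity-timeout becomes 300.
set_stanza_entry "$SAMPLE_CONF" ssl ssl-io-inactivity-timeout 300
# Step 3c, 2): the [configuration-database] file= entry points into the shared file system.
set_stanza_entry "$SAMPLE_CONF" configuration-database file /share/PolicyDirector/etc/ivmgrd.conf.obf

echo "[ssl] ssl-io-inactivity-timeout = $(get_stanza_entry "$SAMPLE_CONF" ssl ssl-io-inactivity-timeout)"
echo "[configuration-database] file = $(get_stanza_entry "$SAMPLE_CONF" configuration-database file)"
```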
Configuration of the primary and standby policy servers is now complete. At this point, the HACMP cluster is down on the primary policy server system and up on the standby policy server system.

Before testing the policy server failover capabilities, verification must be performed to ensure that the policy server executable is specified in the HACMP configuration as an application server. To verify using the SMITTY utility, select Show Cluster Resources from the HACMP Cluster Resources panel to display the cluster resources. To define an application server, select the Add an Application Server option from the HACMP Define Application Servers panel. After this panel is selected, the start script (/usr/bin/pd_start start) and the stop script (/usr/bin/pd_start stop) for the policy server executable are specified.

Figure 6 on page 527 illustrates the location of key files after using a native installation method to configure the standby policy server. Appropriate links to these key files within the shared system are also created.


After the application server configuration has been verified, it is now possible to fully activate the HACMP primary or standby policy server configuration. To activate this configuration, the HACMP cluster on the primary policy server system must be restarted. This action will start the primary policy server and put the standby policy server in standby mode.

Script: Setting UIDs for both the primary and standby systems

Use a script similar to the following to set UIDs for ivmgr and tivoli users and groups on both the primary and standby policy server systems.

Figure 6. Completed primary/standby policy server environment


#!/bin/ksh
#
# This script sets the uid values for the ivmgr user and the ivmgr group
# to values that are specified on the command line when this script is
# executed. In addition, this script defines the tivoli group uid and the
# tivoli user uid.
#
# The first parameter ($1) is the uid for the ivmgr group. The second parameter
# ($2) is the uid for the ivmgr user. The third parameter ($3) is the uid
# for the tivoli group. The fourth parameter ($4) is for the tivoli user uid.
# Before executing this script, ensure that the four uid values ARE NOT already
# being used on either system.
#
# Due to the importance of these values, it is ABSOLUTELY necessary on the
# system which will run as the Standby Policy Server to set the ivmgr group
# uid and the ivmgr user uid to MATCH the corresponding settings for these
# entities on the system which is serving as the Primary Policy Server. Also,
# since the definition of the ivmgr user has membership in the tivoli group,
# it is also necessary to create the tivoli group as well. Finally, since
# the tivoli group contains the tivoli user, the tivoli user, with the
# appropriate uid, must be defined as well. These user/group settings ensure
# consistency across the two policy servers, allowing each system to take
# over the role of the Primary Policy Server when it is appropriate.
# Otherwise, the Standby Policy Server will not run, or will not even configure
# correctly, if these values are not the same on BOTH systems.
#
# Note that this script, setivug, MUST be run BEFORE the Standby Policy Server
# is installed. As a matter of fact, it is recommended that this script be run
# BEFORE any Access Manager software is installed on either the Primary OR the
# Standby Policy Server. In this way, all four of these IDs will be consistent
# across BOTH systems.
#
# Usage: setivug <ivmgr gid> <ivmgr uid> <tivoli gid> <tivoli uid>
#
set -e
set -x

#
# Create the ivmgr and tivoli groups with the appropriate uids
#
mkgroup -'A' id="$1" ivmgr
mkgroup -'A' id="$3" tivoli

#
# x: wrapper around mkuser. It re-quotes every attribute=value argument so
# that values containing commas or spaces survive the eval, and it turns the
# pseudo-attribute admin=true into the mkuser -a flag.
#
x() {
    LIST=
    SET_A=
    for i in "$@"
    do
        if [ "$i" = "admin=true" ]
        then
            SET_A="-a"
            continue
        fi
        LIST="$LIST \"$i\""
    done
    eval mkuser $SET_A $LIST
}

#
# Now define the ivmgr user uid to be a part of the staff, tivoli, and ivmgr groups.
# (This is one command, continued over two lines.)
#
x id="$2" pgrp='staff' groups='staff,tivoli,ivmgr' home='/opt/PolicyDirector' \
  shell='/usr/bin/ksh' gecos='Policy Director Manager' ivmgr

#
# Now define the tivoli user uid to be a part of the staff and tivoli groups.
# (This is one command, continued over two lines.)
#
x id="$4" pgrp='staff' groups='staff,tivoli' home='/home/tivoli' shell='/usr/bin/ksh' \
  gecos='Owner of Tivoli Common Files' tivoli
#

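The note in step 1 and the comments in setivug both require that none of the four ID values is already in use on either system, and that they differ from one another. The following is an added example (not from the guide) of a pre-flight check that takes the same four arguments as setivug, in the same order, and rejects any combination that collides with an existing entry; the passwd and group files it reads are constructed samples (on a live node you would pass copies of /etc/passwd and /etc/group from each system), and check_id_free and preflight_ids are helper names chosen here.

```shell
#!/bin/sh
# Added example (not part of the guide): pre-flight check for the four IDs that
# setivug takes (ivmgr gid, ivmgr uid, tivoli gid, tivoli uid). The passwd and
# group files are parameters so that copies fetched from both the primary and
# the standby node can be checked side by side before either system is touched.

# check_id_free FILE NAME ID
# FILE is in passwd or group layout (name:password:id:...). Prints one line per
# entry that already uses NAME or ID and returns 1 if any such entry exists.
check_id_free() {
    awk -F: -v name="$2" -v id="$3" '
        $1 == name || $3 == id {
            print FILENAME ": " $1 " (id " $3 ") conflicts with " name " id " id
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# preflight_ids PASSWD_FILE GROUP_FILE IVMGR_GID IVMGR_UID TIVOLI_GID TIVOLI_UID
# Returns 0 only if the four numbers are distinct and neither they nor the
# names ivmgr and tivoli are already present in the given files.
preflight_ids() {
    passwd=$1 group=$2
    shift 2
    if [ $# -ne 4 ]; then
        echo "usage: preflight_ids PASSWD GROUP IVMGR_GID IVMGR_UID TIVOLI_GID TIVOLI_UID" >&2
        return 1
    fi
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*) echo "not a numeric id: '$n'" >&2; return 1 ;;
        esac
    done
    # The guide requires four different numbers.
    dups=$(printf '%s\n' "$@" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "the four ids must differ; repeated: $dups" >&2
        return 1
    fi
    ok=0
    check_id_free "$group"  ivmgr  "$1" || ok=1
    check_id_free "$passwd" ivmgr  "$2" || ok=1
    check_id_free "$group"  tivoli "$3" || ok=1
    check_id_free "$passwd" tivoli "$4" || ok=1
    return $ok
}

# Constructed sample files standing in for /etc/passwd and /etc/group on one node.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
guest:!:100:100::/home/guest:
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
system:!:0:root
staff:!:1:
security:!:7:root
EOF

# The values used in the guide's example are free on this node, so setivug may run:
if preflight_ids "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" 250 251 260 261; then
    echo "ok: ./setivug 250 251 260 261"
fi
# gid 1 already belongs to the staff group, so this combination is rejected:
preflight_ids "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" 1 251 260 261 || echo "rejected, as intended"
```

Run it against the files from both nodes with the same four numbers; setivug should only be started once it returns 0 on each.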

Script: Linking files and directories on the primary system

Use a script similar to the following to link required files and directories on the primary policy server system.

#!/bin/ksh
#
# Stop at the first failed step so that no link is created for a file or
# directory that was not actually moved to the shared file system.
set -e

# Save a copy of the 3 files below under the .bkp extension
cp -p /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkp
cp -p /opt/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/etc/ivmgrd.conf.bkp
cp -p /opt/PolicyDirector/etc/ivmgrd.conf.obf /opt/PolicyDirector/etc/ivmgrd.conf.obf.bkp

# Move configuration files to shared directory on the external file system
mv /opt/PolicyDirector/etc/pd.conf /share/PolicyDirector
mv /opt/PolicyDirector/etc/ivmgrd.conf /share/PolicyDirector/ivmgrd.conf
mv /opt/PolicyDirector/etc/ivmgrd.conf.obf /share/PolicyDirector/ivmgrd.conf.obf

# Link the configuration files back to the original installation directory
# and change the ownership and group of these links to ivmgr.
ln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etc
ln -s /share/PolicyDirector/ivmgrd.conf /opt/PolicyDirector/etc
ln -s /share/PolicyDirector/ivmgrd.conf.obf /opt/PolicyDirector/etc
chown -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf
chown -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf.obf
chown -h ivmgr /opt/PolicyDirector/etc/pd.conf
chgrp -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf
chgrp -h ivmgr /opt/PolicyDirector/etc/ivmgrd.conf.obf
chgrp -h ivmgr /opt/PolicyDirector/etc/pd.conf

# For the keytab, db and lock subdirectories, create a backup of these directories,
# move their contents to the shared external file system, and link the files in
# these directories back to the original installation directory.

cp -R -p /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkp
mv /var/PolicyDirector/keytab /share/PolicyDirector
ln -s /share/PolicyDirector/keytab /var/PolicyDirector

cp -R -p /var/PolicyDirector/db /var/PolicyDirector/db_bkp
mv /var/PolicyDirector/db /share/PolicyDirector
ln -s /share/PolicyDirector/db /var/PolicyDirector

cp -R -p /var/PolicyDirector/lock /var/PolicyDirector/lock_bkp
mv /var/PolicyDirector/lock /share/PolicyDirector
ln -s /share/PolicyDirector/lock /var/PolicyDirector

# Change the ownership and group of these links to ivmgr.
chown -h ivmgr /var/PolicyDirector/db
chown -h ivmgr /var/PolicyDirector/keytab
chown -h ivmgr /var/PolicyDirector/lock
chgrp -h ivmgr /var/PolicyDirector/db
chgrp -h ivmgr /var/PolicyDirector/keytab
chgrp -h ivmgr /var/PolicyDirector/lock


Example: Verifying the primary server directories, soft links, and permissions

In the /opt/PolicyDirector/etc directory:

==> ls -l
total 3714
-rw-r-----   1 ivmgr    ivmgr       1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated
-rw-r--r--   1 ivmgr    ivmgr          2703 Oct 14 13:16 activedir_ldap.conf
-rw-r-----   1 ivmgr    ivmgr          2703 Jul 14 14:21 activedir_ldap.conf.template
-rw-r-----   1 ivmgr    ivmgr         18195 Jul  7 10:46 additional_licenses.txt
drw-rw----   2 ivmgr    ivmgr           512 Dec 31  1969 blades
-rw-r-----   1 ivmgr    ivmgr          5890 Jan 24  2003 config
-rw-r-----   1 ivmgr    ivmgr           718 May 13 11:40 domino.conf.template
-rw-r-----   1 ivmgr    ivmgr           114 Oct 10 11:48 ffdc
lrwxrwxrwx   1 ivmgr    ivmgr            36 Oct 15 13:45 ivmgrd.conf -> /amfs1/PolicyDirector/ivmgrd.conf
-rw-r-----   1 ivmgr    ivmgr         16949 Oct 14 13:19 ivmgrd.conf.bkp
lrwxrwxrwx   1 ivmgr    ivmgr            40 Oct 15 13:45 ivmgrd.conf.obf -> /amfs1/PolicyDirector/ivmgrd.conf.obf
-rw-r-----   1 ivmgr    ivmgr            64 Oct 14 13:19 ivmgrd.conf.obf.bkp
-rw-r-----   1 ivmgr    ivmgr         16731 Oct 10 11:29 ivmgrd.conf.template
-rw-r--r--   1 ivmgr    ivmgr          2319 Oct 14 13:18 ldap.conf
-rw-r-----   1 ivmgr    ivmgr          2187 Oct 10 11:21 ldap.conf.template
-rw-r--r--   1 ivmgr    ivmgr         36544 Sep 29 12:45 novschema.def
-rw-r--r--   1 ivmgr    ivmgr         26260 Sep 29 12:45 nsschema.def
lrwxrwxrwx   1 ivmgr    ivmgr            32 Oct 15 13:45 pd.conf -> /amfs1/PolicyDirector/pd.conf
-rw-r--r--   1 ivmgr    ivmgr          3736 Oct 14 13:20 pd.conf.bkp
-rw-r-----   1 ivmgr    ivmgr          3645 Oct 10 11:29 pd.conf.template
-rw-r-----   1 ivmgr    ivmgr          5576 Oct 10 10:05 pdbackup.lst
-rw-r-----   1 ivmgr    ivmgr          7448 Oct 10 10:05 pdinfo.lst
-rw-r--r--   1 ivmgr    ivmgr          5354 Oct 14 13:19 pdmgrd_routing
-rw-r--r--   1 ivmgr    ivmgr          5255 Oct 10 11:36 pdmgrd_routing.template
-rw-r--r--   1 ivmgr    ivmgr          1492 Oct 14 12:49 pdversion.dat
-rw-r--r--   1 ivmgr    ivmgr          1492 Aug 18 11:37 pdversion.dat.template
-rw-r-----   1 ivmgr    ivmgr          1466 Jan 24  2003 product
-rw-r--r--   1 ivmgr    ivmgr          5827 Oct 14 13:16 routing
-rw-r--r--   1 ivmgr    ivmgr          5674 Oct 10 11:36 routing.template
-rw-r--r--   1 ivmgr    ivmgr         14035 Sep 29 12:45 secschema.def
-rw-r--r--   1 ivmgr    ivmgr         11236 Jan 24  2003 secschema390.def
-rw-r--r--   1 ivmgr    ivmgr             1 Oct 14 12:49 startup
-rw-r--r--   1 ivmgr    ivmgr             1 Jun 24 10:48 startup.template
-rw-r--r--   1 ivmgr    ivmgr          1233 Jan 24  2003 upgrade3.7_ibm_schema.def
-rw-r--r--   1 ivmgr    ivmgr          1938 Jan 24  2003 upgrade3.7_ibm_schema390.def
-rw-r--r--   1 ivmgr    ivmgr          1744 Jan 24  2003 upgrade3.7_netscape_schema.def


In the /var/PolicyDirector directory:

==> ls -Rl
total 7
drwxrwxr-x   2 ivmgr    ivmgr           512 Dec 31  1969 audit
lrwxrwxrwx   1 ivmgr    ivmgr            27 Oct 15 13:45 db -> /amfs1/PolicyDirector/db
drwxrwxr-x   2 ivmgr    ivmgr           512 Oct 14 13:19 db_bkp
lrwxrwxrwx   1 ivmgr    ivmgr            31 Oct 16 15:48 keytab -> /amfs1/PolicyDirector/keytab
drwxr-xr-x   2 ivmgr    ivmgr           512 Oct 16 15:42 ke
ytab_bkp
lrwxrwxrwx   1 ivmgr    ivmgr            29 Oct 15 13:45 lock -> /amfs1/PolicyDirector/lock
drwxr-x---   2 ivmgr    ivmgr           512 Dec 31  1969 lock_bkp
drwxrwxrwx   3 ivmgr    ivmgr           512 Oct 16 13:40 log
drwxrwxr-x   2 ivmgr    ivmgr           512 Dec 31  1969 pdbackup
drwxr-x---   2 ivmgr    ivmgr           512 Oct 14 12:49 pdmgrd

./audit:
total 0

./db_bkp:
total 1056
-rw-------   1 ivmgr    ivmgr        540672 Oct 15 13:45 master_authzn.db

./keytab_bkp:
total 35
-rw-------   1 ivmgr    ivmgr         10080 Oct 14 13:19 ivmgrd.kdb
-rw-------   1 ivmgr    ivmgr           129 Oct 14 13:18 ivmgrd.sth
-rw-rw-rw-   1 root     system         5080 Oct 14 13:19 pd.kdb
-rw-rw-rw-   1 root     system          129 Oct 14 13:19 pd.sth
-rw-------   1 root     system         1070 Oct 14 13:18 pdcacert.b64

./lock_bkp:
total 0

In the SHARED directory, /share/PolicyDirector, on the external file system:

==> ls -Rl
total 80
drwxrwxr-x   2 ivmgr    ivmgr           512 Oct 14 13:19 db
-rw-r-----   1 ivmgr    ivmgr         16950 Oct 16 13:32 ivmgrd.conf
-rw-r-----   1 ivmgr    ivmgr            64 Oct 16 13:32 ivmgrd.conf.obf
drwxr-xr-x   2 ivmgr    ivmgr           512 Oct 16 15:42 keytab
drwxr-x---   2 ivmgr    ivmgr           512 Dec 31  1969 lock
-rw-r--r--   1 ivmgr    ivmgr          3736 Oct 14 13:20 pd.conf

./db:
total 1056
-rw-------   1 ivmgr    ivmgr        540672 Oct 16 16:18 master_authzn.db

./keytab:
total 64
-rw-------   1 ivmgr    ivmgr         10080 Oct 14 13:19 ivmgrd.kdb
-rw-------   1 ivmgr    ivmgr           129 Oct 14 13:18 ivmgrd.sth
-rw-rw-rw-   1 root     system         5080 Oct 14 13:19 pd.kdb
-rw-rw-rw-   1 root     system          129 Oct 14 13:19 pd.sth
-rw-------   1 root     system         1070 Oct 14 13:18 pdcacert.b64

./lock:
total 0


Script: Linking from the AIX system files to the shared directory on the standby system

Use a script similar to the following to link from the AIX system files to the shared directory on the standby policy server system.

#!/bin/ksh
#

# The Standby Policy Server must use the same configuration files as the
# Primary Policy Server. For this reason, the following links must be created
# in order for the Standby Policy Server to function correctly.
#
# Note the Access Manager configuration software will automatically create
# a link to the ivmgrd.conf file that is stored in the shared external file system.

# Stop at the first failed step so that no link is created for a file or
# directory that was not moved aside.
set -e

# Backup pd.conf to pd.conf.bkp and link to pd.conf in the shared external file system
mv /opt/PolicyDirector/etc/pd.conf /opt/PolicyDirector/etc/pd.conf.bkp
ln -s /share/PolicyDirector/pd.conf /opt/PolicyDirector/etc

# Backup keytab, db and lock directories and link the keytab, db, and lock
# directories to their corresponding files in the shared external file system.

mv /var/PolicyDirector/keytab /var/PolicyDirector/keytab_bkp
ln -s /share/PolicyDirector/keytab /var/PolicyDirector

mv /var/PolicyDirector/db /var/PolicyDirector/db_bkp
ln -s /share/PolicyDirector/db /var/PolicyDirector

mv /var/PolicyDirector/lock /var/PolicyDirector/lock_bkp
ln -s /share/PolicyDirector/lock /var/PolicyDirector

# Change the group and ownership of the four links above to ivmgr.
chown -h ivmgr /opt/PolicyDirector/etc/pd.conf
chown -h ivmgr /var/PolicyDirector/db
chown -h ivmgr /var/PolicyDirector/keytab
chown -h ivmgr /var/PolicyDirector/lock
chgrp -h ivmgr /opt/PolicyDirector/etc/pd.conf
chgrp -h ivmgr /var/PolicyDirector/db
chgrp -h ivmgr /var/PolicyDirector/keytab
chgrp -h ivmgr /var/PolicyDirector/lock


Example: Verifying standby server directories, soft links and permissions

In the /opt/PolicyDirector/etc directory:

==> ls -l
total 3668
-rw-r-----   1 ivmgr    ivmgr       1682440 Oct 10 11:48 AccessManagerBaseAutoTraceDatabaseFile.obfuscated
-rw-r--r--   1 ivmgr    ivmgr          2703 Oct 16 13:26 activedir_ldap.conf
-rw-r-----   1 ivmgr    ivmgr          2703 Jul 14 14:21 activedir_ldap.conf.template
-rw-r-----   1 ivmgr    ivmgr         18195 Jul 07 10:46 additional_licenses.txt
drw-rw----   2 ivmgr    ivmgr           512 Dec 31  1969 blades
-rw-r-----   1 ivmgr    ivmgr          5890 Jan 24  2003 config
-rw-r-----   1 ivmgr    ivmgr           718 May 13 11:40 domino.conf.template
-rw-r-----   1 ivmgr    ivmgr           114 Oct 10 11:48 ffdc
lrwxrwxrwx   1 root     system           36 Oct 16 13:32 ivmgrd.conf -> /amfs1/PolicyDirector/ivmgrd.conf
lrwxrwxrwx   1 root     system           40 Oct 16 13:32 ivmgrd.conf.obf -> /amfs1/PolicyDirector/ivmgrd.conf.obf
-rw-r-----   1 ivmgr    ivmgr         16731 Oct 10 11:29 ivmgrd.conf.template
-rw-r--r--   1 ivmgr    ivmgr          2319 Oct 16 13:31 ldap.conf
-rw-r-----   1 ivmgr    ivmgr          2187 Oct 10 11:21 ldap.conf.template
-rw-r--r--   1 ivmgr    ivmgr         36544 Sep 29 12:45 novschema.def
-rw-r--r--   1 ivmgr    ivmgr         26260 Sep 29 12:45 nsschema.def
lrwxrwxrwx   1 ivmgr    ivmgr            32 Oct 16 13:36 pd.conf -> /amfs1/PolicyDirector/pd.conf
-rw-r--r--   1 ivmgr    ivmgr          3741 Oct 16 13:32 pd.conf.bkp
-rw-r-----   1 ivmgr    ivmgr          3645 Oct 10 11:29 pd.conf.template
-rw-r-----   1 ivmgr    ivmgr          5576 Oct 10 10:05 pdbackup.lst
-rw-r-----   1 ivmgr    ivmgr          7448 Oct 10 10:05 pdinfo.lst
-rw-r--r--   1 ivmgr    ivmgr          5255 Oct 10 11:36 pdmgrd_routing.template
-rw-r--r--   1 ivmgr    ivmgr          1492 Oct 16 13:27 pdversion.dat
-rw-r--r--   1 ivmgr    ivmgr          1492 Aug 18 11:37 pdversion.dat.template
-rw-r-----   1 ivmgr    ivmgr          1466 Jan 24  2003 product
-rw-r--r--   1 ivmgr    ivmgr          5810 Oct 16 13:27 routing
-rw-r--r--   1 ivmgr    ivmgr          5674 Oct 10 11:36 routing.template
-rw-r--r--   1 ivmgr    ivmgr         14035 Sep 29 12:45 secschema.def
-rw-r--r--   1 ivmgr    ivmgr         11236 Jan 24  2003 secschema390.def
-rw-r--r--   1 ivmgr    ivmgr             1 Oct 16 13:27 startup
-rw-r--r--   1 ivmgr    ivmgr             1 Jun 24 10:48 startup.template
-rw-r--r--   1 ivmgr    ivmgr          1233 Jan 24  2003 upgrade3.7_ibm_schema.def
-rw-r--r--   1 ivmgr    ivmgr          1938 Jan 24  2003 upgrade3.7_ibm_schema390.def
-rw-r--r--   1 ivmgr    ivmgr          1744 Jan 24  2003 upgrade3.7_netscape_schema.def


In the /var/PolicyDirector directory:

==> ls -Rl
total 7
drwxrwxr-x   2 ivmgr    ivmgr           512 Dec 31  1969 audit
lrwxrwxrwx   1 ivmgr    ivmgr            27 Oct 16 13:36 db -> /amfs1/PolicyDirector/db
drwxrwxr-x   2 ivmgr    ivmgr           512 Dec 31  1969 db_bkp
lrwxrwxrwx   1 ivmgr    ivmgr            31 Oct 16 13:36 keytab -> /amfs1/PolicyDirector/keytab
drwxrwxrwx   2 ivmgr    ivmgr           512 Dec 31  1969 keytab_bkp
lrwxrwxrwx   1 ivmgr    ivmgr            29 Oct 16 13:36 lock -> /amfs1/PolicyDirector/lock
drwxr-x---   2 ivmgr    ivmgr           512 Dec 31  1969 lock_bkp
drwxrwxrwx   2 ivmgr    ivmgr           512 Dec 31  1969 log
drwxrwxr-x   2 ivmgr    ivmgr           512 Dec 31  1969 pdbackup
drwxr-x---   2 ivmgr    ivmgr           512 Oct 16 13:24 pdmgrd

./audit:
total 0

./db_bkp:
total 0

./keytab_bkp:
total 0

./lock_bkp:
total 0

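Steps 3g and 4e ask you to compare the directory structure, soft links and permissions on each node with the listings above. The following is an added example (not from the guide) that performs that comparison programmatically: every link must exist and point into the shared directory, the four links the guide's scripts chown (pd.conf, keytab, db, lock) must be owned by ivmgr:ivmgr on the link itself, and the ivmgrd.kdb key database and ivmgrd.sth stash file must remain readable by their owner only, as both listings show. The scratch tree it builds is constructed to stand in for a node, the expected owner is taken from that tree because the demo cannot chown to ivmgr, and check_link and verify_links are helper names chosen here; on a live node pass "" as the root, the actual mount point (/share in the procedure, /amfs1 in the listings) as the share, and ivmgr ivmgr as owner and group.

```shell
#!/bin/sh
# Added example (not part of the guide): check the soft links and permissions
# that the primary and standby verification listings in the guide show.

# check_link LINK TARGET [OWNER GROUP]
# LINK must be a symbolic link whose target string is TARGET, the target must
# exist and, when OWNER and GROUP are given, the link itself must be owned by them.
check_link() {
    link=$1 want=$2 want_owner=$3 want_group=$4 bad=0
    if [ ! -L "$link" ]; then
        echo "BAD: $link is not a symbolic link"
        return 1
    fi
    # ls -ld on a link describes the link itself: owner, group and "-> target".
    set -- $(ls -ld "$link" | awk '{print $3, $4, $NF}')
    [ "$3" = "$want" ] || { echo "BAD: $link -> $3, expected $want"; bad=1; }
    [ -e "$link" ]     || { echo "BAD: $link points at $want, which does not exist"; bad=1; }
    if [ -n "$want_owner" ] && [ "$1:$2" != "$want_owner:$want_group" ]; then
        echo "BAD: $link is owned by $1:$2, expected $want_owner:$want_group"
        bad=1
    fi
    return $bad
}

# verify_links ROOT SHARE OWNER GROUP
# ROOT is the system root ("" on a live node, a scratch tree in the demo below);
# SHARE is the mount point of the shared file system. Returns 0 when everything
# matches the guide's listings, 1 otherwise (each problem is printed).
verify_links() {
    root=$1 share=$2 owner=$3 grp=$4 rc=0
    # Links that the guide's scripts chown/chgrp to ivmgr.
    for p in opt/PolicyDirector/etc/pd.conf var/PolicyDirector/keytab \
             var/PolicyDirector/db var/PolicyDirector/lock; do
        check_link "$root/$p" "$share/PolicyDirector/${p##*/}" "$owner" "$grp" || rc=1
    done
    # Links that pdconfig creates on the standby (the standby listing shows them
    # owned by root:system), so only their target is checked.
    for p in opt/PolicyDirector/etc/ivmgrd.conf opt/PolicyDirector/etc/ivmgrd.conf.obf; do
        check_link "$root/$p" "$share/PolicyDirector/${p##*/}" || rc=1
    done
    # The key database and the stash file that unlocks it are -rw------- in both
    # listings; on a shared file system a looser mode exposes them to every node.
    for f in ivmgrd.kdb ivmgrd.sth; do
        mode=$(ls -l "$share/PolicyDirector/keytab/$f" 2>/dev/null | cut -c1-10)
        [ "$mode" = "-rw-------" ] || { echo "BAD: keytab/$f mode '${mode:-missing}', expected -rw-------"; rc=1; }
    done
    return $rc
}

# Constructed scratch tree standing in for a node after the linking script ran.
DEMO=$(mktemp -d)
SHARE=$DEMO/share
mkdir -p "$SHARE/PolicyDirector/keytab" "$SHARE/PolicyDirector/db" \
         "$SHARE/PolicyDirector/lock" "$DEMO/opt/PolicyDirector/etc" "$DEMO/var/PolicyDirector"
for f in pd.conf ivmgrd.conf ivmgrd.conf.obf; do
    : > "$SHARE/PolicyDirector/$f"
    ln -s "$SHARE/PolicyDirector/$f" "$DEMO/opt/PolicyDirector/etc/$f"
done
for d in keytab db lock; do
    ln -s "$SHARE/PolicyDirector/$d" "$DEMO/var/PolicyDirector/$d"
done
: > "$SHARE/PolicyDirector/keytab/ivmgrd.kdb"
: > "$SHARE/PolicyDirector/keytab/ivmgrd.sth"
chmod 600 "$SHARE/PolicyDirector/keytab/ivmgrd.kdb" "$SHARE/PolicyDirector/keytab/ivmgrd.sth"

# On a live node the expected owner is ivmgr:ivmgr; the demo cannot chown, so it
# expects whoever created the scratch tree.
DEMO_OWNER=$(ls -ld "$DEMO" | awk '{print $3}')
DEMO_GROUP=$(ls -ld "$DEMO" | awk '{print $4}')

verify_links "$DEMO" "$SHARE" "$DEMO_OWNER" "$DEMO_GROUP" && echo "all links and permissions match"
```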

Chapter 25. Setting up a Tivoli Directory Server proxy environment

This example scenario explains how to set up the proxy environment shown in Figure 7 when using Tivoli Access Manager. This example evenly distributes the Directory Information Tree (DIT) across two Tivoli Directory Server servers (Server A and Server B) based on a hash of the Relative Distinguished Name (RDN®). Because the Tivoli Directory Server proxy server handles the routing of requests to the servers, no referrals are used. LDAP client applications, such as Tivoli Access Manager, need only be aware of the Tivoli Directory Server proxy server. Client applications never have to authenticate directly with Server A or Server B. The Tivoli Directory Server proxy server (Proxy) is configured to assist with handling the distribution of the DIT and to make the distribution of the data transparent to applications that use the data.

This section describes:

• “Configuring the Tivoli Directory Server proxy”
• “Configuring Tivoli Access Manager to use the proxy” on page 543
• “Unconfiguring Tivoli Access Manager from the proxy” on page 545

For more comprehensive information on configuring the Tivoli Directory Server proxy, such as using the command line interfaces, see the IBM Tivoli Directory Server Version 6.0 Administration Guide. If you already have the Tivoli Directory Server proxy configured for use with Tivoli Access Manager, you can continue with “Configuring Tivoli Access Manager to use the proxy” on page 543.

Note: In this section, proxy and proxy server refer to the Tivoli Directory Server proxy and not to the Tivoli Access Manager policy proxy server.

Configuring the Tivoli Directory Server proxy

Figure 7. Tivoli Directory Server proxy environment

(Figure 7 shows the Proxy in front of Server A and Server B; each back-end server carries its own copy of the schema and ACLs.)

The Tivoli Directory Server proxy server is configured with its own schema. Ensure that the proxy server is configured with the same schema as the back-end servers for which it is acting as the proxy. The Tivoli Directory Server version 6.1 includes the schema for IBM Tivoli Access Manager for e-business. Assuming that the proxy server and each of the back-end servers is also Tivoli Directory Server version 6.1, the schema is already in place to support Tivoli Access Manager. The Tivoli Directory Server proxy server must also be configured with partition information, which determines how the data is distributed between the back-end servers.

In this example the data within the subtree is split based on the hash value of the RDN. Hashing is only supported on the RDN at one level in the tree under a container. Nested partitions are allowed. In the case of a compound RDN the entire normalized compound RDN is hashed. The hash algorithm assigns an index value to the DN of each entry. This value is then used to distribute the entries across the available servers.

Notes:

1. The parent entries across multiple servers must remain synchronized. The LDAP administrator must maintain the parent entries.

2. ACLs must be defined at the partition base level on each server.

3. The number of partitions and the partition level are determined when the Tivoli Directory Server proxy server is configured and when the data is split. There is no way to expand or reduce the topology without re-partitioning.

Entries that exist at the base of a partition, for example o=ibm,c=us, cannot be modified through the Tivoli Directory Server proxy server (Proxy). The proxy server can return one of these entries during a search. The proxy searches for duplicates on the back-end servers (Server A, Server B). Any entry that is returned is a random entry (either Server A or Server B).

Type of configuration information

In a distributed directory, the following configuration information must be kept synchronized among the servers:

Subtree policies
    ACLs are currently the only type of subtree policy. ACLs are honored locally within a server only. When data is split across a flat container each server contains the parent entry. If ACLs are defined on the parent entry, they must be defined on each of the parent entries. ACLs defined at the parent level or below must not have any dependencies on entries above the parent entry in the tree. The server does not enforce ACLs defined on another server. During setup, exact copies of the entire parent entry are added to each server when the ddsetup command is used; otherwise, the user must add copies of the entire parent entry to the server. After initial configuration, if the parent entry has ACLs that are defined on it, each server has the same ACLs for the entries below the parent. Without using the Tivoli Directory Server proxy server, any change that is made to the parent entries after initial configuration has to be sent to each server that contains the parent entry. The administrator must keep the parent entries, including the ACLs on the parent, synchronized among the servers.

Global policies, including schema and password policy
    The cn=pwdpolicy subtree, cn=ibmpolicies subtree, and cn=schema subtree store global configuration information and must be replicated among the servers in a distributed directory. If any of the servers have a replica, set the gateway replication agreements under the cn=ibmpolicies subtree so that the change will be passed on to its individual replica. With the cn=ibmpolicies replication agreement, the cn=schema and cn=pwdpolicy subtrees are automatically replicated. Global policies include the global administration group entry that is stored under cn=ibmpolicies.

536 Tivoli Access Manager Installation Guide


Synchronizing server instances

When you create a new directory server instance and you want to use a distributed directory, you must cryptographically synchronize the server instances to obtain the best performance.

If you are creating a directory server instance that must be cryptographically synchronized with an existing directory server instance, you must synchronize the server instances before you do any of the following tasks:
v Start the second server instance.
v Run the idsbulkload command from the second server instance.
v Run the idsldif2db command from the second server instance.

See the IBM Tivoli Directory Server: Administration Guide for information about synchronizing directory server instances.

Creating server instances

In this example, data under o=ibm,c=us is split across two servers (Server A and Server B). The Tivoli Directory Server proxy server (Proxy) is configured to hash the RDN values immediately below o=ibm,c=us across Server A and Server B. RDN values that are more than one level below o=ibm,c=us map to the same server as their ancestor immediately below o=ibm,c=us; for example, cn=test,o=ibm,c=us and cn=user1,cn=test,o=ibm,c=us always map to the same server. Server A holds all the entries with a hash value of 1, and Server B holds all the entries with a hash value of 2.

To create these server instances, perform the following steps:
1. Create three directory server instances on three separate systems (Proxy, Server A, Server B). Follow the instructions in the IBM Tivoli Directory Server: Administration Guide to use the idsicrt tool.
2. Before starting Server B, copy the directory_instance\etc\ibmslapddir.ksf file from Server A to Server B. Copying this file allows the two server instances to be cryptographically synchronized. The file is the instance's key stash file, so copy it over a protected channel and keep the restrictive file permissions it has on Server A.
3. Configure all three instances into the Web Administration Tool.
4. Log in to Server A.
5. Start the server in Configuration Only Mode.
6. Select Server administration → Manage server properties.
7. Select the Suffixes property.
8. In the Suffix DN field, type o=ibm,c=us and click Add.
9. Repeat this process for as many suffixes as you want to add.
10. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit.
11. Repeat steps 5 to 10 for Server B.

Global administration group

The global administration group is a way for the directory administrator to delegate administrative rights in a distributed environment to the database back-end. Global administrative group members are users that are assigned the same set of privileges as the administrative group with regard to access to entries in the database back-end, and they have complete access to the directory server back-end.

Chapter 25. Setting up a Tivoli Directory Server proxy environment 537


All global administrative group members have the same set of privileges. Global administrative group members:
v Have no privileges or access rights to any data or operations that are related to the configuration settings of the directory server. The configuration settings are commonly called the configuration back-end.
v Have no privileges or access rights to any schema data.
v Have no access to the audit log. Therefore, local administrators can use the audit log to monitor global administrative group member activity for security purposes.

Creating a user entry for membership in the global administrators group

To create a user entry for membership, perform the following steps:
1. Log on to Server A through the Web Administration Tool. This server is used as the partition for cn=ibmpolicies.
2. Start the server, if it is not already running.
3. From the navigation pane, expand Directory management.
4. Click Add an entry.
5. From the Structural object classes menu, select person.
6. Click Next.
7. Click Next to skip the Select auxiliary object classes window.
8. In the Relative DN field, type cn=manager.
9. In the Parent DN field, type cn=ibmpolicies.
10. In the cn field, type manager.
11. In the sn field, type manager.
12. Click the Optional attributes tab.
13. In the userPassword field, type the password.
14. Click Finish.

Adding user entries to the global administration group

To add the cn=manager user to the global administration group, perform the following steps:
1. In the navigation pane, click Manage entries.
2. Select the cn=ibmpolicies radio button and then click Expand.
3. Select the globalGroupName=GlobalAdminGroup radio button. From the Select Action menu, click Manage Members and then click Go.
4. In the member field, type cn=manager,cn=ibmpolicies and click Add. The following message is displayed:

   You have not loaded entries from the server. Only your changes will be displayed in the table. Do you want to continue?

5. Click OK. The cn=manager,cn=ibmpolicies member is displayed in the table.
6. Click OK.

The cn=manager user is now a member of the global administration group.

Configuring the Tivoli Directory Server proxy server

If the server that you are configuring as a proxy server contains the entry data to be distributed across the directory, you must extract the entry data into an LDIF file before you configure the server.


Note: After the Tivoli Directory Server server is configured as a Tivoli Directory Server proxy server, you cannot access the data that is contained in its RDBMS. The Tivoli Directory Server proxy server does not have an RDBMS back-end and cannot take part in replication. If you need to access the data in its RDBMS, you can either reconfigure the server so that it is not a Tivoli Directory Server proxy, or you can create a new directory server instance that points to the RDBMS as its database.

To configure a Tivoli Directory Server proxy server, perform the following steps:
1. Log in to the server that you are going to use as the Tivoli Directory Server proxy server as the local LDAP administrator (for example, cn=root).
2. Start the server in Configuration Only Mode.
3. From the navigation pane, expand Proxy administration.
4. Click Manage proxy properties.
5. Select the Configure as proxy server check box.
6. In the Suffix DN field, type cn=ibmpolicies and click Add.
7. In the Suffix DN field, type o=ibm,c=us and click Add.
8. In the Suffix DN field, type cn=pwdpolicy and click Add.
9. Click OK to save your changes and return to the Introduction window.

Note: You must log out from the Web Administration Tool and log on again. Doing so updates the navigation pane. If you do not log off and log on again, the navigation pane is not updated for a Tivoli Directory Server proxy server.

The Tivoli Directory Server proxy server is configured with its own schema. Ensure that the back-end servers and the proxy server are configured with the same schema. If the proxy server and the back-end servers use Tivoli Directory Server version 6.1, the schema is already in place to support Tivoli Access Manager.

Adding back-end servers to the proxy server

To add back-end servers to the Tivoli Directory Server proxy server, perform the following steps:
1. Log back in to the Tivoli Directory Server proxy server (Proxy) as the local LDAP administrator (for example, cn=root).
2. From the navigation pane, click Proxy administration.
3. Click Manage back-end directory servers, and then click Add.
4. In the Hostname field, type the host name for Server A.
5. In the Port field, type the port number for Server A (for this example, all servers use 389).
6. In the Connection pool size field, type the number of connections that the proxy server can have with the back-end server. The minimum value is 1 and the maximum value is 100. For this example, set the value to 5.
7. In the Authentication method field, select Simple and click Next. With Simple authentication over the non-SSL port used in this example, the bind DN password crosses the network in cleartext; outside a lab environment, protect the proxy-to-back-end connections with SSL.
8. The proxy server binds to the back-end server as the local administrator for the back-end server. Type the LDAP administration DN for the back-end server in the Bind DN field (for example, cn=root).
9. Specify and confirm the password for the administration DN that you specified in step 8 in the Bind password fields.
10. Click Finish.
11. Repeat steps 3 to 10 for Server B.
12. When you are finished, click Close to save your changes and return to the Introduction window.
13. Ensure that all back-end servers are now started in normal mode (not in Configuration Only Mode).

Partitioning to back-end servers

The Tivoli Directory Server proxy server must be configured with partition information. This information determines how data is distributed among the back-end servers.

To partition a Tivoli Directory Server proxy server to use back-end servers, perform the following tasks:
v Synchronize global policies
v Divide the data into partitions
v Assign partition index values to the server instances
v Instantiate the suffix object

Synchronizing global policies

These steps set up cn=ibmpolicies as a single partition. A single partition is necessary to enable you to synchronize the global policies on all of the servers.

Note: Schema modifications are not replicated by or to the Tivoli Directory Server proxy server. Any schema updates need to be entered on each Tivoli Directory Server proxy server manually.

To synchronize global policies, perform the following steps:
1. From the navigation pane, click Manage partition bases.
2. On the Partition bases table, click Add.
3. In the Partition base DN field, type cn=ibmpolicies.
4. In the Number of partitions field, type 1.

   Note: A value greater than 1 for cn=ibmpolicies and cn=pwdpolicy is not supported.

5. Click OK.
6. Select the cn=ibmpolicies radio button.
7. Click View servers and then verify that cn=ibmpolicies is displayed in the Partition base DN field.
8. In the Back-end directory servers for partition base table, click Add.
9. From the Add Back-end directory server menu, select Back-end directory server → Server A.
10. In the Partition index field, type 1.
11. Click OK.
12. Repeat steps 1 to 11 for cn=pwdpolicy.

Synchronizing the global policies in this way lets you keep the global administration group member entry on a single back-end server instead of having to create it on each of the back-end servers.


Dividing the data into partitions

To divide the data in the subtree o=ibm,c=us into two partitions, perform the following steps:
1. On the Partition bases table, click Add.
2. In the Partition base DN field, type o=ibm,c=us.
3. In the Number of partitions field, type 2 and click OK.

Assigning partition index values to the servers

To assign a partition value to each of the servers, perform the following steps:
1. Select the o=ibm,c=us radio button.
2. Click View servers and then verify that o=ibm,c=us is displayed in the Partition base DN field.
3. In the Back-end directory servers for partition base table, click Add.
4. From the Add Back-end directory server menu, select Back-end directory server → Server A.
5. Ensure that 1 is displayed in the Partition index field.
6. Click OK.
7. In the Back-end directory servers for partition base table, click Add.
8. From the Add Back-end directory server menu, select Back-end directory server → Server B.
9. Ensure that 2 is displayed in the Partition index field.

   Note: This number is automatically increased for you. You can manually change the partition index number, but the number cannot exceed the actual number of partitions for the base. For example, you cannot use 3 as a partition index if the partition base has only two partitions. Duplicate partition indexes are only allowed on servers that participate in replication on that subtree.

10. Click OK.
11. When you are finished, click Close.
12. Restart the Tivoli Directory Server proxy server for the changes to take effect.
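The partition rules stated in "Synchronizing global policies" and "Assigning partition index values to the servers" (single partition only for cn=ibmpolicies and cn=pwdpolicy, an index never larger than the number of partitions, duplicate indexes only for replicating servers) are easy to get wrong in the Web Administration Tool, and the tool does not show you where a given DN will end up. The following script is an added example, not Tivoli Directory Server code: it checks a layout against those rules and shows, for the layout built in this chapter, how the RDN immediately below a partition base decides the back-end while deeper entries follow that ancestor. The proxy's real hash function is not documented here, so rdn_hash() is a stand-in that only reproduces that documented property; the server names and the EXAMPLE_LAYOUT are taken from the text.

```python
"""Sanity-check a Tivoli Directory Server proxy partition layout against the
rules given in this chapter, and show which back-end a DN is routed to.

Added example, not part of Tivoli Directory Server. The proxy's real hash
function is not documented here, so rdn_hash() is a stand-in that only
reproduces the documented property: the RDN immediately below the partition
base decides the back-end, and deeper entries follow that ancestor.
"""
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Partition bases for which a value greater than 1 is not supported.
SINGLE_PARTITION_BASES = {"cn=ibmpolicies", "cn=pwdpolicy"}


@dataclass
class PartitionBase:
    dn: str
    partitions: int
    # (back-end server name, partition index, server replicates this subtree)
    servers: List[Tuple[str, int, bool]] = field(default_factory=list)


def normalize_dn(dn: str) -> str:
    """Lower-case and strip blanks around commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def validate_layout(bases: List[PartitionBase]) -> List[str]:
    """Return the rule violations found; an empty list means the layout is consistent."""
    problems: List[str] = []
    for base in bases:
        if base.partitions < 1:
            problems.append(f"{base.dn}: number of partitions must be at least 1")
            continue
        if normalize_dn(base.dn) in SINGLE_PARTITION_BASES and base.partitions != 1:
            problems.append(f"{base.dn}: number of partitions must be 1")
        holders: Dict[int, List[Tuple[str, bool]]] = {}
        for server, index, replicated in base.servers:
            if not 1 <= index <= base.partitions:
                problems.append(f"{base.dn}: {server} uses partition index {index} but "
                                f"the base has only {base.partitions} partition(s)")
                continue
            holders.setdefault(index, []).append((server, replicated))
        for index, entries in holders.items():
            # Duplicate indexes are allowed only for servers replicating that subtree.
            if len(entries) > 1 and not all(rep for _, rep in entries):
                names = ", ".join(name for name, _ in entries)
                problems.append(f"{base.dn}: partition index {index} is shared by {names}, "
                                f"which do not all replicate that subtree")
        missing = [i for i in range(1, base.partitions + 1) if i not in holders]
        if missing:
            problems.append(f"{base.dn}: no back-end server holds partition index {missing}")
    return problems


def rdn_hash(rdn: str, partitions: int) -> int:
    """Stand-in for the undocumented proxy hash; returns a 1-based partition index."""
    return zlib.crc32(rdn.encode("utf-8")) % partitions + 1


def route_entry(dn: str, bases: List[PartitionBase]) -> Tuple[str, int, List[str]]:
    """Return (partition base, partition index, back-end servers) for dn.

    Index 0 means dn is a partition base itself: that entry exists on every
    back-end of the base and the proxy answers from one of them at random.
    """
    comps = normalize_dn(dn).split(",")
    best, best_len = None, 0
    for base in bases:
        bcomps = normalize_dn(base.dn).split(",")
        if len(bcomps) <= len(comps) and comps[-len(bcomps):] == bcomps and len(bcomps) > best_len:
            best, best_len = base, len(bcomps)
    if best is None:
        raise ValueError(f"{dn} is under no configured partition base")
    if len(comps) == best_len:
        return best.dn, 0, sorted({name for name, _, _ in best.servers})
    # Only the RDN immediately below the base is hashed; deeper RDNs inherit it.
    split_rdn = comps[-best_len - 1]
    index = rdn_hash(split_rdn, best.partitions)
    return best.dn, index, sorted(name for name, i, _ in best.servers if i == index)


# The layout built in this chapter: global policies on Server A as a single
# partition, o=ibm,c=us split in two (constructed from the text's server names).
EXAMPLE_LAYOUT = [
    PartitionBase("cn=ibmpolicies", 1, [("Server A", 1, False)]),
    PartitionBase("cn=pwdpolicy", 1, [("Server A", 1, False)]),
    PartitionBase("o=ibm,c=us", 2, [("Server A", 1, False), ("Server B", 2, False)]),
]

if __name__ == "__main__":
    print(validate_layout(EXAMPLE_LAYOUT))
    for entry in ("o=ibm,c=us", "cn=test,o=ibm,c=us", "cn=user1,cn=test,o=ibm,c=us"):
        print(entry, "->", route_entry(entry, EXAMPLE_LAYOUT))
```

Run it before restarting the proxy: an empty list from validate_layout means every partition index is held by some back-end and no rule from this chapter is broken, and route_entry makes the "more than one level away maps to the same server" behaviour visible for the DNs you care about.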

Instantiating the suffix object

If the partition created on the back-end servers is created at the suffix (as it is in this example), ensure that the object for the suffix is instantiated on each back-end server.

To use the Web Administration Tool to create the object for the suffix used in this example (o=ibm,c=us) on each back-end server, perform the following steps:
1. Log in to Server A as the local LDAP administrator (for example cn=root).
2. From the navigation pane, click Directory management.
3. Select Add an entry.
4. In the Add an entry menu, scroll down to highlight organization in the Structural object classes list box.
5. Click Next.
6. No auxiliary object classes are needed for this object, so click Next to skip the Select auxiliary object classes choice.
7. In the Relative DN field, type o=ibm,c=us.
8. Leave the Parent DN blank, because this object is at the suffix.
9. Fill in the value of the o attribute (for organization) as ibm.
10. When you are finished, click Finish to create the object.
11. Repeat steps 1 to 10 for Server B.

At this point, the suffix and corresponding object exist on each back-end server. You can verify that the object can be searched by using the idsldapsearch command against any of the three servers (Server A, Server B or Proxy) with the following command:
idsldapsearch -h hostname -D local_ldap_administrator -w password \
   -b "o=ibm,c=us" -s base "objectclass=*"

When this search is performed against the Tivoli Directory Server proxy server, because the object exists in each partition, the proxy server randomly selects the back-end server from which to acquire the requested object. Run the search against Server A and Server B individually as well, so that a copy missing from one back-end is not masked by the proxy's random choice.

Setting up a proxy environment for Tivoli Access Manager

Tivoli Access Manager stores its metadata within a required suffix called secAuthority=Default. Metadata includes information that is used to track user and group status information specific to Tivoli Access Manager. When using a proxy, the secAuthority=Default object itself cannot be modified using the proxy, because the object at a proxy partition split point cannot be modified through the proxy. Therefore, Tivoli Access Manager cannot be configured directly through the proxy, because Tivoli Access Manager must modify the secAuthority=Default object during configuration.

In a proxy environment, the administrator should decide which back-end server will host the secAuthority=Default subtree and set up that back-end server and the proxy partition information to reflect that topology. This example configures Server A to host the secAuthority=Default subtree.

Data under a proxy partition split point (for example, o=ibm,c=us) is hashed to determine which back-end server holds the subtree. In this example, Proxy is configured to hash the RDN values immediately below o=ibm,c=us across two servers. This also means that RDN values more than one level below o=ibm,c=us map to the same server as the values immediately below o=ibm,c=us. For this reason, it is usually more advantageous to configure the proxy with a single partition for the secAuthority=Default suffix: only a few container entries (such as cn=Users) sit immediately below it, so hashing at that level would not spread the data. If you want to distribute the Tivoli Access Manager metadata within the secAuthority=Default suffix among multiple back-end servers, it is best to split the partition below the cn=Users,secAuthority=Default container. An entry is created on behalf of each user defined below the cn=Users,secAuthority=Default container, so splitting this user information can distribute the data more evenly across the back-end servers. This example does not distribute the data, but instead keeps the entire secAuthority=Default subtree within Server A.

Adding the Tivoli Access Manager suffix to the proxy

To configure the Tivoli Access Manager secAuthority=Default suffix for use by the proxy, perform the following steps:
1. Log in to Server A as the local LDAP administrator (for example cn=root).
2. Select Server administration → Manage server properties. Select the Suffixes property.
3. In the Suffix DN field, type secAuthority=Default and click Add.
4. When you are finished, click Apply to save your changes without exiting, or click OK to apply your changes and exit.
5. The suffix is not available until the server is restarted. In the navigation pane, select Server administration and then select Start/stop/restart server. Ensure that the Start/restart in configuration only mode check box is not selected and then click Restart. After a message is displayed that the restart request was sent, go to Server administration and check the status of the server. Wait until the server has restarted successfully and is running before continuing.
6. Log in to Proxy as the local LDAP administrator (for example cn=root).
7. From the navigation pane, expand Proxy administration.
8. On the Proxy administration page, click Manage proxy properties.
9. In the Suffix DN field, type secAuthority=Default and click Add.
10. Click OK to save your changes and return to the Introduction window.
11. From the navigation pane, click Proxy administration and then click Manage partition bases.
12. From the Manage partition bases menu, click Add.
13. In the Partition base DN field, type secAuthority=Default.
14. In the Number of partitions field, type 1.
15. In the Partition bases table, select the secAuthority=Default radio button.
16. Click View servers and then verify that secAuthority=Default is displayed in the Partition base DN field.
17. In the Back-end directory servers for partition base table, click Add.
18. From the Add Back-end directory server menu, click Back-end directory server → Server A.
19. Ensure that 1 is displayed in the Partition index field and click OK.
20. When you are finished, click Close.
21. Restart Proxy for the changes to take effect.

Configuring Tivoli Access Manager to use the proxy

After the Tivoli Directory Server proxy server and back-end servers are configured with the Directory Information Tree (DIT) partitioning, Tivoli Access Manager can be configured to use the proxy. The proxy server provides a unified view of the directory and shields the LDAP application (Tivoli Access Manager, for example) from having to be aware of the DIT partitioning. When configured to use the Tivoli Directory Server proxy server, Tivoli Access Manager is only aware of the proxy and performs all operations through the proxy, as if it represented the entire DIT namespace.

To provide failover support, multiple Tivoli Directory Server proxy servers can also be configured. See the IBM Tivoli Directory Server: Administration Guide for information about configuring multiple Tivoli Directory Server proxy servers to provide failover support. When configuring multiple proxy servers to provide failover support, Tivoli Access Manager should be configured to treat each of the proxy servers as a directory server replica. The example scenario described here assumes a single proxy.

Because Tivoli Access Manager cannot be configured directly to the Tivoli Directory Server proxy server, Tivoli Access Manager must first be configured to the back-end server that hosts the secAuthority=Default subtree. When configuring the Access Manager Runtime component for use with this back-end server, select LDAP as the registry type. When the pdconfig utility requests the LDAP host name, type the host name and LDAP port number of Server A (the back-end server that hosts the secAuthority=Default subtree); do not type the host name of the Tivoli Directory Server proxy server (Proxy).

Configure SSL information for setting up an SSL connection with Server A, if SSL is to be used. When using SSL, Proxy needs to be configured with a server certificate that is generated by the same certificate authority (CA) that was used to create the server certificate for Server A; otherwise the policy server, whose key file was set up to trust the CA of Server A, will not accept the proxy's certificate after it is retargeted. Specify the LDAP DN (for example cn=root) and the LDAP administrator password for Server A. After the Tivoli Access Manager policy server is configured successfully to the back-end server (Server A), you can retarget the Tivoli Access Manager policy server system to the Tivoli Directory Server proxy server. Exit the pdconfig utility.

Redirecting the policy server to the proxy

To retarget the Tivoli Access Manager policy server system to the proxy, stop the policy server by using the pd_start stop command on UNIX or by using Windows Services. Then edit the policy server ldap.conf and pd.conf configuration files by using the pdadmin config command. Complete the following steps:
1. Start the pdadmin utility.
2. Log in to the local system with the login -l command.
3. After you are logged in locally, change the value of the host and port in the configuration files to specify the host name and port of the Tivoli Directory Server proxy server with the following commands:

   For UNIX:
   config modify keyvalue set /opt/PolicyDirector/etc/ldap.conf ldap host proxy_hostname
   config modify keyvalue set /opt/PolicyDirector/etc/ldap.conf ldap port proxy_port
   config modify keyvalue set /opt/PolicyDirector/etc/pd.conf pdrte user-reg-server proxy_hostname
   config modify keyvalue set /opt/PolicyDirector/etc/pd.conf pdrte user-reg-host proxy_hostname
   config modify keyvalue set /opt/PolicyDirector/etc/pd.conf pdrte user-reg-hostport proxy_port

   For Windows:

   Note: This example assumes that Tivoli Access Manager is installed to the default location. Change the following commands to match the installation location for your system if necessary.

   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" ldap host proxy_hostname
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" ldap port proxy_port
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" pdrte user-reg-server proxy_hostname
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" pdrte user-reg-host proxy_hostname
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" pdrte user-reg-hostport proxy_port

   where:

   proxy_hostname
       The host name of the Tivoli Directory Server proxy server.
   proxy_port
       The port number of the Tivoli Directory Server proxy server.

   All five values must be changed together; if the two files disagree, the policy server is left pointing partly at the proxy and partly at the back-end server.

4. After the configuration files are modified, restart the policy server by using the pd_start start utility on UNIX or by using Windows Services.

For additional information about these commands and utilities, see the IBM Tivoli Access Manager for e-business: Command Reference.

Setting access controls for the proxy

As stated earlier, access control lists (ACLs) cannot be managed from the Tivoli Directory Server proxy server. When a proxy server is used, it is the back-end server that enforces access control. The LDAP administrator is responsible for ensuring that the proper ACLs are created on each of the back-end servers if ACLs exist on the top-level object of a partition split point. Tivoli Access Manager must have the proper access control to allow it to manage users and groups within the suffixes where user and group definitions are maintained. To set the necessary ACLs on the back-end servers so that Tivoli Access Manager can manage the partition suffixes, use the Tivoli Access Manager ivrgy_tool utility with the add-acls parameter.

Complete the following steps:
1. Run the ivrgy_tool utility from any system where the Access Manager Runtime component is installed, for example the system where the policy server is installed.
2. To apply the proper ACLs on each of the back-end servers, run the following command against each back-end server in turn (Server A and Server B in this example), not against the proxy:
   ivrgy_tool -h backend_host -p backend_port -D ldap_admin_DN \
      -w ldap_admin_pwd -d [-Z] [-K ssl_keyfile] [-P ssl_keyfile_pwd] \
      [-N label] add-acls domain

For additional information about the ivrgy_tool utility, see “ivrgy_tool” on page 569.

The policy server is the only Tivoli Access Manager component that needs to be retargeted to the Tivoli Directory Server proxy server as described in “Configuring Tivoli Access Manager to use the proxy” on page 543. Other Tivoli Access Manager components, such as the authorization server or WebSEAL, do not need to be retargeted. After the policy server has been configured, other Tivoli Access Manager components can be configured normally. When configuring the Access Manager Runtime for other components, specify the Tivoli Directory Server proxy server host name and port for the LDAP host name. It is not necessary to indicate any of the back-end servers.

Unconfiguring Tivoli Access Manager from the proxy

All Tivoli Access Manager components other than the policy server can be unconfigured normally when the environment is set up with the Tivoli Directory Server proxy server (as described in “Configuring Tivoli Access Manager to use the proxy” on page 543).

Before the policy server can be unconfigured, it must be retargeted back to the back-end server that hosts the secAuthority=Default subtree. Before attempting to retarget and unconfigure the policy server, ensure that all other Tivoli Access Manager components are unconfigured and stopped.


After all Tivoli Access Manager components are unconfigured, the policy server can be retargeted to the back-end server that is hosting the secAuthority=Default subtree.

To retarget the policy server system to the back-end server, stop the policy server using the pd_start stop command on UNIX or using Windows Services. Edit the policy server ldap.conf and pd.conf configuration files using the pdadmin config command with the following steps:
1. Start the pdadmin command.
2. Log in to the local system with the login -l command.
3. Change the value of the host and port in the configuration files to specify the host name and port of the back-end server hosting the secAuthority=Default subtree (Server A in this example) with the following commands:

   For UNIX:
   config modify keyvalue set /opt/PolicyDirector/etc/ldap.conf ldap host serverA_hostname
   config modify keyvalue set /opt/PolicyDirector/etc/ldap.conf ldap port serverA_port
   config modify keyvalue set /opt/PolicyDirector/etc/pd.conf pdrte user-reg-server serverA_hostname
   config modify keyvalue set /opt/PolicyDirector/etc/pd.conf pdrte user-reg-host serverA_hostname
   config modify keyvalue set /opt/PolicyDirector/etc/pd.conf pdrte user-reg-hostport serverA_port

   For Windows:

   This example assumes that Tivoli Access Manager is installed to the default location. Change the following commands to match the installation location for your system if necessary:
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" ldap host serverA_hostname
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\ldap.conf" ldap port serverA_port
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" pdrte user-reg-server serverA_hostname
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" pdrte user-reg-host serverA_hostname
   config modify keyvalue set "c:\Program Files\Tivoli\Policy Director\etc\pd.conf" pdrte user-reg-hostport serverA_port

   where:

   serverA_hostname
       The host name of the back-end server.
   serverA_port
       The port number of the back-end server.

4. After the configuration files are modified, the policy server can be restarted using the pd_start start utility for UNIX or using Windows Services.
5. After the policy server is successfully restarted, it can be unconfigured normally using the pdconfig utility.

For additional information about these commands and utilities, see the IBM Tivoli Access Manager for e-business: Command Reference.
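Both retargeting procedures above ("Redirecting the policy server to the proxy" and the retarget back to Server A before unconfiguring) change the same five stanza/key pairs in ldap.conf and pd.conf, and nothing stops you from restarting the policy server after editing only some of them. The following script is an added example, not Tivoli Access Manager code: it performs the equivalent of the pdadmin "config modify keyvalue set" edits for those five keys and, before you run pd_start start, checks that both files agree on one registry host and port. It assumes the configuration files use "[stanza]" headers followed by "key = value" lines with "#" starting a comment; the sample file contents, host names and the [manager] master-host key are constructed for the example.

```python
"""Retarget the policy server's registry settings between the Tivoli Directory
Server proxy and the back-end server that hosts secAuthority=Default, and
verify that ldap.conf and pd.conf agree before the policy server is restarted.

Added example, not Tivoli Access Manager code. It edits the same five
stanza/key pairs that the pdadmin "config modify keyvalue set" commands in
this chapter edit, and assumes the configuration files use "[stanza]" headers
followed by "key = value" lines, with "#" starting a comment.
"""
import re
from typing import Dict, Optional, Tuple

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEYVALUE_RE = re.compile(r"^\s*(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")

# (file, stanza, key) -> whether it carries the registry host or port.
REGISTRY_KEYS = {
    ("ldap.conf", "ldap", "host"): "host",
    ("ldap.conf", "ldap", "port"): "port",
    ("pd.conf", "pdrte", "user-reg-server"): "host",
    ("pd.conf", "pdrte", "user-reg-host"): "host",
    ("pd.conf", "pdrte", "user-reg-hostport"): "port",
}


def keyvalue_set(text: str, stanza: str, key: str, value: str) -> str:
    """Set key in stanza (like pdadmin config modify keyvalue set); add it if absent."""
    out, current, done = [], None, False
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            if current == stanza and not done:   # leaving the stanza without a hit
                out.append(f"{key} = {value}")
                done = True
            current = m.group("name").strip()
        elif current == stanza and not done:
            kv = KEYVALUE_RE.match(line)
            if kv and kv.group("key") == key:
                line, done = f"{key} = {value}", True
        out.append(line)
    if not done:
        if current != stanza:
            out.append(f"[{stanza}]")
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def keyvalue_get(text: str, stanza: str, key: str) -> Optional[str]:
    """Return the value of key in stanza, or None if it is not set."""
    current = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name").strip()
        elif current == stanza:
            kv = KEYVALUE_RE.match(line)
            if kv and kv.group("key") == key:
                return kv.group("value")
    return None


def retarget(files: Dict[str, str], host: str, port: int) -> Dict[str, str]:
    """Point all five registry keys at host:port; returns the new file contents."""
    updated = dict(files)
    for (fname, stanza, key), kind in REGISTRY_KEYS.items():
        updated[fname] = keyvalue_set(updated[fname], stanza, key,
                                      host if kind == "host" else str(port))
    return updated


def registry_target(files: Dict[str, str]) -> Tuple[str, int]:
    """Return the (host, port) all five keys agree on; raise if they disagree.

    Run this before pd_start start: a half-edited pair of files points some
    settings at the proxy and others at the back-end server.
    """
    hosts, ports = set(), set()
    for (fname, stanza, key), kind in REGISTRY_KEYS.items():
        value = keyvalue_get(files[fname], stanza, key)
        if value is None:
            raise ValueError(f"{fname}: [{stanza}] {key} is not set")
        (hosts if kind == "host" else ports).add(value)
    if len(hosts) != 1 or len(ports) != 1:
        raise ValueError(f"registry settings disagree: hosts={sorted(hosts)} ports={sorted(ports)}")
    return hosts.pop(), int(ports.pop())


# Constructed sample files (not copied from an installation), in the state
# pdconfig leaves them after configuring against Server A on port 389.
SAMPLE_FILES = {
    "ldap.conf": "# constructed sample\n[ldap]\nhost = servera.example.com\nport = 389\n",
    "pd.conf": ("[pdrte]\nuser-reg-server = servera.example.com\n"
                "user-reg-host = servera.example.com\nuser-reg-hostport = 389\n"
                "[manager]\nmaster-host = pdmgr.example.com\n"),
}

if __name__ == "__main__":
    print("configured against", registry_target(SAMPLE_FILES))
    on_proxy = retarget(SAMPLE_FILES, "proxy.example.com", 389)
    print("retargeted to", registry_target(on_proxy))
    print(on_proxy["pd.conf"])
```

Read the real files from /opt/PolicyDirector/etc (or the Windows installation directory), pass their contents to retarget(), write the results back while the policy server is stopped, and only start it again once registry_target() returns the host and port you intended.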


Chapter 26. Tivoli Access Manager utilities

In addition to the pdadmin command utility, Tivoli Access Manager provides the following installation and configuration utilities for your use. See the IBM Tivoli Access Manager for e-business: Command Reference for descriptions of all the Tivoli Access Manager utilities.

Table 53. Tivoli Access Manager installation and configuration utilities

Utility
    Description

amauditcfg
    Configures or unconfigures the Common Auditing and Reporting Service client.

amwebcfg
    Configures or unconfigures a WebSEAL server.

amwpmcfg
    Configures or unconfigures the Web Portal Manager component of Tivoli Access Manager.

bassslcfg
    Configures or modifies the configuration information of the Tivoli Access Manager runtime.

install_component
    Expedites the installation and configuration of Tivoli Access Manager components.

ivrgy_tool
    Updates the Tivoli Access Manager schema on the specified LDAP server or applies required ACLs to suffixes that were added to the LDAP server after the policy server was configured.

mgrsslcfg
    Creates or modifies the SSL certificates of the Tivoli Access Manager policy server.

pdbackup
    Backs up, restores, and extracts Tivoli Access Manager data.

pdconfig
    Configures and unconfigures Tivoli Access Manager components.

pdjrtecfg
    Configures the Tivoli Access Manager Runtime for Java.

pdproxycfg
    Configures and unconfigures a policy proxy server.

pdsmsclicfg
    Configures the command line utility plug-in for the session management server.

pdversion
    Lists the current version of Tivoli Access Manager components that are installed on the system.

pdwpicfg
    Configures or unconfigures the Plug-in for Web Servers.

smscfg
    Configures the session management server.

svrsslcfg
    Configures, unconfigures, or modifies the configuration information of a resource manager to use an SSL connection for communicating with the policy server. This utility is used for C application servers only. For Java application servers, use the equivalent com.tivoli.pd.jcfg.SvrSslCfg Java class. For information about this class, see the IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference.

© Copyright IBM Corp. 2001, 2010 547


amauditcfg

Configures Tivoli Access Manager servers to use common audit services or unconfigures Tivoli Access Manager servers from common audit services.

Syntax

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl no -disk_cache_mode never

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl no -disk_cache_mode {always|auto} -disk_cache_file cache_file

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth no -disk_cache_mode never

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth no -disk_cache_mode {always|auto} -disk_cache_file cache_file

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth yes -audit_id audit_id -audit_pwd audit_password -disk_cache_mode never

amauditcfg -action config -srv_cfg_file configuration_file -audit_srv_url url -enable_ssl yes -audit_key_file key_file -audit_stash_file stash_file -enable_pwd_auth yes -audit_id audit_id -audit_pwd audit_password -disk_cache_mode {always|auto} -disk_cache_file cache_file -temp_storage_full_timeout number_of_seconds

amauditcfg -action unconfig -srv_cfg_file configuration_file

amauditcfg -operations

amauditcfg -help [options]

amauditcfg -rspfile response_file

amauditcfg -usage

amauditcfg -?

Description

Use the amauditcfg utility to configure or unconfigure the Common Auditing Service client from the command line. The utility can be run in command line mode or response file mode.

In command line mode, all parameters must be specified from the command line.

In response file mode, the utility obtains the necessary parameters from the response file. You must manually create the response file, and the response file requires all parameters.
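The syntax forms above encode several dependencies between parameters (key and stash file only with -enable_ssl yes, -audit_id and -audit_pwd only with -enable_pwd_auth yes, -disk_cache_file with always or auto), and a set that violates them is only rejected once the utility runs against a live server configuration file. The following script is an added example, not part of amauditcfg: it checks a parameter set against those dependencies, read off the syntax forms and parameter descriptions in this section, and builds the command line in the documented order. The option names are the documented ones; the sample parameter set, its paths, host name and password are constructed placeholders, and the https check is an added consistency check rather than a documented amauditcfg rule.

```python
"""Check an amauditcfg parameter set against the dependencies stated by the
syntax forms in this section, then build the command line.

Added example, not part of amauditcfg. The option names are the ones this
section documents; the dependency rules are read off the syntax forms, and
the sample parameter set below is constructed.
"""
from typing import Dict, List

PARAMETER_ORDER = [
    "action", "srv_cfg_file", "audit_srv_url", "enable_ssl", "audit_key_file",
    "audit_stash_file", "enable_pwd_auth", "audit_id", "audit_pwd",
    "disk_cache_mode", "disk_cache_file", "temp_storage_full_timeout",
]


def validate_amauditcfg(p: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the set is consistent."""
    errors = [f"-{k} is not an amauditcfg parameter" for k in p if k not in PARAMETER_ORDER]
    action = p.get("action")
    if action not in ("config", "unconfig"):
        return errors + ["-action must be config or unconfig"]
    if "srv_cfg_file" not in p:
        errors.append("-srv_cfg_file is required")
    if action == "unconfig":
        extra = sorted(k for k in p if k not in ("action", "srv_cfg_file"))
        if extra:
            errors.append(f"-action unconfig takes only -srv_cfg_file, not {extra}")
        return errors
    url = p.get("audit_srv_url", "")
    if not url:
        errors.append("-audit_srv_url is required")
    ssl = p.get("enable_ssl")
    if ssl not in ("yes", "no"):
        errors.append("-enable_ssl must be yes or no")
    elif ssl == "yes":
        for k in ("audit_key_file", "audit_stash_file"):
            if k not in p:
                errors.append(f"-{k} is required when -enable_ssl is yes")
        if url and not url.startswith("https://"):
            # Added consistency check: SSL to the emitter needs an https URL.
            errors.append("-enable_ssl is yes but -audit_srv_url is not an https URL")
        if p.get("enable_pwd_auth") not in ("yes", "no"):
            errors.append("-enable_pwd_auth must be yes or no when -enable_ssl is yes")
    elif "enable_pwd_auth" in p:
        # The syntax forms only pair -enable_pwd_auth with -enable_ssl yes.
        errors.append("-enable_pwd_auth is only used when -enable_ssl is yes")
    pwd_auth = p.get("enable_pwd_auth") == "yes"
    for k in ("audit_id", "audit_pwd"):
        if pwd_auth and k not in p:
            errors.append(f"-{k} is required when -enable_pwd_auth is yes")
        if not pwd_auth and k in p:
            errors.append(f"-{k} is only valid when -enable_pwd_auth is yes")
    mode = p.get("disk_cache_mode")
    if mode not in ("always", "never", "auto"):
        errors.append("-disk_cache_mode must be always, never or auto")
    elif mode != "never" and "disk_cache_file" not in p:
        errors.append(f"-disk_cache_file is required when -disk_cache_mode is {mode}")
    if "temp_storage_full_timeout" in p and not p["temp_storage_full_timeout"].isdigit():
        errors.append("-temp_storage_full_timeout must be a number of seconds")
    return errors


def build_command(p: Dict[str, str]) -> List[str]:
    """Return the argv for a validated parameter set, in the documented order."""
    problems = validate_amauditcfg(p)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["amauditcfg"]
    for k in PARAMETER_ORDER:
        if k in p:
            argv += [f"-{k}", p[k]]
    return argv


# Constructed parameter set: SSL to the audit server, password authentication,
# automatic disk caching. Paths, host name and password are placeholders.
SAMPLE_SECURE = {
    "action": "config",
    "srv_cfg_file": "/opt/PolicyDirector/etc/ivmgrd.conf",
    "audit_srv_url": "https://cars.example.com:9443/CommonAuditService/services/Emitter",
    "enable_ssl": "yes",
    "audit_key_file": "/var/PolicyDirector/keytab/cars.kdb",
    "audit_stash_file": "/var/PolicyDirector/keytab/cars.sth",
    "enable_pwd_auth": "yes",
    "audit_id": "wasadmin",
    "audit_pwd": "placeholder-password",
    "disk_cache_mode": "auto",
    "disk_cache_file": "/var/PolicyDirector/audit/cars.cache",
}

if __name__ == "__main__":
    print(" ".join(build_command(SAMPLE_SECURE)))
```

Because -audit_pwd is passed on the command line, the password is visible to other users of the system in process listings; when password authentication is enabled, prefer response file mode (-rspfile) with a response file readable only by the administrator, and keep the argv built here for checking the parameter set rather than for running the utility.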

548 Tivoli Access Manager Installation Guide


Parameters

–?
    Displays the syntax and an example for this utility.

–action {config|unconfig}
    This parameter takes one of the following arguments:

    config
        Configures the client.

    unconfig
        Unconfigures the client.

–audit_id administrator_id
    Specifies the WebSphere administrator who has the EventSource role mapped to the CommonAuditService. This ID is authenticated through WebSphere using HTTP basic authentication. This parameter is valid when the –enable_pwd_auth parameter is set to yes.

–audit_key_file key_file
    Specifies the fully qualified name of the key file that is needed to communicate securely with the Web service. This parameter is required when the –enable_ssl parameter is set to yes.

–audit_pwd audit_id_password
    Specifies the password for the WebSphere administrator who has the EventSource role mapped to the CommonAuditService. This parameter is valid when the –enable_pwd_auth parameter is set to yes.

–audit_srv_url url
    Specifies the URL of the Web service. For secure communication, use the following URL:

    https://hostname:9443/CommonAuditService/services/Emitter

    For nonsecure communication, use the following URL:

    http://hostname:9080/CommonAuditService/services/Emitter

–audit_stash_file stash_file
    Specifies the fully qualified name of the stash file that is needed to communicate securely with the Common Audit Web service. This parameter is required when the –enable_ssl parameter is set to yes.

–disk_cache_file cache_file
    Specifies the fully qualified name of the disk cache file. This parameter is required when the –disk_cache_mode parameter is set to always or auto.

–disk_cache_mode {always|never|auto}
    Specifies whether to enable disk caching, and, when enabled, indicates how to handle disk caching. The following values are valid:

    always
        Indicates that audit events are always written directly to the disk cache.

    never
        Indicates that audit events are written to the event queue. There is no disk cache.

    auto
        Indicates that audit events are written to the event queue except when the server is down or the event queue is full. Under these conditions, the audit events are written to disk cache.

    The default value is auto.

–temp_storage_full_timeout {0|-1|number_of_seconds}
    Specifies the number of seconds that the common auditing and reporting services client waits before discarding cached events when the temporary disk cache storage is filled. Valid values are -1, 0, or a number of seconds. A value of -1 indicates that cached events are not discarded. A value of 0 indicates that cached events are discarded immediately. A specified number of seconds indicates that cached events are not discarded until the specified number of seconds has passed. The default value is 0.

    This parameter takes effect only when –disk_cache_mode is set to always or auto.

–enable_pwd_auth {yes|no}
    Specifies whether password authentication is used. Valid values are yes or no. The default value is no.

–enable_ssl {yes|no}
    Specifies whether to enable SSL communication between the Common Audit client (the security server) and the Common Audit Web service. Valid values are yes or no. The default value is no.

–help [parameters]
    Lists all parameters and their descriptions when specified without parameters. When one or more parameters are specified, lists the specified parameters and their descriptions.

–operations
    Prints out all the valid parameters.

–rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Auditing Guide.

–srv_cfg_file configuration_file
    The fully qualified configuration file name of the Access Manager server to configure to or unconfigure from common auditing services.

–usage
    Displays the syntax and an example for this utility.

Availability

This utility is located in one of the following default installation directories:

• On Linux and UNIX operating systems:
  /opt/policyDirector/sbin/

• On Windows operating systems:
  c:\Program Files\Tivoli\PolicyDirector\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return codes

0
    The utility completed successfully.

1
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples

• The following example configures an authorization server using SSL and password authentication:

  amauditcfg -action config \
    -srv_cfg_file /opt/PolicyDirector/etc/ivacld.conf \
    -audit_srv_url https://hostname:9443/CommonAuditService/services/Emitter \
    -enable_ssl yes -audit_key_file /certs/WSclient.kdb \
    -audit_stash_file /certs/WSclient.sth -enable_pwd_auth yes \
    -audit_id administrator_id -audit_pwd password

• The following example uses the /tmp/rspfile/cars_pdacld.rsp response file to configure an authorization server using SSL and password authentication:

  amauditcfg –rspfile /tmp/rspfile/cars_pdacld.rsp

  The /tmp/rspfile/cars_pdacld.rsp response file contains the following data:

  [amauditcfg]
  action = config
  srv_cfg_file = /opt/PolicyDirector/etc/ivacld.conf
  audit_srv_url = https://hostname:9443/CommonAuditService/services/Emitter
  enable_ssl = yes
  audit_key_file = /certs/WSclient.kdb
  audit_stash_file = /certs/WSclient.sth
  enable_pwd_auth = yes
  audit_id = administrator_id
  audit_pwd = password
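Because a response file is written by hand and must carry every parameter, including audit_pwd in clear text, it is worth checking before amauditcfg consumes it. The following Python check is an added example, not part of the product: it applies the parameter dependencies documented above (enable_ssl, enable_pwd_auth, disk_cache_mode, temp_storage_full_timeout) to the [amauditcfg] stanza and flags a file that other users can read; the function names are this example's own, and the sample values are taken from the response file shown above.

```python
"""Added example (not a product utility): check an amauditcfg response file."""
import configparser
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Constructed sample, copied from the manual's /tmp/rspfile/cars_pdacld.rsp example.
SAMPLE_RSP = """\
[amauditcfg]
action = config
srv_cfg_file = /opt/PolicyDirector/etc/ivacld.conf
audit_srv_url = https://hostname:9443/CommonAuditService/services/Emitter
enable_ssl = yes
audit_key_file = /certs/WSclient.kdb
audit_stash_file = /certs/WSclient.sth
enable_pwd_auth = yes
audit_id = administrator_id
audit_pwd = password
"""

# Constructed sample that breaks several of the documented dependencies.
BROKEN_RSP = """\
[amauditcfg]
action = config
srv_cfg_file = /opt/PolicyDirector/etc/ivacld.conf
audit_srv_url = http://hostname:9080/CommonAuditService/services/Emitter
enable_ssl = yes
audit_key_file = /certs/WSclient.kdb
enable_pwd_auth = yes
audit_id = administrator_id
disk_cache_mode = always
temp_storage_full_timeout = -5
"""


def validate_amauditcfg(text: str) -> List[str]:
    """Return the problems found; an empty list means the stanza is consistent."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if "amauditcfg" not in cp:
        return ["missing [amauditcfg] stanza"]
    s = cp["amauditcfg"]
    problems: List[str] = []
    action = s.get("action", "")
    if action not in ("config", "unconfig"):
        problems.append(f"action must be config or unconfig, not {action!r}")
    if not s.get("srv_cfg_file"):
        problems.append("srv_cfg_file is required")
    if action != "config":
        return problems  # unconfig takes only srv_cfg_file
    url = s.get("audit_srv_url", "")
    if not url:
        problems.append("audit_srv_url is required for action = config")
    if s.get("enable_ssl", "no") == "yes":  # documented default: no
        for key in ("audit_key_file", "audit_stash_file"):
            if not s.get(key):
                problems.append(f"{key} is required when enable_ssl = yes")
        if url and not url.startswith("https://"):
            problems.append("enable_ssl = yes but audit_srv_url is not an https:// URL")
    if s.get("enable_pwd_auth", "no") == "yes":  # documented default: no
        for key in ("audit_id", "audit_pwd"):
            if not s.get(key):
                problems.append(f"{key} is required when enable_pwd_auth = yes")
    # The documented default is auto, but the manual's own sample omits the key,
    # so the cache-file rule is applied only when the mode is given explicitly.
    mode = s.get("disk_cache_mode")
    if mode is not None and mode not in ("always", "never", "auto"):
        problems.append(f"disk_cache_mode must be always, never or auto, not {mode!r}")
    elif mode in ("always", "auto") and not s.get("disk_cache_file"):
        problems.append("disk_cache_file is required when disk_cache_mode is always or auto")
    timeout = s.get("temp_storage_full_timeout")
    if timeout is not None:
        if not re.fullmatch(r"-?\d+", timeout) or int(timeout) < -1:
            problems.append("temp_storage_full_timeout must be -1, 0 or a number of seconds")
        if mode == "never":
            problems.append("temp_storage_full_timeout has no effect when disk_cache_mode = never")
    return problems


def check_rsp_permissions(path: str) -> List[str]:
    """Flag a response file that group or others can read: it holds audit_pwd in clear text."""
    if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        return [f"{path} is readable by group or others; restrict it to the owner (mode 600)"]
    return []


def permissions_demo() -> Tuple[List[str], List[str]]:
    """Write a throwaway copy of SAMPLE_RSP with mode 644, then 600; return both results."""
    fd, path = tempfile.mkstemp(suffix=".rsp")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_RSP)
    try:
        os.chmod(path, 0o644)
        loose = check_rsp_permissions(path)
        os.chmod(path, 0o600)
        return loose, check_rsp_permissions(path)
    finally:
        os.remove(path)
```

Run validate_amauditcfg on the real file's contents and check_rsp_permissions on its path before calling amauditcfg –rspfile; the permission check assumes a Linux or UNIX file system.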


Chapter 26. Tivoli Access Manager utilities 551


amwebcfg

Configures or unconfigures a WebSEAL server.

Syntax

amwebcfg –action config –host host_name –listening_port am_listening_port –inst_name instance_name –nw_interface_yn {yes|no} –admin_id admin –admin_pwd password –ip_address ip_address –ssl_yn {yes|no} –key_file key_file –key_file_pwd password –cert_label label –ssl_port ssl_port –http_yn {yes|no} –http_port http_port –https_yn {yes|no} –https_port https_port –doc_root doc_root

amwebcfg –action config –rspfile response_file

amwebcfg –action config –interactive

amwebcfg –action unconfig –inst_name instance_name –admin_id admin–admin_pwd password

amwebcfg –action unconfig –interactive

amwebcfg –operations

amwebcfg –help [options]

amwebcfg –usage

amwebcfg –?

Description

Use the amwebcfg utility to configure a WebSEAL instance from the command line. The utility can be run in interactive mode, command line mode, or response file mode.

In interactive mode, you are prompted to supply the necessary values.

In command line mode, all parameters must be specified from the command line.

In response file mode, the utility obtains the necessary options from the response file. The response file requires all parameters. The response file must be created manually.

Parameters

–?
    Displays the syntax and an example for this utility.

–action {config|name|status|unconfig}
    This parameter takes one of the following arguments:

    config
        Configures a WebSEAL instance.

    name
        Retrieves the Tivoli Access Manager WebSEAL package name and returns the name value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.


    status
        Returns the status value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.

    unconfig
        Unconfigures a WebSEAL instance.

–admin_id admin
    Specifies the name of the Tivoli Access Manager administrative user. The default value is sec_master.

–admin_pwd password
    Specifies the Tivoli Access Manager administrative user password (the administrative user is normally sec_master).

–cert_label label
    Specifies the LDAP client certificate label. This parameter is used only when SSL communication is enabled between WebSEAL and an LDAP server (–ssl_yn yes).

    Note that when SSL communication is enabled between WebSEAL and the LDAP server, SSL does not require an LDAP client certificate label. Thus this label is optional, even when amwebcfg is called with –ssl_yn yes. When the client label is not specified, SSL uses the default certificate contained in the key file.

    Used with –action config.

–doc_root doc_root
    Specifies the Web document root directory. The directory must already exist. Used with –action config.

    When this parameter is not supplied on the command line, amwebcfg creates a default directory. The default directory path includes the instance name, prefixed by www-. For example, when the instance name is web1, and the doc_root is not specified on the command line, the following directory is created:

    On Linux and UNIX operating systems
        opt/pdweb/www-web1/docs

    On Windows operating systems
        installation_directory\pdweb\www-web1\docs

    When the first WebSEAL instance is configured, and the default server instance name of default is accepted, and no value for –doc_root is supplied, amwebcfg creates the following Web document root directory:

    On Linux and UNIX operating systems
        opt/pdweb/www-default/docs

    On Windows operating systems
        installation_directory\pdweb\www-default\docs

–help [options]
    Lists each parameter and a one line description of it when specified without an argument. When one or more arguments are specified, WebSEAL lists each specified parameter and a one line description of it.

–host host_name
    Specifies the host name that is used by the Tivoli Access Manager policy server to contact a WebSEAL server. This parameter is required for –action config.

    Valid values include any valid IP host name. For example: libra.dallas.ibm.com

–http_yn {yes|no}
    Specifies whether HTTP access is allowed to the WebSEAL instance. This parameter is required for –action config. The valid Boolean indicators are yes or no. There is no default value.

–http_port http_port
    Specifies the port number for unsecure HTTP access. This parameter is required for –action config when –http_yn is set to yes. The well known port for HTTP is 80. There is no default value.

–https_yn {yes|no}
    Specifies whether HTTPS access is allowed to the WebSEAL instance. This parameter is required for –action config. The valid Boolean indicators are yes or no. There is no default value.

–https_port https_port
    Specifies the port number for secure HTTP access. This parameter is required for –action config when –https_yn is set to yes. The well known port for HTTPS is 443. There is no default value.

–inst_name instance_name
    Specifies the name of the WebSEAL instance as a string. For example, web1. This string does not include the host name. This parameter is required for –action config.

    The following characters are allowed:
    • Any ASCII character (A-Z or a-z)
    • Period (.)
    • Hyphen (-)
    • Underscore (_)

    When using the GUI to configure the first WebSEAL instance, amwebcfg supplies a default instance name of default. This instance name can be changed to another name (for example, webseal1).

–interactive
    Specifies that the configuration is to be done interactively by the administrator. WebSEAL displays a text-based menu and presents a series of prompts to obtain the necessary configuration information from the administrator.

    Note: Interactive mode is supported only on Linux and UNIX operating systems. When this parameter is used on Windows operating systems, an error message states that the parameter is not supported.

–ip_address ip_address
    Specifies the logical network interface that is the IP address for the WebSEAL server. This parameter is required with –action config only when –nw_interface_yn is set to yes.

–key_file key_file
    Specifies the LDAP SSL key file. This parameter is required with –action config only when SSL communication is enabled between the WebSEAL server and an LDAP server.


–key_file_pwd password
    Specifies the LDAP SSL key file password. This parameter is required with –action config only when SSL communication is enabled between the WebSEAL server and the LDAP server.

–listening_port am_listening_port
    Specifies the listening port number for the Tivoli Access Manager policy server. This listening port is the port on which the WebSEAL server and the policy server communicate. The port must be greater than 1024, and must be available for use. This parameter is required with –action config.

–nw_interface_yn {yes|no}
    Specifies whether to use a logical network interface. The valid Boolean indicators are yes or no. This parameter is required with –action config when adding an additional WebSEAL instance. There is no default value.

–operations
    Prints out all the valid command line options.

–rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

–ssl_port ssl_port
    Specifies the port number on which SSL communication takes place between the WebSEAL server and the LDAP server. This parameter is required only when –ssl_yn is set to yes as part of –action config. The well known port for SSL is 636. There is no default value.

–ssl_yn {yes|no}
    Specifies whether to enable SSL communication between the WebSEAL server and the LDAP server. The valid Boolean indicators are yes or no. This parameter is required with –action config. There is no default value.

–usage
    Displays the syntax and an example for this utility.

Availability

This utility is located in one of the following default installation directories:

• On Linux and UNIX operating systems:
  /opt/pdweb/bin

• On Windows operating systems:
  c:\Program Files\Tivoli\pdweb\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes

0
    The utility completed successfully.

1
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples

• The following example configures the default WebSEAL instance with SSL communication enabled with an LDAP server:

  amwebcfg –action config –inst_name default –host diamond.subnet2.ibm.com
    –listening_port 7234 –nw_interface_yn no –admin_id sec_master
    –admin_pwd mypassw0rd –ssl_yn yes –key_file /tmp/client.kdb
    –key_file_pwd mypassw0rd –cert_label ibm_cert –ssl_port 636 –http_yn yes
    –http_port 80 –https_yn yes –https_port 443 –doc_root /usr/docs

• The following example configures a WebSEAL instance named web1 to use a logical network interface, and to not enable SSL communication with an LDAP server:

  amwebcfg –action config –host emerald.subnet2.ibm.com –listening_port 7235
    –inst_name web1 –nw_interface_yn yes –ip_address 111.222.333.222
    –admin_id sec_master –admin_pwd mypassw0rd –http_yn yes –http_port 81
    –https_yn yes –https_port 444

• The following example unconfigures the default WebSEAL instance:

  amwebcfg -action unconfig -inst_name default -admin_id sec_master
    -admin_pwd mypassw0rd

• The following example unconfigures a WebSEAL instance named web1:

  amwebcfg -action unconfig -inst_name web1 -admin_id sec_master
    -admin_pwd mypassw0rd


amwpmcfg

Configures or unconfigures the Web Portal Manager component of Tivoli Access Manager.

Syntax

amwpmcfg –action config –policysvr policy_server_host [–policysvr_port policy_server_port] –waspath websphere_installation_path [–was_host websphere_host] [–was_port websphere_port] [–was_admin_id websphere_admin] [–was_admin_pwd websphere_admin_password] [–trust_store trust_store] [–trust_store_pwd trust_store_password] [–keyfile key_file] [–key_pwd key_file_password] http_server_name] [–authzsvr authorization_server_host] [–authzsvr_port authorization_server_port] [–admin_id tam_admin] [–admin_pwd tam_admin_password] [–domain domain]

amwpmcfg –action config –interactive

amwpmcfg –action config –rspfile properties_file

amwpmcfg –action name

amwpmcfg –action status

amwpmcfg –action unconfig –policysvr policy_server_host [–policysvr_port policy_server_port] –waspath websphere_installation_path [–was_host websphere_host] [–was_port websphere_port] [–was_admin_id websphere_admin] [–was_admin_pwd websphere_admin_password] [–trust_store trust_store] [–trust_store_pwd trust_store_password] [–keyfile key_file] [–key_pwd key_file_password] [ http_server_name] [–admin_id tam_admin] [–admin_pwd tam_admin_password]

amwpmcfg –action unconfig –interactive

amwpmcfg –help [parameters]

amwpmcfg –operations

amwpmcfg –usage

amwpmcfg –?

Description

The amwpmcfg utility is used to configure or unconfigure the Web Portal Manager component of Tivoli Access Manager. You can perform these actions in the following ways:

• Directly from the command line
• Interactively through a graphical interface
• Silently with a response file

When using this utility to configure Web Portal Manager, different parameters are required depending on the following situations:

• When using a secure connection to WebSphere Application Server
• Whether the Tivoli Access Manager authorization server is already configured


When using a secure connection to WebSphere Application Server, you must specify the following parameters:

• –was_admin_id
• –was_admin_pwd
• –trust_store
• –trust_store_pwd
• –keyfile
• –key_pwd

When the authorization server is already configured, you must specify the following parameters:

• –authzsvr
• –authzsvr_port

Parameters

–?
    Displays the usage statement for this utility.

–action {config|name|status|unconfig}
    Specifies the action to perform. Actions include:

    config
        Configure Web Portal Manager for Tivoli Access Manager.

    name
        Retrieves the package name of Web Portal Manager and returns the name value to the pdconfig utility. This parameter is used internally by the pdconfig utility. Do not use this parameter from the command line.

    status
        Determines the configuration status of Web Portal Manager and returns the status to the pdconfig utility. This parameter is used internally by the pdconfig utility. Do not use this parameter from the command line.

    unconfig
        Unconfigure Web Portal Manager for Tivoli Access Manager.

–admin_id tam_admin
    Specifies the name of the Tivoli Access Manager administrator with the appropriate administrative privileges. If not specified, you will be prompted.

–admin_pwd tam_admin_password
    Specifies the password for the Tivoli Access Manager administrator. If not specified, you will be prompted.

–authzsvr authorization_server_host
    Specifies the host name of the Tivoli Access Manager authorization server. Valid values include any valid IP host name. For example: libra.dallas.ibm.com

–authzsvr_port authorization_server_port
    Specifies the port number for the Tivoli Access Manager authorization server. The default value is 7136.

–domain domain
    Specifies the name of the domain. The domain must already exist. Any security policy that is in a domain affects only those objects in that domain. Users with authority to perform tasks in one domain do not necessarily have authority to perform those same tasks in other domains. The default domain is Default, which indicates the management domain.

–help [parameter]
    Displays online help for this utility. Without parameters, the entire usage statement is displayed. With one or more parameters, the help for those parameters only will be displayed.

–interactive
    Specifies interactive mode, using a graphical interface, to configure or unconfigure Web Portal Manager. If not specified, the utility runs in silent mode.

–key_pwd key_file_password
    Specifies the existing password that is associated with the specified client key file. This password was set when the key file was created. This parameter is required when using a secure connection to WebSphere Application Server.

–keyfile key_file
    Specifies the fully qualified file name of the key file. This key file holds the client-side certificates that are used in secure communication. This parameter is required when using a secure connection to WebSphere Application Server.

–operations
    Displays all of the valid parameters for this utility.

–policysvr policy_server_host
    Specifies the host name of the Tivoli Access Manager policy server. Valid values include any valid IP host name. For example: libra.dallas.ibm.com

–policysvr_port policy_server_port
    Specifies the port number for the Tivoli Access Manager policy server. The default value is 7135.

–rspfile properties_file
    Specifies the fully qualified path and file name of the properties file to use during silent configuration. A properties file can be used for configuration. There is no default properties file name. The properties file contains parameter=value pairs. To use properties files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

–trust_store trust_store
    Specifies the fully qualified file name of the trust store. This trust file handles the server-side certificates that are used in secure communication. The trust store verifies the certificate that is presented by the server. The signer of the certificate must be a trusted certificate authority (CA). This parameter is required when using a secure connection to WebSphere Application Server.

–trust_store_pwd trust_store_password
    Specifies the existing password that protects the trust store file. This password was set when the trust store was created. This parameter is required when using a secure connection to WebSphere Application Server.

–usage
    Displays the usage statement for this utility.

–was_admin_id websphere_admin
    Specifies the name of the WebSphere administrator with the appropriate administrative privileges. This parameter is required when using a secure connection to WebSphere Application Server. If not specified, you will be prompted.

–was_admin_pwd websphere_admin_password
    Specifies the password for the WebSphere administrator. This parameter is required when using a secure connection to WebSphere Application Server. If not specified, you will be prompted.

–was_host websphere_host
    Specifies the host name or IP address of the system where WebSphere Application Server is installed.

–was_port websphere_port
    Specifies the SOAP port number for the WebSphere Application Server. The default value is 8879 when using Deployment Manager in a cluster environment and 8880 when using an application server in a single server environment.

–waspath websphere_installation_path
    Specifies the full path to the installation directory for IBM WebSphere Application Server. This directory will be validated by checking for the existence of the wsadmin script in the /bin directory and the /java/jre/lib/ext/PD.jar file. The configuration will fail if a required version of WebSphere Application Server is not installed.

Availability

This utility is located in one of the following default installation directories:

• On Linux and UNIX operating systems:
  /opt/PolicyDirector/sbin

• On Windows operating systems:
  c:\Program Files\Tivoli\Policy Director\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return codes

0
    The utility completed successfully.

1
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


bassslcfg

Configures or modifies the configuration information of the Tivoli Access Manager runtime.

Syntax

bassslcfg –add_replica –h host_name –p port –r replica_rank

bassslcfg –chgpwd –e password_life

bassslcfg –chg_replica –h host_name [–p server_port –r replica_rank]

bassslcfg –config –c cert_file –h host_name [–p server_port] [–e password_life] [–t ssl_timeout] [–d primary_domain] [–a {yes|no}]

bassslcfg –getcacert –c cert_file –h host_name [–p server_port]

bassslcfg –getmgtdomain –h host_name [–p port]

bassslcfg –modify [–h host_name] [–e password_life] [–p server_port] [–t ssl_timeout] [–d primary_domain] [–a {yes|no}]

bassslcfg –ping –h host_name [–p server_port]

bassslcfg –rmv_replica –h host_name

Parameters

–a {yes|no}
    Sets the key file password ssl-auto-refresh entry in the pd.conf configuration file. The value must be yes or no.

–add_replica
    Before deprecation, added an authentication server replica.

–c cert_file
    Specifies the name of the policy server base-64 encoded, self-signed certificate.

–chgpwd
    Changes the key database password. A new random password is generated and saved in the stash file.

–chg_replica
    Before deprecation, changed the attributes of an authentication server replica. The replica host name is used to identify the replica server and cannot be changed by this utility.

–config
    Configures the Tivoli Access Manager runtime so that pdadmin commands and the svrsslcfg utility can communicate with the policy server. Also creates a new key and stash file.

–d domain
    Specifies the local domain name. During a configuration action, this domain must exist and the administrator ID and password must be valid for this domain. If not specified, the local domain that was specified during configuration of the Tivoli Access Manager runtime will be used. The local domain value will be retrieved from the configuration file.

    A valid local domain name is an alphanumeric, case-sensitive string. String characters are expected to be characters that are part of the local code set. You cannot use a space in the domain name.

–e password_life
    Sets the key file password expiration time in days.

    During a configuration action, the default value is 7299.

    When modifying:
    • Specify 0 if you want to use the currently configured value.
    • Specify 7299 days if the currently configured value cannot be determined.
    • Otherwise, specify a valid value from 1 to 7299.

–getcacert
    Downloads the root CA certificate to a file.

–getmgtdomain
    Prints the name of the management domain from the policy server to standard out (stdout).

–h host_name
    Specifies the TCP host name of the policy server. Valid values include any valid IP host name. For example:
    host = libra
    host = libra.dallas.ibm.com

–modify
    Modifies the policy server configuration.

–p server_port
    Specifies the listening port of the policy server. The default value is 7135. For a ping action, specify the listening port of that server. If not specified, the default listening port is 7135.

–ping
    Pings a Tivoli Access Manager server.

–rmv_replica
    Before deprecation, removed an authentication server replica.

–t ssl_timeout
    Specifies the SSL session timeout in seconds. The value must be from 1 to 86400. During a configuration action, the default value is 7200.

Availability

This utility is located in one of the following default installation directories:

• On Linux and UNIX operating systems:
  /opt/PolicyDirector/sbin

• On Windows operating systems:
  c:\Program Files\Tivoli\Policy Director\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).


Return codes

0
    The utility completed successfully.

1
    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


install_component

Expedites the installation and configuration of Tivoli Access Manager components.

Syntax

install_amacld –console

install_amacld –options response_file [–silent]

install_amadk –console

install_amadk –options response_file [–silent]

install_amjrte –console

install_amjrte –options response_file [–silent]

install_ammgr –console

install_ammgr –options response_file [–silent]

install_amproxy –console

install_amproxy –options response_file [–silent]

install_amrte –console

install_amrte –options response_file [–silent]

install_amweb –console

install_amweb –options response_file [–silent]

install_amwebadk –console

install_amwebadk –options response_file [–silent]

install_amwebars –console

install_amwebars –options response_file [–silent]

install_amwpi –console

install_amwpi –options response_file [–silent]

install_amwpm –console

install_amwpm –options response_file [–silent]

install_ldap_server –console

install_ldap_server –options response_file [–silent]

install_sms –console


install_sms –options response_file [–silent]

install_smscli –console

install_smscli –options response_file [–silent]

Description

The install_component command expedites the installation and configuration of Tivoli Access Manager components.

Note: If you use Microsoft Active Directory on a Linux or UNIX operating system, or if the domain of the policy server is different from the domain of the local machine, Tivoli Directory Server is required on Tivoli Access Manager systems.

The installation wizard executable files are also useful if you want to add a Tivoli Access Manager component or set up a system in an existing domain. All prerequisite products and Tivoli Access Manager components are installed and configured except for a platform-specific JRE that must be installed manually.

To create a response file for a Tivoli Access Manager installation wizard, you must copy a template that is provided on the Tivoli Access Manager CD for the component from the /rspfile directory on the CD to your hard drive and edit its values.

For detailed information, including step-by-step scenarios, see the IBM Tivoli Access Manager for e-business: Installation Guide. Ensure that you are familiar with the configuration options of the install_component executable files. Before running the install_component utility, ensure that the component is supported on your platform.

Parametersinstall_amacld

Sets up a Tivoli Access Manager authorization server system with thefollowing software packages:v IBM Global Security Kitv IBM Tivoli Directory Server client (if needed for LDAP or Active

Directory on Linux and UNIX operating systems)v Tivoli Security Utilitiesv Tivoli Access Manager Licensev Tivoli Access Manager Runtimev Tivoli Access Manager Authorization Server

install_amadk
Sets up a Tivoli Access Manager Application Development Kit development system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Application Development Kit


install_amjrte
Sets up a Java Runtime Environment (JRE) system with the following software packages:
v Tivoli Access Manager License
v Tivoli Access Manager Runtime for Java

install_ammgr
Sets up the Tivoli Access Manager policy server system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Policy Server

install_amproxy
Sets up the Tivoli Access Manager policy proxy server system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Policy Proxy Server

install_amrte
Sets up a Tivoli Access Manager runtime system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime

install_amweb
Sets up a Tivoli Access Manager WebSEAL system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Web Security Runtime
v Tivoli Access Manager WebSEAL

install_amwebadk
Sets up a Tivoli Access Manager Web security Application Development Kit development system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Application Development Kit
v Tivoli Access Manager Web Security Runtime
v Tivoli Access Manager WebSEAL Application Development Kit

install_amwebars
Sets up a Tivoli Access Manager Attribute Retrieval Service system with the following software packages:
v IBM WebSphere Application Server
v Tivoli Access Manager License
v Tivoli Access Manager Attribute Retrieval Service

install_amwpi
Sets up a Tivoli Access Manager plug-in for Web server system with the following software packages:
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Web Security Runtime
v Tivoli Access Manager Plug-in for Web Servers
v One of the following Web server-specific plug-ins:
– Tivoli Access Manager Plug-in for Apache Web Server
– Tivoli Access Manager Plug-in for IBM HTTP Server
– Tivoli Access Manager Plug-in for Sun Java System Web Server

install_amwpm
Sets up the Web Portal Manager interface with the following software packages:
v IBM WebSphere Application Server
v Tivoli Access Manager License
v Tivoli Access Manager Runtime for Java
v Tivoli Access Manager Web Portal Manager

install_ldap_server
Sets up an IBM Tivoli Directory Server system with the following software packages:
v IBM Global Security Kit
v IBM DB2 Universal Database
v IBM Tivoli Directory Server client
v IBM Tivoli Directory Server

Note: You cannot use the install_ldap_server executable file if an existing version of Tivoli Directory Server is installed.


install_sms
Sets up a Tivoli Access Manager session management server system with the following software packages:
v IBM WebSphere Application Server
v Tivoli Access Manager Session Management Server

install_smscli
Sets up a Tivoli Access Manager session management command line system with the following software packages:
v IBM WebSphere Application Server
v IBM Global Security Kit
v IBM Tivoli Directory Server client (if needed for LDAP or Active Directory on Linux and UNIX operating systems)
v Tivoli Security Utilities
v Tivoli Access Manager License
v Tivoli Access Manager Runtime
v Tivoli Access Manager Authorization Server
v Tivoli Access Manager Session Management Command Line

response_file
Specifies a response file to perform a silent, unattended installation of Tivoli Access Manager components. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

Return codes
0 The utility completed successfully.
non-zero The utility failed.
1003 A reboot of the system is required.


ivrgy_tool
Updates the Tivoli Access Manager schema on the specified LDAP server or applies the required ACLs to suffixes that were added to the LDAP server after the policy server was configured.

Syntax
ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d add-acls domain_name

ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d -Z -K keyfile -P keyfile_password [-N keyfile_label] add-acls domain_name

ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d schema

ivrgy_tool -h host_name -p port -D admin_dn -w admin_password -d -Z -K keyfile -P keyfile_password [-N keyfile_label] schema

Description
The ivrgy_tool utility with the add-acls parameter can be used to apply the required ACLs to suffixes that were added to the LDAP server after the policy server was configured, or to apply ACLs to the back-end servers in a Tivoli Directory Server proxy environment. In the proxy environment, the back-end server enforces access control. You need to ensure that the proper ACLs are created on each back-end server if the ACLs exist on the top-level object of the partition split. To set the necessary ACLs on the back-end servers to allow Tivoli Access Manager to manage the partition suffix, use the add-acls parameter.

The ivrgy_tool utility with the schema parameter updates the Tivoli Access Manager schema on the specified supported LDAP server. The schema is defined in a set of files. The files relate to the type of LDAP server that is being used.

These files are installed during the installation of the Tivoli Access Manager runtime and are used as input to the automatic schema update process when you configure the policy server.

Normally, the schema is updated when the policy server is configured. When migrating an existing installation of Tivoli Access Manager, the schema on the LDAP server must be upgraded to the current version using the ivrgy_tool utility.

The following files contain the LDAP-specific schema:

secschema.def
Used for Tivoli Directory Server

nsschema.def
Used for Sun Java System Directory Server or Sun ONE Directory Server

novschema.def
Used for Novell eDirectory Server

An administrator can also apply and update the schema by using one of these files as the LDAP Data Interchange Format (LDIF) input to the Tivoli Directory Server ldapmodify utility.


Note: The ivrgy_tool schema command cannot be used to apply the Tivoli Access Manager schema to the Active Directory Application Mode (ADAM). To add the Tivoli Access Manager schema to ADAM, see “Configuring the Tivoli Access Manager schema for Active Directory Application Mode (ADAM)” on page 121.

Parameters
-d Indicates verbose mode.

-D admin_dn
Specifies the distinguished name of the LDAP administrator. The format for a distinguished name is similar to cn=root.

-h host_name
Specifies the IP address or host name of the LDAP server. Valid values include any valid IP host name; for example:
host = libra
host = libra.dallas.ibm.com

When used in a Tivoli Directory Server proxy environment, the value is the IP address or host name of the back-end server on which to set the ACLs.

-K keyfile
Specifies the fully qualified path and file name of the SSL key database. This parameter is required only when the -Z parameter is specified. Use the SSL key file to handle certificates that are used in LDAP communication. The file type can be anything, but the extension, as shown in the following example for the policy server, is usually .kdb.

Policy server on Windows
C:\Program Files\Tivoli\Policy Director\keytab\ivmgrd.kdb

Policy server on Linux or UNIX
/opt/PolicyDirector/keytab/ivmgrd.kdb

-N keyfile_label
Specifies the label name of the client certificate in the SSL key database that is sent to the LDAP server if the LDAP server is configured to perform both server and client authentication during SSL establishment. This parameter is valid only when SSL is being used (indicated by using the -Z parameter) and when the LDAP server has been configured to require client authentication.

If the installation wizard was used, the default client certificate label is PDLDAP.

-p port
Specifies the port number of the LDAP server. Use the LDAP server-configured port number. The default port number is 636 if Secure Sockets Layer (SSL) is used and 389 if SSL is not used.

When used in a Tivoli Directory Server proxy environment, the value is the port number of the back-end server.

-P keyfile_password
Specifies the password for the SSL key database. This parameter is required only if the -Z parameter is specified.

-w admin_password
Specifies the password of the LDAP administrator.


-Z Indicates that SSL is used.

add-acls domain_name
Indicates that the required access control lists (ACLs) should be applied to all suffixes that were defined on the LDAP server for the specified domain. When the policy server is configured, the management domain (Default) is created. When using the add-acls parameter in a Tivoli Directory Server proxy environment, at a minimum, always apply the ACLs to the management domain.

This option is useful for adding access control to suffixes that were added to the LDAP server after the policy server is configured.

schema
Updates the Tivoli Access Manager schema. Use this parameter when:
v You are using a version of Tivoli Directory Server prior to version 6.1. For example, you are using Tivoli Directory Server version 5.2.
v You are using an LDAP server other than Tivoli Directory Server. For example, you are using Novell eDirectory Server.

Note: This command cannot be used when ADAM is used as the LDAP registry.

Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code is provided.


mgrsslcfg
Creates or modifies the SSL certificates of the policy server.

Syntax
mgrsslcfg -chgcert -l cert_life

mgrsslcfg -chgpwd -e password_life

mgrsslcfg -config [-e password_life] [-l cert_life] [-t ssl_timeout] [-a {yes|no}]

mgrsslcfg -modify [-e password_life] [-l cert_life] [-t ssl_timeout] [-a {yes|no}]

Description
Stop the Tivoli Access Manager policy server before running this utility.

Parameters
-a {yes|no}
Sets the key file password ssl-auto-refresh entry in the ivmgrd.conf configuration file. The value must be yes or no. The default value is yes.

-chgcert
Renews the SSL certificate. A new public-private key pair and certificate are created and stored in the key database.

-chgpwd
Changes the key database password. A new random password is generated and saved in the stash file.

Before running this action, stop the policy server.

-config
Creates new key and stash files and generates new certificates for the policy server.

-e password_life
Sets the key file password expiration time in days.

During a configuration action (-config), the default value is 183.

When modifying:
v Specify 0 to use the currently configured value.
v Specify 183 if the currently configured value cannot be determined.
v Otherwise, specify a valid value from 1 to 7299.

-l cert_life
Sets the maximum certificate expiration time in days. The actual time used will be the lesser of this value and the number of days before the CA certificate for the policy server expires. The CA certificate lifetime is set to 7300 days at initial configuration of the policy server.

During a configuration action (-config), the default value is 1460.

When modifying:
v Specify 0 to use the currently configured value.
v Specify 1460 if the currently configured value cannot be determined.
v Otherwise, specify a valid value from 1 to 7299.


-modify
Modifies the current configuration.

-t ssl_timeout
Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range from 1 to 86400. During configuration, the default value is 7200.

Availability
This utility is located in one of the following default installation directories:
v On Linux and UNIX operating systems:
/opt/PolicyDirector/sbin
v On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdbackup
Backs up, restores, and extracts Tivoli Access Manager data.

Syntax
pdbackup -action backup -list list_file [-path path] [-file filename]

pdbackup -action restore -file filename [-path path]

pdbackup -action extract -file filename -path path

pdbackup -usage

pdbackup -?

Description
Use the pdbackup utility to back up and restore Tivoli Access Manager data. As an alternative to a restore action, you can extract all archived files into a single directory. This utility is most commonly used for backing up, restoring, and extracting Tivoli Access Manager component files.

Parameters
Note that you can shorten a parameter name, but the abbreviation must be unambiguous. For example, you can type -a for -action or -l for -list. However, values for parameters cannot be shortened.

-? Displays the syntax and an example for this utility.

-action {backup|restore|extract}
Specifies the action to be performed. This parameter supports one of the following values:

backup
Backs up the data, service information, or migration information to an archive file. The archive file has a tar extension on Linux and UNIX operating systems and a dar extension on Windows operating systems.

extract
Extracts the data from an archive file to a specified directory. This action is used during a two-machine migration only.

restore
Restores the data from the archive file.

-file filename
Specifies the name of the archive file. When this parameter is required, its value must be the fully qualified name of the archive file. When this parameter is optional, its value must be the name of the archive file only. For the extract and restore actions, this parameter is required. For the backup action, this parameter is optional.

When using the backup action, specifies a file name other than the default name. The default name is the name of the service list file with the date and time of the file creation. On Linux and UNIX operating systems, the default file name is list_file_ddmmmyyyy.hh_mm.tar. On Windows operating systems, the default file name is list_file_ddmmmyyyy.hh_mm.dar.


-list list_file
Specifies the fully qualified name of the list file. The list file is an ASCII file that contains the information about the various files and data to back up. These files are located in the /etc directory under the component-specific installation directory. The following list contains the default file name and location of each component-specific list file by operating system (assuming that the default installation directory was used during installation):

Tivoli Access Manager data
On Linux and UNIX operating systems:
/opt/PolicyDirector/etc/pdbackup.lst
On Windows operating systems:
"C:\Program Files\Tivoli\Policy Director\etc\pdbackup.lst"

Tivoli Access Manager service information
On Linux and UNIX operating systems:
/opt/PolicyDirector/etc/pdinfo.lst
On Windows operating systems:
"C:\Program Files\Tivoli\Policy Director\etc\pdinfo.lst"

WebSEAL data
On Linux and UNIX operating systems:
/opt/pdweb/etc/amwebbackup-instance.lst
On Windows operating systems:
"C:\Program Files\Tivoli\pdweb\etc\amwebbackup-instance.lst"
Where instance is the name of the instance.

WebSEAL service information
On Linux and UNIX operating systems:
/opt/pdweb/etc/pdinfo-amwebbackup-instance.lst
On Windows operating systems:
"C:\Program Files\Tivoli\pdweb\etc\pdinfo-amwebbackup-instance.lst"
Where instance is the name of the instance.

Plug-in for Web Servers data
On Linux and UNIX operating systems:
/opt/pdwebpi/etc/pdwebpi.lst
On Windows operating systems:
"C:\Program Files\Tivoli\pdwebpi\etc\pdwebpi.lst"

Plug-in for Web Servers service information
On Linux and UNIX operating systems:
/opt/pdwebpi/etc/pdinfo-pdwebpi.lst
On Windows operating systems:
"C:\Program Files\Tivoli\pdwebpi\etc\pdinfo-pdwebpi.lst"

-path path
Specifies the target directory for the specified action. This parameter is required with the extract action, but is optional with the backup and restore actions.

When specified with the backup action, specifies the target directory for the archive file. When not specified, the command uses the default directory for the component. The following list contains the default directory for each component by operating system:
On Linux and UNIX operating systems:
/var/PolicyDirector/pdbackup/
On Windows operating systems:
c:\program files\tivoli\policy director\pdbackup\


With the extract action, specifies the directory where the files that are extracted from the archive file are stored. There is no default value for the -path parameter when used for an extract action.
v On Linux and UNIX operating systems only, when specified with the restore action, specifies the directory where the files from the archive file are restored. By default, this path is the one used during the backup process. On Windows operating systems, the restore process does not support the -path parameter. On Windows operating systems, the files are restored to their original directory.

-usage
Displays the syntax and an example for this utility.

Availability
This utility is located in one of the following default installation directories:
On Linux and UNIX operating systems:
/opt/PolicyDirector/bin
On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples
v The following example backs up the Tivoli Access Manager data on a Windows operating system using default values for the archive files:
pdbackup -a backup -list \
c:\program files\tivoli\policy director\etc\pdbackup.lst

If the command is run on December 22, 2005 at 10:22 AM, the pdbackup.lst_22dec2005.10_22.dar archive file is created and stored in the c:\program files\tivoli\policy director\pdbackup\ directory.

v The following example backs up the WebSEAL service information on a UNIX operating system and stores the archive in the /var/backup directory:
pdbackup -a backup -list \
/opt/pdweb/etc/pdinfo-amwebbackup.lst \
-path /var/backup

If the command is run on December 22, 2005 at 10:22 AM, the pdinfo-amwebbackup.lst_22dec2005.10_22.tar archive file is created and stored in the /var/pdbackup directory.

v The following example backs up the Plug-in for Web Servers files on a Linux operating system and creates the webpi.tar file in the /var/pdback directory:
pdbackup -a backup -list \
/opt/pdwebpi/etc/pdwebpi.lst \
-f webpi -p /var/pdback

Independent of when the command is run, the webpi.tar file is created in the /var/pdback directory. The .tar file extension is added to the file name during the backup process.

v The following example restores the pdbackup.lst_22dec2005.10_22.dar archive file on a Windows operating system from the default location:
pdbackup -a restore -f c:\program files\tivoli\policy \
director\pdbackup\pdbackup.lst_22dec2005.10_22.dar

The file is restored to its original location. On Windows operating systems, files cannot be restored to another location.

v The following example restores the amwebbackup.lst_22dec2005.10_22.tar archive file that is stored in the /var/pdbackup directory to the /amwebtest directory:
pdbackup -a restore -f \
/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar \
-p /amwebtest

v The following example extracts the amwebbackup.lst_22dec2005.10_22.tar archive file that is stored in the /var/pdbackup directory to the /amwebextracttest directory:
pdbackup -a extract -f \
/var/pdbackup/amwebbackup.lst_22dec2005.10_22.tar \
-p /amwebextracttest


pdconfig
Configures and unconfigures Tivoli Access Manager components.

See the IBM Tivoli Access Manager for e-business: Installation Guide for step-by-step instructions on how to use this utility.

Syntax
pdconfig

Parameters
None.

Availability
This utility is located in one of the following default installation directories:
v On Linux and UNIX operating systems:
/opt/PolicyDirector/bin
v On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdjrtecfg
Configures or unconfigures Tivoli Access Manager Runtime for Java. This component enables Java applications to manage and use Tivoli Access Manager security.

Syntax
pdjrtecfg -action config -host policy_server_host [-port policy_server_port] [-java_home jre_home] [-domain domain_name] [-config_type full] [-enable_tcd [-tcd path]]

pdjrtecfg -action config -config_type standalone

pdjrtecfg -action config -interactive

pdjrtecfg -action config -rspfile properties_file

pdjrtecfg -action name

pdjrtecfg -action status [-java_home jre_home]

pdjrtecfg -action unconfig [-java_home {jre_home|all}]

pdjrtecfg -action unconfig -interactive

pdjrtecfg -operations

pdjrtecfg -help [options]

pdjrtecfg -usage

pdjrtecfg -?

Description
This utility copies Tivoli Access Manager Java libraries to a library extensions directory that exists for a Java runtime that has already been installed on the system.

Using this utility does not overwrite JAR files that already exist in the jre_home\lib\ext directory, except the PD.jar file, which is overwritten if the file exists.

You can install more than one Java runtime on a given machine. The pdjrtecfg utility can be used to configure the Tivoli Access Manager Runtime for Java independently for each of the JREs.

Note: Make sure that you use the pdjrtecfg utility and not the PdJrteCfg Java class directly.

Parameters
-? Displays the syntax for this utility.

-action {config|name|status|unconfig}
Specifies the action to be performed, which is one of the following values:


config
Configures the Tivoli Access Manager Runtime for Java component.

name
Retrieves the Tivoli Access Manager Runtime for Java component package name and returns the name value to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.

status
Determines and returns the Tivoli Access Manager Runtime for Java component configuration status information to the pdconfig utility. This parameter is used only by pdconfig. Do not use this parameter from the command line.

unconfig
Unconfigures the Tivoli Access Manager Runtime for Java component.

-config_type {full|standalone}
Specifies the configuration mode. The default value is full.

full
Performs all of the required configuration steps, including the generation of the server-side certificate for the policy server.

standalone
Performs all of the required configuration steps, except for the generation of the server-side certificate for the policy server. With this configuration, you can use the Tivoli Access Manager Java APIs without requiring a policy server. Typically, this configuration is used during the configuration of a Tivoli Access Manager development environment.

-domain domain
Specifies the local domain name for the Java runtime being configured. A local domain is a Tivoli Access Manager secure domain that is used by programs when no explicit domain is specified. If this parameter is not specified, the local domain will default to the management domain.

-enable_tcd [-tcd path]
Enables Tivoli Common Directory (TCD) logging, if not already enabled, and specifies the fully qualified path location to use for common logging. When TCD is enabled, all Tivoli Access Manager message log files will be placed in this common location.

-help [options]
Provides online help for one or more utility options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line parameter.

-host policy_server_host
Specifies the Tivoli Access Manager policy server host name. Valid values include any valid IP host name. Examples:
host = libra
host = libra.dallas.ibm.com

-interactive
Specifies the interactive mode, in which the user is prompted for configuration information to configure the Tivoli Access Manager Runtime for Java component. If not specified, the configuration program will run in non-interactive (silent) mode.

-java_home jre_path
Specifies the fully qualified path to the Java runtime (such as the directory ending in JRE). If this parameter is not specified, the home directory for the JRE in the PATH statement will be used. If the home directory for the JRE is not in the PATH statement, this utility fails.

During unconfiguration, you can specify the all parameter, which unconfigures all configured JREs.

-operations
Prints out all the valid command line options.

-port policy_server_port
Specifies the Tivoli Access Manager policy server port number. The default value is 7135.

-rspfile properties_file
Specifies the fully qualified path and file name of the properties file to use during silent configuration. A properties file can be used for configuration. There is no default properties file name. The properties file contains parameter=value pairs. The following rules apply to properties files:
v All slashes in the java_home parameter path must be either:
– Escaped with a second backslash (\)
– A single forward slash (/)

For example:
java_home=c:\\Program Files\\IBM\\Java15

or
java_home=c:/Program Files/IBM/Java15

v The path must not include quotation marks.

To use properties files, see Chapter 27, “Using response files,” on page 607.
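The two path rules above, as an added example in Python (not IBM code): a checker for a pdjrtecfg properties file that parses its parameter=value lines, flags a java_home value that uses unescaped single backslashes or quotation marks, and returns the path as the utility would read it. The response-file contents inside the block are constructed samples.

```python
"""Checker for the java_home path rules of a pdjrtecfg properties file.

Added example, not IBM code. The response-file contents below are
constructed samples; the rules checked are the two stated in the text:
backslashes must be doubled (or forward slashes used) and the path must
not include quotation marks.
"""
import re

# Constructed sample response files. Raw strings are used so that the
# backslashes appear in the file text exactly as written here.
GOOD_BACKSLASH = r"java_home=c:\\Program Files\\IBM\\Java15" + "\n"
GOOD_SLASH = "# comment line\njava_home=c:/Program Files/IBM/Java15\n"
BAD_SINGLE = r"java_home=c:\Program Files\IBM\Java15" + "\n"
BAD_QUOTED = 'java_home="c:/Program Files/IBM/Java15"\n'


def parse_properties(text):
    """Return {parameter: raw value} for the parameter=value lines.

    Blank lines and lines starting with '#' are skipped; the raw value is
    kept exactly as written so that its escaping can be checked.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def java_home_problems(raw):
    """Return the list of rule violations for a raw java_home value."""
    problems = []
    if '"' in raw or "'" in raw:
        problems.append("path must not include quotation marks")
    # Every backslash has to be one half of a doubled pair, so a run of
    # backslashes of odd length contains an unescaped single backslash.
    for run in re.findall(r"\\+", raw):
        if len(run) % 2 == 1:
            problems.append("backslash not escaped with a second backslash")
            break
    return problems


def unescape_java_home(raw):
    """Collapse doubled backslashes to the path the utility would use."""
    return raw.replace("\\\\", "\\")


def check_response_file(text):
    """Return [] when the file passes, else the list of problems found.

    java_home is optional (the JRE found on PATH is used when it is
    absent), so a file without it passes.
    """
    props = parse_properties(text)
    if "java_home" not in props:
        return []
    return java_home_problems(props["java_home"])


if __name__ == "__main__":
    samples = [("GOOD_BACKSLASH", GOOD_BACKSLASH), ("GOOD_SLASH", GOOD_SLASH),
               ("BAD_SINGLE", BAD_SINGLE), ("BAD_QUOTED", BAD_QUOTED)]
    for name, text in samples:
        print(name, check_response_file(text) or "ok")
```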

-usage
Displays the syntax for this utility.

Availability
This utility is located in one of the following default installation directories:
v On Linux and UNIX operating systems:
/opt/PolicyDirector/sbin
v On Windows operating systems:
c:\Program Files\Tivoli\Policy Director\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return codes
0 The utility completed successfully.
1 The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


Examples
v The following example configures the Tivoli Access Manager Runtime for Java component:
pdjrtecfg -action config -host sys123.acme.com -port 7135
-java_home e:\apps\IBM\java15sr2\jre

v The following example unconfigures the Tivoli Access Manager Runtime for Java component:
pdjrtecfg -action unconfig -java_home e:\apps\IBM\java15sr2\jre


pdproxycfg
Configures or unconfigures a policy proxy server.

Syntax
pdproxycfg -action config -admin_id admin_id -admin_pwd password -policysvr policy_server_name -admin_port policy_server_port -host proxy_server_name -proxy_port proxy_server_port -ssl_enabled {yes|no} -keyfile keyfile -key_pwd password -key_label label -ssl_port ssl_port

pdproxycfg -action config -rspfile response_file

pdproxycfg -action config -interactive {yes|no}

pdproxycfg -action unconfig -interactive {yes|no}

pdproxycfg -operations

pdproxycfg -help [options]

pdproxycfg -usage

pdproxycfg -?

Description
Use the pdproxycfg utility to configure a policy proxy server from the command line. The utility can be run in interactive mode, command line mode, or response file mode. In interactive mode, the user is prompted to supply the necessary values. In command line mode, all options can be specified from the command line.

In response file mode, the utility obtains the necessary parameters from the response file. When the response file does not contain a necessary parameter, the user is prompted to supply it. The response file must be created manually.

Parameters
-? Displays the syntax for this utility.

-action {config|name|status|unconfig}
This parameter takes one of the following arguments:

config
Configures a policy proxy server.

name
Retrieves the policy proxy server name and returns the name value to the pdconfig utility. This parameter is used only by the pdconfig utility. Do not use this parameter from the command line.

status
Returns the status value to the pdconfig utility. This parameter is used only by the pdconfig utility. Do not use this parameter from the command line.

unconfig
Unconfigures a policy proxy server.

–admin_id admin_idSpecifies the name of the administrative user in the Default domain.Because the policy proxy server represents the policy server, and therefore

Chapter 26. Tivoli Access Manager utilities 583

Page 602: Am611 Install

is able to represent all of the defined domains at the policy server, thepolicy proxy server must be configured into the Default domain. Thedefault value is sec_master.

–admin_port policy_server_port
    Specifies the port number of the Tivoli Access Manager policy server. The default port number is 7139.

–admin_pwd password
    Specifies the password of the administrative user. The default value is sec_master.

–help [options]
    Returns online help for one or more utility options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line option.

–host proxy_server_name
    Specifies the host name that is used by the policy server to contact the policy proxy server. Valid values include any valid IP host name. For example: libra.dallas.ibm.com

–interactive {yes|no}
    Specifies that the configuration is to be done interactively by the administrator (yes) or silently (no).

–key_label label
    Specifies the label of the SSL LDAP client certificate. This parameter is used only when SSL communication is enabled between the policy proxy server and an LDAP server.

–key_pwd password
    Specifies the password of the LDAP SSL key file. This parameter is required only when SSL communication is enabled between the policy proxy server and the LDAP server.

–keyfile keyfile
    Specifies the LDAP SSL key file. This parameter is required only when SSL communication is enabled between the policy proxy server and an LDAP server.

–operations
    Prints out all the valid command line options.

–policysvr policy_server_name
    Specifies the host name of the Tivoli Access Manager policy server or other policy proxy server that can be used for configuration and unconfiguration.

–proxy_port proxy_server_port
    Specifies the port on which the policy proxy server listens for incoming proxy requests. The default value is 7138.

–rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.


–ssl_enabled {yes|no}
    Specifies whether to enable SSL communication between the policy proxy server and the LDAP server. Valid indicators are yes or no.

–ssl_port ssl_port
    The port number on which SSL communication takes place between the policy proxy server and the LDAP server. This parameter is used only when SSL communication is enabled between the policy proxy server and an LDAP server.

–usage
    Displays the syntax for this utility.

Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
    /opt/PolicyDirector/sbin/
• On Windows operating systems:
    c:\Program Files\Tivoli\Policy Director\sbin

When an installation directory other than the default is selected, this utility is located in the /sbin directory under the installation directory (for example, installation_directory/sbin).

Return codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples
• The following example configures a policy proxy server with SSL communication enabled with an LDAP server:
    pdproxycfg –action config –host diamond.subnet2.ibm.com \
        –proxy_port 7234 –admin_id sec_master –admin_pwd mypassw0rd \
        –policysvr libra.subnet2.ibm.com –admin_port 7242 –ssl_enabled yes \
        –keyfile /tmp/client.kdb –key_pwd mypassw0rd –key_label ibm_cert \
        –ssl_port 636


pdsmsclicfg
Configures the command line administration utility for the session management server.

Syntax
pdsmsclicfg –action config [–rspfile response_file] [–interactive {yes|no}] [–tam_integration {yes|no}] [–aznapi_app_config_file path_name] [–webservice_location host:port[,host:port...]] [–instances name1,name2] [–ssl_enable {yes|no}] [–sslkeyfile path] [–sslkeyfile_stash path] [–sslkeyfile_label label]

pdsmsclicfg –action unconfig

pdsmsclicfg –action name

pdsmsclicfg –action version

pdsmsclicfg –action upgrade

Description
The pdsmsclicfg utility configures or unconfigures the session management server command line administration utility. A log of the configuration progress is written to the msg_pdsmsclicfg.log log file, which is located in the /var/pdsms/log directory on Linux and UNIX operating systems and in the installation_directory\log directory on Windows operating systems.

This utility can be run either interactively, where the user is prompted to provide configuration information, or silently, where the utility accepts input from a response file or the command line.

If integration with Tivoli Access Manager is enabled during configuration, the program prompts the user to specify the path to the configuration file for an already configured aznapi application. The program prompts the user to specify the location of the Web service. The location of the Web service is defined by a host name and port that are separated by a colon. The user can specify multiple locations, when each location is separated by a comma. If this Web service uses a secure connection, the program prompts the user for the SSL options. You must also specify the session management server instance(s).

The configuration information is saved to /opt/pdsms/etc/pdsmsclicfg.conf. The presence of this configuration file is used to determine the configuration status of the utility.

The command line executable on Windows is pdsmsclicfg-cl.exe.

Parameters
–action {config|unconfig|upgrade|name|version}
    Specifies the action to be performed, which is one of the following values:
    config    Configures the command line administration utility.
    unconfig  Fully unconfigures the command line administration utility. No other parameters are required.


    name      Displays the translated "Session Management Command Line" name. No other options are required.
    upgrade   Performs a configuration upgrade from a previous version.
    version   Displays the version number for the currently installed SMS CLI package.

–rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

–interactive {yes|no}
    Indicates whether the configuration is interactive. The default value is yes.

–tam_integration {yes|no}
    Specifies whether integration with the Tivoli Access Manager administration framework is required. The default value is no.

–aznapi_app_config_file path_name
    Specifies the fully qualified name of the configuration file for the hosting authorization server. Only required if Tivoli Access Manager integration is enabled.

–webservice_location host:port
    Specifies the location of the session management server Administration Web service. The location is the name of the hosting server and the port on which the Web service resides. Multiple locations can be specified. When specifying multiple locations, separate the locations with commas.

–instances name1,name2
    The session management server instances which are to be administered. The instance names should be separated by a comma. The default value is DSess.

–ssl_enable {yes|no}
    Indicates whether SSL communication with the Web server should be enabled.

–sslkeyfile path
    Specifies the fully qualified name of the SSL key file to use when communicating with the session management server Web service. Use this parameter only when the –ssl_enable parameter is set to yes.

–sslkeyfile_label label
    Specifies the SSL key file label of the certificate to be used. Use this parameter only when the –ssl_enable parameter is set to yes.

–sslkeyfile_stash path
    Specifies the fully qualified name of the stash file that contains the password for the SSL key file. Use this parameter only when the –ssl_enable parameter is set to yes.

Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
    /opt/pdsms/bin
• On Windows operating systems:
    c:\Program Files\Tivoli\PDSMS\bin

To invoke the command line under Windows, use pdsmsclicfg-cl.exe. The pdsmsclicfg command will invoke the wizard.

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0         The utility completed successfully.
non-zero  The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdversion
Lists the current version of Tivoli Access Manager components that are installed on the system.

Syntax
pdversion [–key key1, key2...keyX] [–separator delimiter_character]

Parameters
–key key1, key2...keyX
    Specifies the component or components for which the current version will be presented. Possible values are as follows:
    • pdacld
    • pdadk
    • pdjrte
    • pdmgr
    • pdproxy
    • pdrte
    • pdsms
    • pdweb
    • pdwebars
    • pdwebadk
    • pdwpi
    • pdwsl
    • pdwpm

–separator delimiter_character
    Specifies the separator that is used to delimit the description of the component from its version.

Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
    /opt/PolicyDirector/bin
• On Windows operating systems:
    c:\Program Files\Tivoli\Policy Director\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Examples
• The following example lists the base components of Tivoli Access Manager:
    > pdversion
    IBM Tivoli Access Manager Runtime                      6.1.1.0
    IBM Tivoli Access Manager Policy Server                6.1.1.0
    IBM Tivoli Access Manager Policy Proxy Server          Not Installed
    IBM Tivoli Access Manager Web Portal Manager           Not Installed
    IBM Tivoli Access Manager Application Developer Kit    6.1.1.0
    IBM Tivoli Access Manager Authorization Server         6.1.1.0
    IBM Tivoli Access Manager Runtime for Java             Not Installed

• The following example lists the Tivoli Access Manager Runtime package (PDRTE) and specifies X as the delimiter to separate the component description from its version:
    > pdversion -key pdrte -separator X
    IBM Tivoli Access Manager RuntimeX6.1.0.0
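Because component descriptions contain spaces, an explicit –separator character is what makes pdversion output machine-parseable. The following is an added example (not from the IBM guide) that parses such output, as produced with -separator X, and flags installed components whose level differs from the expected fixpack level, which is the patch-consistency check an administrator wants after an upgrade; the sample output is constructed.

```python
"""Parse `pdversion -separator X` output and flag components at an unexpected level.

Added example, not IBM code. Assumes pdversion was run with an explicit
separator character (X, as in the guide's example) so that the component
description, which itself contains spaces, can be split from the version
unambiguously. SAMPLE_OUTPUT is a constructed sample, not captured output.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `pdversion -separator X` could print on a host
# where one installed component lags behind the others.
SAMPLE_OUTPUT = """\
IBM Tivoli Access Manager RuntimeX6.1.1.0
IBM Tivoli Access Manager Policy ServerX6.1.1.0
IBM Tivoli Access Manager Policy Proxy ServerXNot Installed
IBM Tivoli Access Manager Web Portal ManagerXNot Installed
IBM Tivoli Access Manager Application Developer KitX6.1.0.0
IBM Tivoli Access Manager Authorization ServerX6.1.1.0
IBM Tivoli Access Manager Runtime for JavaXNot Installed
"""

NOT_INSTALLED = "Not Installed"


def parse_pdversion(text: str, separator: str = "X") -> Dict[str, Optional[str]]:
    """Map component description -> version string, or None when Not Installed.

    pdversion emits the separator once per line, between the description and
    the version. Splitting from the right keeps the parse correct even if the
    chosen separator character also occurs inside a description.
    """
    versions: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or separator not in line:
            continue  # blank line or something that is not a component row
        description, value = line.rsplit(separator, 1)
        description, value = description.strip(), value.strip()
        versions[description] = None if value == NOT_INSTALLED else value
    return versions


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '6.1.1.0' into (6, 1, 1, 0) so that levels compare numerically."""
    return tuple(int(part) for part in version.split("."))


def installed_components(versions: Dict[str, Optional[str]]) -> List[str]:
    """Names of components that report a version rather than Not Installed."""
    return sorted(name for name, ver in versions.items() if ver is not None)


def find_level_mismatches(versions: Dict[str, Optional[str]], expected: str) -> List[str]:
    """Installed components whose level is not `expected`.

    Components that are Not Installed are skipped: an absent package is not a
    patch-level problem, whereas an installed one at a lower level is.
    """
    expected_t = version_tuple(expected)
    return sorted(
        name for name, ver in versions.items()
        if ver is not None and version_tuple(ver) != expected_t
    )


if __name__ == "__main__":
    parsed = parse_pdversion(SAMPLE_OUTPUT)
    for name in installed_components(parsed):
        print(f"{name}: {parsed[name]}")
    for name in find_level_mismatches(parsed, "6.1.1.0"):
        print(f"WARNING: {name} is at {parsed[name]}, expected 6.1.1.0")
```

Pick a separator character that cannot appear in the version field or in "Not Installed"; the right-split only protects against the character occurring in the description.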


pdwpicfg
Configures or unconfigures the Plug-in for Web Servers.

Syntax
pdwpicfg –action config –admin_id admin_id –admin_pwd password –auth_port port_number –web_server {iis|iplanet|ihs|apache} –iis_filter {yes|no} –web_directory installation_directory –vhosts virtual_host_id –ssl_enable {yes|no} –keyfile keyfile –key_pwd password –key_label label –ssl_port port_number

pdwpicfg –action config –interactive {yes|no}

pdwpicfg –action config –rspfile response_file

pdwpicfg –action unconfig –admin_id admin_id –admin_pwd password –force {yes|no} –remove {none|acls|objspace|all} –vhosts virtual_host_id

pdwpicfg –action unconfig –interactive {yes|no}

pdwpicfg –operations

pdwpicfg –help [options]

pdwpicfg –usage

pdwpicfg –?

Parameters
–?
    Displays the syntax and an example for this utility.

–action {config|unconfig}
    Indicates the action to perform. This parameter takes one of the following values:
    config    Configures the Tivoli Access Manager Plug-in for Web Servers.
    unconfig  Unconfigures the Tivoli Access Manager Plug-in for Web Servers.

–admin_id admin_id
    Specifies the administration user identifier (the administrative user is normally sec_master).

–admin_pwd password
    Specifies the password for the administrative user.

–auth_port port_number
    Specifies the port number of the authorization server. The default value is 7237.

–help [options]
    Lists the name of the parameter and a short description. If one or more options are specified, it lists each parameter and a short description.

–interactive {yes|no}
    Enables interactive mode for the utility if yes; otherwise, disables interactive mode for the utility. The default value is yes.


–iis_filter {yes|no}
    Enables the Internet Information Server (IIS) filtering if yes; otherwise, disables the IIS filtering.

–keyfile keyfile
    Specifies the LDAP SSL key file. There is no default value. Specify this parameter when you are not running the utility in interactive mode and when you have enabled SSL between the Plug-in for Web Servers and LDAP.

–key_label label
    Specifies the LDAP SSL key label. There is no default value. Specify this parameter when you are not running the utility in interactive mode and when you have enabled SSL between the Plug-in for Web Servers and LDAP.

–key_pwd password
    Specifies the LDAP SSL key file password.

–operations
    Lists each of the parameter names, one after another, without a description.

–remove {none|acls|objspace|all}
    Specifies whether to remove the object space or the ACLs or both as part of the unconfiguration process. The default value is none.

–rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

–ssl_enable {yes|no}
    Enables SSL communications with LDAP if yes; otherwise, disables SSL communications with LDAP. The default value is yes.

–ssl_port port_number
    Specifies the LDAP SSL port. The default value is 636.

–usage
    Displays the syntax and an example for this utility.

–vhosts virtual_host_id
    Specifies the identifiers of the virtual hosts to protect. The value should be in the format of a comma separated list of virtual host IDs. There should be no spaces between the virtual host IDs.

–web_directory installation_directory
    Specifies the Web server installation directory.

–web_server {iis|iplanet|ihs|apache}
    Specifies the Web server type on which the Plug-in for Web Servers is to be installed. This parameter defaults to the type and location of the configured Web server. The following choices are supported:
    ihs       For IBM HTTP Server
    iis       For Internet Information Server
    iplanet   For Sun Java System Web Server or Sun ONE Web Server


    apache    For the Apache Server

Availability
This utility is located in one of the following default installation directories:
• On Linux and UNIX operating systems:
    /opt/pdwebpi/bin
• On Windows operating systems:
    C:\Program Files\Tivoli\pdwebpi\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0    The utility completed successfully.
1    The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


smscfg
Deploys and configures the session management server.

Syntax
smscfg –action {config|unconfig|deploy|undeploy|extract|upgrade|revert}

Configuration
smscfg –action config [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]
    [–enable_session_limit_policy {yes|no}]
    [–session_realm realm:max_login=replica_set1_name,replica_set2_name,...]
    [–session_realm_remove realm_name] [–enable_tcd {yes|no}]
    [–tcd fully_qualified_directory_name] [–enable_tam_integration {yes|no}]
    [–policysvr_host host_name] [–policysvr_port port] [–admin_id administrator_id]
    [–admin_pwd password] [–domain domain] [–authzsvr host_name:port:rank]
    [–cred_refresh_rule rule] [–enable_last_login {yes|no}]
    [–enable_last_login_database {yes|no}] [–last_login_table last_login_database_table_name]
    [–last_login_max_entries max_number_memory_entries] [–last_login_jsp_file file_name]
    [–last_login_jsp server_jsp_name] [–enable_database_session_storage {yes|no}]
    [–enable_auditing {yes|no}] [–auditing_properties file_name]
    [–key_lifetime key_lifetime] [–client_idle_timeout timeout]

Configuration with response file
smscfg –action config –rspfile file_name

Configuration, interactive
smscfg –action config –interactive

Unconfiguration
smscfg –action unconfig [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]
    [–admin_id administrator_id] [–admin_pwd password] [–remove_last_login_db {yes|no}]

Unconfiguration, response file
smscfg –action unconfig –rspfile file_name

Unconfiguration, interactive
smscfg –action unconfig –interactive

Deployment
smscfg –action deploy [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]
    [–enable_database_storage {yes|no}] [–database_name database_name]
    [–virtual_host host_name] [–clustered {yes|no}] [–was_node node_name]
    [–was_server server_name] [–was_cluster cluster_name]

Undeployment
smscfg –action undeploy [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]

Extract
smscfg –action extract [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]

Upgrade
smscfg –action upgrade [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]

Revert
smscfg –action revert [–interactive {yes|no}] [–rspfile file_name] [–record file_name]
    [–was_port port] [–was_enable_security {yes|no}] [–was_admin_id administrator_id]
    [–was_admin_pwd password] [–trust_store file_name] [–trust_store_pwd password]
    [–keyfile file_name] [–key_pwd password] [–instance instance_name]

Utility help
smscfg –help option

smscfg –usage

smscfg –?

Description
The smscfg utility deploys, configures or unconfigures session management server instances. It can also be used to extract the session management server configuration, or to install and remove fixpack upgrades.

A log of the configuration progress is written to the msg_smscfg.log log file, which is located in the /var/pdsms/log directory on Linux and UNIX operating systems and in the installation_directory\log directory on Windows operating systems.

This utility can be run either interactively, where the user is prompted to provide configuration information, or silently, where the utility accepts input from a response file.

Parameters
–?
    Displays the syntax and an example for this utility.

–action {deploy|undeploy|config|unconfig|extract|upgrade|revert}
    Specifies the action to be performed, which is one of the following values:
    deploy    Deploys the session management server instance to a WebSphere Application Server.
    undeploy  Removes a session management server instance from a WebSphere Application Server.


    config    Configures or reconfigures a deployed session management server instance.
    unconfig  Unconfigures a session management server instance.
    extract   Extracts the configuration information from a session management server instance.
    upgrade   Upgrades to a new session management server fixpack.
    revert    Reverts to the previous session management server fixpack.

–admin_id administrator_id
    Specifies the Tivoli Access Manager administration ID. The default value is sec_master. This parameter is required when –enable_tam_integration is set to yes.

–admin_pwd password
    Specifies the password for the Tivoli Access Manager administrator. This parameter is required when you specify the –admin_id parameter.

–auditing_properties file_name
    Specifies the path to the properties file which contains the configuration of the auditing component.

–authzsvr host_name:port:rank
    Specifies the host name, port number, and rank of the Tivoli Access Manager authorization server. This optional parameter can be specified multiple times.

    A Tivoli Access Manager authorization server is required to use the session refresh capabilities or to use certificates that are issued by the Tivoli Access Manager policy server to authenticate session management clients.

    The default value is localhost:7136:1.

–client_idle_timeout timeout
    Specifies the client idle timeout in seconds after which a client is considered idle. A client is considered idle if it is not actively requesting updates from the session management server. This parameter is optional.

–clustered {yes|no}
    Whether the application will be deployed to a WebSphere cluster. The default value is no.

–cred_refresh_rule rule
    Specifies rules to preserve when a user's credential is refreshed. The default credential refresh rule set is preserve=tagvalue_*.

–database_name database
    Specifies the name of the WebSphere JDBC data source that the session management server uses to access the database in which it stores its data. There is no default value.

–domain domain
    Specifies the name of the Tivoli Access Manager policy domain. This parameter is required when –enable_tam_integration is set to yes. The default value is Default.

–enable_auditing {yes|no}
    Indicates whether or not auditing is required. The default value is no.


–enable_database_storage {yes|no}
    Indicates whether database storage is required. The parameter is only meaningful in the context of WebSphere Application Server single server deployments. If the application is deployed to a cluster, this parameter is redundant. The default value is no. Setting this parameter to no sets the database configuration to the WebSphere default resource reference, normally jdbc/DataSource.

–enable_database_session_storage {yes|no}
    Indicates whether storage of session data to a database is required. The default value is no.

–enable_last_login {yes|no}
    Indicates whether last login information is stored. When set to yes, you must specify the following parameters or accept their default values:
    • –last_login_jsp_file
    • –last_login_max_entries
    • –last_login_table

    The default value is no (not to enable the recording of last login information). The –enable_last_login field is only required if installing into a stand alone application server. When installing into a cluster this field is not required.

–enable_last_login_database {yes|no}
    Indicates whether last login information is stored to a database. The default value is no.

–enable_tam_integration {yes|no}
    Indicates whether to enable integration with Tivoli Access Manager or to change enablement. When set to yes, you must specify the following parameters or accept their default values, where applicable:
    • –policysvr_host
    • –policysvr_port
    • –authzsvr
    • –admin_id
    • –admin_pwd
    • –domain

    The default value is no.

–enable_tcd {yes|no}
    Indicates whether Tivoli Common Directory logging is required. When set to yes, you must specify the –tcd parameter. The default value is no.

–enable_session_limit_policy {yes|no}
    Specifies whether to enable session limit and displacement policy. The default value is yes.

–help [options]
    Lists the name of the utility parameter and a short description. If one or more options are specified, it lists each parameter and a short description.

–instance instance_name
    Specifies the name of the instance to be administered. The default value is DSess.

–interactive {yes|no}
    Indicates whether the configuration is interactive. The default value is yes.

–key_lifetime lifecycle
    Specifies the lifetime in seconds of the key for the session management server. After the defined lifecycle completes, a new key is generated. If this value is set to zero, keys are not automatically generated. This parameter is optional.

–key_pwd password
    Specifies the password to access the server-side certificates. This parameter is required when you specify the –keyfile parameter. Otherwise, this parameter is optional.

–keyfile file_name
    Specifies the fully qualified name for the key store when making a secure connection to WebSphere Application Server. The key store holds the server-side certificates. This parameter is required when you specify the –was_admin_id parameter. Otherwise, this parameter is optional.

–last_login_jsp server_jsp_name
    The server-side path for the last login JSP file. This is an optional argument.

–last_login_jsp_file file_name
    Specifies the fully qualified name of the last login JSP file to use for recording last login information. This parameter is required when the –enable_last_login parameter is set to yes. The default value is installation_directory/etc/lastLogin.jsp

    Note: Configuration of the lastLogin.jsp file can produce a long Web browser URL, which could exceed the limits imposed by some proxy servers. To avoid this, access the WebSphere ISC using a direct connection to the Internet.

–last_login_max_entries maximum_entries
    Specifies the maximum number of entries to be stored in the memory cache for recording last login information. This parameter is required when the –enable_last_login parameter is set to yes. The default value is 0. The –last_login_max_entries field is only required if installing into a stand alone application server. When installing into a cluster this field is not required.

–last_login_table table_name
    Specifies the name of the database table to use for recording last login information. This parameter is required when the –enable_last_login parameter is set to yes. The default value is AMSMSUSERINFOTABLE.

–operations
    Lists each of the parameter names, one after another, without a description.

–policysvr_host host_name
    Specifies the host name of the Tivoli Access Manager policy server. This parameter is required when –enable_tam_integration is set to yes.

–policysvr_port port
    Specifies the port of the Tivoli Access Manager policy server. This parameter is required when you specify the –policysvr_host parameter.

–record file_name
    Specifies the name of the response file to which configuration parameters will be recorded.

–remove_last_login_db {yes|no}
    Indicates whether the last login database should be removed. The default value is no.


–rspfile response_file
    Specifies the fully qualified path and file name of the response file to use during silent configuration. A response file can be used for configuration. There is no default response file name. The response file contains stanzas and parameter=value pairs. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business: Installation Guide.

–session_realm [realm[:max_logins]=replica_set1, replica_set2,...]
    A session realm to add to the configuration. If the session realm name or any of the replica set names contain spaces, the entire argument must be specified within quotes. The max_logins parameter is used to specify the maximum number of concurrent logins which are permitted for the session realm. If the max_logins parameter is not supplied, an unlimited number of concurrent logins is allowed for the session realm. Replica set names must be separated by commas.

–session_realm_remove realm=set_name[,...][;realm=set_name[,...]...]
    The name of a session realm which is to be removed. If the session realm name contains spaces, the entire argument must be specified within quotes.
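The –session_realm and –authzsvr values pack several fields into one argument (realm[:max_logins]=replica_set1,replica_set2,... and host_name:port:rank), and a malformed value only surfaces when smscfg runs. The following added example (not IBM code) parses and validates both forms ahead of time, treating a missing max_logins as unlimited as the guide states, and renders them back as individual argument tokens so that a realm name containing spaces stays a single argument; all realm and host values in it are constructed.

```python
"""Validate smscfg -session_realm and -authzsvr argument values before use.

Added example, not IBM code. It implements the argument grammar given in the
guide: realm[:max_logins]=replica_set1,replica_set2,... for -session_realm and
host_name:port:rank for -authzsvr. A realm or replica set name containing
spaces must be quoted on the command line; here each value is one string.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SessionRealm:
    realm: str
    max_logins: Optional[int]   # None means unlimited concurrent logins
    replica_sets: List[str]


@dataclass(frozen=True)
class AuthzServer:
    host: str
    port: int
    rank: int


def parse_session_realm(arg: str) -> SessionRealm:
    """Parse 'realm[:max_logins]=set1,set2,...' into its parts."""
    if "=" not in arg:
        raise ValueError(f"missing '=' between realm and replica sets: {arg!r}")
    realm_part, sets_part = arg.split("=", 1)
    # The realm part carries an optional :max_logins suffix.
    realm, _, limit = realm_part.partition(":")
    realm = realm.strip()
    if not realm:
        raise ValueError("empty realm name")
    max_logins: Optional[int] = None
    if limit:
        limit = limit.strip()
        # A session limit of zero would lock every user out, so require >= 1.
        if not limit.isdigit() or int(limit) < 1:
            raise ValueError(f"max_logins must be a positive integer: {limit!r}")
        max_logins = int(limit)
    replica_sets = [s.strip() for s in sets_part.split(",")]
    if not all(replica_sets):
        raise ValueError(f"empty replica set name in {sets_part!r}")
    return SessionRealm(realm, max_logins, replica_sets)


def parse_authzsvr(arg: str) -> AuthzServer:
    """Parse 'host_name:port:rank' (the guide's default is localhost:7136:1)."""
    parts = arg.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected host:port:rank, got {arg!r}")
    host, port_s, rank_s = (p.strip() for p in parts)
    if not host or not port_s.isdigit() or not rank_s.isdigit():
        raise ValueError(f"malformed authorization server value: {arg!r}")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return AuthzServer(host, port, int(rank_s))


def to_argv(realms: List[SessionRealm], authzsvrs: List[AuthzServer]) -> List[str]:
    """Render parsed values as smscfg argument tokens.

    Each value is one list element, so passing the list to subprocess-style
    execution keeps a realm containing spaces as a single argument without
    relying on shell quoting.
    """
    argv: List[str] = []
    for r in realms:
        head = r.realm if r.max_logins is None else f"{r.realm}:{r.max_logins}"
        argv += ["-session_realm", f"{head}={','.join(r.replica_sets)}"]
    for a in authzsvrs:
        argv += ["-authzsvr", f"{a.host}:{a.port}:{a.rank}"]
    return argv


if __name__ == "__main__":
    # Constructed values, not from any real deployment.
    realm = parse_session_realm("intranet realm:2=replica set A, replica set B")
    authz = parse_authzsvr("localhost:7136:1")
    print(to_argv([realm], [authz]))
```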

–tcd path_name
    Specifies the fully qualified directory to be used for Tivoli Common Directory logging. This parameter is required when –enable_tcd is set to yes. If the Tivoli common directory has already been configured on the target system, this option will be ignored.

–trust_store file_name
    Specifies the fully qualified name for the trust store when making a secure connection to WebSphere Application Server. The trust store holds the client-side certificates. This parameter is required when you specify the –was_admin_id parameter.

–trust_store_pwd password
    Specifies the password to access the client-side certificates. This parameter is required when you specify the –trust_store parameter.

–usage
    Displays the syntax and an example for this utility.

–virtual_host host_name
    Specifies the name of the WebSphere virtual host to which to deploy the session management server application. If not specified, the application is deployed on the default virtual host.

–was_admin_id administrator_id
    Specifies the name of the administrator to use when making a secure connection to WebSphere Application Server. In interactive mode, this parameter is optional unless you are making a secure connection. When you use this parameter, you must specify the –was_admin_pwd parameter. When not making a secure connection, this parameter is optional.

–was_admin_pwd password
    Specifies the administrator's password to use when making a secure connection to WebSphere Application Server.

–was_cluster cluster_name
    Specifies the name of the WebSphere cluster to which to deploy the session management server application. This parameter is mutually exclusive with the –was_server parameter.

    When using WebSphere Network Deployment and –was_cluster is specified and there is only one cluster, the application is deployed to that cluster.

    When using WebSphere Network Deployment and –was_cluster is specified and there is no cluster but there is only one server, the application is deployed to that server.

–was_enable_security {yes|no}Indicates whether the communication with the WebSphere server uses asecure connection. When set to yes, you must specify the followingparameters:v –was_admin_idv –was_admin_pwdv –trust_storev –trust_store_pwdv –keyfilev –key_pwd

The default value is no.

–was_node node_nameSpecifies the name of the WebSphere node. This parameter is optional.

–was_port portSpecifies the simple object access protocol (SOAP) port to use on theWebSphere server. This parameter is always required unless the–interactive parameter is set to yes.

–was_server server_nameSpecifies the name of the WebSphere server to which to deploy the sessionmanagement server application. This parameter is mutually exclusive withthe –was_cluster parameter. When using WebSphere Application Server (asingle server deployment) and –was_server is not specified, the applicationis deployed to the server to which this configuration utility is connected.

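As an added example (not IBM's code and not part of smscfg), the following Python module models the –session_realm and –session_realm_remove argument formats described above and applies a set of additions and removals to a session realm configuration, so a change can be checked before the utility is run. It assumes that realm names contain no colon and that removing a realm's last replica set drops the realm.

```python
"""Model of the smscfg -session_realm / -session_realm_remove argument grammar.

Added example; it is not IBM code and not part of smscfg. It parses the two
argument formats documented above and applies them to a session realm
configuration, so a deployment script can check a change before running the
utility. Assumptions (this example's, not the manual's): realm names contain
no ':' and removing a realm's last replica set drops the realm entirely.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RealmSpec:
    max_logins: Optional[int]                 # None = unlimited concurrent logins
    replica_sets: List[str] = field(default_factory=list)


def parse_session_realm(arg: str) -> Tuple[str, RealmSpec]:
    """Parse 'realm[:max_logins]=replica_set1, replica_set2,...'.

    Names may contain spaces: the whole argument is quoted on the command line,
    so the shell has already stripped the quotes by the time it reaches us.
    """
    head, eq, tail = arg.partition("=")
    if not eq:
        raise ValueError(f"missing '=' in session realm argument: {arg!r}")
    realm, colon, limit = head.partition(":")
    realm = realm.strip()
    if not realm:
        raise ValueError("empty session realm name")
    max_logins: Optional[int] = None
    if colon:
        limit = limit.strip()
        if not limit.isdigit() or int(limit) < 1:
            raise ValueError(f"max_logins must be a positive integer, got {limit!r}")
        max_logins = int(limit)
    sets = [name.strip() for name in tail.split(",")]
    if any(not name for name in sets):
        raise ValueError(f"empty replica set name in {tail!r}")
    if len(set(sets)) != len(sets):
        raise ValueError(f"duplicate replica set name in {tail!r}")
    return realm, RealmSpec(max_logins, sets)


def parse_session_realm_remove(arg: str) -> Dict[str, List[str]]:
    """Parse 'realm=set_name[,...][;realm=set_name[,...]...]' into realm -> sets."""
    removals: Dict[str, List[str]] = {}
    for clause in arg.split(";"):
        if not clause.strip():
            continue
        realm, eq, names = clause.partition("=")
        realm = realm.strip()
        sets = [n.strip() for n in names.split(",") if n.strip()]
        if not eq or not realm or not sets:
            raise ValueError(f"bad removal clause: {clause.strip()!r}")
        removals.setdefault(realm, []).extend(sets)
    if not removals:
        raise ValueError("empty -session_realm_remove argument")
    return removals


def apply_changes(config: Dict[str, RealmSpec], add: List[str],
                  remove: List[str]) -> Dict[str, RealmSpec]:
    """Return a copy of config with -session_realm additions, then removals, applied."""
    new = {r: RealmSpec(s.max_logins, list(s.replica_sets)) for r, s in config.items()}
    for arg in add:
        realm, spec = parse_session_realm(arg)
        if realm in new:
            raise ValueError(f"session realm {realm!r} is already configured")
        new[realm] = spec
    for arg in remove:
        for realm, sets in parse_session_realm_remove(arg).items():
            if realm not in new:
                raise ValueError(f"cannot remove unknown session realm {realm!r}")
            for name in sets:
                if name not in new[realm].replica_sets:
                    raise ValueError(f"replica set {name!r} is not in realm {realm!r}")
                new[realm].replica_sets.remove(name)
            if not new[realm].replica_sets:     # assumption: an emptied realm is dropped
                del new[realm]
    return new


def validate_session_realm(arg: str) -> Optional[str]:
    """Error message for a bad -session_realm argument, or None when it parses."""
    try:
        parse_session_realm(arg)
    except ValueError as exc:
        return str(exc)
    return None
```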
Availability
This utility is located in one of the following default installation directories:
v On Linux and UNIX operating systems:
  /opt/pdsms/bin
v On Windows operating systems:
  c:\Program Files\Tivoli\PDSMS\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0         The utility completed successfully.

non-zero  The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


svrsslcfg
Configures, unconfigures, or modifies the configuration information of a resource manager to use an SSL connection for communicating with the policy server.

This utility is used for C application servers only. For Java application servers, use the equivalent com.tivoli.pd.jcfg.SvrSslCfg Java class. For information about this Java class, see the IBM Tivoli Access Manager for e-business: Authorization Java Classes Developer Reference.

Syntax
svrsslcfg –add_replica –f cfg_file –h host_name [–p server_port] [–k replica_rank]

svrsslcfg –chg_replica –f cfg_file –h host_name [–p server_port] [–k replica_rank]

svrsslcfg –chgcert –f cfg_file [–P password] [–A admin_id]

svrsslcfg –chgport –f cfg_file –r port_number

svrsslcfg –chgpwd –f cfg_file –e password_life

svrsslcfg –config –f cfg_file –d kdb_dir –s server_mode –r port_number –P password [–S password] [–A admin_id] [–t ssl_timeout] [–e password_life] [–l listening_mode] [–a refresh_mode] [–C cert_file] [–h host_name] [–o login_domain] [–g group_list] [–D description]

svrsslcfg –modify –f cfg_file [–t ssl_timeout] [–C cert_file] [–l listening_mode]

svrsslcfg –rmv_replica –f cfg_file –h host_name

svrsslcfg –unconfig –f cfg_file –n appl_name [–P password] [–A admin_id] [–h host_name] [–o login_domain]

Parameters
–a refresh_mode
Sets the certificate and key file password auto-refresh entry in the configuration file. The default value is yes.

–A admin_id
Specifies the name of the Tivoli Access Manager administrator. The default value is sec_master.

A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the administrative ID.

For example, for U.S. English the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). If there are limits, the minimum and maximum lengths of the ID are imposed by the underlying registry. See Appendix B, “User registry differences,” on page 637.

–add_replica
Adds an authorization server replica to the configuration of a resource manager. A resource manager can contact a replica server to perform authorization decisions.


–C cert_file
Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with the user registry.

–chg_replica
Changes attributes for the replica server. The replica host name is used to identify the replica server and cannot be changed by this action.

–chgcert
Renews the SSL certificate of the resource manager. Before running this action, stop the policy server.

The certificate renewal process is as follows:
v When an initial request for a certificate is made, a new public/private key pair is generated for the resource manager along with the certificate request. The certificate request, which contains the new public key for the resource manager, is sent to the Tivoli Access Manager policy server. The Tivoli Access Manager policy server signs the request and sends the newly signed certificate back to the resource manager. The resource manager stores the signed certificate in a secure keystore and also stores the new private key for the resource manager. The lifetime of the new certificate is determined by the Tivoli Access Manager policy server ssl-cert-life entry in the ivmgrd.conf configuration file. This parameter determines the number-of-days value for the lifetime of a certificate. Any issued or renewed certificates must use this value. The default value is 1460.
v The certificate for a resource manager must be renewed if it has expired or if it has been compromised. Also, it must be renewed to adhere to any changes in the security policy. If both the certificate and the password to the key database file that contains the certificate expire, the password must be refreshed first.

–chgport
Changes the listening port for a resource manager. Before running this action, stop the policy server.

–chgpwd
Changes the key file password for a resource manager. Before running this action, stop the policy server.

–config
Performs a full configuration of a resource manager.

–D description
Specifies a description for the application. A valid description is an alphanumeric string that is not case-sensitive. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks.

–d kdb_dir
Specifies the directory that is to contain the key files for the server. A valid directory name is determined by the operating system. Do not use relative directory names. For example:

On Linux and UNIX operating systems
/opt/PolicyDirector/keytab/ivmgrd.kdb


On Windows operating systems
C:\Program Files\Tivoli\Policy Director\keytab\ivmgrd.kdb

Make sure that the server user (for example, ivmgr) or all users have permission to access the .kdb file and the folder that contains the .kdb file.

–e password_life
Sets the key file password expiration time in days. This parameter is required.
v Specify 0 to use the currently configured value.
v Specify 183 days if the currently configured value cannot be determined.
v Otherwise, valid values are from 1 to 7299.

During a configuration action (–config) the default value is 183.

–f cfg_file
Specifies the configuration path and file name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:

On Linux and UNIX operating systems
/opt/PolicyDirector/etc/activedir.conf

On Windows operating systems
C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

–g group_list
Specifies a list of groups to which this server should be added. The following names are not permitted in this list: ivacld_servers and remote_acl_users. The list of names must be separated by commas with no white space. If a group name contains a space, the entire list must be enclosed in double quotation marks.

–h host_name
For a configuration action (–config) or an unconfiguration action (–unconfig), specifies the TCP host name used by the policy server to contact this server.
v During a configuration action, this name is saved in the configuration file using the azn-app-host key. The default is the local host name returned by the operating system.
v If not specified during an unconfiguration action, the value is retrieved from the configuration file. The default value will be used only if a value cannot be determined from the configuration file. The default is the local host name returned by the operating system.

For all other actions, specifies the TCP host name of an authorization server replica.

Valid values include any valid IP host name. Examples:
host = libra
host = libra.dallas.ibm.com

–k replica_rank
Specifies the replica order of preference among other replicas. Replica servers with higher ranks are used preferentially. For example, a resource manager contacts a replica server with a ranking of 10 before contacting a replica server with a ranking of 9. The default value is 10.

–l listening_mode
Sets the listening-enabled entry in the configuration file. The value must be yes or no. If not specified, the default is no. A value of yes requires that the –r parameter have a non-zero value.


–modify
Changes the current configuration of a resource manager. Before running this action, stop the policy server.

This action fails only if you are not authorized to run the utility or the policy server could not be contacted. This action is designed to clean up a partial or damaged configuration and to ensure that errors are not reported for information that is not valid and for information that is missing.

–n appl_name
Specifies the name of the application. The name is combined with the host name to create unique names for Tivoli Access Manager objects created for your application. The following names are reserved for Tivoli Access Manager applications: ivacld, secmgrd, ivnet, and ivweb.

–o login_domain
Specifies the domain name for the domain to which this server is configured. This domain must exist, and the administrator ID and password must be valid for this domain.

If not specified, the local domain that was specified during Tivoli Access Manager runtime configuration will be used. The local domain value will be retrieved from the configuration file.

A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the domain name.

For example, for U.S. English the valid characters for domain names are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry. See Appendix B, “User registry differences,” on page 637.

–p server_port
Specifies the port number on which the replica server listens for requests. The default value is 7136.

–P password
Specifies the password for the Tivoli Access Manager administrator user (admin_id). If this parameter is not specified, the administrator is prompted, and the password is read from standard input (stdin).

–r port_number
Sets the listening port number for the server. A value of 0 can be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.

During a configuration action (–config) this parameter is required.

–rmv_replica
Removes an authorization server replica from the configuration of a resource manager.

–s server_mode
Specifies the mode in which the application will operate. This value must be either local or remote.

–S password
Specifies the server password. This parameter is required. A password is created by the system and the configuration file is updated with the password created by the system. It is saved as an obfuscated value using the pd-user-pwd stanza entry in the [aznapi-configuration] stanza in the configuration file specified with the –f parameter. If this parameter is not specified, the server password will be read from standard input.

–t ssl_timeout
Specifies the SSL session timeout in seconds. The value must be in the range 1 to 86400. The default value is 7200.

–unconfig
Unconfigures a resource manager. The key files are deleted and the server is removed from the user registry and Tivoli Access Manager database.

Before running this utility, stop the server application.

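As an added example (not IBM's code and not svrsslcfg itself), the following Python pre-flight check encodes the parameter rules above for the –config action (option letters as dictionary keys, for example {"f": "/opt/PolicyDirector/etc/app.conf"}), and orders the –chgpwd and –chgcert actions as the –chgcert description requires, reading ssl-cert-life from ivmgrd.conf. The [ssl] stanza name in the constructed configuration fragments is an assumption; the manual names only the ssl-cert-life entry.

```python
"""Pre-flight checks for svrsslcfg -config arguments and certificate renewal.

Added example, not IBM's code and not svrsslcfg itself. It encodes the value
rules the parameter descriptions above state, so a deployment script can
reject a bad invocation before the policy server is involved, and it orders
the -chgpwd / -chgcert actions the way the -chgcert description requires.
The '[ssl]' stanza name in the constructed ivmgrd.conf fragments is an
assumption; the manual only names the ssl-cert-life entry.
"""
import re
from datetime import date, timedelta
from typing import Dict, List

# Allowed characters for -A admin_id and -o login_domain (U.S. English); no spaces.
_ID_RE = re.compile(r"^[A-Za-z0-9._+\-@&*]+$")
# Absolute path on Linux/UNIX (/...) or Windows (X:\...), as -f and -d require.
_ABS_RE = re.compile(r"^(/|[A-Za-z]:\\)")
RESERVED_APP_NAMES = {"ivacld", "secmgrd", "ivnet", "ivweb"}
FORBIDDEN_GROUPS = {"ivacld_servers", "remote_acl_users"}


def _in_range(value: str, low: int, high: int) -> bool:
    return value.isdigit() and low <= int(value) <= high


def stanza_is_empty(cfg_text: str, stanza: str) -> bool:
    """True if [stanza] in a configuration file has no key = value entries."""
    inside = False
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = line == f"[{stanza}]"
        elif inside and line and not line.startswith("#") and "=" in line:
            return False
    return True


def check_config_args(args: Dict[str, str], cfg_text: str = "") -> List[str]:
    """Problems in -config arguments (option letter -> value); empty list = OK."""
    problems: List[str] = []
    for key in ("f", "d", "s", "r"):
        if key not in args:
            problems.append(f"-{key} is required for -config")
    for key in ("f", "d"):
        if key in args and not _ABS_RE.match(args[key]):
            problems.append(f"-{key} {args[key]!r}: relative names are not allowed")
    admin = args.get("A", "sec_master")
    if not _ID_RE.match(admin):
        problems.append(f"-A {admin!r}: letters, digits and . _ + - @ & * only, no spaces")
    if "o" in args and not _ID_RE.match(args["o"]):
        problems.append(f"-o {args['o']!r}: letters, digits and . _ + - @ & * only, no spaces")
    if args.get("n") in RESERVED_APP_NAMES:
        problems.append(f"-n {args['n']!r} is reserved for Tivoli Access Manager")
    if "s" in args and args["s"] not in ("local", "remote"):
        problems.append(f"-s {args['s']!r}: must be local or remote")
    for key in ("a", "l"):
        if key in args and args[key] not in ("yes", "no"):
            problems.append(f"-{key} {args[key]!r}: must be yes or no")
    if "r" in args:
        if not _in_range(args["r"], 0, 65535):
            problems.append(f"-r {args['r']!r}: not a valid port number")
        elif args["r"] == "0" and args.get("l", "no") == "yes":
            problems.append("-l yes requires a non-zero -r port")
        elif args["r"] == "0" and not stanza_is_empty(cfg_text, "aznapi-admin-services"):
            problems.append("-r 0 is allowed only when [aznapi-admin-services] is empty")
    if "t" in args and not _in_range(args["t"], 1, 86400):
        problems.append(f"-t {args['t']!r}: SSL timeout must be 1 to 86400 seconds")
    if "e" in args and args["e"] != "0" and not _in_range(args["e"], 1, 7299):
        problems.append(f"-e {args['e']!r}: password life must be 0 or 1 to 7299 days")
    for name in (args["g"].split(",") if "g" in args else []):
        if name != name.strip():
            problems.append(f"-g: white space around {name!r}; separate names with commas only")
        elif name in FORBIDDEN_GROUPS:
            problems.append(f"-g: group {name!r} is not permitted")
    return problems


def read_cert_life(ivmgrd_conf: str) -> int:
    """Read the policy server's ssl-cert-life (days); the documented default is 1460."""
    m = re.search(r"^\s*ssl-cert-life\s*=\s*(\d+)\s*$", ivmgrd_conf, re.MULTILINE)
    return int(m.group(1)) if m else 1460


def cert_expiry(issued: str, ivmgrd_conf: str) -> str:
    """ISO date on which a certificate issued on `issued` (ISO date) expires."""
    return (date.fromisoformat(issued) + timedelta(days=read_cert_life(ivmgrd_conf))).isoformat()


def renewal_actions(today: str, cert_issued: str, ivmgrd_conf: str,
                    kdb_password_expires: str, compromised: bool = False) -> List[str]:
    """svrsslcfg actions due on `today` (ISO dates), in the order the manual requires:
    an expired key database password is refreshed (-chgpwd) before -chgcert."""
    actions: List[str] = []
    if kdb_password_expires <= today:      # ISO dates compare correctly as strings
        actions.append("-chgpwd")
    if compromised or cert_expiry(cert_issued, ivmgrd_conf) <= today:
        actions.append("-chgcert")
    return actions
```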
Availability
This utility is located in one of the following default installation directories:
v On Linux and UNIX operating systems:
  /opt/PolicyDirector/bin
v On Windows operating systems:
  c:\Program Files\Tivoli\Policy Director\bin

When an installation directory other than the default is selected, this utility is located in the /bin directory under the installation directory (for example, installation_directory/bin).

Return codes
0  The utility completed successfully.

1  The utility failed. When a utility fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager for e-business: Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


Chapter 27. Using response files

You can create response files to streamline the installation and configuration of Tivoli Access Manager components. A response file is a text file that contains the product and system information needed to install and configure components. It is useful for performing unattended (silent) installations. The installation process reads the information from the response file instead of prompting you to fill in the blanks. You can also reuse a response file for future installations, using a text editor to add components or to customize options.

Response file templates are located in the /rspfile directory on the IBM Tivoli Access Manager Base CD, the IBM Tivoli Access Manager Web Security CD, the IBM Tivoli Access Manager Shared Session Management CD, and the IBM Tivoli Access Manager Language Support CD.

Edit the values in an options file template and then run the script as follows:
install_amrte -options filename

where filename is the name of the options file. For example:
install_amrte -options d:\temp\install_amrte.options

Note: Response files are not available for all Tivoli Access Manager components.

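As an added example (not IBM's code and not the installer's own validation), the following Python module fills in and checks an options file of the kind shown in the install_ammgr template later in this chapter, using that template's setting names and its "(required ...)" notes, and flags a saved file whose clear-text passwords other users can read. The template excerpt embedded in it is a constructed subset of the real one.

```python
"""Fill in and check an InstallShield options (response) file before a silent install.

Added example, not IBM's code or the installer's own validation. It works on the
options file format this chapter shows: a setting is a line '-W Panel.field="value"'
that stays disabled while it keeps its leading '###'. Required-setting rules come
from the install_ammgr template comments later in this chapter; the permission
check is this example's own addition, since the file holds passwords in clear text.
"""
import re
import stat
from typing import Dict, List

_SETTING_RE = re.compile(r'^(?P<off>###\s*)?-W\s+(?P<key>[\w.]+)="(?P<val>[^"]*)"$')
REQUIRED = {  # settings the template marks "(required ...)", by registry type
    "LDAP": ("AMRTE_LDAPOptionsUIPanel.ldapHost", "AMRTE_LDAPOptionsUIPanel.ldapPort",
             "AMMGR_LdapOptions.ldapadminid", "AMMGR_LdapOptions.ldapadminpwd"),
    "Active Directory": ("AMRTE_ADServerInfoUIPanel.hostName", "AMRTE_ADServerInfoUIPanel.domainName",
                         "AMRTE_ADAdminInfoUIPanel.adminId", "AMRTE_ADAdminInfoUIPanel.adminPwd"),
    "Domino": ("AMRTE_DominoUIPanel.dominoServer", "AMRTE_DominoUIPanel.notesClientPwd",
               "AMRTE_DominoUIPanel.nabDbName", "AMRTE_DominoUIPanel.amDbName"),
}
ALWAYS = ("AMRTE_RegistryTypeUIPanel.regType", "AMMGR_ConfigOptions.secmasterPwd",
          "AMMGR_ConfigOptions.secmasterPwdConfirm")
SSL_KEYS = ("AMRTE_SSLOptionsUIPanel.sslKeyfile", "AMRTE_SSLOptionsUIPanel.sslKeyfilePassword",
            "AMRTE_SSLOptionsUIPanel.sslKeyfileLabel", "AMRTE_SSLOptionsUIPanel.sslPort")
PORT_KEYS = ("AMRTE_ServerOptionsUIPanel.listeningPort", "AMRTE_LDAPOptionsUIPanel.ldapPort",
             "AMRTE_SSLOptionsUIPanel.sslPort", "AMMGR_ConfigOptions.secmasterPort")
# Constructed excerpt of the install_ammgr template (a subset of its settings).
SAMPLE_TEMPLATE = """\
### -W AMRTE_RegistryTypeUIPanel.regType="<value>"
### -W AMRTE_LDAPOptionsUIPanel.ldapHost="<value>"
### -W AMRTE_LDAPOptionsUIPanel.ldapPort="389"
### -W AMRTE_EnableSSLUIPanel.enableSSL="no"
### -W AMRTE_SSLOptionsUIPanel.sslKeyfile="<value>"
### -W AMRTE_SSLOptionsUIPanel.sslKeyfilePassword="<value>"
### -W AMRTE_SSLOptionsUIPanel.sslKeyfileLabel="<value>"
### -W AMRTE_SSLOptionsUIPanel.sslPort="636"
### -W AMMGR_ConfigOptions.secmasterPwd="<value>"
### -W AMMGR_ConfigOptions.secmasterPwdConfirm="<value>"
### -W AMMGR_LdapOptions.ldapadminid="<value>"
### -W AMMGR_LdapOptions.ldapadminpwd="<value>"
"""


def parse_options(text: str) -> Dict[str, str]:
    """Return the enabled settings; lines still prefixed with ### are ignored."""
    enabled: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SETTING_RE.match(line.strip())
        if m and not m.group("off"):
            enabled[m.group("key")] = m.group("val")
    return enabled


def enable(template: str, values: Dict[str, str]) -> str:
    """Steps 1 and 2 of the template instructions: drop the ### and fill in values."""
    out, seen = [], set()
    for line in template.splitlines():
        m = _SETTING_RE.match(line.strip())
        if m and m.group("key") in values:
            out.append(f'-W {m.group("key")}="{values[m.group("key")]}"')
            seen.add(m.group("key"))
        else:
            out.append(line)
    if set(values) - seen:
        raise KeyError(f"settings not in template: {sorted(set(values) - seen)}")
    return "\n".join(out) + "\n"


def check_options(text: str) -> List[str]:
    """Problems that would stall or misconfigure an unattended install (empty = OK)."""
    opts = parse_options(text)
    problems: List[str] = []
    regtype = opts.get("AMRTE_RegistryTypeUIPanel.regType", "")
    if regtype not in REQUIRED:
        problems.append(f"regType must be one of {sorted(REQUIRED)}, got {regtype!r}")
    needed = list(ALWAYS) + list(REQUIRED.get(regtype, ()))
    if regtype == "LDAP" and opts.get("AMRTE_EnableSSLUIPanel.enableSSL") == "yes":
        needed += SSL_KEYS
    problems += [f"{k} is required but not set" for k in needed if opts.get(k, "") in ("", "<value>")]
    if opts.get("AMMGR_ConfigOptions.secmasterPwd") != opts.get("AMMGR_ConfigOptions.secmasterPwdConfirm"):
        problems.append("secmasterPwd and secmasterPwdConfirm differ")
    for k in PORT_KEYS:
        if k in opts and not (opts[k].isdigit() and 1 <= int(opts[k]) <= 65535):
            problems.append(f"{k}={opts[k]!r} is not a valid port")
    return problems


def secret_settings(text: str) -> List[str]:
    """Enabled settings whose value is a password, stored in clear text in the file."""
    return sorted(k for k in parse_options(text) if re.search(r"pwd|password", k, re.I))


def permission_problems(mode: int) -> List[str]:
    """Flag a file readable or writable by group/others (POSIX mode bits); aim for 0600."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"mode {stat.filemode(mode)} exposes the passwords to other users; use 0600"]
    return []
```

Apply permission_problems() to os.stat(path).st_mode of the saved file: its values include the administrator passwords in clear text, so it belongs at mode 0600 for the duration of the install.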
Prerequisite systems
Table 54 lists options file templates for installation of Tivoli Access Manager prerequisite systems using the installation wizard method.

Table 54. Installation wizard options file templates

Installs and configures the following Tivoli Access Manager prerequisite system   Template
IBM Tivoli Directory Server with IBM DB2                                          install_ldap_server.options.template

The IBM Tivoli Directory Server with IBM DB2 template is located in the \rspfile directory on the first IBM Tivoli Access Manager Directory Server CD for the supported platform.

Base systems
Table 55 lists options file templates for installation of Tivoli Access Manager base systems using the installation wizard method. These templates are located in the \rspfile directory on IBM Tivoli Access Manager Base CDs for the supported platform.

Table 55. Installation wizard options file templates

Installs and configures the following Tivoli Access Manager Base system   Template
Access Manager Authorization Server                                       install_amacld.options.template
Access Manager Application Development Kit (ADK)                          install_amadk.options.template
Access Manager Runtime for Java                                           install_amjrte.options.template
Access Manager Policy Server                                              install_ammgr.options.template
Access Manager Policy Proxy Server                                        install_amproxy.options.template
Access Manager Runtime                                                    install_amrte.options.template
Access Manager Web Portal Manager                                         install_amwpm.options.template

Response files are also available for configuration using native installation utilities for the following Tivoli Access Manager components.

Table 56. Response file templates for configuration using native installation utilities

Configures the following Tivoli Access Manager Base system   Template
Access Manager Web Portal Manager (configuration)            amwpmcfg.rsp.template
Access Manager Runtime for Java (configuration)              pdjrtecfg.rsp.template
Access Manager Policy Proxy Server (configuration)           pdproxycfg.rsp.template

Web security systems
Table 57 lists options file templates for installation of Tivoli Access Manager components using the installation wizard method. These templates are located in the \rspfile directory on IBM Tivoli Access Manager Web Security CDs for the supported platforms.

Table 57. Installation wizard options file templates

Installs and configures the following Tivoli Access Manager Web security system   Template
Access Manager WebSEAL                                                            install_amweb.options.template
Access Manager Web Security Application Development Kit (ADK)                     install_amwebadk.options.template
Access Manager Attribute Retrieval Service                                        install_amwebars.options.template
Access Manager Plug-in for Web Servers                                            install_amwpi.options.template

Response files are also available for configuration using native installation utilities for the following Tivoli Access Manager components.

Table 58. Response file templates for configuration using native installation utilities

Tivoli Access Manager component             Template
Access Manager WebSEAL (configuration)      amweb_config.rsp.template
Access Manager WebSEAL (unconfiguration)    amweb_unconfig.rsp.template

Session management systems
Table 59 lists options file templates for installation of Tivoli Access Manager session management systems using the installation wizard method. These templates are located in the \rspfile directory on IBM Tivoli Access Manager Shared Session Management CDs for the supported platform.

Table 59. Installation wizard options file templates

Installs and configures the following Tivoli Access Manager session management system   Template
Session management server                                                               install_amsms_options.template
Session management command line                                                         install_amsmscli_options.template

Note: Response files are not available for all Tivoli Access Manager components.

Response file templateThe following is an example of a template used to create a response file to installand configure a policy server system. For descriptions of the configuration optionsthat you require to complete a template, see Chapter 21, “Installation wizardoptions,” on page 377.################################################################################## InstallShield Options File Template## Wizard name: Setup# Wizard source: install_ammgr_setup.jar# Created on: Tue Jan 08 14:51:52 CST 2008# Created by: InstallShield Options File Generator## This file can be used to create an options file (i.e., response file) for the# wizard "install_ammgr." Options files are used with "-options" on the# command line to modify wizard settings.## This file was created by the following:# install_ammgr -options-template <file name># This file was later edited for clarity.## Response file values can also be recorded during an installation process by:# install_ammgr -options-record <file name>## The settings that can be specified for the wizard are listed below. To use# this template, follow these steps:## 1. Enable a setting below by removing leading ’###’ characters from the# line (search for ’###’ to find settings you can change).## 2. Specify a value for a setting by replacing the characters ’<value>’.# Read each setting’s documentation for information on how to specify its# value.## 3. Save the changes to the file.## 4. To use the options file with the wizard, specify -options <file name># as a command line argument to the wizard, where <file name> is the name# of this options file.#################################################################################

Chapter 27. Using response files 609

Page 628: Am611 Install

################################################################################## User Input Field - regType (required)## Enter the registry type. The valid options are: LDAP, Active Directory, or# Domino.#

### -W AMRTE_RegistryTypeUIPanel.regType="<value>"

################################################################################## Directory name for GSKIT (Windows only)## Specify the product’s installation directory.#

### -W GSKIT_DestinationPanel.productInstallLocation="<value>"

################################################################################## Directory name for IBM Tivoli Directory Server client (Windows only)## Specify the product’s installation directory.#

### -W LDAPC_DestinationPanel.productInstallLocation="<value>"

################################################################################## Directory name for IBM Tivoli Security Utilities (Windows only)## Specify the product’s installation directory.#

### -W TIVSECUTL_DestinationPanel.productInstallLocation="<value>"

################################################################################## Directory name for Tivoli Access Manager (Windows only)# All Tivoli Access Manager products will be installed to the same location.## Specify the product’s installation directory.#

### -W AMRTE_DestinationPanel.productInstallLocation="<value>"

################################################################################## User Input Field - useTcd## Enable Tivoli Common Logging (yes or no)#

### -W AM_TCDPanel.useTcd="no"

610 Tivoli Access Manager Installation Guide

Page 629: Am611 Install

################################################################################## User Input Field - tcdDir (required if useTcd=yes)## Tivoli Common Directory - Specify the full path to where Tivoli common logging# will occur.#

### -W AM_TCDPanel.tcdDir="<value>"

################################################################################## User Input Field - hostName## Fully qualified host name of the Tivoli policy server#

### -W AMRTE_ServerOptionsUIPanel.hostName="<value>"

################################################################################## User Input Field - listeningPort## Listening port of the Tivoli policy server. Default is 7135.#

### -W AMRTE_ServerOptionsUIPanel.listeningPort="7135"

################################################################################## User Input Field - certFile## Fully qualified path to the local copy of the Tivoli policy servers# certificate file. To have the system automatically download the file, leave# the field empty. The default value is empty.#

### -W AMRTE_ServerOptionsUIPanel.certFile="<value>"

################################################################################## User Input Field - localDomain## Local domain. The default is Default.#

### -W AMRTE_ServerOptionsUIPanel.localDomain="<value>"

################################################################################## User Input Field - localHostName## Fully qualified host name of this machine. If left blank, the wizard will# attempt to determine the host name automatically.#

Chapter 27. Using response files 611

Page 630: Am611 Install

### -W AMRTE_ServerOptionsUIPanel.localHostName="<value>"

################################################################################## User Input Field - ldapHost (required for LDAP registry type)## Host name of IBM Tivoli Directory server (LDAP)#

### -W AMRTE_LDAPOptionsUIPanel.ldapHost="<value>"

################################################################################## User Input Field - ldapPort (required for LDAP registry type)## Non-SSL listening port of IBM Tivoli Directory server (LDAP). The default is 389.#

### -W AMRTE_LDAPOptionsUIPanel.ldapPort="389"

################################################################################## User Input Field - enableSSL (used for LDAP registry type)## Enable SSL communication with the LDAP or Active Directory server - yes or no#

### -W AMRTE_EnableSSLUIPanel.enableSSL="no"

################################################################################## User Input Field - multipleDomains (required for Active Directory registry type)## Use multiple domains for Active Directory configuration: 1=Yes or 0=No#

### -W AMRTE_ADServerInfoUIPanel.multipleDomains="0"

################################################################################## User Input Field - hostName (required for Active Directory registry type)## Active Directory host name#

### -W AMRTE_ADServerInfoUIPanel.hostName="<value>"

################################################################################## User Input Field - domainName (required for Active Directory registry type)## Active Directory domain name#

612 Tivoli Access Manager Installation Guide

Page 631: Am611 Install

### -W AMRTE_ADServerInfoUIPanel.domainName="<value>"

################################################################################## User Input Field - encryptedConnection#(required for Active Directory registry type)## Enable encrypted connections with the Active Directory server: 1=Yes, 0=No#

### -W AMRTE_ADServerInfoUIPanel.encryptedConnection="0"

################################################################################## User Input Field - multipleDomains#(required for Active Directory registry type)## This field may be the same as what was previously indicated.## Use multiple domains for Active Directory configuration: 1=Yes or 0=No#

### -W AMRTE_ADServerInfoDifDomUIPanel.multipleDomains="0"

################################################################################## User Input Field - hostName (required for Active Directory registry type)# This field may be the same as what was previously indicated.## Active Directory host name#

### -W AMRTE_ADServerInfoDifDomUIPanel.hostName="<value>"

################################################################################## User Input Field - domainName (required for Active Directory registry type)## Active Directory domain name#

### -W AMRTE_ADServerInfoDifDomUIPanel.domainName="<value>"

################################################################################## User Input Field - enableSSL (used for Active Directory registry type)## Enable SSL connections with the Active Directory server: 1=Yes, 0=No#

### -W AMRTE_ADServerInfoDifDomUIPanel.enableSSL="0"

################################################################################## User Input Field - adminId (required for Active Directory registry type)#

Chapter 27. Using response files 613

Page 632: Am611 Install

# Active Directory administrator Id#

### -W AMRTE_ADAdminInfoUIPanel.adminId="<value>"

################################################################################## User Input Field - adminPwd (required for Active Directory registry type)## Active Directory administrator password#

### -W AMRTE_ADAdminInfoUIPanel.adminPwd="<value>"

################################################################################## User Input Field - sslKeyfile (required if using SSL)## Fully qualified local copy of SSL keyfile used to communicate with LDAP# server.)#

### -W AMRTE_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################## User Input Field - sslKeyfilePassword (required if using SSL)## Password associated with the LDAP SSL keyfile.#

### -W AMRTE_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################## User Input Field - sslKeyfileLabel (required if using SSL)## DN label associated with the LDAP SSL keyfile.#

### -W AMRTE_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################## User Input Field - sslPort (required if using SSL)## SSL port of the LDAP server. The default is 636.#

### -W AMRTE_SSLOptionsUIPanel.sslPort="636"

################################################################################## User Input Field - enabled (required for Active Directory registry type)#

614 Tivoli Access Manager Installation Guide

Page 633: Am611 Install

# Enable the use of e-mail address as user ID (true or false)#

### -W AMRTE_ADAltUPN.enabled="false"

################################################################################## User Input Field - gcServer (required for Active Directory registry type)## Global Catalog server host name#

### -W AMRTE_ADAltUPN.gcServer="<value>"

################################################################################## User Input Field - gcPort (required for Active Directory registry type)## Global Catalog server port (cannot be changed) -- SSL: 3269 Non-SSL: 3268#

### -W AMRTE_ADAltUPN.gcPort="3268"

################################################################################## User Input Field - distName (required for Active Directory registry type)## Access Manager data location: distinguished name#

### -W AMRTE_ADDataInfoUIPanel.distName="<value>"

################################################################################## User Input Field - dominoServer (required for Domino registry type)## Domino server name#

### -W AMRTE_DominoUIPanel.dominoServer="<value>"

################################################################################## User Input Field - notesClientPwd (required for Domino registry type)## Notes client password#

### -W AMRTE_DominoUIPanel.notesClientPwd="<value>"

################################################################################## User Input Field - nabDbName (required for Domino registry type)## Notes address book database name

Chapter 27. Using response files 615

Page 634: Am611 Install

#

### -W AMRTE_DominoUIPanel.nabDbName="<value>"

################################################################################## User Input Field - amDbName (required for Domino registry type)## Access Manager database name#

### -W AMRTE_DominoUIPanel.amDbName="<value>"

################################################################################
#
# Directory name for Tivoli Access Manager Policy Server (Windows only)
# Use the same value as Tivoli Access Manager (above).
#
# Specify the product's installation directory.
#

### -W AMMGR_DestinationPanel.productInstallLocation="<value>"

################################################################################
#
# User Input Field - secmasterPwd
#
# Tivoli Access Manager administrator password
#

### -W AMMGR_ConfigOptions.secmasterPwd="<value>"

################################################################################
#
# User Input Field - secmasterPwdConfirm
#
# Password confirmation (re-enter the password from secmasterPwd)
#

### -W AMMGR_ConfigOptions.secmasterPwdConfirm="<value>"

################################################################################
#
# User Input Field - secmasterPort
#
# Policy server SSL port (default is 7135)
#

### -W AMMGR_ConfigOptions.secmasterPort="7135"

################################################################################
#
# User Input Field - SSLcertlife
#
# SSL certificate lifecycle (number of days). Default is 1460.
#

### -W AMMGR_ConfigOptions.SSLcertlife="1460"

################################################################################
#
# User Input Field - SSLtimeout
#
# SSL connection timeout (number of seconds). Default is 7200.
#

### -W AMMGR_ConfigOptions.SSLtimeout="7200"

################################################################################
#
# User Input Field - ldapadminid (required for LDAP registry type)
#
# LDAP administrator DN
#

### -W AMMGR_LdapOptions.ldapadminid="<value>"

################################################################################
#
# User Input Field - ldapadminpwd (required for LDAP registry type)
#
# LDAP administrator password
#

### -W AMMGR_LdapOptions.ldapadminpwd="<value>"

################################################################################
#
# User Input Field - ldapauthority (required for LDAP registry type)
#
# Management domain name. Default value is Default.
#

### -W AMMGR_LdapOptions.ldapauthority="Default"

################################################################################
#
# User Input Field - ldapauthsuffix (required for LDAP registry type)
#
# LDAP management domain location DN. Default value is empty.
#

### -W AMMGR_LdapOptions.ldapauthsuffix=""

################################################################################
#
# User Input Field - ldapdataformat (required for LDAP registry type)
#
# Indicates to use minimal data format or not. Minimal=6, Standard=0
# Default is Minimal (6).
#

### -W AMMGR_LdapDataFormat.ldapdataformat="6"

################################################################################
#
# User Input Field - enableSSL (required for LDAP registry type)
#
# Enable SSL communication with the LDAP server - yes or no
#

### -W AMMGR_EnableSSLUIPanel.enableSSL="no"

################################################################################
#
# User Input Field - sslKeyfile (required if enableSSL=yes)
#
# Fully qualified local copy of SSL keyfile used to communicate with LDAP
# server.
#

### -W AMMGR_SSLOptionsUIPanel.sslKeyfile="<value>"

################################################################################
#
# User Input Field - sslKeyfilePassword (required if enableSSL=yes)
#
# Password associated with the LDAP SSL keyfile.
#

### -W AMMGR_SSLOptionsUIPanel.sslKeyfilePassword="<value>"

################################################################################
#
# User Input Field - sslKeyfileLabel (required if enableSSL=yes)
#
# DN label associated with the LDAP SSL keyfile.
#

### -W AMMGR_SSLOptionsUIPanel.sslKeyfileLabel="<value>"

################################################################################
#
# User Input Field - sslPort (required if enableSSL=yes)
#
# SSL port of the LDAP server. The default is 636.
#

### -W AMMGR_SSLOptionsUIPanel.sslPort="636"

################################################################################
#
# User Input Field - enableFIPS
#
# Indicates if FIPS will be enabled or not. 1=yes, 0=no
#

### -W AMMGR_EnableFIPS.enableFIPS="0"

################################################################################
#
# User Input Field - adminId (required for Active Directory registry type)
#
# Active Directory administrator Id
#

### -W AD_UpdatePanel.adminId="<value>"

################################################################################
#
# User Input Field - adminPwd (required for Active Directory registry type)
#
# Active Directory administrator password
#

### -W AD_UpdatePanel.adminPwd="<value>"
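A silent installation applies every active setting in the response file without an interactive confirmation, so a completed file is worth reviewing before it is handed to the installer. The following Python script is an added example, not part of the Tivoli Access Manager product or of this guide. It parses the active -W Panel.field="value" lines (the commented ### -W templates are skipped) and reports the settings a reviewer would question: LDAP communication left without SSL, FIPS disabled, a mismatched administrator password confirmation, SSL keyfile fields left unset although enableSSL=yes, and the clear-text passwords the file necessarily carries. The sample response-file text and the thresholds it applies are constructed for this example.

```python
"""Audit a Tivoli Access Manager silent-install response file.

Added example, not part of the product or this guide. It reads the active
-W Panel.field="value" lines, ignores commented templates, and reports
settings a reviewer should question before the file is used. The sample
response-file text and the thresholds below are constructed for the example.
"""
import re
from typing import Dict, List

# Active option lines look like: -W AMMGR_ConfigOptions.secmasterPort="7135"
OPTION_RE = re.compile(r'^\s*-W\s+([A-Za-z0-9_]+\.[A-Za-z0-9_]+)="([^"]*)"\s*$')

# Fields that carry secrets in clear text in the response file.
PASSWORD_FIELDS = (
    "AMMGR_ConfigOptions.secmasterPwd",
    "AMMGR_LdapOptions.ldapadminpwd",
    "AMMGR_SSLOptionsUIPanel.sslKeyfilePassword",
    "AMRTE_DominoUIPanel.notesClientPwd",
    "AD_UpdatePanel.adminPwd",
)

# Fields the guide marks as required when enableSSL=yes.
SSL_REQUIRED_FIELDS = (
    "AMMGR_SSLOptionsUIPanel.sslKeyfile",
    "AMMGR_SSLOptionsUIPanel.sslKeyfilePassword",
    "AMMGR_SSLOptionsUIPanel.sslKeyfileLabel",
)


def parse_response_file(text: str) -> Dict[str, str]:
    """Return field -> value for every active -W line.

    Lines beginning with '#' (including the '### -W' templates the file
    ships with) are ignored, so only settings the installer will apply
    are audited. A later line for the same field overrides an earlier one.
    """
    options: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = OPTION_RE.match(line)
        if match:
            options[match.group(1)] = match.group(2)
    return options


def is_unset(value: str) -> bool:
    """A field still holding the template placeholder counts as unset."""
    return value.strip() in ("", "<value>")


def audit_response_file(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to question."""
    opts = parse_response_file(text)
    findings: List[str] = []

    enable_ssl = opts.get("AMMGR_EnableSSLUIPanel.enableSSL", "no").lower()
    if enable_ssl != "yes":
        findings.append("enableSSL is not yes: policy server to LDAP traffic, "
                        "including the LDAP administrator bind, is unencrypted")
    if opts.get("AMMGR_EnableFIPS.enableFIPS", "0") != "1":
        findings.append("enableFIPS is 0: FIPS mode is disabled")

    pwd = opts.get("AMMGR_ConfigOptions.secmasterPwd", "")
    confirm = opts.get("AMMGR_ConfigOptions.secmasterPwdConfirm", "")
    if not is_unset(pwd) and pwd != confirm:
        findings.append("secmasterPwd and secmasterPwdConfirm differ")

    for field in PASSWORD_FIELDS:
        if field in opts and not is_unset(opts[field]):
            findings.append(f"{field} holds a clear-text password: restrict the "
                            "file's permissions and delete it after installation")

    if enable_ssl == "yes":
        for field in SSL_REQUIRED_FIELDS:
            if is_unset(opts.get(field, "")):
                findings.append(f"{field} is required when enableSSL=yes but is unset")

    try:
        cert_life = int(opts.get("AMMGR_ConfigOptions.SSLcertlife", "1460"))
    except ValueError:
        findings.append("SSLcertlife is not a number of days")
    else:
        if cert_life > 1460:
            findings.append(f"SSLcertlife {cert_life} exceeds the documented default of 1460 days")
    return findings


# Constructed sample: a partially completed response file for an LDAP registry.
SAMPLE_RESPONSE_FILE = """\
### -W AMMGR_ConfigOptions.secmasterPwd="<value>"
-W AMMGR_ConfigOptions.secmasterPwd="Example-Passw0rd"
-W AMMGR_ConfigOptions.secmasterPwdConfirm="Example-Passw0rd"
-W AMMGR_ConfigOptions.secmasterPort="7135"
-W AMMGR_LdapOptions.ldapadminid="cn=root"
-W AMMGR_LdapOptions.ldapadminpwd="example-ldap-pw"
-W AMMGR_EnableSSLUIPanel.enableSSL="yes"
-W AMMGR_SSLOptionsUIPanel.sslKeyfile="<value>"
-W AMMGR_EnableFIPS.enableFIPS="0"
"""

if __name__ == "__main__":
    for finding in audit_response_file(SAMPLE_RESPONSE_FILE):
        print("-", finding)
```

Run against the constructed sample, the script reports six findings: FIPS disabled, two clear-text passwords, and the three SSL keyfile fields that enableSSL=yes requires but the sample leaves unset. The clear-text findings cannot be "fixed" in the file itself; they are a reminder that a completed response file is as sensitive as the passwords it contains.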


Chapter 28. Using software package definition files

The Software Distribution component of IBM Tivoli Configuration Manager enables you to create a software package in software package definition (SPD) file format by using the Software Package Editor graphical user interface (GUI). You can edit the SPD file to change the characteristics of the software package.

You can do this manually by using a text editor or by exporting an existing software package and modifying it. An SPD file is a text file in ASCII format. The file consists of a signature and a sequence of stanzas, each of which describes objects (such as files, directories, and registry keys) and the actions to be performed on those objects.

Regardless of the method used to create a software package, the output can be saved in any of the following formats:
- Software package file (.sp)
- Software package definition file (.spd)
- Software package block (.spb)

Tivoli Access Manager provides these software package definition (SPD) files:
- amacld.spd.template
- amadk.spd.template
- amjrte.spd.template
- ammgr.spd.template
- amproxy.spd.template
- amrte.spd.template
- amsms.spd.template
- amsmscli.spd.template
- amweb.spd.template
- amwebadk.spd.template
- amwebars.spd.template
- amwpi.spd.template
- amwpm.spd.template

See "Software Distribution installation method" on page 26 for instructions to install using software package definition files.

The following contents are from the Tivoli Access Manager amacld.spd.template SPD file:

# 21 41 1.21 src/cdrom/spd/create_spd.sh, pd.instcfg.spd, am610, 071022a 5/25/07 11:11:58
# Licensed Materials - Property of IBM
# 5724-C08
# (c) Copyright International Business Machines Corp. 1999, 2007
# All Rights Reserved
# US Government Users Restricted Rights - Use, duplication or
# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

"TIVOLI Software Package v4.2 - SPDF"

package
  name = install_amacld_windows
  version = 61
  web_view_mode = hidden
  undoable = o
  committable = o
  history_reset = n
  save_default_variables = n
  creation_time = "2007-11-05 16:18:22"
  last_modification_time = "2007-11-05 16:18:22"

  default_variables
    ### Drive letter of location of options file (leave blank if not Windows)
    options_drive = ""

    ### location of options file
    options_filename = /install/config/windows/install_amacld.options

    ### Drive letter if source server is Windows (leave blank if not Windows)
    install_srcdrive = ""

    ### location of install images
    install_srcdir = /install/tam610.windows
  end

  # source_host_name = your.source.host
  # log_host_name = your.log.host
  log_path = c:/progra~1/tivoli/swdis/1/work/install_amacld_windows.log

  move_removing_host = y
  no_check_source_host = y
  lenient_distribution = n
  default_operation = install
  server_mode = all
  operation_mode = not_transactional
  post_notice = n
  before_as_uid = 0
  skip_non_zero = n
  after_as_uid = 0
  no_chk_on_rm = y
  versioning_type = swd
  package_type = refresh
  stop_on_failure = y

  execute_user_program
    caption = "IBM Tivoli Access Manager Authorization Server 6.1 for WINDOWS"
    transactional = n

    during_install
      path = $(temp_dir)/$(install_srcdir)/install_amacld.exe
      arguments = "-W EZ_RebootPanel.exitWithoutReboot=true -options
                   $(temp_dir)/$(options_filename) -silent"
      inhibit_parsing = n
      working_dir = $(temp_dir)/$(install_srcdir)
      timeout = -1
      unix_user_id = 0
      unix_group_id = 0
      user_input_required = n
      output_file_append = n
      error_file_append = n
      reporting_stdout_on_server = n
      reporting_stderr_on_server = n
      max_stdout_size = 10000
      max_stderr_size = 10000
      bootable = n
      retry = 1

      exit_codes
        success = 0,0
        failure = 1,1002
        success_reboot_now = 1003,1003
        failure = 1004,65535
      end

      corequisite_files

        add_file
          replace_if_existing = y
          replace_if_newer = n
          remove_if_modified = n
          name = $(options_drive)$(options_filename)
          translate = n
          destination = $(temp_dir)/$(options_filename)
          compression_method = stored
          rename_if_locked = n
        end

        add_directory
          replace_if_existing = y
          replace_if_newer = n
          remove_if_modified = n
          name = $(install_srcdrive)$(install_srcdir)
          destination = $(temp_dir)/$(install_srcdir)
          descend_dirs = n
          compression_method = stored
          rename_if_locked = n

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "common"
            destination = "common"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # common

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "EIC"
            destination = "EIC"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # EIC

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "license"
            destination = "license"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # license

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "lib"
            destination = "lib"
            descend_dirs = y
            compression_method = stored
            rename_if_locked = n
          end # lib

          add_file
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "install_amacld.exe"
            translate = n
            destination = "install_amacld.exe"
            compression_method = stored
            rename_if_locked = n
          end

          add_file
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "install_amacld_setup.jar"
            translate = n
            destination = "install_amacld_setup.jar"
            compression_method = stored
            rename_if_locked = n
          end

          add_directory
            stop_on_failure = y
            replace_if_existing = y
            replace_if_newer = n
            remove_if_modified = n
            name = "windows"
            destination = "windows"
            descend_dirs = n
            compression_method = stored
            rename_if_locked = n

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "GSKit"
              destination = "GSKit"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # GSKit

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "tds"
              destination = "tds"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # tds

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "migrate"
              destination = "migrate"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # migrate

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "bin"
              destination = "bin"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # bin

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "TivSecUtl"
              destination = "TivSecUtl"
              descend_dirs = y
              compression_method = stored
              rename_if_locked = n
            end # TivSecUtl

            add_directory
              stop_on_failure = y
              replace_if_existing = y
              replace_if_newer = n
              remove_if_modified = n
              name = "PolicyDirector"
              destination = "PolicyDirector"
              descend_dirs = n
              compression_method = stored
              rename_if_locked = n

              add_directory
                stop_on_failure = y
                replace_if_existing = y
                replace_if_newer = n
                remove_if_modified = n
                name = "Disk Images"
                destination = "Disk Images"
                descend_dirs = n
                compression_method = stored
                rename_if_locked = n

                add_directory
                  stop_on_failure = y
                  replace_if_existing = y
                  replace_if_newer = n
                  remove_if_modified = n
                  name = "Disk1"
                  destination = "Disk1"
                  descend_dirs = n
                  compression_method = stored
                  rename_if_locked = n

                  add_directory
                    stop_on_failure = y
                    replace_if_existing = y
                    replace_if_newer = n
                    remove_if_modified = n
                    name = "PDLIC"
                    destination = "PDLIC"
                    descend_dirs = y
                    compression_method = stored
                    rename_if_locked = n
                  end # PDLIC

                  add_directory
                    stop_on_failure = y
                    replace_if_existing = y
                    replace_if_newer = n
                    remove_if_modified = n
                    name = "PDMGR"
                    destination = "PDMGR"
                    descend_dirs = y
                    compression_method = stored
                    rename_if_locked = n
                  end # PDMGR

                  add_directory
                    stop_on_failure = y
                    replace_if_existing = y
                    replace_if_newer = n
                    remove_if_modified = n
                    name = "PDAcld"
                    destination = "PDAcld"
                    descend_dirs = y
                    compression_method = stored
                    rename_if_locked = n
                  end # PDAcld
                end # Disk1
              end # Disk Images
            end # PolicyDirector
          end # windows

          # add_file
          #   replace_if_existing = y
          #   replace_if_newer = n
          #   remove_if_modified = n
          #   name = "/my/path/to/pdcacert.b64"
          #   translate = n
          #   destination = "/var/PolicyDirector/keytab/pdcacert.b64"
          #   compression_method = stored
          #   rename_if_locked = n
          # end
        end # $(temp_dir)/$(install_srcdir)
      end # corequisite_files
    end # during_install
  end # execute_user_program

  execute_user_program
    caption = "IBM Tivoli Access Manager Authorization Server 6.1 for WINDOWS (reboot: 1)"
    transactional = n

    during_install
      path = $(temp_dir)/$(install_srcdir)/install_amacld.exe
      arguments = "-W EZ_RebootPanel.exitWithoutReboot=true -options $(temp_dir)/$(options_filename) -silent"
      inhibit_parsing = n
      working_dir = $(temp_dir)/$(install_srcdir)
      timeout = -1
      unix_user_id = 0
      unix_group_id = 0
      user_input_required = n
      output_file_append = n
      error_file_append = n
      reporting_stdout_on_server = n
      reporting_stderr_on_server = n
      max_stdout_size = 10000
      max_stderr_size = 10000
      bootable = n
      retry = 1

      exit_codes
        success = 0,0
        failure = 1,1002
        success_reboot_now = 1003,1003
        failure = 1004,65535
      end
    end # during_install
  end # execute_user_program
end # package
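An SPD file is a nested stanza format, and two things in it matter to anyone reviewing a package before it is distributed: the full list of files and directories that will be staged on the endpoint (including any optional add_file such as the commented-out pdcacert.b64 entry above), and how the installer's exit codes are classified, since exit_codes can list the same status more than once. The following Python parser is an added example and is not part of IBM Tivoli Configuration Manager or of this guide; it handles the stanza/end nesting, keyword settings and comment lines seen in the template, and the SPD text embedded in it is a constructed, shortened variant of the amacld template rather than the shipped file.

```python
"""Parse a Tivoli software package definition (SPD) file into stanzas.

Added example, not part of IBM Tivoli Configuration Manager or this guide.
The SPD text at the bottom is a constructed, shortened variant of the
amacld template, not the shipped file.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple


@dataclass
class Stanza:
    name: str
    # Keyword settings in file order; keys may repeat (exit_codes lists failure twice).
    attrs: List[Tuple[str, str]] = field(default_factory=list)
    children: List["Stanza"] = field(default_factory=list)

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        for k, v in self.attrs:
            if k == key:
                return v
        return default


ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
OPEN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)$")
END_RE = re.compile(r"^end\b")


def parse_spd(text: str) -> Stanza:
    """Build the stanza tree; blank lines, '#' comments and the quoted
    signature line are skipped, and 'end' closes the innermost open stanza."""
    root = Stanza("<root>")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith('"'):
            continue
        if END_RE.match(line):
            if len(stack) == 1:
                raise ValueError("'end' without an open stanza")
            stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if m:
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # drop the surrounding quotes
            stack[-1].attrs.append((m.group(1), value))
            continue
        m = OPEN_RE.match(line)
        if m:
            node = Stanza(m.group(1))
            stack[-1].children.append(node)
            stack.append(node)
            continue
        raise ValueError(f"unrecognised SPD line: {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"unterminated stanza: {stack[-1].name}")
    return root


def walk(node: Stanza) -> Iterator[Stanza]:
    yield node
    for child in node.children:
        yield from walk(child)


def distributed_objects(root: Stanza) -> List[Tuple[str, str, str]]:
    """(stanza type, source name, destination) for every add_file/add_directory."""
    return [(n.name, n.get("name", ""), n.get("destination", ""))
            for n in walk(root) if n.name in ("add_file", "add_directory")]


def install_commands(root: Stanza) -> List[Tuple[str, str, str]]:
    """(caption, path, arguments) for every during_install of an execute_user_program."""
    out = []
    for prog in walk(root):
        if prog.name == "execute_user_program":
            for phase in prog.children:
                if phase.name == "during_install":
                    out.append((prog.get("caption", ""), phase.get("path", ""),
                                phase.get("arguments", "")))
    return out


def classify_exit_code(root: Stanza, code: int) -> str:
    """Map an installer exit code through the first exit_codes stanza, checking
    ranges in file order so a repeated key such as 'failure' is honoured."""
    for node in walk(root):
        if node.name == "exit_codes":
            for status, rng in node.attrs:
                lo, hi = (int(x) for x in rng.split(","))
                if lo <= code <= hi:
                    return status
    return "unmapped"


SAMPLE_SPD = '''"TIVOLI Software Package v4.2 - SPDF"
package
  name = install_amacld_windows
  version = 61
  default_variables
    ### location of options file
    options_filename = /install/config/windows/install_amacld.options
    install_srcdir = /install/tam610.windows
  end
  execute_user_program
    caption = "IBM Tivoli Access Manager Authorization Server 6.1 for WINDOWS"
    during_install
      path = $(temp_dir)/$(install_srcdir)/install_amacld.exe
      arguments = "-W EZ_RebootPanel.exitWithoutReboot=true -options $(temp_dir)/$(options_filename) -silent"
      exit_codes
        success = 0,0
        failure = 1,1002
        success_reboot_now = 1003,1003
        failure = 1004,65535
      end
      corequisite_files
        add_file
          name = $(options_drive)$(options_filename)
          destination = $(temp_dir)/$(options_filename)
        end
        add_directory
          name = $(install_srcdrive)$(install_srcdir)
          destination = $(temp_dir)/$(install_srcdir)
          add_file
            name = "install_amacld.exe"
            destination = "install_amacld.exe"
          end
        end # $(temp_dir)/$(install_srcdir)
      end # corequisite_files
    end # during_install
  end # execute_user_program
end # package
'''
```

Keeping attrs as an ordered list rather than a dictionary is the deliberate choice here: a dictionary would silently keep only the last "failure" range, and a reviewer asking how exit code 500 is treated would get the wrong answer. The same walk that lists distributed objects also confirms the installer is invoked with -silent and a fixed options file, which is what makes an unattended rollout reproducible.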


Chapter 29. Tivoli Access Manager registry adapter for WebSphere federated repositories

The Tivoli Access Manager registry adapter for WebSphere federated repositories uses the Tivoli Access Manager Registry Direct Java API to perform registry-related operations. The adapter:
- Is a virtual member manager (VMM) adapter. For detailed information about VMM, see the Virtual member manager documentation in the IBM WebSphere Application Server information center at http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp.
- Supports a single Tivoli Access Manager domain. (Tivoli Access Manager itself supports multiple secure domains when configured with the LDAP registry.)
- Supports the Tivoli Access Manager registries supported by the Registry Direct Java API.

Tivoli Access Manager registry adapter installation

The Tivoli Access Manager registry adapter is included with the Tivoli Access Manager installation program. The adapter package is named com.tivoli.pd.vmm.tam.adapter and the JAR file is named VMMTamAdapter.jar. When you install the Tivoli Access Manager Java RTE, the adapter is automatically installed along with the Java Runtime files. The adapter JAR file is located in the <Tivoli Access Manager installation directory>/java/export/vmm_tam_adapter directory.

Configuring the Tivoli Access Manager registry adapter

Configuring the Tivoli Access Manager registry adapter consists of two steps:
1. Configuring the Tivoli Access Manager adapter.
2. Configuring the adapter as a WebSphere custom registry.

Configuring a Tivoli Access Manager adapter

Configure this adapter when you want to perform Tivoli Access Manager registry operations. This adapter uses the Tivoli Access Manager Registry Direct Java API to perform administration commands such as creating users and groups. This adapter is provided as part of the Tivoli Access Manager installation.

To configure the adapter, complete the following steps:
1. Ensure that you have installed and configured Tivoli Access Manager using the Tivoli Directory Server as a user registry.
2. Ensure that you have installed the Tivoli Access Manager 6.1.1 Java run time component.
3. Copy the com.tivoli.pd.rgy.jar file from TAM_installation_directory/java/export/rgy to WebSphere_installation_directory/lib.
4. Create a Tivoli Access Manager user identity that runs the Java API, for example:

   pdadmin -a sec_master -p sec_master_password
   pdadmin sec_master> user create -no-password-policy user_name cn=user_name,registry_suffix user_name user_name password ( SecurityGroup ivacld-servers remote-acl-users )
   pdadmin sec_master> user modify user_name account-valid yes

   In the example, user_name is your choice of name for the user. A good naming scheme would be: tamVMMAdapter-machine_name. The value registry_suffix is the suffix of the registry where this user must be stored, for example, o=ibm,c=us.

5. Go to the computer where the Tivoli Access Manager adapter is to be configured.
6. Change directory to <WebSphere Application Server installation directory>/lib.
7. Run the com.tivoli.pd.rgy.util.RgyConfig tool.

   Note: You must use the IBM Java runtime environment to run this tool, for example:
   <WebSphere Application Server installation directory>/java/jre/bin/java

   Using the com.tivoli.pd.rgy.util.RgyConfig utility:

   Syntax:
   java com.tivoli.pd.rgy.util.RgyConfig properties_file_destination create Default Default "ldaphostname:389:readwrite:5" "DN" DN_password

   properties_file_destination
       Specifies the full path to an existing directory and the name of a file that is created when this command is run. Place the file in a directory appropriate for your WebSphere deployment:
       - For a non-clustered WebSphere server: <WebSphere Application Server installation directory>/profiles/<servername>/config/vm_tam_adapter
       - For a WebSphere cluster (replicated) environment, create the file on the DMgr: <WebSphere Application Server installation directory>/profiles/<DMgr server name>/config/vm_tam_adapter

   ldaphostname
       The host name of the LDAP server to which Tivoli Access Manager is configured. The host name is specified in the Tivoli Access Manager runtime configuration file: <Tivoli Access Manager installation directory>/etc/ldap.conf

   389
       The default LDAP port. Modify as needed for your deployment.

   "DN"
       The Distinguished Name (DN) specified in the pdadmin user creation command. Ensure that the value is surrounded by double quotation marks.

   DN_password
       The password for the DN.

   Example command:
   java com.tivoli.pd.rgy.util.RgyConfig WebSphere_application/profiles/<server>/config/vmm_tam_adapter/tamVMMAdapter.properties create Default Default "myldapsystem:389:readwrite:5" "cn=tamVMMAdapter-myhost,o=ibm,c=us" mypassword mypassword


8. After running com.tivoli.pd.rgy.util.RgyConfig, update the configuration as needed for your WebSphere deployment:
   - For a non-clustered WebSphere server, restart the WebSphere Application Server.
   - For a WebSphere cluster (replicated) environment, perform a full WebSphere resynchronization and restart the WebSphere Application Server.

Configuring the adapter as a WebSphere custom registry

To accomplish integration with WebSphere, configure the Tivoli Access Manager adapter as a WebSphere custom registry.

After configuring the Tivoli Access Manager adapter with the Tivoli Access Manager runtime environment, you must configure the Virtual Member Manager (VMM) Tivoli Access Manager Adapter into WebSphere as a custom registry.

Note: For information about configuring WebSphere Federated Repository custom registries, see the WebSphere documentation. For WebSphere Network Deployment 6.1, see the IBM WebSphere Application Server information center.

1. Stop the WebSphere Application Server.
2. Change directory to <WebSphere installation directory>/profiles/<profile name>/config/cells/<cell name>/wim/config
3. Use a text editor to open wimconfig.xml.

   Note: Create a copy of wimconfig.xml before you modify the file.

4. Add a config:repositories element to the file.
5. Place the config:repositories element before the config:realmConfiguration element.
   This entry specifies the class name of the adapter, and sets an identifier for the repository. For example, to specify a class name of com.tivoli.pd.vmm.adapter.tam.TAMRegistryAdapter and to set the TAMRegistryAdapter repository as the identifier, use the following:

   <config:repositories
       adapterClassName="com.tivoli.pd.vmm.adapter.tam.TAMRegistryAdapter"
       id="TAMRegistryAdapter"/>

6. Save the wimconfig.xml file and close the text editor.
7. Copy the TAM_installation_directory/java/export/vmm_tam_adapter/VMMTamAdapter.jar file to the WebSphere_install_directory/lib folder.
8. Start wsadmin in the no-connection mode:

   wsadmin -conntype none

9. Disable paging in the common repository configuration by setting the supportPaging parameter for the updateIdMgrRepository command to false.

   $AdminTask updateIdMgrRepository {-id TAMRegistryAdapter -supportPaging false }

   Note: A warning is shown until the configuration of the sample repository is finished.

10. Add a custom property for the TAMRegistryAdapter.

    $AdminTask setIdMgrCustomProperty {-id TAMRegistryAdapter -name tamConfFile -value "properties_file_destination"}


    properties_file_destination
        The properties file that was created as the result of running com.tivoli.pd.rgy.util.RgyConfig in the prerequisite task.

        This value can either be a fully qualified file path or a file path relative to the WebSphere configuration repository.

        For example, suppose the physical file path is C:/Program files/IBM/Websphere/AppServer/profiles/AppSrv01/config/tamvmm/tam.conf.properties. Here C:/Program files/IBM/Websphere/AppServer/profiles/AppSrv01/config is the WebSphere Application Server configuration repository, so the relative path to use is tamvmm/tam.conf.properties.

        In a WebSphere cluster environment, use the relative path.

11. Add a base entry to the adapter configuration using the addIdMgrRepositoryBaseEntry command to specify the name of the base entry for the specified repository:

    $AdminTask addIdMgrRepositoryBaseEntry {-id TAMRegistryAdapter -name base_entry_name }

    base_entry_name
        This name must match the suffix used by the Tivoli Access Manager user registry.

12. Use the addIdMgrRealmBaseEntry command to add the base entry to the realm. This action links the realm with the repository.

    $AdminTask addIdMgrRealmBaseEntry {-name defaultWIMFileBasedRealm -baseEntry base_entry_name }

    base_entry_name
        This name must match the value specified in the previous step.

    defaultWIMFileBasedRealm
        The default realm name is defaultWIMFileBasedRealm. If this realm was renamed, use the new realm name instead of defaultWIMFileBasedRealm.

13. Save your configuration changes. Enter the following commands to save the new configuration and close the wsadmin tool:

    $AdminConfig save
    exit

14. Restart the WebSphere Application Server.

Troubleshooting WebSphere login failure

If you cannot log on to WebSphere after configuring the adapter, review these troubleshooting tips.

If a registry is not accessible, WebSphere prevents you from logging on. This limitation occurs even if the WebSphere administration account is located in a different registry. Misconfiguration or unavailability of a required registry can result in WebSphere preventing you from logging in as the administrator. If you encounter this problem after configuring the Tivoli Access Manager adapter, perform the following steps:
1. Ensure that the Tivoli Access Manager registry is available. Because the Tivoli Access Manager registry adapter does not maintain an authentication cache, you see a "cannot log in" error immediately when the registry is unavailable.
   a. Use pdadmin to connect to the registry and perform a test user creation to confirm.
   b. Restart the registry and correct any connection issues if necessary.
   c. If the problem persists, continue to the next step.
2. Open the wimconfig.xml file and verify the settings in the new entry that you created.

   <config:repositories adapterClassName="com.tivoli.pd.vmm.adapter.tam.TAMRegistryAdapter"
       id="TAMRegistryAdapter" supportPaging="false">
     <config:baseEntries name="o=ibm,c=us"/>
     <config:CustomProperties
         name="tamConfFile"
         value="/opt/IBM/WebSphere/AppServer/profiles/dmgr/config/itfim/tamVMMAdapter.properties"/>
   </config:repositories>

   - Confirm that the location or name of the properties file is correct.
   - Confirm that the suffix is correct for the Tivoli Access Manager registry.

   Note: If you modify the configuration file, you must restart WebSphere. WebSphere requires you to log in as the administrator to stop WebSphere. However, if you cannot log in, you must stop the WebSphere process. You can then restart WebSphere without a login.

3. If in the previous step you did not identify any problems with the configuration file, revert to the backup copy of wimconfig.xml.
   a. Make a backup of your new wimconfig.xml file.
4. Restore the backup of the original wimconfig.xml file.
5. Restart WebSphere.

If you can log in after restoring the backed up file, there is a problem with the Tivoli Access Manager adapter configuration. Review the configuration and correct any errors.
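Because a misconfigured repository locks the WebSphere administrator out as well, it pays to check the config:repositories entry before restarting the server rather than after. The following Python function is an added example, not part of the product or of this guide: it reads a wimconfig.xml document and checks the four things the configuration steps above fix (the adapter class name, supportPaging="false", a single base entry equal to the registry suffix, and a tamConfFile property that resolves, absolutely or relative to the configuration repository, to an existing file). The XML sample is constructed, and the namespace URI assumed for the config prefix is this example's assumption; adjust it to the declaration in your own wimconfig.xml.

```python
"""Validate the TAMRegistryAdapter entry in wimconfig.xml before a restart.

Added example, not part of WebSphere or Tivoli Access Manager. The sample
document below is constructed; the namespace URI for the config prefix is an
assumption and must match the xmlns:config declaration of the real file.
"""
import os
import xml.etree.ElementTree as ET
from typing import Callable, List

WIM_CONFIG_NS = "http://www.ibm.com/websphere/wim/config"  # assumption
ADAPTER_CLASS = "com.tivoli.pd.vmm.adapter.tam.TAMRegistryAdapter"
REPOSITORY_ID = "TAMRegistryAdapter"


def check_tam_repository(xml_text: str, registry_suffix: str, config_dir: str,
                         path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return a list of problems with the adapter's repository entry.

    config_dir is the WebSphere configuration repository directory, against
    which a relative tamConfFile value is resolved. path_exists is injectable
    so the check can be exercised without the properties file on disk.
    """
    ns = {"config": WIM_CONFIG_NS}
    root = ET.fromstring(xml_text)
    repos = [r for r in root.iter(f"{{{WIM_CONFIG_NS}}}repositories")
             if r.get("id") == REPOSITORY_ID]
    if not repos:
        return [f"no config:repositories element with id {REPOSITORY_ID}"]
    repo = repos[0]
    problems: List[str] = []

    if repo.get("adapterClassName") != ADAPTER_CLASS:
        problems.append(f"adapterClassName is {repo.get('adapterClassName')!r}, expected {ADAPTER_CLASS}")
    # The guide disables paging for this adapter (updateIdMgrRepository -supportPaging false).
    if (repo.get("supportPaging") or "true").lower() != "false":
        problems.append("supportPaging must be false for the Tivoli Access Manager adapter")

    base_entries = [b.get("name") for b in repo.findall("config:baseEntries", ns)]
    if registry_suffix not in base_entries:
        problems.append(f"base entry {registry_suffix!r} missing; found {base_entries}")
    if len(base_entries) > 1:
        problems.append("the adapter supports only a single base entry")

    props = {p.get("name"): p.get("value") for p in repo.findall("config:CustomProperties", ns)}
    conf = props.get("tamConfFile")
    if not conf:
        problems.append("tamConfFile custom property is missing")
    else:
        resolved = conf if os.path.isabs(conf) else os.path.join(config_dir, conf)
        if not path_exists(resolved):
            problems.append(f"tamConfFile {conf!r} does not resolve to an existing file ({resolved})")
    return problems


# Constructed sample in the shape of the entry the configuration steps add.
SAMPLE_WIMCONFIG = f"""<config:configurationProvider xmlns:config="{WIM_CONFIG_NS}">
  <config:repositories adapterClassName="{ADAPTER_CLASS}"
      id="TAMRegistryAdapter" supportPaging="false">
    <config:baseEntries name="o=ibm,c=us"/>
    <config:CustomProperties name="tamConfFile" value="itfim/tamVMMAdapter.properties"/>
  </config:repositories>
  <config:realmConfiguration defaultRealm="defaultWIMFileBasedRealm"/>
</config:configurationProvider>
"""

if __name__ == "__main__":
    config_dir = "/opt/IBM/WebSphere/AppServer/profiles/dmgr/config"  # example value
    for problem in check_tam_repository(SAMPLE_WIMCONFIG, "o=ibm,c=us", config_dir):
        print("-", problem)
```

Run from a script on the deployment manager, the function reports nothing for a correct entry and one line per mismatch otherwise, which is quicker to read than a WebSphere login failure. The relative-path resolution mirrors the rule in step 10: in a cluster the relative form is the one to use, so that every node resolves it within its own synchronised configuration repository.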

Tivoli Access Manager registry adapter limitations

The limitations of the adapter are that it:
- Does not support VMM schema extension.
- Only supports a single base entry, not multiple base entries.
- Only supports user registry operations, not group registry operations. Group operations support is limited to group membership management.


Appendix A. Installing IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator version 6.1.1 is included on the IBM Tivoli Directory Integrator CD for the desired operating system.

For IBM Tivoli Directory Integrator installation instructions, see the installation information provided with the IBM Tivoli Directory Integrator CD.


Appendix B. User registry differences

Each user registry presents unique concerns when integrated with Tivoli Access Manager. This release of Tivoli Access Manager supports LDAP and URAF user registries.

Tivoli Access Manager supports the following LDAP user registries:
- Tivoli Directory Server
- IBM z/OS Security Server LDAP Server
- Novell eDirectory Server
- Sun Java System Directory Server
- Sun ONE Directory Server
- Microsoft Active Directory Application Mode (ADAM)

Tivoli Access Manager supports the following URAF user registries:
- Microsoft Active Directory Server
- Lotus Domino Server

General concerns

The following concerns apply to all of the supported user registries:
- Avoid using the forward slash (/) character when defining the names for users and groups when that name is defined using distinguished name strings. Each user registry treats this character differently.
- Avoid using leading and trailing blanks in user and group names. Each user registry treats blanks differently.

LDAP concerns

The following concerns apply to all of the supported LDAP user registries:
- There are no configuration steps needed in Tivoli Access Manager to make it support LDAP's own Password Policy. Tivoli Access Manager does not assume the existence or non-existence of LDAP's own Password Policy at all. Tivoli Access Manager enforces its own Password Policy first and foremost. Tivoli Access Manager attempts to update the password in LDAP only when the provided password passes Tivoli Access Manager's own Password Policy check. After that, Tivoli Access Manager tries to accommodate LDAP's own Password Policy to the best of its ability using the return code that it gets from LDAP during a password-related update. If Tivoli Access Manager can map this return code without any ambiguity to the corresponding Tivoli Access Manager error code, it does so and returns a proper error message.
- To take advantage of the multi-domain support in Tivoli Access Manager, you must use an LDAP user registry. When using a URAF user registry, only a single Tivoli Access Manager domain is supported.
- When using an LDAP user registry, the capability to own global sign-on credentials must be explicitly granted to a user. After this capability is granted, it can subsequently be removed. Conversely, users that are created in a URAF user registry are automatically given this capability. This capability cannot be removed.
- Leading and trailing blanks in user names and group names are ignored when using an LDAP user registry in a Tivoli Access Manager secure domain. To ensure consistent processing regardless of the user registry, define user names and group names without leading or trailing blanks.
- Attempting to add a single duplicate user to a group does not produce an error when using an LDAP user registry.
- The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be string data or binary data. However, when used with a URAF user registry, the retrieved attributes can be string data, binary data, or integer data.

Sun Java System Directory Server concerns

The following concerns are specific to Sun Java System Directory Server:
- If the user registry contains more entries than the defined look-through limit, the directory server might return the following status, which Tivoli Access Manager treats as an error:
  LDAP_ADMINLIMIT_EXCEEDED

  When the directory server is installed, the default value is 5000. To modify this value, perform the following steps from the Sun Java System Directory Server Console:
  1. Select the Configuration tab.
  2. Expand the Data entry.
  3. Select Database Settings.
  4. Select the LDBM Plug-in Settings tab.
  5. In the Look-through Limit field, type the maximum number of entries that you want the server to check in response to the search, or type -1 to define no maximum limit.

  If you bind the directory as the Directory Manager, the look-through limit is unlimited and overrides any settings specified in this field.

Microsoft Active Directory Application Mode (ADAM) concerns

The following concerns are specific to ADAM.
- Policy Server configuration allows you to select between a standard or minimal data model for the user registry. Because ADAM allows only a single naming attribute to be used when creating LDAP objects, ADAM requires the minimal data model. Regardless of which data model is chosen during Policy Server configuration, Access Manager will always use the minimal data model when ADAM is selected as the user registry.
- The common name (cn) attribute is a single-value attribute and can store only one value. The ADAM registry requires the value of cn to be the same as the cn naming attribute in the distinguished name (dn) attribute. When creating a user or group in Tivoli Access Manager, specify the same value for cn as the cn naming attribute in the dn. Tivoli Access Manager ignores the value of the cn attribute if it is different from the value of the cn naming attribute in the dn. For example, you cannot use the following command to create a user because the value of the cn attribute, fred, is different from the cn naming attribute in the dn, user1:
  pdadmin user create user1 cn=user1,o=ibm,c=us fred smith password1
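The naming rules in this appendix (no forward slash and no leading or trailing blanks in names under "General concerns", and for ADAM a cn value equal to the cn naming attribute of the dn) are easy to violate in a provisioning script and are reported by the registry only after the fact, if at all. The following Python pre-flight check is an added example, not part of Tivoli Access Manager or of this guide: given the user_name, dn and cn arguments that pdadmin user create takes in the order the appendix shows, it returns the rule violations before the command is issued. It parses the first RDN of the dn itself, honouring the backslash-escaped commas that LDAP DNs allow, rather than splitting on the first comma.

```python
"""Pre-flight checks for pdadmin user create arguments.

Added example, not part of Tivoli Access Manager or this guide. It applies
the naming rules from this appendix: no '/' and no leading/trailing blanks in
names (all registries), and for ADAM the cn value must equal the cn naming
attribute of the dn. The argument order (user_name, dn, cn) follows the
appendix's own pdadmin example.
"""
from typing import List, Optional


def first_rdn(dn: str) -> str:
    """Return the first RDN of a DN, stopping at the first unescaped comma."""
    out = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs such as '\,' together
            out.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            break
        out.append(ch)
        i += 1
    return "".join(out)


def naming_attribute(dn: str, attr: str = "cn") -> Optional[str]:
    """Value of the DN's naming attribute if its type is attr, else None."""
    rdn = first_rdn(dn)
    if "=" not in rdn:
        return None
    atype, value = rdn.split("=", 1)
    if atype.strip().lower() != attr.lower():
        return None
    return value.strip().replace("\\,", ",")


def check_user_create(user_name: str, dn: str, cn: str, registry: str) -> List[str]:
    """Return rule violations for a planned pdadmin user create; empty means clean.

    registry is the configured registry type, e.g. "ldap", "adam", "domino",
    "active_directory"; only the value "adam" enables the cn/dn rule.
    """
    problems: List[str] = []
    for label, value in (("user name", user_name), ("cn", cn)):
        if value != value.strip():
            problems.append(f"{label} {value!r} has leading or trailing blanks; registries treat blanks differently")
        if "/" in value:
            problems.append(f"{label} {value!r} contains '/'; registries treat the slash differently")
    if registry.lower() == "adam":
        rdn_cn = naming_attribute(dn, "cn")
        if rdn_cn is None:
            problems.append(f"dn {dn!r} does not start with a cn naming attribute, which ADAM requires")
        elif rdn_cn != cn:
            problems.append(f"cn {cn!r} differs from the dn naming attribute {rdn_cn!r}; ADAM ignores the cn value")
    return problems


if __name__ == "__main__":
    # The appendix's rejected example: cn 'fred' does not match the dn's cn 'user1'.
    for problem in check_user_create("user1", "cn=user1,o=ibm,c=us", "fred", "adam"):
        print("-", problem)
```

The check is deliberately registry-aware: the blank and slash rules apply everywhere, while the cn rule is only raised for ADAM, so the same function can sit in front of provisioning for any of the registries listed at the start of this appendix.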

URAF concerns

The following concerns apply to all of the supported URAF user registries:
- When using a URAF user registry, only a single Tivoli Access Manager domain is supported. To take advantage of the Tivoli Access Manager multi-domain support, use an LDAP user registry.
- Users created in a URAF user registry are automatically given the capability to own global sign-on credentials. This capability cannot be removed. When using an LDAP user registry, this capability must be explicitly granted. After this capability is granted, it can subsequently be removed.
- The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with a URAF user registry, the retrieved attributes can be string data, binary data, or integer data. However, when used with an LDAP user registry, the retrieved attributes can be only string data or binary data.

Lotus Domino Server concerns

In addition to the general URAF-specific concerns, the following concerns are specific to Lotus Domino Server:

- Leading and trailing blanks in user names and group names are significant when using Lotus Domino Server as the user registry in a Tivoli Access Manager secure domain. To ensure consistent processing, regardless of the user registry, define user names and group names without leading or trailing blanks.

- When creating names for users or groups and that name is defined with a distinguished name string that contains a forward slash (/) character, you must define that name using distinguished name designations. For example, to create a user with the distinguished name string username/locinfo, use the following command:

    pdadmin user create myuser cn=username/o=locinfo test test testpwd
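The ADAM and Lotus Domino rules above (cn must equal the cn naming attribute in the dn; a name whose dn string contains a slash needs attribute designations; leading or trailing blanks should not be relied on) are easy to check before a provisioning script calls pdadmin. The following is an added Python example written for this page, not IBM code: it does not invoke pdadmin, and the registry labels ('adam', 'domino', 'ad', 'ldap') and the check_create_args() function are our own names.

```python
"""Pre-flight checks for the arguments of
'pdadmin user create user_name dn cn sn password', based on the registry
concerns described on this page.  Added example; not IBM code."""
import re

# Split an LDAP DN on commas that are not escaped with a backslash.
_LDAP_RDN_SPLIT = re.compile(r'(?<!\\),')
# A distinguished name designation: attribute=value (e.g. cn=username, o=locinfo).
_DESIGNATION = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*=.+$')


def leading_rdn(dn):
    """Return (attribute, value) of the first RDN, e.g. ('cn', 'user1')."""
    first = _LDAP_RDN_SPLIT.split(dn, 1)[0]
    attr, _, value = first.partition('=')
    return attr.strip().lower(), value.strip()


def check_create_args(user_name, dn, cn, sn, registry):
    """Return a list of findings for a planned 'pdadmin user create' call.

    registry is one of 'adam', 'domino', 'ad' or 'ldap' (our labels, an assumption).
    An empty list means none of the rules on this page is violated."""
    findings = []

    # ADAM: cn is single-valued and must equal the cn naming attribute in the dn;
    # a different cn value is silently ignored by Access Manager.
    if registry == 'adam':
        attr, value = leading_rdn(dn)
        if attr != 'cn':
            findings.append(f"ADAM: DN must be named by cn, found '{attr}'")
        elif value != cn:
            findings.append(
                f"ADAM: cn '{cn}' differs from cn naming attribute '{value}' in the DN")

    # Domino: a dn string containing '/' must use designations (cn=..., o=...)
    # rather than the bare 'username/locinfo' form.
    if registry == 'domino' and '/' in dn:
        bad = [part for part in dn.split('/') if not _DESIGNATION.match(part)]
        if bad:
            findings.append(f"Domino: components {bad} lack attribute designations")

    # Blanks are significant in Domino and ignored in Active Directory, so the
    # same name behaves differently per registry; define names without them.
    for label, name in (('user name', user_name), ('cn', cn), ('sn', sn)):
        if name != name.strip():
            findings.append(f"{label} {name!r} has leading or trailing blanks")
    return findings


if __name__ == '__main__':
    # The failing ADAM example from the text: cn 'fred' vs naming attribute 'user1'.
    for f in check_create_args('user1', 'cn=user1,o=ibm,c=us', 'fred', 'smith', 'adam'):
        print(f)
```

Run the checks against the exact arguments a script is about to pass; a non-empty result is the reason the create would fail or behave unexpectedly on that registry.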

Microsoft Active Directory Server concerns

In addition to the general URAF-specific concerns, the following concerns are specific to Microsoft Active Directory Server:

- Users created in Active Directory may have an associated primary group. The Active Directory default primary group is Domain Users. However, Active Directory does not add the primary group information to the user's memberOf or the group's member attribute. This means that when Tivoli Access Manager queries for a list of members of a group, the result does not include any members for whom the group is the primary group. Additionally, when Tivoli Access Manager queries for all the groups to which a user belongs, the query result does not display the primary group of the user. For this reason, avoid using a Tivoli Access Manager group as the Active Directory primary group for Tivoli Access Manager users.

- Tivoli Access Manager does not support cross domain group membership or universal groups. Tivoli Access Manager does not support importing these types of groups.

Appendix B. User registry differences 639


- When Tivoli Access Manager imports a dynamic group, the ivacld-servers and remote-acl-users groups apply read permission on each authorization store to which the dynamic group belongs. This read permission enables Tivoli Access Manager blade servers, such as WebSEAL, to read the registry authorization store, and thus to read dynamic group data, such as group membership, for building Tivoli Access Manager credentials. Manually removing this read permission while Tivoli Access Manager is configured to the Active Directory registry results in adverse behavior, such as inaccurate group membership.

- If the option to change a user's password using LDAP APIs is enabled in an environment where:

  – Tivoli Access Manager is configured to use the Active Directory user registry, and

  – Tivoli Access Manager blade servers use LDAP APIs to communicate with the Active Directory server,

  Tivoli Access Manager must be configured with Secure Socket Layer (SSL) to allow connections between the LDAP client and the Active Directory server. The Active Directory environment must also be enabled to accept LDAP connections over Secure Socket Layer (SSL).

- When using an Active Directory user registry in a Tivoli Access Manager configuration with blade servers that use LDAP APIs to communicate with the Active Directory server, Access Manager supports user password change requests using either the Policy Server or LDAP APIs. Password change requests made through the LDAP APIs do not require the Policy Server to be up and running. The use of LDAP APIs for blade-server communication with the Active Directory server is multi-platform support that allows blade servers to be installed on machines that are not clients of the same domain as the policy server. In this configuration, the policy server must be installed and configured on a Windows operating system.

- When using an Active Directory user registry, each user name and each group name in a domain must be unique. User and group short name values are stored in the sAMAccountName attribute of Active Directory user objects and group objects, and Microsoft requires that sAMAccountName be unique within an Active Directory domain.

- When using a multi-domain Active Directory user registry, multiple users and groups can be defined with the same short name as long as they are located in different domains. However, the full name of the user or group, including the domain suffix, must always be specified to Tivoli Access Manager.

- Leading and trailing blanks in user names and group names are ignored when using Microsoft Active Directory Server as the user registry in a Tivoli Access Manager secure domain. To ensure consistent processing, regardless of the user registry, define user names and group names without leading or trailing blanks.

- Tivoli Access Manager supports the use of an email address or other alternate format of the userPrincipalName attribute of the Active Directory registry user object as a Tivoli Access Manager user identity. This is an optional enhancement; when it is enabled, both the default and the email address or other alternate format of the userPrincipalName can co-exist in the Tivoli Access Manager environment.

  The default format of the userPrincipalName registry attribute is user_id@domain_suffix, where domain_suffix is the Active Directory domain where the user identity is created. For example, johndoe@tivoli.com is the value of the userPrincipalName; tivoli.com is the Active Directory domain where the user identity is created. The Tivoli Access Manager user identity corresponding to the registry user in this example is either johndoe@tivoli.com or johndoe, depending on whether Tivoli Access Manager is configured to use Active Directory with multiple domains or a single domain, respectively.

  The alternate format of the userPrincipalName attribute is user_id@any_suffix, where any_suffix can be any domain (Active Directory or non-Active Directory) other than the Active Directory domain in which the user identity is created. For example, the registry user johndoe@other_domain.com can be created in Active Directory domain tivoli.com, and the registry user johndoe@tivoli.com can be created in Active Directory domain child_domain.tivoli.com. Both of these users can be Tivoli Access Manager users, and their user identities are johndoe@other_domain.com and johndoe@tivoli.com, respectively.

  The alternate user principal name (UPN) support must be enabled in all Tivoli Access Manager run-time environments to ensure that Tivoli Access Manager user identities work properly with alternate UPNs. Once the use of the alternate UPN format as an Access Manager user identity is enabled, it cannot be reversed without breaking Tivoli Access Manager functions.

- Although users and groups can be created with names that use a distinguished name string that contains a forward slash (/) character, subsequent operations on the object might fail. Some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. To avoid the problem, do not use a forward slash character to define the user.
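Two of the Active Directory concerns above can be audited before a group is handed to Tivoli Access Manager: the primary group that never appears in memberOf or member (so a TAM membership query misses those users), and the per-domain uniqueness of sAMAccountName that still allows the same short name in different domains. The following is an added Python example written for this page, not IBM code; it works on a constructed in-memory snapshot of directory objects rather than a live directory, and the attribute layout of the snapshot and the function names are ours.

```python
"""Audit helpers for the Active Directory primary-group and sAMAccountName
pitfalls described on this page.  Added example; not IBM code."""

# Constructed sample snapshot (not exported from a real directory).  In AD the
# primary group is linked through the user's primaryGroupID (a RID) and the
# group's objectSid; the snapshot stores the resolved group DN for readability.
SNAPSHOT = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "domain": "example.com",
     "class": "user", "sAMAccountName": "alice",
     "memberOf": ["CN=webseal-users,CN=Users,DC=example,DC=com"],
     "primaryGroup": "CN=Domain Users,CN=Users,DC=example,DC=com"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "domain": "example.com",
     "class": "user", "sAMAccountName": "bob",
     "memberOf": [],
     # bob's primary group is a TAM-managed group: memberOf does not list it
     "primaryGroup": "CN=webseal-users,CN=Users,DC=example,DC=com"},
    {"dn": "CN=alice,CN=Users,DC=child,DC=example,DC=com", "domain": "child.example.com",
     "class": "user", "sAMAccountName": "alice", "memberOf": [],
     "primaryGroup": "CN=Domain Users,CN=Users,DC=child,DC=example,DC=com"},
    {"dn": "CN=webseal-users,CN=Users,DC=example,DC=com", "domain": "example.com",
     "class": "group", "sAMAccountName": "webseal-users",
     "member": ["CN=alice,CN=Users,DC=example,DC=com"]},
    # A planned second group with the same short name in the same domain.
    {"dn": "CN=webseal-users,OU=Service,DC=example,DC=com", "domain": "example.com",
     "class": "group", "sAMAccountName": "webseal-users", "member": []},
]


def members_by_attribute(snapshot, group_dn):
    """What a plain query of the group's member attribute returns."""
    for obj in snapshot:
        if obj["dn"] == group_dn:
            return set(obj.get("member", []))
    return set()


def effective_members(snapshot, group_dn):
    """member attribute plus every user whose primary group is this group."""
    members = members_by_attribute(snapshot, group_dn)
    members |= {o["dn"] for o in snapshot
                if o["class"] == "user" and o.get("primaryGroup") == group_dn}
    return members


def hidden_primary_members(snapshot, tam_group_dns):
    """Users a TAM membership query would miss: a TAM group is their primary
    group and memberOf does not list it.  The page says to avoid this setup."""
    return sorted(
        (o["dn"], o["primaryGroup"])
        for o in snapshot
        if o["class"] == "user"
        and o.get("primaryGroup") in tam_group_dns
        and o["primaryGroup"] not in o.get("memberOf", []))


def samaccountname_conflicts(snapshot):
    """sAMAccountName must be unique per domain across users and groups;
    the same short name in different domains is allowed (multi-domain)."""
    seen, conflicts = {}, []
    for o in snapshot:
        key = (o["domain"].lower(), o["sAMAccountName"].lower())
        if key in seen:
            conflicts.append((key, seen[key], o["dn"]))
        else:
            seen[key] = o["dn"]
    return conflicts


if __name__ == "__main__":
    group = "CN=webseal-users,CN=Users,DC=example,DC=com"
    print("member attribute:", members_by_attribute(SNAPSHOT, group))
    print("effective       :", effective_members(SNAPSHOT, group))
    print("hidden          :", hidden_primary_members(SNAPSHOT, {group}))
    print("conflicts       :", samaccountname_conflicts(SNAPSHOT))
```

The difference between members_by_attribute() and effective_members() is exactly the membership Tivoli Access Manager cannot see; run hidden_primary_members() over the groups you intend to import and fix the primary group of any user it reports before relying on group-based policy.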

Length of names

The maximum lengths of various names that are associated with Tivoli Access Manager vary depending on the user registry that is being used. See Table 60 for a comparison of the maximum lengths that are allowed and the recommended maximum length to use to ensure compatibility with all the user registries that are supported by Tivoli Access Manager.

Table 60. Maximum lengths for names by user registry and the optimal length across user registries

| Name | IBM Tivoli Directory Server | IBM z/OS Security Server | Novell eDirectory Server | Sun Java System Directory Server | Microsoft Active Directory Server | Lotus Domino Server | Active Directory Application Mode (ADAM) | Optimal length |
|---|---|---|---|---|---|---|---|---|
| First name (LDAP CN) | 256 | 256 | 64 | 256 | 64 | 960 | 64 | 64 |
| Middle name | 128 | 128 | 128 | 128 | 64 | 65535 | 64 | 64 |
| Last name (surname) | 128 | 128 | 128 | 128 | 64 | 960 | 64 | 64 |
| Registry UID (LDAP DN) | 1024 | 1024 | 1024 | 1024 | 2048 | 255 | 1024 | 255 |
| Tivoli Access Manager user identity | 256 | 256 | 256 | 256 | 64 | 196 - domain_name_length | 64 | 64 |
| User password | unlimited | unlimited | unlimited | unlimited | 256 | unlimited | 128 | 256 |
| User description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Group name | 256 | 256 | 256 | 256 | 64 | 196 - domain_name_length | 64 | 64 |
| Group description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Single sign-on resource name | 240 | 240 | 240 | 240 | 60 | 256 | 240 | 60 |
| Single sign-on resource description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Single sign-on user ID | 240 | 240 | 240 | 240 | 60 | 256 | 240 | 60 |
| Single sign-on password | unlimited | unlimited | unlimited | unlimited | 256 | unlimited | unlimited | 256 |
| Single sign-on group name | 240 | 240 | 240 | 240 | 60 | 256 | 240 | 60 |
| Single sign-on group description | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 | 1024 |
| Action name | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Action description, action type | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| Object name, object description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| Object space name, object space description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| ACL name, ACL description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |
| POP name, POP description | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited | unlimited |

Although the maximum length of an Active Directory distinguished name (registry UID) is 2048, the maximum length of each relative distinguished name (RDN) is 64.

If you configure Tivoli Access Manager to use multiple Active Directory domains, the maximum length of the user identity and group name does not include the domain suffix. When using multiple domains, the format of a user identity is user_id@domain_suffix. The maximum length of 64 applies only to the user_id portion. If you use an email address or other alternate format for the Tivoli Access Manager user identity in the Active Directory, the maximum name length remains the same, but includes the suffix.

Although the lengths of some names can be unlimited, excessive lengths can result in policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for your environment.
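The userPrincipalName mapping described under the Active Directory concerns and the length limits in Table 60 and the notes after it can be turned into a checker that runs before names are created. The following is an added Python example written for this page, not IBM code. The limits are copied from the rows of Table 60 that give one value per registry; the registry labels and function names are ours; the caller supplies domain_name_length for the Lotus Domino formula because the page does not say how it is measured; and which part of an Active Directory identity is measured (user_id only for the default multi-domain format, the whole string for the alternate format) follows the paragraph after the table and is our reading of it.

```python
"""Identity mapping and name-length checks for Tivoli Access Manager against
Table 60 and the Active Directory notes that follow it.  Added example; not IBM code."""
import re

REGISTRIES = ("tds", "zos", "edirectory", "sun", "ad", "domino", "adam")  # our labels
UNLIMITED = None
DOMAIN_RULE = "196 - domain_name_length"   # the formula cell in Table 60

# Table 60 rows that give one value per registry, in REGISTRIES order.
MAX_LENGTH = {
    "first_name":    (256, 256, 64, 256, 64, 960, 64),
    "middle_name":   (128, 128, 128, 128, 64, 65535, 64),
    "surname":       (128, 128, 128, 128, 64, 960, 64),
    "registry_dn":   (1024, 1024, 1024, 1024, 2048, 255, 1024),
    "user_identity": (256, 256, 256, 256, 64, DOMAIN_RULE, 64),
    "group_name":    (256, 256, 256, 256, 64, DOMAIN_RULE, 64),
    "user_password": (UNLIMITED, UNLIMITED, UNLIMITED, UNLIMITED, 256, UNLIMITED, 128),
    "sso_user_id":   (240, 240, 240, 240, 60, 256, 240),
    "sso_password":  (UNLIMITED, UNLIMITED, UNLIMITED, UNLIMITED, 256, UNLIMITED, UNLIMITED),
}
# "Optimal length" column: a value that works with every supported registry.
OPTIMAL = {"first_name": 64, "middle_name": 64, "surname": 64, "registry_dn": 255,
           "user_identity": 64, "group_name": 64, "user_password": 256,
           "sso_user_id": 60, "sso_password": 256}
AD_RDN_MAX = 64   # each RDN of an Active Directory DN, although the DN itself may be 2048


def tam_identity(upn, creation_domain, multi_domain, alternate_upn_enabled):
    """Map a registry userPrincipalName to the TAM user identity, or None if it cannot be one.

    Default format user_id@creation_domain: the whole UPN in a multi-domain
    configuration, user_id alone in a single-domain one.  Alternate format
    user_id@other_suffix: the whole UPN, and only when alternate UPN support is enabled."""
    user_id, _, suffix = upn.rpartition("@")
    if suffix.lower() == creation_domain.lower():
        return upn if multi_domain else user_id
    return upn if alternate_upn_enabled else None


def check_length(kind, registry, value, domain_name_length=0, counts_suffix=True):
    """Findings for one name: ERROR over the registry maximum, WARN over the optimal length.

    Pass counts_suffix=False for a multi-domain Active Directory identity in the
    default format (the @domain_suffix is not counted); an alternate-format
    identity keeps the default, because its suffix does count."""
    limit = MAX_LENGTH[kind][REGISTRIES.index(registry)]
    if limit == DOMAIN_RULE:
        limit = 196 - domain_name_length
    measured = value
    if not counts_suffix and "@" in value:
        measured = value.rpartition("@")[0]
    findings = []
    if limit is not UNLIMITED and len(measured) > limit:
        findings.append(f"ERROR: {kind} has {len(measured)} chars, {registry} allows {limit}")
    if len(measured) > OPTIMAL[kind]:
        findings.append(f"WARN: {kind} has {len(measured)} chars, "
                        f"over the portable optimum of {OPTIMAL[kind]}")
    return findings


def check_ad_dn(dn):
    """Active Directory registry UID: the DN may be 2048 characters, but each RDN at most 64."""
    findings = check_length("registry_dn", "ad", dn)
    for rdn in re.split(r"(?<!\\),", dn):   # a comma escaped with '\' stays inside its RDN
        if len(rdn) > AD_RDN_MAX:
            findings.append(f"ERROR: RDN {rdn[:16]}... has {len(rdn)} chars, AD allows {AD_RDN_MAX}")
    return findings


if __name__ == "__main__":
    print(tam_identity("johndoe@tivoli.com", "tivoli.com", multi_domain=False, alternate_upn_enabled=False))
    print(check_length("user_identity", "ad", "a" * 60 + "@tivoli.com"))            # alternate format
    print(check_length("user_identity", "ad", "a" * 60 + "@tivoli.com", counts_suffix=False))
    print(check_ad_dn("CN=" + "a" * 70 + ",DC=example,DC=com"))
```

The two check_length() calls on the same 60-character user_id show the point of the paragraph above: as a default-format multi-domain identity it passes, while as an alternate-format identity the suffix pushes it over the Active Directory limit of 64.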


Appendix C. Support information

This section describes the following options for obtaining support for IBM products:

- “Searching knowledge bases”
- “Obtaining fixes”
- “Registering with IBM Software Support” on page 646
- “Receiving weekly software updates” on page 646
- “Contacting IBM Software Support” on page 647

Searching knowledge bases

If you encounter a problem, you want it resolved quickly. You can search the available knowledge bases to determine whether the resolution to your problem was already encountered and is already documented.

Searching information centers

IBM provides extensive documentation in an information center that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Searching the Internet

If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To search multiple Internet resources for your product, perform the following steps:

1. Expand the product folder in the navigation frame on the left.
2. Expand Troubleshooting and support.
3. Expand Searching knowledge bases.
4. Click Web search.

From this topic, you can search a variety of resources, which include the following:

- IBM Technotes
- IBM downloads
- IBM Redbooks®
- IBM developerWorks®
- Forums and news groups
- Google

Obtaining fixes

A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, check the product support site by performing the following steps:

1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Under Products A - Z, click the letter with which your product starts to open a Software Product List.
3. Click your product name to open the product-specific support page.
4. Under Self help, follow the link to All Updates, where you will find a list of fixes, fix packs, and other service updates for your product. For tips on refining your search, click Search tips.
5. Click the name of a fix to read the description.
6. Optional: download the fix.

© Copyright IBM Corp. 2001, 2010 645

Registering with IBM Software Support

Before you can receive weekly e-mail updates about fixes and other news about IBM products, you need to register with IBM Software Support. To register with IBM Software Support, follow these steps:

1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Click Register in the upper right-hand corner of the support page to establish your user ID and password.
3. Complete the form, and click Submit.

Receiving weekly software updates

After registering with IBM Software Support, you can receive weekly e-mail updates about fixes and other news about IBM products. To receive weekly notifications, follow these steps:

1. Go to the IBM Software Support site at the following Web address: http://www.ibm.com/software/support
2. Click the My support link to open the Sign in page.
3. Provide your sign in information, and click Submit to open your support page.
4. Click the Edit profile tab.
5. For each product about which you want to receive updates, use the filters to choose your exact interests, and click Add products.
6. Repeat step 5 for each additional product.
7. After choosing all your products, click the Subscribe to email link.
8. For each product category, use the filters and choose which updates you want to receive, and click Update.
9. Repeat step 8 for each additional product category.

For more information about the types of fixes that are available, see the IBM Software Support Handbook at the following Web address:

http://techsupport.services.ibm.com/guides/handbook.html


Contacting IBM Software Support

IBM Software Support provides assistance with product defects. Before contacting IBM Software Support, the following criteria must be met:

- Your company has an active IBM software maintenance contract.
- You are authorized to submit problems to IBM Software Support.

The type of software maintenance contract that you need depends on the type of product that you have. Product types are one of the following categories:

- For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational® products, as well as DB2 and WebSphere products that run on Windows, Linux, or UNIX operating systems), enroll in Passport Advantage in one of the following ways:

  Online
      Go to the IBM Software Passport Advantage site at the following Web address and click How to Enroll:
      http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home

  By phone
      For the phone number to call in your country, go to the IBM Software Support site at the following Web address and click the name of your geographic region:
      http://techsupport.services.ibm.com/guides/contacts.html

- For IBM eServer™ software products (including, but not limited to, DB2 and WebSphere products that run in System z, pSeries®, and iSeries® environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, go to the IBM eServer Technical Support Advantage site at the following Web address:
  http://www.ibm.com/servers/eserver/techsupport.html

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region for phone numbers of people who provide support for your location:

http://techsupport.services.ibm.com/guides/contacts.html

To contact IBM Software Support, follow these steps:

1. “Determining the business impact”
2. “Describing problems and gathering information” on page 648
3. “Submitting problems” on page 648

Determining the business impact

When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem that you are reporting. Use the following severity criteria:

Appendix C. Support information 647


Severity 1
    The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.

Severity 2
    The problem has a significant business impact. The program is usable, but it is severely limited.

Severity 3
    The problem has some business impact. The program is usable, but less significant features that are not critical are unavailable.

Severity 4
    The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.

Describing problems and gathering information

When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:

- What software versions were you running when the problem occurred?
- Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
- Can you create the problem again? If so, what steps were performed to encounter the problem?
- Was any change made to the system? For example, were there changes to the hardware, operating system, networking software, and so on?
- Are you currently using a workaround for this problem? If so, please be prepared to explain it when you report the problem.

Submitting problems

You can submit your problem to IBM Software Support in one of two ways:

Online
    Go to the Submit and track problems page on the IBM Software Support site at the following address, and provide your information into the appropriate problem submission tool:
    http://www.ibm.com/software/support/probsub.html

By phone
    For the phone number to call in your country, go to the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region:
    http://techsupport.services.ibm.com/guides/contacts.html

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolution.


For more information about problem resolution, see “Searching knowledge bases” on page 645 and “Obtaining fixes” on page 645.


Appendix D. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements, or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.

Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:

© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.

If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.

Trademarks

IBM, the IBM logo, AIX, DB2, IBMLink, Tivoli, Tivoli Enterprise Console®, and TME are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Adobe, the Adobe logo, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.

Intel®, Intel logo, Intel Inside®, Intel Inside logo, Intel Centrino®, Intel Centrino logo, Celeron®, Intel Xeon®, Intel SpeedStep®, Itanium®, and Pentium® are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

IT Infrastructure Library® is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.

ITIL® is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Appendix D. Notices 653


UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Glossary

This glossary defines the technical terms and abbreviations that are used in Tivoli Access Manager. If you do not find the term or abbreviation for which you are looking, refer to the IBM Terminology Web site at the following Web address:

http://www.ibm.com/ibm/terminology

The following cross-references are used among terms:

Contrast with
    Refers the reader to a term that has an opposed or substantively different meaning.

See
    Refers the reader to a term that is the expanded form of an abbreviation or acronym or to a synonym or more preferred term.

See also
    Refers the reader to a related term.

Obsolete
    Indicates that the term should not be used and refers the reader to the preferred term.

A

access control. In computer security, the process of ensuring that only authorized users can access the resources of a computer system in authorized ways.

access control list (ACL). In computer security, a list with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users' access rights to that file.

access decision information (ADI). The data and attributes that are used by the authorization engine to evaluate a rule. Authorization API attributes are name-value pairs that form the basis of all ADI that can be referenced in a rule or presented to the authorization engine.

access permission. The access privilege that applies to the entire object.

account. Information about an identity.

ACL. See access control list.

ACL entry. Data in an access control list that specifies a set of permissions.

ACL policy. Part of the security policy that contains ACL entries that control who can access which domain resources and perform which actions. See also authorization rule and protected object policy.

action. An access control list (ACL) permission attribute. See also access control list.

action group. A set of actions that are explicitly associated with a resource or set of resources.

ADI. See access decision information.

ADK. See application development kit.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service responds to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

application development kit (ADK). A set of tools, APIs, and documentation to assist with the development of software in a specific computer language or for a particular operating environment.

attribute. A characteristic or trait of an entity that describes the entity. An attribute can have a type, which indicates the range of information given by the attribute, and a value, which is within a range. In XML, for example, an attribute consists of a name-value pair within a tagged element and modifies a feature of an element.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name-value pairs.

audit event. A record of an operation in the audit log or change history; for example, an audit entry is created when a resource is modified.

audit level. The types of user actions that are currently being audited for the entire system or for specific users on the system. Actions that can be audited include authority failures and restoring objects. A record of each action is written to the audit journal.

audit trail. A chronological record of events thatenables the user to examine and reconstruct a sequence

© Copyright IBM Corp. 2001, 2010 655

Page 674: Am611 Install

of events. Audit trails are useful for managing securityand for recovering lost transactions.

audit trail file. The file that contains the audit trail.

authentication. In computer security, the process that verifies identity. Authentication is distinct from authorization; authorization is concerned with granting and denying access to resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. In computer security, the process that grants or denies access to resources. Security uses a two-step process: after authentication has verified the identity, authorization allows the resource or process access to various resources based on its identity.

authorization API. The Tivoli Access Manager component that passes requests for authorization decisions from the resource manager to the authorization evaluator. See also authorization server and authorization service.

authorization evaluator. The decision-making process that determines whether a client can access a protected resource based on the security policy. The evaluator makes its recommendation to the resource manager, which, in turn, responds accordingly.

authorization rule. Part of the security policy that defines conditions that are contained in authorization policy. An authorization rule is used to make access decisions based on attributes such as user, application, and environment context. See also ACL policy and protected object policy.

authorization server. The Tivoli Access Manager component that runs the authorization service. See also authorization service.

authorization service. A dynamic or shared library that can be loaded by the authorization API runtime client at initialization time to perform operations that extend a service interface in the Authorization API.

B

BA. See basic authentication.

basic authentication. An authentication method that verifies identity using a user name and password.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, to an address, or to another identifier, or to associate formal parameters to actual parameters.

blade. A component that provides application-specific services and components.

Boolean. A binary numbering system that is named after mathematician George Boole in which zero and one are the only two values that can be returned; a value of zero represents false while a value of one represents true.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization process.

C

CA. See certificate authority.

CDAS. Obsolete. See external authentication C API.

CDMF. See cross domain mapping framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues certificates. A CA creates digital signatures and public-private key pairs. The CA guarantees the identity of the individual who is granted the unique certificate and guarantees the services that the owner is authorized to use, to issue new certificates, and to revoke certificates that belong to users and organizations who are no longer authorized to use the services. The role of the CA is to authenticate the entities (users and organizations) involved in electronic transactions. Because the CA guarantees that the two parties that are exchanging information are really who they claim to be, the CA is a critical component in data security and electronic commerce.

CGI. See common gateway interface.

cipher. A cryptographic algorithm that is used to encrypt data so that it is unreadable until it is converted into plain data (decrypted) with a predefined key.

common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.

configuration. The manner in which the hardware and software of a system, subsystem, or network are organized and interconnected.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communication, a line over which data can be passed between two systems or between a system and a device.

console log agent. A log agent that writes events to standard error or standard output. See also file log agent, pipe log agent, and remote log agent.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations that add to and remove from the credentials attribute list, and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). Obsolete. See external authentication C API.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when WebSEAL e-Community SSO functions are used.

D

daemon. A system process that runs unattended to perform continuous or periodic system-wide functions, such as network control. See also service.

data store. A storage area for data, such as a database system, directory, or file.

delegate. A user who is authorized to work for another user. The authorization can be made by a user or by an administrator.

demilitarized zone (DMZ). In network security, a computer or network that uses a firewall to be isolated from, and to serve as a neutral zone between, a trusted network (for example, a private intranet) and an untrusted network (for example, the Internet). One or more secure gateways usually control access to the DMZ from the trusted or the untrusted network.

digital signature. Information that is encrypted with a private key and is appended to a message to assure the recipient of the authenticity and integrity of the message. The digital signature proves that the message was signed by the entity that owns, or has access to, the private key or shared secret symmetric key.

directory schema. The valid attribute types and objectclasses that can appear in a directory. The attribute types and objectclasses define the syntax of the attribute values, which attributes are required, and which attributes are optional.

distinguished name (DN). (1) The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute-value pairs, separated by commas. (2) A set of name-value pairs (such as cn=common name and c=country) that uniquely identifies an entry in a digital certificate.

DMZ. See demilitarized zone.

DN. See distinguished name.

domain. (1) A logical grouping of resources in a network that share common administration and management. (2) A part of a network that is administered with a common protocol. See also domain name.

domain administrator. The administrator for a domain who can assign any of the roles in that domain to subdomains. After assigning roles to subdomains, administrators in that subdomain can assign subdomain users these roles.

domain name. In the Internet suite of protocols, the name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if austin.ibm.com is the fully qualified domain name (FQDN) of a host system, both austin.ibm.com and ibm.com® are domain names.

dynamic group. A group that is defined using a search expression. When an attribute is added to a directory entry that causes it to match the search expression, the entry automatically becomes a member of the group.

E

EAS. See external authorization service.

encryption. In computer security, the process of transforming data into a cipher.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application-specific data that will be consumed by the resource manager application in some way or added to the principal's credentials for use further on in the authorization process. Customers may develop these services using the authorization ADK.

entity. In object-oriented design, an item that can be treated as a unit and, often, as a member of a particular category or type. An entity can be concrete or abstract.

event. Any significant change in the state of a system resource, network resource, or network application. An event can be generated for a problem, for the resolution to a problem, or for the successful completion of a task.

event pool. A set of events recognized by an activity. Each activity has its own event pool. The event pool is initialized when the activity is created and is deleted when the activity is deleted.

extended attribute. Additional information that the system or a program associates with an object. An extended attribute can be any format, such as text, a bitmap, or binary data.

external authentication C API. A C API that enables you to write custom authentication modules that replace or extend the functionality of the built-in authentication process. The identity information is returned through the authentication module interface. Contrast with external authentication HTTP interface.

external authentication HTTP interface. An interface that enables you to extend the functionality of the built-in authentication process to allow a remote service to handle the authentication process. The identity information in the HTTP response headers is used to generate user credentials. Contrast with external authentication C API.

external authorization service (EAS). An authorization API runtime plug-in that can be used to make application- or environment-specific authorization decisions as part of the authorization decision chain. Customers can develop these services using the authorization ADK.

Extensible Markup Language (XML). A standard meta-language for defining markup languages that is based on Standard Generalized Markup Language (SGML).

Extensible Stylesheet Language (XSL). A language for specifying style sheets for XML documents. XSL Transformation (XSLT) is used with XSL to describe how an XML document is transformed into another document. See also Extensible Stylesheet Language Transformation.

Extensible Stylesheet Language Transformation (XSLT). An XML processing language that is used to convert an XML document into another document in XML, PDF, HTML, or other format. See also Extensible Stylesheet Language.

F

file log agent. A log agent that writes events to a file. See also console log agent, pipe log agent, and remote log agent.

file transfer protocol (FTP). In the Internet suite of protocols, a protocol that can use Transmission Control Protocol (TCP) and Telnet services to transfer files between machines.

FTP. See file transfer protocol.

G

global sign-on (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Through a single login, global sign-on grants users access to the computing resources they are authorized to use. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single sign-on.

group. A named list of users by which access levels to corporate directories, databases, and servers are assigned. Two or more individual users who are categorized for the purpose of assigning database security settings; for example, administrators must assign individuals to groups before assigning roles.

GSO. See global sign-on.

H

host. A computer that is connected to a network and provides an access point to that network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See hypertext transfer protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display documents.

I

inheritance. An object-oriented programming technique that allows the use of existing classes as a basis for creating other classes.


Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks. IP acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.

IP. See Internet protocol.

IPC. See interprocess communication.

J

junction. A logical connection that is created to establish a path from one server to another.

K

KDC. See key distribution center.

Kerberos. An authentication system that enables two parties to exchange private information over an otherwise open network. It works by assigning a unique key, called a ticket, to each user that logs on to the network. The ticket is then embedded in messages that are sent over the network. The receiver of a message uses the ticket to authenticate the sender.

Kerberos ticket. A transparent application mechanism that transmits the identity of an initiating principal to its target. A simple ticket contains the identity, a session key, a timestamp, and other information that is sealed using a secret key.

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file (KDC). See key file.

key distribution center. In the Kerberos protocol, the central server, which includes the authentication server and the ticket-granting server. The KDC is sometimes referred to as the Kerberos server.

key file. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification. Because the private key holds more of the encryption pattern than the public key, the key pair is called asymmetric.

key ring. See key file.

keystore file. A key file that contains both public keys stored as signer certificates and private keys stored in personal certificates.

keytab file. See key table.

key table. In the Kerberos protocol, a file that contains service principal names and secret keys. The secret keys should be known only to the services that use the key table file and the key distribution center (KDC).

key-value pair. Information that is expressed as a paired set.

L

LDAP. See lightweight directory access protocol.

leaf node. A node that has no children below it in the directory tree.

lightweight directory access protocol (LDAP). An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.

lightweight third party authentication (LTPA). An authentication protocol that uses cryptography to support security across a set of Web servers in a distributed environment.

LTPA. See lightweight third party authentication.

M

management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.

management interface. The interface that a domain administrator can use to manage security policy. In Tivoli Access Manager, an administrator can use Web Portal Manager or the pdadmin commands to apply security policy to resources.


management server. Obsolete. See policy server.

master server. In a network environment, the server that has permissions to run commands on all other machines in the environment. The master server is designed to manage the network, clients, and resource objects in the network database. Contrast with replica server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

MPA. See multiplexing proxy agent.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode.

multiple tenancy server. A server that permits the hosting of multiple customers on a single server instead of multiple client machines. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N

namespace. (1) In XML, a uniform resource identifier (URI) that provides a unique name to associate with all the elements and type definitions in a schema. (2) Space reserved by a file system to contain the names of its objects.

network-based authentication. A protected object policy (POP) that controls access to objects based on the Internet protocol (IP) address of the user. See also protected object policy.

notification thread. The synchronization mechanism that the policy server uses to inform all database replicas of a change to the master policy database.

O

object. (1) In object-oriented design or programming, a concrete realization (instance) of a class that consists of data and the operations associated with that data. An object contains the instance data that is defined by the class, but the class owns the operations that are associated with the data. (2) Any digital content that a user can manipulate as a single unit and perform a task. An object can appear as text, an icon, or both. (3) A named storage space that consists of a set of characteristics that describe the space and, in some cases, data. An object is anything that occupies space in storage, can be located in a library or directory, can be secured, and on which defined operations can be performed. Some examples of objects are programs, files, libraries, and stream files.

object space. A virtual representation of the resources to be protected. See also namespace.

object type. A categorization or group of object instances that share similar behavior and characteristics.

P

PAC. See privilege attribute certificate.

PDCA. See Policy Director Certificate Authority.

permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.

pipe log agent. A log agent that writes events as standard input to another program. See also console log agent, file log agent, and remote log agent.

policy. A set of rules that are applied to managed resources.

policy database. The database that contains the security policy information for all resources in the domain. Each domain has its own policy database.

Policy Director Certificate Authority (PDCA). A trusted certificate that is created during the configuration of the policy server and that is used to sign all other Tivoli Access Manager certificates. A PDCA certificate is stored in the master policy database.

policy enforcer. A component of a resource manager that directs requests to the authorization service for processing after authorization is granted. Traditional applications bundle the policy enforcer and the resource manager as one process.

policy server. The Tivoli Access Manager component that maintains the master policy database, replicates this policy information throughout the secure domain, and updates database replicas whenever a change is made to the master policy database. The policy server also maintains location information about other Tivoli Access Manager and non-Tivoli Access Manager resource managers that are operating in the secure domain.


polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.

POP. See protected object policy.

portal. A single point of access to diverse information and applications. Users can customize and personalize a portal.

principal. (1) An entity that can communicate securely with another entity. (2) An authenticated user. A principal is identified by its associated security context, which defines its access rights.

private key. In computer security, a key that is known only to its owner. Contrast with public key.

privilege attribute certificate (PAC). A digital document that contains a principal's authentication and authorization attributes and a principal's capabilities.

privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice versa. These services could also be used to package or marshal a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these services using the authorization ADK. See also privilege attribute certificate.

protected object. The logical representation of an actual system resource that is used for applying ACLs and POPs and for authorizing user access. See also protected object policy and protected object space.

protected object policy (POP). A type of security policy that imposes additional conditions on the operation permitted by the ACL policy to access a protected object. It is the responsibility of the resource manager to enforce the POP conditions. See also ACL policy, authorization rule, protected object, and protected object space.

protected object space. The virtual object representation of actual system resources that is used for applying ACLs and POPs and for authorizing user access. See also protected object and protected object policy.

proxy server. A server that receives requests intended for another server and that acts on behalf of a client to obtain the requested service. A proxy server is often used when the client and the server are incompatible for direct connection. For example, a client cannot meet the security authentication requirements of the server but should be permitted some services.

public key. In computer security, a key that is made available to everyone. Contrast with private key.

Q

quality of protection. The level of data security, determined by a combination of authentication, integrity, and privacy conditions.

R

record. (1) The storage representation of a single row of a table or other data in a database. (2) A group of related data, words, or fields treated as a unit.

registry. The datastore that contains access and configuration information for users, systems, and software.

remote cache mode. An operational mode in which a resource manager uses the functions that are provided by the authorization API to communicate to the remote authorization server.

remote log agent. A log agent that sends events to a remote server for recording. See also console log agent, file log agent, and pipe log agent.

replica server. A server that contains a copy of the directory or directories of another server. Replicas back up master servers or other replica servers to enhance performance or response times and to ensure data integrity. Contrast with master server.

resource. A hardware, software, or data entity that is managed.

resource group. A group of resources that can include business objects such as contracts or a set of related commands. In access control policies, resource groups specify the resource to which the policy authorizes access.

resource manager. (1) An application, program, or transaction that manages and controls access to shared resources, such as memory buffers and data sets. (2) Any server or application that uses the authorization API to process client requests for access to resources.

resource object. The representation of an actual network resource, such as a service, file, or program.

response file. An ASCII file that can be customized with the setup and configuration data that automates an installation. The setup and configuration data has to be entered during an interactive installation, but with the response file, the installation can proceed without user interaction. See also silent installation.

role. A definition of the access permissions that a user or process has and the specific resources that the user or process can modify at those levels. Users and processes are limited in how they can access resources when that user or process does not have the appropriate role.


role activation. The process of applying access permissions to a role.

role assignment. The process of assigning a role to a user, such that the user has the appropriate access permissions for the object defined for that role.

root container object. The top-level container object in the hierarchy of resource objects.

root domain. Name servers that have authoritative control of all the top-level domains.

routing file. An ASCII file that contains commands that control the configuration of messages.

routing table. A collection of path information through which hosts or networks can communicate with each other.

RSA. A public-key encryption technology that was developed by RSA Data Security, Inc., and used by GSKit. The acronym stands for Rivest, Shamir, and Adleman, the inventors of this encryption technique.

RSA encryption. A system for public-key cryptography used for encryption and authentication. The security of the system depends on the difficulty of factoring the product of two large prime numbers.

rule. A set of logical statements that enable a server to recognize relationships among events and to perform automated responses accordingly.

rules evaluator. The component responsible for evaluating an authorization rule.

run time. The time period during which a computer program is running.

runtime environment. A subset of an application development kit (ADK) that contains the executable files and other supporting files that comprise the operational environment of the platform.

S

scalability. The ability of hardware, software, or a distributed system to maintain performance levels as it increases in size and increases in the number of users who access resources.

schema. The set of statements, expressed in a data definition language, that completely describes the structure of data that is stored in a database, directory, or file.

Secure Sockets Layer (SSL). A security protocol that provides communication privacy. SSL enables client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.

security context. The digitally signed token that identifies a principal, lists the roles and access rights for the principal, and contains information about when the token expires.

security management. The software discipline that addresses how an organization can control access to mission-critical applications and data.

security policy. (1) A written document that defines the security controls that you institute for your computer systems. A security policy describes the risks that you intend to minimize and the actions that should be taken if someone breaches your security controls. (2) In Tivoli Access Manager, the combination of ACL policies, authorization rules, and protected object policies attached to objects to make them protected objects. See also ACL policy, authorization rule, and protected object policy.

self-registration. The process by which a user can enter required data and become a registered user without the involvement of an administrator.

service. Work performed by a server. A service can be a simple request for data to be sent or stored (as with file servers, HTTP servers, or e-mail servers), or it can be for more complex requests (as with print servers or process servers). See also daemon.

session. A series of requests to a server or application that originate from the same user at the same browser.

silent installation. An installation that does not send messages to the console but instead stores messages and errors in log files. Also, a silent installation can use response files for data input. See also response file.

single sign-on (SSO). The mechanism that allows a user to log on once and access multiple applications through a single authorization challenge. Using SSO, a user does not need to log on to each application separately. See also global sign-on.

SSL. See Secure Sockets Layer.

SSO. See single sign-on.

stanza. A group of lines in an ASCII file that together have a common function or define a part of a system. Stanzas are usually separated by blank lines or colons, and each stanza has a name.

stash file. The local copy of the master key file that resides in an encrypted format on the local disk.

step-up authentication. A protected object policy (POP) that relies on a preconfigured hierarchy of authentication levels and enforces a specific level of authentication according to the policy set on a resource. The step-up authentication POP does not force the user to authenticate using multiple levels of authentication to access any given resource, but it requires the user to authenticate at a level at least as high as that required by the policy protecting a resource. See also protected object policy.

suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

ticket. See Kerberos ticket.

token. A sequence of bits (symbol of authority) that is passed successively along a transmission medium from one device to another to indicate the device that is temporarily in control of the transmission medium. Each device can acquire and use the token to control the medium.

trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA). See also Secure Socket Layer.

U

uniform resource identifier (URI). The character string used to identify an abstract or physical resource on the Internet. A URI typically describes how to access the resource, the computer that contains the resource, and the name of the resource. The most common form of URI is the Web page address, which is a particular subset of URI called uniform resource locator (URL). See also uniform resource locator.

uniform resource locator (URL). A character string that represents resources on a computer or in a network, such as the Internet. The URL includes the abbreviated name of the protocol used to access the information resource and the information used by the protocol to locate the resource.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

Web resource. Any one of the resources that are created during the development of a Web application; for example, Web projects, HTML pages, JSP files, servlets, custom tag libraries, and archive files.

WebSEAL. A high performance, multi-threaded reverse proxy Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

Web session. See session.

WPM. See Web Portal Manager.

X

XML. See Extensible Markup Language.

XML transform. A standard that uses XSL stylesheets to transform XML documents into other XML documents or fragments or to transform XML documents into HTML documents.

XSL. See Extensible Stylesheet Language.

XSL stylesheet. Code that describes how an XML document should be rendered (displayed or printed).

XSLT. See Extensible Stylesheet Language Transformation.


Index

Special characters
    .kdb key database file 475, 482, 501, 504
    .sth stash file 475, 502, 505

A
Access Manager ADK
    overview 8
Access Manager Plug-in for Edge Server
    overview 8
Access Manager Plug-in for Web Servers
    overview 8
Access Manager Runtime
    Active Directory configuration options 382
    configuration options 408
    Domino configuration options 389
    installation directory 379, 383
    installing on AIX 193
    installing on HP-UX 194
    installing on Linux 195
    installing on Solaris 197
    installing on Solaris on x86_64 197
    installing on Windows 199
    installing using the wizard 191
    LDAP configuration options 378
    pdconfig options (Active Directory) 451
    pdconfig options (Domino) 455
    pdconfig options (LDAP) 448
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Access Manager Runtime for Java
    configuration options 397
    configuration type 459
    installation components 16
    installing on AIX 175
    installing on HP-UX 176
    installing on Linux 177
    installing on Solaris 178
    installing on Solaris on x86_64 178
    installing on Windows 180
    installing using native utilities 175
    installing using the wizard 173
    overview 6
    pdconfig options 459
    setting up 173
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Access Manager Session Management Command Line
    See session management command line
Access Manager Session Management Server
    See session management server
Access Manager Web Security Runtime
    overview 8
Access Manager WebSEAL
    overview 8
access, HTTP 471
access, HTTPS 471
accessibility xiii
Active Directory
    administrator ID 384, 453
    administrator password 384, 453
    configuration considerations 114
    configuring SSL 488
    creating a domain 115
    creating an administrative user 118
    data location distinguished name 388
    data location distinguished name * 453
    documentation 114
    domain controller host name 386, 451
    joining a domain 116
    multiple domains 386, 451
    pdconfig runtime options 451
    registry 13, 382, 451
    replicating 119
    runtime configuration options 382
    setting up 114
Active Directory Application Mode
    configuring SSL 491
    management domain location for 140
    registry 14
activedir.conf 454
ADK
    Access Manager ADK 8
    Access Manager component 5
    configuration options 396
    installing an ADK on AIX 164
    installing an ADK on HP-UX 165
    installing an ADK on HP-UX on Integrity 165
    installing an ADK on Linux 167
    installing an ADK on Solaris 168
    installing an ADK on Solaris on x86_64 168
    installing an ADK on Windows 170
    installing using a wizard 163
    installing using the native utilities 164
    setting up a development system 163
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 354
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
    uninstalling on Windows 358
ADK development system
    installation components 15
ADK, WebSEAL
    configuration options 430
administration IDs
    required for DB2 362
administration request port 458, 467

administrative user
    creating for Lotus Domino 110
    creating for Microsoft Active Directory 118
administrator
    ID for management domain 458, 461, 462, 464, 465, 467, 471
    IDS (Tivoli Directory Server) 364
    LDAP DN 374
    LDAP password 374
    local ID 457
    local password 457
    password 364, 373
    sec_master password 373
administrator DN
    setting
        Instance Administration Tool 93
administrator ID
    Active Directory 384, 453
    ID for management domain 470
administrator IDs
    required for Tivoli Access Manager 30
administrator IDs, required
    db2admin (Windows) 59
    ldapdb2 (UNIX) 59
administrator password
    Active Directory 384, 453
    setting
        Instance Administration Tool 93
AIX
    installing a development (ADK) system 164
    installing a policy proxy server 183
    installing Access Manager Runtime 193
    installing Access Manager Runtime for Java 175
    installing GSKit 312
    installing IBM Java Runtime 318
    installing IBM Tivoli Directory Server 62
    installing language packages 39
    installing session management command line 298
    installing session management server 285
    installing the attribute retrieval service 220
    installing the authorization server 155
    installing the plug-in for Apache Web Server 242
    installing the plug-in for Edge Server 226
    installing the plug-in for IBM HTTP Server 247
    installing the plug-in for Sun Java System Web Server 254
    installing the policy server 142
    installing the Tivoli Directory Server client 327
    installing the Web security development (ADK) 261
    installing Tivoli Security Utilities 323
    installing Web Administration Tool 338
    installing Web Portal Manager 204
    installing WebSEAL 269
    installing WebSphere Application Server 333
    setting the EXTSHM environment variable 241, 243, 248
    uninstalling components 351
am_key.kdb sample key file 58, 360, 369
amauditcfg utility 548
amldif2V6 command 138
amwebcfg utility 552
amwpmcfg utility 557
Apache Web Server
    installation components 18
application server definition 522
ARS
    See attribute retrieval service
attribute retrieval service
    configuration options 434
    installation components 17
    installing on AIX 220
    installing on HP-UX 221
    installing on Linux 222
    installing on Solaris 223
    installing on Windows 223
    installing using native utilities 220
    installing using the wizard 219
    local host name 457
    overview 8
    pdconfig options 457
    setting up 219
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Windows 358
Attribute Retrieval Service
    uninstalling on AIX 352
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
auditing
    configuring 548
    starting 548
    stopping 548
authentication
    server 480
    server and client 480, 504
authority object 495
authorization policy updates
    listening port number 464
authorization request
    port number 458
authorization request port 458
authorization server
    configuration options 392
    installation components 15
    installing on AIX 155
    installing on HP-UX 156
    installing on HP-UX on Integrity 156
    installing on Linux 158
    installing on Solaris 159
    installing on Solaris on x86_64 159
    installing on Windows 161
    installing using native utilities 155
    installing using the wizard 154
    local host name 458
    overview 5
    pdconfig options 458
    setting up 153
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
    uninstalling on Windows 358

B
backing up database
    idsdbback command 99
base components
    Access Manager License 7
    Access Manager Runtime for Java 6
    Application Development Kit 5
    authorization server 5
    policy proxy server 5
    policy server 6
    runtime 6
    Tivoli Security Utilities 7
    Web Portal Manager 7

base system installation 53
base systems
    options files 607
bassslcfg
    add replica (deprecated) 561
    change password 561
    change replica (deprecated) 561
    configure 561
    get certificate 561
    get management domain 561
    modify 561
    ping server 561
    remove replica (deprecated) 561
bassslcfg utility 561
books
    see publications ix, xii

C
CARS
    See Common Audit Web service
certificate
    server 498, 499
Certificate Authority
    adding a signer certificate 477, 502, 506, 508
    receiving personal certificate 476, 506
    requesting personal certificate 476, 505
certificate authority object 495
certificate file, pdcacert.b64 144
certificate label
    SSL key file 373
certificate label, SSL 453, 472
certificate lifecycle, SSL 373
certificates
    creating authority object 495
    exporting on Active Directory server 488
    extracting self-signed for Novell eDirectory server 496
    importing on LDAP client system 489
    lifecycle 465
    signer 497
client authentication, LDAP 504
client certificate label 453, 472
client key file 463
client system, LDAP 489
cluster resources 518
cluster topology 516
cn=root LDAP administrator DN 374
code sets
    file directory locations 50
    language support 50
command line
    IBM Tivoli Directory Server 104
commands
    amldif2V6 138
    gskkyman 486
    ibmdirctl 481, 483
    idscfgdb 98
    idscfgsuf 100
    idsdiradm 481
    idsidrop 350
    idsldapmodify 481
    idsldapsearch 482, 509
    idsslapd 481
    install_amwebadk 259
    install.exe 337
    installp (AIX)
        plug-in for Apache Web Server 242
        plug-in for Edge Server 226
        plug-in for IBM HTTP Server 247
        plug-in for Sun Java System Web Server 254
        Web security development (ADK) 261
    ivrgy_tool.exe 130
    locale 47, 55
    pdconfig 447
    pkgadd (Solaris on x86_64) 187
    pkgadd (Solaris) 187
        plug-in for Apache Web Server 245
        plug-in for Edge Server 228
        plug-in for IBM HTTP Server 250
        plug-in for Sun Java System Web Server 256
        Web security development (ADK) 264
    pkmspasswd 107
    ps 132
    rpm (Linux) 249, 263
        plug-in for Apache Web Server 244
        plug-in for Edge Server 227
    setup.exe (Windows) 188
        plug-in for Edge Server 230
        plug-in for Internet Information Services 253
        Web security development (ADK) 265
    startServer 101
    startServer.bat 343
    swinstall (HP-UX)
        Web security development (ADK) 262
commands (Tivoli Directory Server)
    ibmdiradm 101
    idscfgdb 98
    idsldapadd 105
    idsucfgdb 349
    idsxcfg 96, 349
    idsxinst 350
    ldapmodify 108
commands, configuration 547
    amwpmcfg 203
    pdjrtecfg 203
commands, installation
    gsk7ikm (GSKit) 311
    install_amacld 154
    install_amadk 163
    install_amjrte 173
    install_ammgr 141
    install_amproxy 181
    install_amrte 191
    install_amsms 282
    install_amsmscli 296
    install_amweb 267
    install_amwebars 219
    install_amwpi 241
    install_amwpm 201
    install_ldap_server 57
Common Audit Web service
    configuring 548
    unconfiguring 548
common problems
    reporting
        describing problem 648
        determining business impact 647
        gathering information 648
        submitting problems 648

Index 667

components
    required for Tivoli Access Manager 15
    Tivoli Access Manager base 5
    Tivoli Access Manager prerequisites 10
    Tivoli Access Manager Web security 8
    unconfiguring for Tivoli Access Manager 348
configuration
    HACMP example 515
    SSL for Tivoli Directory Server 474
    Tivoli Access Manager for LDAP 106
    Tivoli Directory Server for Tivoli Access Manager 100
configuration commands 547
configuration considerations
    Microsoft Active Directory 114
configuration files
    activedir.conf 454
    httpd.conf 205
    ibmproxy.conf 227
    osdef.conf 232
    pdwebpi.conf 242
    slapd.conf 485
    Web servers on UNIX 462
configuration options
    Access Manager Runtime 408
    Access Manager Runtime (Active Directory) 451
    Access Manager Runtime (Domino) 455
    Access Manager Runtime (LDAP) 448
    Access Manager Runtime for Java 397, 459
    Active Directory 382
    attribute retrieval service 434, 457
    authorization server 392, 458
    development (ADK) 396
    Domino 389
    LDAP 378
    pdconfig 447
    Plug-in for Edge Server 461
    plug-in for Web Servers 435
    Plug-in for Web Servers on UNIX 462
    Plug-in for Web Servers on Windows 464
    policy proxy server 404, 467
    policy server 399, 465
    session management command line 420
    session management server 409
    Tivoli Directory Server 442
    Web Portal Manager 439, 468
    Web Security ADK 430
    WebSEAL 424, 471
configuration type, JRE 459
configuration, plug-in for Edge Server
    object space model 235
    overview 231
    server concepts 233
    server model 232
    single sign-on model 236
    summarizing for Edge Server 237
configure
    smscfg utility 594
configuring database
    Configuration Tool 97
connection timeout 465
connections, encrypted 386, 451
considerations
    Microsoft Active Directory 114
console mode installation 25
conventions
    typeface xiv
creating
    standby policy server 523
creation
    Microsoft Active Directory administrative user 118
    Microsoft Active Directory domain 115
customer support
    contacting 647
    obtaining fixes 645
    receiving updates from 646
    registering with 646
    searching information centers 645
    searching knowledge bases 645
    searching the Internet 645
    submitting problems 648

D
data location distinguished name 388, 453
database
    configuring
        idscfgdb command 98
        Instance Administration Tool 92
database instance owner
    creating 59
    requirements 59
database name 98
    Tivoli Access Manager 391, 455
database owner
    creating 59
    requirements 59
database owner ID, DB2 362
database, backing up
    idsdbback command 99
database, configuring
    Configuration Tool 97
DB2
    administration ID 362
    database owner ID 362
    uninstalling on AIX 352
    uninstalling on HP-UX 354
    uninstalling on HP-UX on Integrity 354
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
defaults
    port numbers 33
deployment
    planning for 3
deprecated
    bassslcfg -chg_replica 561
    bassslcfg -rmv_replica 561
    bassslcfg -add_replica 561
development (ADK) system
    setting up 163, 259
directives for languages 49
directories
    primary HACMP server 530
    standby HACMP server 533
directory name
    common log file location 460
directory names
    Access Manager Runtime 379, 383
    IBM Global Security Kit 378, 382
    IBM Tivoli Directory Server client 378, 382
    IBM Tivoli Security Utilities 378, 383
    Tivoli Common Directory 379, 454

directory names, notation xv
directory server instance
    backup 99
    configuring a database 98
    configuring a suffix 99
    configuring database 97
    creating with Instance Administration Tool 87
    removing 350
    setting administrator DN and password 96
directory server instance owner
    creating 59
    requirements 59
Directory Server Web Administration Tool 11
distinguished name
    Active Directory 388
    Active Directory data location 453
    LDAP administrator 374
DN
    See distinguished name
doAudit stanza entry 548
documentation
    IBM TAM Language Support for AIX 64
    IBM TAM Language Support for HP-UX 64
    IBM TAM Language Support for Linux 75
    IBM Tivoli Directory Server 54
    IBM z/OS LDAP Server 108
    Microsoft Active Directory 114
    Novell eDirectory 127
    Sun Java System Directory Server 132
domain
    creating for Microsoft Active Directory 115
    joining for Microsoft Active Directory 116
domain controller host name 386, 451
    Active Directory 451
domain name
    Active Directory 451
domains
    administrator ID 458, 461, 462
    authorization server 458
    multiple, Active Directory 386, 451
    policy server 459
    Tivoli Access Manager 380, 449
Domino
    Access Manager Runtime pdconfig options 455
    registry 389, 455
    runtime configuration options 389
    server name 391, 455

E
Edge Server
    pdconfig options (UNIX) 461
    port number 461, 462
    Web Traffic Express 461
education
    see Tivoli technical training xiii
enabling
    FIPS 483
enabling SSL 473
encrypted connections 386, 451
encryption salt
    specifying 91
encryption seed
    specifying 90
environment scenario, HACMP 513
environment variables 46
environment variables, notation xv
examples
    HACMP configuration 515
    primary HACMP server 530
    standby HACMP server 533

F
Federal Information Processing Standard
    See FIPS
files
    java.security 316
    key database (.kdb) 475, 482, 501, 504
    LDAP SSL client key file 463
    PDMdata.nsf 391, 455
    stash (.sth) 475, 502, 505
FIPS
    enabling access on the LDAP server 483
    overview 10
fixes, obtaining 645

G
Global Security Kit
    See GSKit
graphical mode installation 23
groups
    required for Tivoli Access Manager 30
groups, required
    idsldap 60
gsk7ikm (GSKit) command 311
GSKit
    iKeyman 22
    installing 311
    installing on AIX 312
    installing on HP-UX 312
    installing on HP-UX on Integrity 312
    installing on Linux 313
    installing on Solaris 314
    installing on Solaris on x86_64 314
    installing on Windows 315
    overview 10
    setting up iKeyman utility 315
    uninstalling on AIX 351
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 354
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
gskkyman command 486

H
HACMP
    configuration example 515
    creating a standby policy server 523
    environment scenario 513
    linking files and directories 529
    linking from AIX files to shared directory 532
    preinstallation requirements 512
    setting UIDs 527
    setting up a standby policy server 511
    topology, application server definition 522
    topology, cluster resources 518
    topology, overall cluster 516
    verifying for primary server 530
    verifying for standby server 533

High Availability Cluster Multiprocessing
    See HACMP
host name
    attribute retrieval service 457
    LDAP server 372, 380, 448
    local 364
    policy server 380, 449, 458, 459, 467
    policy server (Active Directory) 385, 452
    policy server (Domino) 390, 456
    WebSEAL 471
host name, local
    attribute retrieval service 457
    authorization server 458
    policy proxy server 467
HP-UX
    installing a development (ADK) system 165
    installing a policy proxy server 184
    installing Access Manager Runtime 194
    installing Access Manager Runtime for Java 176
    installing GSKit 312
    installing IBM Java Runtime 319
    installing IBM Tivoli Directory Server 67
    installing language packages 40
    installing session management command line 299
    installing session management server 286
    installing the attribute retrieval service 221
    installing the authorization server 156
    installing the policy server 144
    installing the Tivoli Directory Server client 328
    installing the Web security development (ADK) 262
    installing Tivoli Security Utilities 323
    installing Web Administration Tool 339
    installing Web Portal Manager 206
    installing WebSEAL 270
    installing WebSphere Application Server 334
    uninstalling components 353
HP-UX on Integrity
    installing a development (ADK) system 165
    installing a policy proxy server 184
    installing GSKit 312
    installing IBM Java Runtime 319
    installing IBM Tivoli Directory Server 67
    installing language packages 40
    installing the authorization server 156
    installing the policy server 144
    installing the Tivoli Directory Server client 328
    installing the Web security development (ADK) 262
    installing Web Administration Tool 339
    installing WebSEAL 270
    installing WebSphere Application Server 334
    uninstalling components 353
HTTP
    access 471
    port 471
httpd.conf 205
HTTPS
    access 471
    port 471

I
IBM DB2
    configuration options 363
IBM Global Security Kit
    installation directory 378, 382
IBM Global Security Kit (GSKit)
    See GSKit
IBM HTTP Server
    uninstalling on AIX 352
    uninstalling on HP-UX 354, 358
    uninstalling on Linux 356
    uninstalling on Solaris 357
IBM Java Runtime
    See also JRE
    installing 318
    installing on AIX 318
    installing on HP-UX 319
    installing on HP-UX on Integrity 319
    installing on Linux 320
    installing on Solaris 321
    installing on Solaris on x86_64 321
    installing on Windows 321
    pdconfig options 459
IBM Network Authentication Service Toolkit 12
IBM Tivoli Configuration Manager
    See Tivoli Configuration Manager
IBM Tivoli Directory Integrator
    for idssupport tool 65, 69, 75, 80, 86
    for log management tool 65, 69, 75, 80, 86
    for SNMP 65, 69, 75, 80, 86
IBM Tivoli Directory Server
    See Tivoli Directory Server
    command line 104
    configuration options 364
    installation components 16
    installation on AIX 62
    installation wizard 57
    installing on HP-UX 67
    installing on HP-UX on Integrity 67
    installing on Linux 72
    installing on Solaris 78
    language support packages (one required) 39
    native utilities 58
    overview 11
    registry 13
    setup 54
    Web Administration Tool 101
IBM Tivoli Directory Server client
    See also Tivoli Directory Client
    See also Tivoli Directory Server client
    installation directory 378, 382
IBM Tivoli Directory Server interface
    See Web Administration Tool
IBM Tivoli Security Utilities
    See Tivoli Security Utilities
    installation directory 378, 383
IBM WebSphere Application Server
    See WebSphere Application Server
IBM z/OS
    configuring SSL 485
    creating key database file 486
IBM z/OS LDAP Server
    adding suffixes 106
    configuring Tivoli Access Manager for LDAP 106
    documentation 108
    native authentication 107
    registry 13
    setting up 105
    updating schema files 106

ibmdiradm command 101
ibmdirctl command 481, 483
ibmproxy.conf configuration file 227
idscfgdb 98
idscfgdb command 98
idscfgsuf 100
idsdbback command 99
idsdiradm command 481
idsidrop 350
idsldap group 60
idsldapadd command 105
idsldapmodify command 481
idsldapsearch command 482, 509
idsslapd command 481
idssupport tool
    requirement for IBM Tivoli Directory Integrator 65, 69, 75, 80, 86
idsucfgdb command 349
idsxcfg command 96, 349
idsxinst command 350
iKeyman 22
iKeyman utility
    setting the environment variable 322
    setting up 315
information centers, searching 645
install_amacld 23
install_amacld command 154, 392
install_amadk 24
install_amadk command 163, 396
install_amjrte 24
install_amjrte command 173, 397
install_ammgr 24
install_ammgr command 141, 369, 399
install_amproxy 24
install_amproxy command 181, 404
install_amrte 24
    Active Directory 382
install_amrte command 191, 408
    configuring, runtime for Active Directory 382
    configuring, runtime for Domino 389
    configuring, runtime for LDAP 378
install_amsms 24
install_amsms command 282, 409
install_amsmscli 24
install_amsmscli command 296, 420
install_amweb command 24, 267, 424
install_amwebadk command 24, 259, 430
install_amwebars command 24, 219, 434
install_amwpi command 24, 241, 435
install_amwpm 24
install_amwpm command 201, 439
install_ldap_server 23, 24, 53
install_ldap_server command 57, 360, 361, 442
install.exe command 337
installation
    base components 5
    base system 53
    default port numbers 33
    IBM Tivoli Directory Server language support 39
    language support 37
    methods 23
    overview 3
    planning for 1
    process 21
    session management system 279
    Tivoli Access Manager components 5
    using the native utilities 26
    using the wizard 23
    using Tivoli Configuration Manager 26
    Web security components 8
    Web security system 219
installation commands
    IBM Tivoli Directory Server pkgadd 78
    IBM Tivoli Directory Server rpm 72
    install_ldap_server 53
    installp 39, 62
    swinstall 40
    swinstallp 40
installation components
    Access Manager Runtime 16
    Access Manager Runtime for Java 16
    attribute retrieval service 17
    authorization server 15
    development (ADK) system 15
    IBM Tivoli Directory Server 16
    plug-in for Apache Web Server 18
    plug-in for Edge Server 18
    plug-in for IBM HTTP Server 18
    plug-in for IIS 18
    plug-in for Sun ONE Web Server 19
    policy proxy server 16
    policy server 16
    session management command line 20
    session management server 19
    Web Portal Manager 16
    Web security development (ADK) 17
    WebSEAL 17
installation modes
    console 25
    graphical 23
    interactive 25
    response file 25
    silent 25
    text-based 25
installation packages
    AIX 64, 66
installation path
    default, Windows 83
installation scenarios
    install_ammgr wizard 369
    install_ldap_server wizard 360
installation utilities
    install_amacld 23
    install_amadk 24
    install_amjrte 24
    install_ammgr 24
    install_amproxy 24
    install_amrte 24
    install_amsms 24
    install_amsmscli 24
    install_amweb 24
    install_amwebadk 24
    install_amwebars 24
    install_amwpi 24
    install_amwpm 24
    install_ldap_server 23, 24
installation wizards
    attribute retrieval service 219
    install_amacld 154, 392
    install_amadk 163, 396
    install_amjrte 173, 397
    install_ammgr 141, 369, 399
    install_amproxy 404
    install_amrte 408
    install_amrte (Active Directory) 382
    install_amrte (Domino) 389
    install_amrte (LDAP) 378
    install_amsms 409
    install_amsmscli 420
    install_amweb 424
    install_amwebadk 430
    install_amwebars 434
    install_amwpi 435
    install_amwpm 439
    install_ldap_server 57, 360, 361, 442
    installing Access Manager Runtime 191
    installing the policy proxy server 181
    installing the session management server 282
    plug-in for Web servers 241
    session management command line 296
    Web Portal Manager 201
    Web security development (ADK) 259
    WebSEAL 267

installation wizards options
    Access Manager Runtime (Active Directory) 382
    Access Manager Runtime (Domino) 389
    Access Manager Runtime (LDAP) 378
    authorization server 392
    development (ADK) 396
installations
    silent 607
installing
    IBM Java Runtime 318
    IBM Tivoli Directory Server client 327
    IBM Tivoli Directory Server, native utilities 58
    policy server on HP-UX 144
    policy server on HP-UX on Integrity 144
    Web Administration Tool 338
    WebSphere Application Server 333
installp (AIX) command
    plug-in for Edge Server 226
    plug-in for IBM HTTP Server 242, 247
    plug-in for Sun Java System Web Server 254
    Web security development (ADK) 261
installp command
    IBM Tivoli Directory Server 62
    installing language packages 39, 40
Instance Administration Tool
    description 87
instance name, WebSEAL 471
instance, directory server
    creating 87
    creating with Instance Administration Tool 87
    removing 350
interactive installation 25
internationalization
    code sets 50
    IBM Tivoli Directory Server language support 39
    installing language support 37
    LANG variable 47
    languages supported 36
    locale environment variables 46
    locale variants 48
    message catalogs 49
    uninstalling language support 44
    Windows LANG variable 48
Internet, searching 645
iPlanet Directory Server
    See Sun Java System Directory Server
ivrgy_tool utility 569
ivrgy_tool.exe 130

J
Java Runtime Environment
    configuration type 459
    IBM Java Runtime 318
    path name 459
    pdconfig options 459
Java virtual machine 361
java.security file for iKeyman 316
join
    Microsoft Active Directory domain 116
JRE
    See also Java Runtime Environment
    IBM Java Runtime 11
JVM
    See Java virtual machine

K
key database file
    creating for LDAP clients 504
    creating for LDAP server 486
    creating for LDAP servers 474, 501
key file am_key.kdb 58, 360, 369
knowledge bases
    information centers 645
    searching 645
    the Internet 645

L
label
    SSL client certificate label 463
LANG environment variable 46
    UNIX 47
    Windows 48
language directives 49
language settings 46
language support
    code sets 50
    Common Auditing and Reporting Service 37
    IBM Tivoli Directory Server 39
    installation packages 37
    locale names for UNIX 47
    locale names for Windows 48
    locale variables 46
    locale variants, implementing 48
    message catalogs 49
    overview 36
    uninstallation 44
language support documentation
    AIX 64
    HP-UX 64
    Linux 75
LDAP
    Access Manager Runtime pdconfig options 448
    client key file 472
    importing certificate on client system 489
    registry 378, 448

LDAP administrator 374
LDAP data format
    converting from standard to minimal 138
    minimal 137
    standard 138
LDAP server
    configuring SSL 504
    enabling FIPS 483
    host name 372, 380, 448
    port 372
    port number 380, 449
    SSL port number 463
LDAP Server
    SSL client key file 463
LDAP_ADMINLIMIT_EXCEEDED 638
ldapmodify command 108
ldp Windows Support tool 488
license
    overview 7
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
    uninstalling on Windows 358
lifecycle, certificates 465
linking, HACMP
    primary system files and directories 529
    standby system files and directories 532
Linux
    code set file location 50
    installing a development (ADK) system 167
    installing a policy proxy server 185
    installing Access Manager Runtime 195
    installing Access Manager Runtime for Java 177
    installing GSKit 313
    installing IBM Java Runtime 320
    installing IBM Tivoli Directory Server 72
    installing session management command line 301
    installing session management server 287
    installing the attribute retrieval service 222
    installing the authorization server 158
    installing the plug-in for Apache Web Server 244
    installing the plug-in for Edge Server 227
    installing the plug-in for IBM HTTP Server 249
    installing the policy server 146
    installing the Tivoli Directory Server client 329
    installing the Web security development (ADK) 263
    installing Tivoli Security Utilities 324
    installing Web Administration Tool 340
    installing Web Portal Manager 208
    installing WebSEAL 272
    installing WebSphere Application Server 335
    LANG variable 47
    language support package location 44
    message catalogs 49
    text encoding 50
    uninstall language support packages 44
    uninstalling components 354
listening port
    authorization policy updates 464
    Edge Server 462
    policy server (Active Directory) 385, 452
    policy server (Domino) 390, 456
    WebSEAL 471
listening port, SSL
    registry server 387, 449, 452
local administrator ID 457
local host name 364
    attribute retrieval service 457
    authorization server 458
    policy proxy server 467
locale 47, 55
locale environment variables 46
locale names
    UNIX 47
    Windows 48
locale variants 48
log files
    msg__ldaps_install.log 368
log management tool
    requirement for IBM Tivoli Directory Integrator 65, 69, 75, 80, 86
logical network interface 471
look-through limit 638
Lotus Domino
    creating a Tivoli Access Manager administrative user 110
    installing a Lotus Notes client 112
    registry 13
    setting up 108
Lotus Notes client
    installing on Tivoli Access Manager system 112

M
management domain 4, 380, 449
management domain creation 21
Management Domains 138
    creating 139
    location for Active Directory Application Mode registry 140
manuals
    see publications ix, xii
message catalog
    internationalization 49
    language directories 49
methods of installation 23
mgrsslcfg
    change certificate 572
    change password 572
    configure 572
    modify 572
Microsoft Active Directory
    See Active Directory
Microsoft Active Directory Application Mode
    See ADAM
    setting up 119
msg__ldaps_install.log file 368
multiple Active Directory domains 386, 451

N
native authentication
    IBM z/OS LDAP Server 107
    Lotus Domino 110
native installation
    overview 26
native utilities
    attribute retrieval service 220
    IBM Tivoli Directory Server 58
    installing a development (ADK) system 164
    installing Access Manager Runtime for Java 175
    installing session management server 285
    installing the authorization server 155
    installing the policy proxy server 182
    installing the policy server 142
    installing Tivoli Access Manager runtime 193
    installing, session management command line 298
    plug-in for Web servers 242
    Web Portal Manager 203
    Web security development (ADK) 260
    WebSEAL 269

NLSPATH environment variable 49node name

attribute retrieval service 457non-SSL port 365notation

environment variables xvpath names xvtypeface xv

Notes clientpassword 391, 455

Novell eDirectorydocumentation 127registry 14setting up 127

Novell eDirectory serverconfiguring SSL 495creating organizational certificate authority object 495extracting a self-signed certificate 496

Oobject space configuration model 235ObjectGrid 280online publications

accessing xiioptions files

base system 607prerequisite system 607session management system 609

ordering publications xiiiorganizational certificate authority object 495osdef.conf configuration file 232overall cluster topology 516overview

Access Manager ADK 8Access Manager License 7Access Manager Plug-in for Edge Server 8Access Manager Plug-in for Web Servers 8Access Manager Runtime 6Access Manager Runtime for Java 6Access Manager WebSEAL 8ADK 5attribute retrieval service 8authorization server 5FIPS 10GSKit 10IBM Java Runtime 11IBM Tivoli Directory Server 11installation 3installation wizards 23languages supported 36policy proxy server 5policy server 6secure domain 4session management command line 9

overview (continued)session management server 9Tivoli Directory Server client 11Tivoli Security Utilities 7Web Administration Tool 11Web Portal Manager 7Web security runtime 8WebSphere Application Server 12

Ppackages

attribute retrieval service 220for language 37IBM Global Security Kit (GSKit) 10, 311IBM Java Runtime 318IBM Tivoli Directory Server client 327IBM Tivoli Directory Server language support 39language support 37plug-in for Web servers 242Tivoli Access Manager runtime 193Tivoli Security Utilities 323uninstalling language support 44Web Administration Tool 338Web security components 8WebSphere Application Server 333

packages, installationAIX 64, 66

Password policyLDAP 637

passwordsActive Directory 384, 453administrator confirmation 373LDAP administrator 374Notes client 391, 455sec_master 373SSL key file 365Tivoli Directory Server 364

path nameJava Runtime Environment 459Web Servers (UNIX) 462

path names, notation xvpdbackup utility 574pdcacert.b64 certificate file 144pdconfig command

Access Manager Runtime (LDAP) 448pdconfig configuration command 447pdconfig configuration utility 193pdconfig options

Access Manager Runtime for Java 459attribute retrieval service 457authorization server 458Plug-in for Edge Server 461Plug-in for Web Servers on UNIX 462Plug-in for Web Servers on Windows 464policy proxy server 467policy server 465Web Portal Manager 468WebSEAL 471

pdconfig utility 578installing a development (ADK) system 164

pdinfo utility (deprecated)See pdbackup

pdjrtecfgconfiguring Java runtime component 579

PDMdata.nsf file 391, 455, 462pdproxycfg utility 583

674 Tivoli Access Manager Installation Guide

pdsmsclicfg
    configure 586
pdversion utility 589
pdwebpi.conf configuration file 242
pdwpicfg utility 591
permissions
    primary HACMP server 530
    standby HACMP server 533
personal certificates
    Tivoli Directory Server 476, 505
pkgadd (Solaris on x86_64) command 187
pkgadd (Solaris) command 187
    plug-in for Apache Web Server 245
    plug-in for Edge Server 228
    plug-in for IBM HTTP Server 250
    plug-in for Sun Java System Web Server 256
    Web security development (ADK) 264
pkgadd command 78
pkmspasswd command 107
planning for deployment 3
planning for installation 1
plug-in for Apache Web Server
    installing on AIX 242
    installing on Linux 244
    installing on Solaris 245
    uninstalling on Linux 355
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
plug-in for Edge Server
    configuration overview 231
    configuration procedure 237
    installation components 18
    installing on AIX 226
    installing on Linux 227
    installing on Solaris 228
    installing on Windows 230
    object space configuration model 235
    preinstallation requirements 225
    server configuration concepts 233
    server configuration model 232
    setting up 225
    single sign-on configuration model 236
Plug-in for Edge Server
    pdconfig options 461
plug-in for IBM HTTP Server
    installation components 18
    installing on AIX 247
    installing on Linux 249
    installing on Solaris 250
    installing on Windows 252
    uninstalling on AIX 352
    uninstalling on Linux 355
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
plug-in for IIS
    installation components 18
plug-in for Internet Information Services
    installing on Windows 253
    uninstalling on Windows 358
plug-in for Sun Java System Web Server
    installation components 19
    installing on AIX 254
    installing on Solaris 256
    uninstalling on AIX 352
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
plug-in for Web servers
    installing using native utilities 242
    installing using the wizard 241
    setting up 239
    uninstalling on AIX 353
    uninstalling on HP-UX 354
    uninstalling on Linux 356
    uninstalling on Solaris 357
    uninstalling on Windows 358
plug-in for Web Servers
    configuration options 435
    preinstallation requirements 239
    uninstalling on AIX 352
    uninstalling on Windows 358
Plug-in for Web Servers
    pdconfig options (UNIX) 462
    pdconfig options (Windows) 464
    uninstalling on Linux 355
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
plug-ins
    for Apache Web Server 24
    for Apache Web Servers 18
    for Edge Server 8, 18
    for IBM HTTP Server 18, 24
    for IIS 18, 24
    for Sun ONE Web Server 19, 24
    for Web Servers 8
policy proxy server
    configuration options 404
    installation components 16
    installing on AIX 183
    installing on HP-UX 184
    installing on HP-UX on Integrity 184
    installing on Linux 185
    installing on Solaris 187
    installing on Solaris on x86_64 187
    installing on Windows 188
    installing using native utilities 182
    installing using the wizard 181
    local host name 467
    overview 5
    pdconfig options 467
    setting up 181
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356, 357
    uninstalling on Windows 358
policy server
    configuration options 399
    creating a standby 523
    domain information 459
    host name 380, 449, 458, 459, 467
    host name (Active Directory) 385, 452
    host name (Domino) 390, 456
    installation components 16
    installation scenario 369
    installing on AIX 142
    installing on HP-UX 144
    installing on HP-UX on Integrity 144
    installing on Linux 146
    installing on Solaris 147
    installing on Solaris on x86_64 147
    installing on Windows 149

policy server (continued)
    installing using native utilities 142
    installing using the wizard 141
    listening port (Active Directory) 385, 452
    listening port (Domino) 390, 456
    overview 6
    pdconfig options 465
    port number 458, 459, 467
    setting up 137
    setting up a standby 511
    SSL port 373
    SSL port number 380, 449, 465
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Windows 358
port
    authorization request 458
    Edge Server 461
    HTTP 471
    HTTPS 471
    LDAP server 380, 449
    policy server 458, 459, 467
    Web Traffic Express 461
port numbers
    needed during installation 33
port, SSL
    LDAP server 463
    policy server 380, 449, 465
ports
    LDAP server 372
    policy server SSL 373
    SSL 373
preinstallation requirements
    HACMP 512
    plug-in for Edge Server 225
    plug-in for Web servers 239
prerequisite products 10
    installing GSKit 311
    installing IBM Java Runtime 318
    installing IBM Tivoli Directory Server client 327
    installing the WebSphere Application Server 333
    installing Tivoli Security Utilities 323
    installing Web Administration Tool 338
prerequisite systems
    options files 607
primary HACMP server 527, 529, 530
procedure, plug-in for Edge Server configuration 237
process, installation 21
proxy request port 467
ps command 132
publications ix
    accessing online xii
    ordering xiii

Q
query_contents utility 236

R
Red Hat Enterprise Linux
    installing the plug-in for Edge Server 227
Regional setting, for Windows 46
registries 13
    IBM Tivoli Directory Server 13
    IBM z/OS LDAP Server 13
    Lotus Domino 13
    Microsoft Active Directory 13, 114
    Microsoft Active Directory Application Mode 14
    Novell eDirectory 14
    Sun Java System Directory Server 14, 132
    system requirements 13
registry
    Active Directory 382, 451
    Domino 389, 455
    LDAP 378, 448
registry server
    configuring SSL 474
    listening port, SSL 387, 449, 452
registry servers
    IBM Tivoli Directory Server 54
    IBM z/OS LDAP Server 105
    Lotus Domino 108
    Microsoft Active Directory Application Mode 119
    Novell eDirectory 127
    setting up 53
removing
    See uninstalling
removing packages
    See uninstalling
replication
    Microsoft Active Directory 119
request ports
    administration 458, 467
    authorization 458
    proxy 467
required components
    Access Manager Runtime 16
    Access Manager Runtime for Java 16
    attribute retrieval service 17
    authorization server 15
    development (ADK) system 15
    IBM Tivoli Directory Server 16
    plug-in for Apache Web Server 18
    plug-in for Edge Server 18
    plug-in for IBM HTTP Server 18
    plug-in for IIS 18
    plug-in for Sun Java System Web Server 19
    policy proxy server 16
    policy server 16
    session management command line 20
    session management server 19
    Web Portal Manager 16
    Web security development (ADK) 17
    WebSEAL 17
requirements
    HACMP 512
response file mode installation 25
response files
    template 609
    Web Security system 608
restore data
    backing up 574
    extracting 574
    restoring 574
Rock Ridge, mount command 37, 319
root administrator ID 457
rpm (Linux) command
    plug-in for Apache Web Server 244
    plug-in for Edge Server 227

rpm (Linux) command (continued)
    plug-in for IBM HTTP Server 249
    Web security development (ADK) 263
rpm command 72
rspfile directory 607, 609
runtime
    See TAM runtime
runtime system
    installation components 16
    installing using native utilities 193
    setting up Access Manager Runtime 191
runtime, Java
    See Access Manager Runtime for Java
runtimes
    Access Manager Runtime 6, 191
    Access Manager Runtime for Java 6, 173
    Access Manager Web Security Runtime 8

S
sample key database file 360
sample key file 58, 369
scenarios
    HACMP environment 513
    install_ammgr wizard 369
    install_ldap_server wizard 360, 361
schema files
    IBM z/OS LDAP Server 106
scripts
    linking files and directories 529
    linking from AIX files to shared directory 532
    setting UIDs 527
sec_master 458, 461, 462, 464, 465, 467, 470, 471
secAuthority=Default 135
secAuthority=Default suffix 104
secure domain
    overview 4
Secure Sockets Layer
    See SSL
security options
    setting 485
self-signed certificates 478, 507
    Novell eDirectory server 496
server and client authentication 480, 504
server authentication 480
server authentication, LDAP 504
server certificate 498, 499
server configuration concepts 233
server configuration model 232
server name
    Domino 391, 455
server utilities
    idscfgsuf 100
servers
    Access Manager Authorization Server 5
    Access Manager Plug-in for Edge Server 8
    Access Manager Plug-in for Web Servers 8
    Access Manager Policy Proxy Server 5
    Access Manager Policy Server 6
    Access Manager Session Management Server 9
    Access Manager WebSEAL 8
session management command line
    Access Manager component 9
    configuration options 420
    installation components 20
    installing on AIX 298
    installing on HP-UX 299
    installing on Linux 301
    installing on Solaris 302
    installing on Windows 304
    installing using native utilities 298
    installing using the wizard 296
    setting up 295
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Session Management Command Line
    uninstalling on AIX 352
session management components 9
session management server 9
session management server
    Access Manager component 9
    configuration options 409
    installation components 19
    installing on AIX 285
    installing on HP-UX 286
    installing on Linux 287
    installing on Solaris 287
    installing on Windows 288
    installing using native utilities 285
    installing using the wizard 282
    setting up 279
    uninstalling on Windows 358
Session Management Server
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
session management server installation 279
session management systems
    options files 609
setting
    security options for Tivoli Directory Server 485
setting UIDs 527
setting up
    Access Manager Runtime 191
    Access Manager Runtime for Java 173
    attribute retrieval service 219
    development (ADK) system 163
    IBM Tivoli Directory Server 54
    IBM z/OS LDAP Server 105
    iKeyman utility 315
    Lotus Domino 108
    Microsoft Active Directory 114
    Microsoft Active Directory Application Mode 119
    Novell eDirectory 127
    plug-in for Edge Server 225
    plug-in for Web servers 239
    policy proxy server 181
    policy server 137
    prerequisite products 311
    registry server 53
    session management command line 295
    session management server 279
    standby policy server 511
    Sun Java System Directory Server 132
    Web Security ADK system 259
    WebSEAL 267

setup.exe (Windows) command 188
    plug-in for Edge Server 230
    plug-in for Internet Information Services 253
    Web security development (ADK) 265
signer certificate 497
signer certificates
    Tivoli Directory Server 478, 507
silent installations 607
silent mode installation 25
single sign-on configuration model 236
slapd.conf 485
SMS
    See session management server
SMS CLI
    See session management command line
smscfg utility 594
SNMP
    requirement for IBM Tivoli Directory Integrator 65, 69, 75, 80, 86
soft links
    primary HACMP server 530
    standby HACMP server 533
software updates, receiving 646
Solaris
    installing a development (ADK) system 168
    installing a policy proxy server 187
    installing Access Manager Runtime 197
    installing Access Manager Runtime for Java 178
    installing GSKit 314
    installing IBM Java Runtime 321
    installing IBM Tivoli Directory Server 78
    installing session management command line 302
    installing session management server 287
    installing the attribute retrieval service 223
    installing the authorization server 159
    installing the plug-in for Apache Web Server 245
    installing the plug-in for Edge Server 228
    installing the plug-in for IBM HTTP Server 250
    installing the plug-in for Sun Java System Web Server 256
    installing the policy server 147
    installing the Tivoli Directory Server client 330
    installing the Web security development (ADK) 264
    installing Tivoli Security Utilities 325
    installing Web Administration Tool 341
    installing Web Portal Manager 211
    installing WebSEAL 273
    installing WebSphere Application Server 336
    uninstalling components 356
Solaris on x86_64
    installing a development (ADK) system 168
    installing a policy proxy server 187
    installing Access Manager Runtime 197
    installing Access Manager Runtime for Java 178
    installing GSKit 314
    installing IBM Java Runtime 321
    installing the authorization server 159
    installing the policy server 147
    installing the Tivoli Directory Server client 330
    installing the Web security development (ADK) 264
    installing Tivoli Security Utilities 325
    installing Web Administration Tool 341
    installing Web Portal Manager 211
    installing WebSphere Application Server 336
    uninstalling components 356
Solaris x86_64
    installing WebSEAL 273
SSL
    certificate label 453
    certificate lifecycle 373, 465
    client certificate label 463, 472
    configuring for Active Directory Application Mode 491
    configuring for IBM z/OS 485
    configuring for LDAP server 504
    configuring for Microsoft Active Directory 488
    configuring for Novell eDirectory server 495
    configuring for Sun Java System Directory Server 498
    configuring for Tivoli Directory Server 474
    connection timeout 373, 465
    enabling for Edge Server 462
    enabling on Tivoli Directory Server 480
    IBM Global Security Kit (GSKit) 311
    LDAP client key file 463
    policy server 380, 449
    port 373
    testing access on the LDAP server 489, 509
    testing access on the Tivoli Directory Server client 503
    verifying operation 482
SSL configuration
    for Active Directory Application Mode 491
    for IBM z/OS 485
    for LDAP server 504
    for Microsoft Active Directory 488
    for Novell eDirectory server 495
    for Sun Java System Directory Server 498
SSL key file
    certificate label 366, 373
    full path 365
    password 365
SSL port 365
standby HACMP server 527, 532, 533
standby policy server 137
    creating 523
    setting up 511
stanza entries
    doAudit 548
startServer command 101
startServer.bat command 343
step-by-step installation
    IBM Tivoli Directory Server 360
suffix
    adding
        idscfgsuf 100
suffix, user-defined 364
suffixes
    IBM z/OS LDAP Server 106
suffixes (Tivoli Directory Server)
    adding 104
Sun Java System Directory Server
    configuring SSL 498
    documentation 132
    LDAP_ADMINLIMIT_EXCEEDED 638
    look-through limit 638
    registry 14
    setting up 132
Sun Java System Web Server
    uninstalling on AIX 352
Sun ONE Directory Server
    See Sun Java System Directory Server
support
    See customer support
support for languages
    installing 37
    installing for IBM Tivoli Directory Server 39

support for languages (continued)
    uninstalling 44
svrsslcfg
    add replica 601
    change certificate 601
    change password 601
    change port 601
    change replica 601
    configure 601
    modify 601
    remove replica 601
    unconfigure 601
swinstall (HP-UX) command
    Web security development (ADK) 262
swinstall command
    installing language packages 40
system requirements 13
    registries 13
systems
    base systems 15
    session management systems 19
    Web security systems 17

T
templates
    response file 609
testing SSL 489, 503, 509
text encoding
    See code sets
text-based mode installation 25
timeout, connection 465
Tivoli Access Manager 13
    base system installation 53
    base systems 15
    configuration commands 547
    database name 391, 455
    default domain 380, 449
    default port numbers 33
    installation components 5
    installing prerequisite products 311
    language support packages 35
    policy proxy server 181
    policy server scenario 369
    registry scenario 360
    required IDs and groups 30
    session management systems 19, 279
    setting up an attribute retrieval service 219
    setting up the authorization server 153
    setting up the plug-in for Edge Server 225
    setting up the plug-in for Web servers 239
    unconfiguring components 348
    unconfiguring for Tivoli Directory Server 349
    Web security components 8
    Web security system installation 219
    Web security systems 17
Tivoli Access Manager runtime
    See also Access Manager Runtime
    installing using native utilities 193
Tivoli Access Manager Runtime for Java
    See Access Manager Runtime for Java
Tivoli Access Manager Session Management Command Line
    See session management command line
Tivoli Access Manager session management server
    See session management server
Tivoli Access Manager system
    installing a Lotus Notes client 112
Tivoli Access Manager WebSEAL
    See WebSEAL
Tivoli Common Directory
    directory name 460
    directory names 379
    enabling 379, 383, 448, 453, 456
    installation directory 454
    trace and message logs 459
Tivoli Configuration Manager
    overview 26
Tivoli Directory Server
    backing up the instance 99
    configuration options 442
    configuring a suffix 99
    configuring for Tivoli Access Manager 100
    creating key database file 474, 501
    documentation 54
    enabling FIPS 483
    exporting certificate 488
    installation scenario 360
    installing on Windows 83
    pre-installation requirements 360
    starting administration daemon 481
    starting server 481
    stopping administration daemon 481
    stopping server 481
    unconfiguring 349
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 354
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
    uninstalling on Windows 358
Tivoli Directory Server client
    creating key database file 504
    installing 327
    installing on AIX 327
    installing on HP-UX 328
    installing on HP-UX on Integrity 328
    installing on Linux 329
    installing on Solaris 330
    installing on Solaris on x86_64 330
    installing on Windows 331
    overview 11
    uninstalling on AIX 351
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 354
    uninstalling on Solaris 356
    uninstalling on Solaris on x86_64 356
Tivoli Directory Server installation packages
    AIX 63, 328
Tivoli Directory Server interface
    See Web Administration Tool
Tivoli Directory Server packages, installation
    AIX 63, 328
Tivoli Information Center xii
Tivoli Security Utilities 323
    installing 323
    installing on AIX 323
    installing on HP-UX 323
    installing on Linux 324
    installing on Solaris 325
    installing on Solaris on x86_64 325
    installing on Windows 326
    overview 7

Tivoli Security Utilities (continued)
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Tivoli technical training xiii
Tivoli user groups xiii
tools
    ivrgy_tool 106, 130
    ldp 488
    Novell eDirectory ConsoleOne 127
    Novell iManager 127
    Tivoli Directory Server Web Administration Tool 101
topology, HACMP
    application server definition 522
    cluster resources 518
    overall cluster 516
trace and message logs
    common log file location 459
training, Tivoli technical xiii
typeface conventions xiv
types of
    Tivoli Access Manager systems 15

U
unconfiguring
    Tivoli Access Manager components 348
    Tivoli Directory Server 349
Unicode 50
uninstallation
    language support 44
uninstalling
    components on AIX 351
    components on HP-UX 353
    components on HP-UX on Integrity 353
    components on Linux 354
    components on Solaris 356
    components on Solaris on x86_64 356
    components on Windows 357
UNIX
    code set file location 50
    LANG variable 47
    language support package location 44
    message catalogs 49
    Plug-in for Web Servers pdconfig options 462
    text encoding 50
    uninstall language support packages 44
    virtual hosts 462
    Web Servers path name 462
user groups, Tivoli xiii
user IDs
    required for Tivoli Access Manager 30
user IDs, required
    See administrator IDs
user registries
    See registries
user registry
    Active Directory 382, 451
    differences 637
    Domino 389
    LDAP 378, 448
    maximum values 641
user-defined suffix 364
UTF-8 encoding 50
utilities
    See also commands
    amauditcfg 548
    amwebcfg 552
    amwpmcfg 557
    bassslcfg 561
    command line
        idscfgdb 98
        idscfgsuf 100
        idsidrop 350
    GSKit iKeyman 22, 315
    install component executable files 564
    install_amacld 565
    install_amadk 565
    install_amjrte 566
    install_ammgr 566
    install_amproxy 566
    install_amrte 566
    install_amweb 566
    install_amwebadk 566
    install_amwebars 567
    install_amwpi 567
    install_amwpm 567
    install_ldap_server 567
    ivrgy_tool 569
    mgrsslcfg 572
    native installation 26
    pdbackup 574
    pdconfig 578
    pdinfo (deprecated) 574
    pdjrtecfg 579
    pdproxycfg 583
    pdsmsclicfg 586
    pdversion 589
    pdwpicfg 591
    query_contents 236
    sms 568
    smscfg 594
    smscli 568
    svrsslcfg 601
    wesosm 227

V
variables
    LANG 46
    LANG with UNIX 47
    LANG with Windows 48
    NLSPATH 49
variables, notation for xv
variants, language locales 48
verifying
    primary server directories, links and permissions 530
    standby server directories, links and permissions 533
virtual hosts 464
    Web Servers (UNIX) 462

W
WAS
    See WebSphere Application Server
Web Administration Tool
    installing 338
    installing on AIX 338
    installing on HP-UX 339

Web Administration Tool (continued)
    installing on HP-UX on Integrity 339
    installing on Linux 340
    installing on Solaris 341
    installing on Solaris on x86_64 341
    installing on Windows 342
    overview 11
    using 101
Web document root directory 471
Web Portal Manager 216
    configuration options 439
    configure using amwpmcfg 557
    installation components 16
    installing on AIX 204
    installing on HP-UX 206
    installing on Linux 208
    installing on Solaris 211
    installing on Solaris on x86_64 211
    installing on Windows 214
    installing using native utilities 203
    installing using the wizard 201
    overview 7
    pdconfig options 468
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Web Security ADK
    configuration options 430
    setting up a development system 259
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Web security components
    Access Manager ADK 8
    Access Manager Plug-in for Edge Server 8
    Access Manager Plug-in for Web Servers 8
    Access Manager WebSEAL 8
    attribute retrieval service 8
Web Security components
    Access Manager Web Security Runtime 8
Web security development (ADK)
    installation components 17
    installing on AIX 261
    installing on HP-UX 262
    installing on HP-UX on Integrity 262
    installing on Linux 263
    installing on Solaris 264
    installing on Solaris on x86_64 264
    installing on Windows 265
    installing using native utilities 260
    installing using the wizard 259
Web Security Runtime
    uninstalling on AIX 352
    uninstalling on HP-UX 353, 355
    uninstalling on HP-UX on Integrity 353
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
Web Security system
    response files 608
Web security system installation 219
Web Servers
    pdconfig options (UNIX) 462
    pdconfig options (Windows) 464
    uninstalling on AIX 352
Web Traffic Express 461
WebSEAL
    configuration options 424
    host name 471
    installation components 17
    installing on AIX 269
    installing on HP-UX 270
    installing on HP-UX on Integrity 270
    installing on Linux 272
    installing on Solaris 273
    installing on Solaris x86_64 273
    installing on Windows 275
    installing using native utilities 269
    installing using the wizard 267
    instance name 471
    listening port 471
    pdconfig options 471
    setting up 267
    uninstalling on AIX 352
    uninstalling on HP-UX 353
    uninstalling on HP-UX on Integrity 353
    uninstalling on Linux 355
    uninstalling on Solaris 357
    uninstalling on Solaris on x86_64 357
    uninstalling on Windows 358
WebSphere Application Server
    install.exe command 337
    installing 333
    installing on AIX 333
    installing on HP-UX 334
    installing on HP-UX on Integrity 334
    installing on Linux 335
    installing on Solaris 336
    installing on Solaris on x86_64 336
    installing on Windows 336
    overview 12
    startServer.bat command 343
    uninstalling on AIX 352
    uninstalling on HP-UX 354
    uninstalling on Linux 356
    uninstalling on Solaris 357
    uninstalling on Windows 358
WebSphere Application Server security 216
wesosm utility 227
Windows
    code set file location 50
    installing a development (ADK) system 170
    installing a policy proxy server 188
    installing Access Manager Runtime 199
    installing Access Manager Runtime for Java 180
    installing GSKit 315
    installing IBM Java Runtime 321
    installing session management command line 304
    installing session management server 288
    installing the attribute retrieval service 223
    installing the authorization server 161
    installing the plug-in for Edge Server 230
    installing the plug-in for Internet Information Services 253
    installing the policy server 149
    installing the Tivoli Directory Server client 331

Windows (continued)
    installing the Web security development (ADK) 265
    installing the WebSphere Application Server 336
    installing Tivoli Directory Server 83
    installing Tivoli Security Utilities 252, 326
    installing Web Administration Tool 342
    installing Web Portal Manager 214
    installing WebSEAL 275
    LANG variable 48
    language support package location 44
    message catalogs 49
    Plug-in for Web Servers pdconfig options 464
    text encoding 50
    uninstall language support packages 44
    uninstalling components 357
wizards
    See installation wizards
WPM
    See Web Portal Manager

Z
z/OS
    See IBM z/OS


Printed in USA

GC23-6502-01
