IBM Tivoli Access Manager for Operating Systems: Installation Guide

Date post: 12-Sep-2021
IBM Tivoli Access Manager for Operating Systems Installation Guide Version 5.1 SC23-4829-01

Note

Before using this information and the product it supports, read the information in Appendix D, “Notices,” on page 93.

First Edition (November 2003)

This edition applies to version 5, release 1, of IBM Tivoli Access Manager for Operating Systems (product number 5698-PDO) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2000, 2003. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this guide
  What this guide contains
  Publications
  IBM Tivoli Access Manager for Operating Systems library
  Prerequisite publications
  Related publications
  Platform-specific information
  Accessing publications online
  Accessibility
  Contacting software support
  Conventions used in this guide

Chapter 1. Introduction
  What is IBM Tivoli Access Manager for Operating Systems?
  What are its features?
  How does it work?
  What does the package contain?
  Contents of the Tivoli Access Manager for Operating Systems installation package CDs
  Contents of the Tivoli Access Manager for Operating Systems Framework CD
  Enabling language support
  For more information

Chapter 2. Planning to install
  Migrating from Tivoli Access Control Facility
  Hardware and software requirements
  Prerequisites
  Installation decisions
  Type of installation
  Policy branch
  Before you install
  Directories used
  Users and groups used
  Upgrade pre-installation procedure

Chapter 3. Installing
  Types of installation
  Installing on any platforms using InstallShield Multiplatform
  Running the platform-specific setup program
  Running the InstallShield Multiplatform installation program
  Installing using InstallShield Multiplatform in Silent Mode
  AIX
  HP-UX
  Solaris
  Linux on x86
  Linux on zSeries
  Linux on pSeries and iSeries
  Installing on AIX using native installation
  Installing on AIX using SMIT
  Installing on AIX from the command line
  Installing on HP-UX using native installation
  Installing on HP-UX using swinstall
  Installing on HP-UX from the command line
  Installing on Solaris using native installation
  Installing on Solaris using Admintool
  Installing on Solaris from the command line
  Installing on Linux using native installation
  Installing the Tivoli Management Framework integration packages
  Installing the Tivoli Access Manager for Operating Systems management tasks
  Installing the Tivoli Access Manager for Operating Systems Enterprise Console Integration
  Upgrading the IBM Tivoli Access Manager for Operating Systems management tasks
  Upgrading the Tivoli Access Manager for Operating Systems Enterprise Console Integration
  Upgrade post-installation procedures
  Enabling language support
  Installing the language packs using InstallShield Multiplatform
  Installing Java for language support packages
  Installing language support packages for Tivoli Access Manager for Operating Systems Framework Support modules
  Locale environment variables
  Message catalogs
  Text encoding (code set) support
  Location of code set files

Chapter 4. Configuring
  Preparing to configure
  Using the configure command options
  Configure options
  Configuring from the command line
  Configuring using a response file
  Creating a response file
  Using a response file
  Mapping command line options to attributes in response file

Chapter 5. Configuring and unconfiguring the pdostecd daemon
  Configuring pdostecd
  Preparing to configure
  Configuring from the command line
  Unconfiguring pdostecd
  Unconfiguring from the command line

Chapter 6. Starting and stopping
  Starting Tivoli Access Manager for Operating Systems
  Command line
  Autostart
  Protection against errors during initialization
  Confirming that Tivoli Access Manager for Operating Systems is running
  Stopping Tivoli Access Manager for Operating Systems
  Starting and stopping the PDOSTECD daemon

Chapter 7. Unconfiguring
  Preparing to unconfigure Tivoli Access Manager for Operating Systems
  Unconfigure command options
  Unconfigure option descriptions
  Using a response file to unconfigure
  Creating a response file
  Using a response file
  Mapping command line options to attributes in a response file
  Unconfiguring associated products
  Local unconfigure script

Chapter 8. Uninstalling
  Uninstalling with InstallShield Multiplatform
  Uninstalling on AIX
  Uninstalling on AIX using SMIT
  Uninstalling on AIX using the command line
  Uninstalling on HP-UX
  Uninstalling on HP-UX using swremove
  Uninstalling on HP-UX using the command line
  Uninstalling on Solaris
  Uninstalling on Solaris using Admintool
  Uninstalling on Solaris using the command line
  Uninstalling on Linux
  Uninstalling language support packages
  Uninstalling associated products
  AIX
  HP-UX
  Solaris
  Linux
  Uninstalling Tivoli Management Framework integration packages

Appendix A. Configuration options

Appendix B. Unconfigure options

Appendix C. Migrating from Tivoli Access Control Facility
  se2pdos translation utility
  Usage
  Options
  Examples

Appendix D. Notices
  Trademarks

Index

Preface

IBM® Tivoli® Access Manager for Operating Systems is application software that provides a layer of authorization policy enforcement in addition to that provided by the native operating system.

Note: IBM Tivoli Access Manager for Operating Systems (also referred to as Tivoli Access Manager for Operating Systems) is the new name for the product previously released as Tivoli SecureWay® Policy Director for Operating Systems (Version 3.7) and Tivoli Policy Director for Operating Systems (Version 3.8). Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

The IBM Tivoli Access Manager for Operating Systems Installation Guide describes how to install, configure, upgrade, and uninstall IBM Tivoli Access Manager for Operating Systems.

Who should read this guide

This guide is for administrators and system programmers who have some knowledge of these topics:

- UNIX® operating systems
- Internet protocols, including HTTP, TCP/IP, FTP, Telnet, and SSL
- Security management
- Authentication
- Authorization
- Lightweight Directory Access Protocol (LDAP) and directory services
- IBM Tivoli Access Manager

Supplementary information that system administrators might find useful includes knowledge of the following topics:

- IBM Tivoli Management Environment® framework
- IBM Tivoli Distributed Monitoring
- IBM Tivoli Enterprise Console®
- IBM Tivoli Directory Server (LDAP)
- IBM Tivoli User Administration

What this guide contains

This guide contains the following sections:

- Chapter 1, “Introduction,” on page 1
  Provides an overview of Tivoli Access Manager for Operating Systems, its functions, and components.
- Chapter 2, “Planning to install,” on page 7
  Provides planning and prerequisite information needed for installing Tivoli Access Manager for Operating Systems.
- Chapter 3, “Installing,” on page 13
  Describes procedures for installing Tivoli Access Manager for Operating Systems, using InstallShield Multiplatform or native installation utilities.
- Chapter 4, “Configuring,” on page 49
  Describes how to configure Tivoli Access Manager for Operating Systems.
- Chapter 5, “Configuring and unconfiguring the pdostecd daemon,” on page 63
  Describes how to configure and unconfigure the pdostecd daemon.
- Chapter 6, “Starting and stopping,” on page 65
  Explains how to start and stop Tivoli Access Manager for Operating Systems, and how to determine if the product is running.
- Chapter 7, “Unconfiguring,” on page 67
  Describes how to unconfigure Tivoli Access Manager for Operating Systems.
- Chapter 8, “Uninstalling,” on page 73
  Describes how to uninstall Tivoli Access Manager for Operating Systems using InstallShield Multiplatform, native uninstalls, and the command line.
- Appendix A, “Configuration options,” on page 79
  Defines the configure options and provides their minimum, maximum, and default values.
- Appendix B, “Unconfigure options,” on page 87
  Defines the unconfigure options and provides their minimum, maximum, and default values.
- Appendix C, “Migrating from Tivoli Access Control Facility,” on page 89
  Describes the information needed to migrate from the Tivoli Access Control Facility to Tivoli Access Manager for Operating Systems.

Publications

Read the descriptions of the Tivoli Access Manager for Operating Systems library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

IBM Tivoli Access Manager for Operating Systems library

The publications in the IBM Tivoli Access Manager for Operating Systems library are:

- IBM Tivoli Access Manager for Operating Systems Administration Guide, SC23-4827
  Describes the concepts and procedures for using Tivoli Access Manager for Operating Systems. Provides instructions for performing administrative tasks from the command line and from the Tivoli Desktop, as well as auditing, using commands, and integrating with IBM Tivoli Enterprise Console and IBM Tivoli Risk Manager.
- IBM Tivoli Access Manager for Operating Systems Installation Guide, SC23-4829
  Describes how to install, configure, upgrade, and uninstall Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide, SC23-4828
  Provides information about troubleshooting, message logging, trace logging, other diagnostic tools, and reference information about Tivoli Access Manager for Operating Systems. Also contains the product error message catalog.
- IBM Tivoli Access Manager for Operating Systems Release Notes, GI11-0951
  Provides late-breaking information about Tivoli Access Manager for Operating Systems.
- IBM Tivoli Access Manager for Operating Systems Read This First Card, GI11-0949
  Provides information for installing and getting started using Tivoli Access Manager for Operating Systems.

Prerequisite publications

To use the information in this book effectively, you must have some prerequisite knowledge, which you can obtain from the following publications:

- IBM Tivoli Access Manager Base Installation Guide, GC32-1362
- IBM Tivoli Access Manager Base Administration Guide, GC23-1360
- IBM Tivoli Access Manager for e-business Release Notes, GI11-4156

Related publications

Information related to Tivoli Access Manager for Operating Systems is available in the following publications:

- IBM Tivoli Access Manager for e-business Performance Tuning Guide, SC32-1351
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with IBM Directory Server defined as the user registry.
- IBM Tivoli Access Manager for e-business Problem Determination Guide, SC32-1352
  Provides information about troubleshooting a Tivoli Access Manager environment.
- IBM Tivoli Access Manager Error Message Reference, SC32-1353
  Contains the product error message catalogs for IBM Tivoli Access Manager, Tivoli Access Manager for Operating Systems, and Tivoli Access Manager Business Integration.
- IBM Tivoli Access Manager for e-business Command Message Reference, SC32-1354
  Provides information about the Tivoli Access Manager commands and their options.
- The Tivoli Software Library provides a variety of Tivoli publications, such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/library/.
- The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page: http://www.ibm.com/software/tivoli/library

Platform-specific information

Information on supported platforms can be found in this guide and in the IBM Tivoli Access Manager for Operating Systems Release Notes.

Accessing publications online

The publications for this product are available in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli Software Library at http://www.ibm.com/software/tivoli/library/.

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli Software Information Center page.

Product publications include release notes, installation guides, users guides, administration guides, problem determination guides, and developer’s references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File > Print).

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

For additional information, see the Accessibility Appendix in the IBM Tivoli Access Manager for Operating Systems Administration Guide.

Contacting software support

Before contacting IBM Tivoli Software support about a problem, refer to the IBM Tivoli Software support site by clicking the Tivoli support link at the following Web site: http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site: http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

- Registration and eligibility requirements for receiving support
- Telephone numbers, depending on the country in which you are located
- A list of information you should gather before contacting customer support.

See the IBM Tivoli Access Manager for Operating Systems Problem Determination Guide for additional direction about gathering information to be used for problem identification and remediation.

Conventions used in this guide

This reference uses several conventions for special terms and actions and operating-system-dependent commands and paths.

The following typeface conventions are used in this reference:

Bold
    Lowercase and mixed-case commands, command options, and flags that appear within text are displayed like this, in bold type. Graphical user interface elements (except for titles of windows and dialogs) and names of keys are also displayed like this, in bold type.

Italics
    Variables, values you must provide, new terms, and words and phrases that are emphasized are displayed like this, in italic type.

Monospace
    Commands, command options, and flags that appear on a separate line, code examples, output, and message text are displayed like this, in a monospace font. Names of files and directories, text strings you must type, when they appear within text, names of Java methods and classes, and HTML and XML tags also are displayed like this, in a monospace font.

Chapter 1. Introduction

This chapter provides a brief overview of IBM Tivoli Access Manager for Operating Systems, including information about the following topics:

- What is Tivoli Access Manager for Operating Systems?
- What are its features?
- How does it work?
- What does the Tivoli Access Manager for Operating Systems package contain?

This chapter also contains sources to consult for additional information. Before you install Tivoli Access Manager for Operating Systems, it is suggested that you read this guide and IBM Tivoli Access Manager for Operating Systems Administration Guide, Version 5.1.

What is IBM Tivoli Access Manager for Operating Systems?

IBM Tivoli Access Manager for Operating Systems provides a layer of authorization policy enforcement in addition to that provided by the UNIX operating system. An administrator defines additional authorization policy by applying fine-grained access controls that restrict or permit access to key system resources. Controls are based on user identity, group membership, the type of operation, the time of day or the day of the week, and the accessing application. An administrator can control access to specific file resources, login and network services, and changes of identity. These controls can also be used to manage the execution of administrative procedures and to limit administrative capabilities on a per-user basis. In addition to authorization policy enforcement, Tivoli Access Manager for Operating Systems provides mechanisms to verify defined policy and audit authorization decisions.

What are its features?

IBM Tivoli Access Manager for Operating Systems enhances UNIX security by utilizing the core function of Tivoli Access Manager in the following ways:

- Provides fine-grained access control to network services
- Provides fine-grained access control to files and commands
- Provides fine-grained control of login services
- Allows the capability to limit the privileges of the root user
- Enables centralized management of authorization policy

In addition, implementation and operation of Tivoli Access Manager for Operating Systems is uniform across all supported platforms. (For the current list of supported platforms, see the IBM Tivoli Access Manager for Operating Systems, Version 5.1, Release Notes).

How does it work?

Tivoli Access Manager for Operating Systems is invoked immediately after the UNIX-based operating system has completed its initialization and places hooks in system services that need to be protected. These hooks pass control to Tivoli Access Manager for Operating Systems before the service being requested is performed. When a user requests a system service for an object that is being protected, Tivoli Access Manager for Operating Systems accesses the policy information associated with the object to determine whether the user is permitted to perform the requested operation. The decision to allow or deny access is based on the access rules and policies that are defined in the Tivoli Access Manager policy database by the system administrator.

Figure 1 shows a graphical representation of the interaction between Tivoli Access Manager for Operating Systems, Tivoli Access Manager, and the IBM Directory Server (the LDAP Server in the diagram) when a user request is made.

[Figure 1. Tivoli Access Manager for Operating Systems Architecture. Diagram labels: User Request; Tivoli Access Manager Policy Server; Replicated Tivoli Access Manager Database; User Registry; Tivoli Access Manager Policy Database; Credential Cache; Tivoli Access Manager for Operating Systems Processes; Tivoli Access Manager for Operating Systems Kernel Interception; Native Operating System Services; User Mode; Kernel Mode; LDAP Server]

What does the package contain?

The IBM Tivoli Access Manager for Operating Systems package consists of the following CDs:

- IBM Tivoli Access Manager for Operating Systems for AIX, Version 5.1
- IBM Tivoli Access Manager for Operating Systems for Solaris, Version 5.1
- IBM Tivoli Access Manager for Operating Systems for HP-UX, Version 5.1
- IBM Tivoli Access Manager for Operating Systems for Linux on xSeries, Version 5.1
- IBM Tivoli Access Manager for Operating Systems for Linux on zSeries®, Version 5.1
- IBM Tivoli Access Manager for Operating Systems for Linux on pSeries and iSeries, Version 5.1
- IBM Tivoli Access Manager for Operating Systems Framework Support, Version 5.1
- IBM Tivoli Access Manager for Operating Systems Language Support, Version 5.1
- IBM Tivoli Access Manager Base for AIX, Version 5.1
- IBM Tivoli Access Manager Base for Solaris, Version 5.1
- IBM Tivoli Access Manager Base for HP-UX, Version 5.1
- IBM Tivoli Access Manager Base for Linux on xSeries, Version 5.1
- IBM Tivoli Access Manager Base for Linux on zSeries, Version 5.1
- IBM Tivoli Access Manager Base for Linux for pSeries and iSeries, Version 5.1
- IBM Tivoli Access Manager Base for Windows NT, Windows XP, Windows 2000, and Windows 2003, Version 5.1
- IBM Tivoli Access Manager Directory Server for AIX, Version 5.1
- IBM Tivoli Access Manager Directory Server 1 of 2 for Solaris, Version 5.1
- IBM Tivoli Access Manager Directory Server 2 of 2 for Solaris, Version 5.1
- IBM Tivoli Access Manager Directory Server for HP-UX, Version 5.1
- IBM Tivoli Access Manager Directory Server for Linux on xSeries, Version 5.1
- IBM Tivoli Access Manager Directory Server for Linux on zSeries, Version 5.1
- IBM Tivoli Access Manager Directory Server for Linux for pSeries and iSeries, Version 5.1
- IBM Tivoli Access Manager Directory Server for Windows 2000 and Windows 2003, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for AIX, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for Solaris, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for HP-UX, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for Linux on xSeries, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for Linux on zSeries, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for Linux on pSeries and iSeries, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for Windows 2000, Version 5.1
- IBM Tivoli Access Manager Web Administration Interfaces for Windows 2003, Version 5.1
- IBM Tivoli Access Manager WebSphere Fix Pack for AIX, Version 5.1
- IBM Tivoli Access Manager WebSphere Fix Pack for Solaris, Version 5.1
- IBM Tivoli Access Manager WebSphere Fix Pack for HP-UX, Version 5.1
- IBM Tivoli Access Manager WebSphere Fix Pack for Linux on xSeries, Version 5.1
- IBM Tivoli Access Manager WebSphere Fix Pack for Windows 2000, Version 5.1
- IBM Tivoli Access Manager Language Support for AIX, Version 5.1
- IBM Tivoli Access Manager Language Support for Solaris, Version 5.1
- IBM Tivoli Access Manager Language Support for HP-UX, Version 5.1
- IBM Tivoli Access Manager Language Support for Linux on xSeries, Version 5.1
- IBM Tivoli Access Manager Language Support for Linux on zSeries, Version 5.1
- IBM Tivoli Access Manager Language Support for Linux on pSeries and iSeries, Version 5.1
- IBM Tivoli Access Manager Language Support for Windows NT, Windows XP, Windows 2000, Windows 2003, Version 5.1

Contents of the Tivoli Access Manager for Operating Systems installation package CDs

The contents of the IBM Tivoli Access Manager for Operating Systems platform-specific CDs are as follows.

Table 1. Contents of Base Installation CD

| Platform (Directory) | Component | Package |
|---|---|---|
| AIX (/usr/sys/inst.images) | IBM Java Runtime Environment 1.3.1.5 | Java131.rte |
| | IBM AIX Certificate and SSL Base Runtime ACME Toolkit 7.0.1.9 | gskta.rte |
| | IBM Directory Client 5.2.0.0 | ldap.client |
| | IBM Directory Client Runtime (SSL) 5.2.0.0 | ldap.max_crypto_client |
| | Tivoli Access Manager 5.1 Runtime Environment | PD.RTE |
| | Tivoli Access Manager for Operating Systems 5.1 Runtime Environment | PDOS.rte |
| HP-UX (/hp) | Java 2 RTE 1.3 for HP-UX (700/800), PA1.1 + PA2.0 Add On | B9789AA/Jre13 |
| | IBM Global Security Kit 7.0.1.9 | gsk7bas |
| | IBM Directory Server 5.2 Client | LDAPClient |
| | Tivoli Access Manager 5.1 Runtime Environment | PDRTE |
| | Tivoli Access Manager for Operating Systems 5.1 Runtime Environment | PDOSrte |
| Solaris (/solaris) | JDK 1.3 Runtime Environment | SUNWj3rt |
| | IBM Global Security Kit 7.0.1.9 | gsk7bas |
| | IBM Directory Server 5.2 Client | IBMldapc |
| | Tivoli Access Manager 5.1 Runtime Environment | PDRTE |
| | Tivoli Access Manager for Operating Systems 5.1 Runtime Environment | PDOSrte |
| | ezpkgadd ldad-rsp pddcfault | Support files for use by InstallShield Multiplatform |
| Linux x86 (/linux) | IBM Java Runtime Environment 1.3.1-3.0 | IBMJava2-JRE-1.3.1-3.0.i386.rpm |
| | IBM Global Security Kit 7.0.1.9 | gsk7bas-7.0-1.9.i386.rpm |
| | IBM SecureWay Directory Server 5.2 Client | ldap-clientd-5.2-1.i386.rpm |
| | Tivoli Access Manager 5.1 Runtime Environment | PDRTE-PD-5.1.0-0.i386.rpm |
| | Tivoli Access Manager for Operating Systems 5.1 Runtime Environment | PDOSrte-PDOSruntime-5.1.0-0.i386.rpm |
| Linux on zSeries (/zSeries) | IBM Java Runtime Environment 1.3.1-3.0 | IBMJava2-JRE-1.3.1-3.0.s390.rpm |
| | IBM Global Security Kit 7.0.1.9 | gsk7bas-7.0-1.9.s390.rpm |
| | IBM Directory Server 5.2 Client | ldap-clientd-5.2-1.s390.rpm |
| | Tivoli Access Manager 5.1 Runtime Environment | PDRTE-PD-5.1.0-0.s390.rpm |
| | Tivoli Access Manager for Operating Systems 5.1 Runtime Environment | PDOSrte-PDOSruntime-5.1.0-0.s390.rpm |
| Linux i/pSeries (/pSeries) | IBM Java Runtime Environment 1.3.1-2.0 | IBMJava2-JRE-1.3.1-3.0.ppc.rpm |
| | IBM Global Security Kit 7.0.1.9 | gsk7bas-7.0-1.9.ppc32.rpm |
| | IBM Directory Server 5.2 Client | ldap-clientd-5.2-1.ppc.rpm |
| | Tivoli Access Manager 5.1 Runtime Environment | PDRTE-PD-5.1.0-0.ppc.rpm |
| | Tivoli Access Manager for Operating Systems 5.1 Runtime Environment | PDOSrte-PDOSruntime-5.1.0-0.ppc.rpm |

Contents of the Tivoli Access Manager for Operating Systems Framework CD

The Tivoli Access Manager for Operating Systems Framework Support CD contains the following components:

Table 2. Contents of Tivoli Access Manager for Operating Systems Framework Support CD

| Directory | Component | Package |
|---|---|---|
| PDOS.cdrom | IBM Tivoli Access Manager for Operating Systems Management Tasks, Version 5.1 | PDOSTASK.IND |
| | IBM Tivoli Access Manager for Operating Systems Enterprise Console Integration, Version 5.1 | PDOSTEC.IND |
| PDOSU.cdrom | IBM Tivoli Access Manager for Operating Systems Management Tasks, Upgrade to Version 5.1 | PTASKU.IND |
| | IBM Tivoli Access Manager for Operating Systems Enterprise Console Integration, Upgrade to Version 5.1 | PDTECU.IND |

The installation CD also contains scripts, files, and directories that are used by the InstallShield Multiplatform program.

Enabling language support

Tivoli Access Manager for Operating Systems is translated into the following languages, where available:
• Brazilian Portuguese
• Chinese (simplified)
• Chinese (traditional)
• French
• German
• Italian
• Japanese
• Korean
• Spanish

If language support is installed and you upgrade the product, you must also install the corresponding language support product, if one exists. Refer to the upgrade documentation to determine if language support is required. If you do not install the language support after upgrading, the associated product might display some fields and messages in English.

For more information

For general information about Tivoli Access Manager for Operating Systems, software support (including a discussion forum), product news, and education, visit this Web site:

http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/


Chapter 2. Planning to install

This chapter discusses planning and prerequisites needed to install IBM Tivoli Access Manager for Operating Systems.

Migrating from Tivoli Access Control Facility

If you are currently using Tivoli Access Control Facility for enforcing policy, whether in a Tivoli Security Manager environment or not, read the information in Appendix C, “Migrating from Tivoli Access Control Facility,” on page 89 in addition to the information in this chapter.

Hardware and software requirements

The hardware and software requirements for Tivoli Access Manager for Operating Systems can be found in the IBM Tivoli Access Manager for Operating Systems Release Notes for this release. Ensure that you are running a supported version of your operating system and that you have installed the proper patches before proceeding.

Prerequisites

IBM Tivoli Access Manager for Operating Systems is a complex product to install. Three additional software products must be installed and configured before Tivoli Access Manager for Operating Systems can be installed and configured:
• IBM Tivoli Access Manager Runtime Environment, Version 5.1
• IBM Global Security Toolkit, Version 7.0.1.9
• IBM Directory Client, Version 5.2

If you will install using operating system utilities, these prerequisite packages are provided in operating system format. You can use the command line interface tools to install all the necessary software. You are also responsible for configuring the prerequisite software packages.

Installation and configuration of the prerequisite software can also be accomplished through the InstallShield Multiplatform installation process. The process guides you through a series of input panels, which gather the information needed to install and configure the software. The final step of the process installs and configures the specific operating system package formats.

Before you install and configure Tivoli Access Manager for Operating Systems, you need to have certain information about your environment and your environment must be in a certain state:
• The Tivoli Access Manager policy server, Version 5.1, should be installed and configured to use the LDAP user registry.
• The LDAP user registry must be enabled to use the Secure Sockets Layer (SSL).
• Both the Tivoli Access Manager policy server and the LDAP server should be running.
• You should have your base64-encoded LDAP SSL Certificate Authority (CA) certificate file from the LDAP server machine.
• You should have your base64-encoded Tivoli Access Manager Certificate Authority (CA) certificate file from the Tivoli Access Manager machine (unless the server is configured for auto-download).
• You should know your LDAP User Registry suffix.
• You should know the name of the policy branch under which you are configuring.
• You should know the administrator name and password (-admin_name and -admin_pwd). These replace the Tivoli Access Manager security master password (-sec_master_pwd), which becomes obsolete with Version 5.1.

Information on installing and configuring the Tivoli Access Manager policy server and the LDAP User Registry, as well as creating an SSL certificate file, can be found in the IBM Tivoli Access Manager Base Installation Guide. If you create a self-signed certificate for SSL communications, be sure to set a suitable lifetime, such as 3650 days, to ensure that the certificate does not expire prematurely. The default certificate lifetime is only 365 days.

Installation decisions

There are a few basic installation decisions that you should make to assist in your planning and deployment.

Type of installation

IBM Tivoli Access Manager for Operating Systems can be installed in one of the following three ways.

InstallShield Multiplatform full GUI installation
    InstallShield Multiplatform installation is the recommended way to initially install or to upgrade an existing system on which IBM Tivoli Access Manager for Operating Systems is installed. This installation procedure is started by entering a single command. You are then guided through the installation by a series of interactive panels. The procedure installs and configures Tivoli Access Manager for Operating Systems and also installs or upgrades all the prerequisite software on the system.

InstallShield MultiPlatform Silent Mode installation
    InstallShield MultiPlatform Silent installation provides a way to install and initially configure Tivoli Access Manager for Operating Systems with a minimum of effort. You create a file with the necessary options and configuration variables and provide the path to the file. The installation procedure uses the information in the file to complete the installation and configuration. The prerequisite software needed by Tivoli Access Manager for Operating Systems is also installed or upgraded as needed.

Native installation
    Native Install not only provides the most flexibility in choosing how to install or upgrade Tivoli Access Manager for Operating Systems but also requires the greatest amount of technical expertise. You are responsible for installing or upgrading the prerequisite software on the system and applying the necessary patches. Native installation utilities are used to install the desired software packages on the system. After installing all the necessary software, you must manually configure Tivoli Access Manager for Operating Systems before starting it.


Choose the installation type that best matches your environment and expectations. The installation and upgrade instructions depend on the type of installation you choose. See “Types of installation” on page 13 and “Upgrade pre-installation procedure” on page 10 for more details.

Policy branch

Your environment probably has several systems that are used for the same or similar purposes and that require the same or similar authorization policy. Tivoli Access Manager for Operating Systems enables you to group systems together by placing them within a policy branch. Systems in the same policy branch are subject to the same authorization policy.

The policy branch is defined on the Tivoli Access Manager policy server in the /OSSEAL/policy-branch namespace, where policy-branch is your user-defined policy branch name. For instance, if you wanted to group your systems based on whether they are servers, graphics workstations, or development workstations, you might choose to call your policy branches:

    /OSSEAL/Servers
    /OSSEAL/Graphics
    /OSSEAL/ProdDev

If your Tivoli Access Manager policy server does not yet have an /OSSEAL branch, no IBM Tivoli Access Manager for Operating Systems system is configured. Therefore, you must complete configuration of the first system, which also configures the policy server database, before initiating a configuration of any other system. When you subsequently create a new policy branch, such as the /OSSEAL/Servers one used in the previous example, you must configure the first system in that policy branch before initiating a configuration of any other system that will also subscribe to that same policy branch. After one system has been configured within a policy branch, other systems can be configured in parallel under that branch.

Before you install

To install Tivoli Access Manager for Operating Systems, you must:
• Have root permission
• Ensure that sufficient space is available in the /opt and /var filesystems. (See the IBM Tivoli Access Manager for Operating Systems, Version 5.1, Release Notes for space requirements.) The files associated with the product are installed in the following directories:
    /opt/pdos
    /var/pdos
  You have the option of changing the target installation directory when using InstallShield Multiplatform, except on Solaris.
• Uninstall any other LDAP clients installed on the system. This includes the Sun ONE Directory Server client, the Sun LDAP client, which is commonly installed on systems that use the Solaris Operating Environment (referred to as Solaris).
• Verify that you have installed the necessary operating system patches. This information can be found in the IBM Tivoli Access Manager for Operating Systems Release Notes.
• If you are upgrading from a previous version of IBM Tivoli Access Manager for Operating Systems, see “Upgrade pre-installation procedure.”

Directories used

Tivoli Access Manager for Operating Systems stores authorization policy information, audit logs, and error logs in the various directories under /var/pdos. Consider creating /var/pdos as a separate file system in order to ensure that user activity that might cause /var to become full does not impact the ability to enforce authorization policy. It is also advisable to make /var/pdos/log and /var/pdos/audit separate file systems as well. Carefully monitor the space usage of the /var/pdos, /var/pdos/log, and /var/pdos/audit directories and take the appropriate action if available free space is limited.

Users and groups used

Tivoli Access Manager for Operating Systems relies on the existence of an osseal user ID and the osseal and ossaudit groups. If an osseal or ossaudit group entry does not exist at the time IBM Tivoli Access Manager for Operating Systems is installed, the groups are created. Similarly, if an osseal user ID does not exist, one is created during installation. The osseal user ID that is created has a primary group of osseal.

In Network Information Services (NIS) environments, the osseal user ID and the osseal and ossaudit groups must be created locally and not be located in NIS. However, when installing on a system configured to use NIS, the user-creation mechanisms used by Tivoli Access Manager for Operating Systems can result in these groups and the user ID being created after the + entry in the /etc/passwd and /etc/group files. You must reorder the entries in these files to ensure that the users and groups created by Tivoli Access Manager for Operating Systems appear before the + in these files. Otherwise, the osseal user ID and the osseal and ossaudit groups are not usable if the NIS server is unavailable and Tivoli Access Manager for Operating Systems does not start.
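The ordering requirement described above can be checked on a system before the product is started. The following shell functions are an added example, not part of the IBM guide or product; the function names and the sample file contents are constructed for illustration. nis_entry_status reports whether a local entry sits before the first "+" line, and nis_reorder prints a corrected copy without changing the original file.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. Function names and sample data are
# hypothetical; only the osseal/ossaudit names and the "+" rule come from the guide.
AWK=${AWK:-awk}   # assumption: set AWK=nawk where the default awk lacks -v

# nis_entry_status FILE NAME
#   ok       NAME has a local entry before the first "+" line (or no "+" line exists)
#   after    NAME has a local entry only after the first "+" line
#   missing  NAME has no local entry in FILE
nis_entry_status() {
    "$AWK" -F: -v name="$2" '
        substr($0, 1, 1) == "+" && !plus { plus = NR }   # first NIS inclusion line
        $1 == name && !seen              { seen = NR }   # first local entry for NAME
        END {
            if (!seen)                    print "missing"
            else if (plus && seen > plus) print "after"
            else                          print "ok"
        }' "$1"
}

# nis_reorder FILE NAME...
#   Writes a copy of FILE to stdout in which every entry for the given NAMEs
#   that follows the first "+" line is moved to just before that line.
#   FILE is read twice and never modified.
nis_reorder() {
    file=$1; shift
    "$AWK" -F: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR == FNR {                              # pass 1: decide what to move
            if (substr($0, 1, 1) == "+") { if (!plus) plus = FNR }
            else if (plus && ($1 in want)) { moved[++m] = $0; skip[FNR] = 1 }
            next
        }
        FNR == plus { for (i = 1; i <= m; i++) print moved[i] }   # pass 2: emit
        !(FNR in skip)
    ' "$file" "$file"
}

# write_samples DIR: constructed passwd/group files showing the problem case.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/:/bin/false
+::::::
osseal:x:301:301:constructed sample entry:/home/osseal:/bin/false
EOF
    cat > "$1/group" <<'EOF'
system:x:0:root
osseal:x:301:
+:::
ossaudit:x:302:
EOF
}

# Demonstration on the constructed samples (never touches /etc).
demo=${TMPDIR:-/tmp}/nis_demo.$$
mkdir "$demo" && write_samples "$demo"
echo "passwd osseal:  $(nis_entry_status "$demo/passwd" osseal)"
echo "group osseal:   $(nis_entry_status "$demo/group" osseal)"
echo "group ossaudit: $(nis_entry_status "$demo/group" ossaudit)"
echo "--- corrected group file ---"
nis_reorder "$demo/group" osseal ossaudit
rm -rf "$demo"
```

On a real system, run nis_entry_status against /etc/passwd and /etc/group, review the output of nis_reorder, and install the corrected copy with the platform's own account-editing tools.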

Upgrade pre-installation procedure

If you are upgrading from a previous version of Tivoli Access Manager for Operating Systems, perform the following procedure before installing this new version.

Note: This procedure is for upgrades to Version 5.1 of Tivoli Access Manager for Operating Systems only. Upgrades from versions 3.8 and 4.1 are supported. There is no support for upgrades from Version 3.7.

1. Verify that you have installed the necessary operating system patches and have sufficient space to install the product. This information can be found in the IBM Tivoli Access Manager for Operating Systems Release Notes.
2. Configure Tivoli Access Manager for Operating Systems so that the daemons do not autostart on reboot and that login activity policy enforcement is disabled. Log in as a runtime administrator and then enter the following command:
    pdoscfg -autostart off -login_policy off
3. You must stop the pdostecd daemon and prevent it from autostarting as well by entering the following commands:
    pdosteccfg -autostart off
    rc.pdostecd stop
4. Stop Tivoli Access Manager for Operating Systems, by entering the following command:
    rc.osseal stop
5. Shut down and reboot the system. Verify that Tivoli Access Manager for Operating Systems is not active by entering the following command:
    pdosctl -s
   Note: If Tivoli Access Manager for Operating Systems has been active at any time since the last reboot, the system must be rebooted before you install and start this new version. Rebooting ensures that the Tivoli Access Manager for Operating Systems components that run in the user-level application space and those that run in the UNIX kernel are at the same level. After this new version is installed, if any previous versions of the kernel components are still loaded, attempts to start Tivoli Access Manager for Operating Systems will fail until the system is rebooted.
6. Ensure that the Tivoli Access Manager policy server used in your environment is at version 5.1.
7. Install Tivoli Access Manager for Operating Systems following the procedure described in Chapter 3, “Installing,” on page 13. If you are installing using a native installation utility, ensure that you are upgrading or applying the appropriate patches to the prerequisite software on the system.

After installing, see “Upgrade post-installation procedures” on page 40.


Chapter 3. Installing

This chapter explains how to install IBM Tivoli Access Manager for Operating Systems on AIX, HP-UX, Solaris, and Linux.

Types of installation

You can install Tivoli Access Manager for Operating Systems in one of the following three ways:

InstallShield Multiplatform full GUI installation
    Using the platform-specific Tivoli Access Manager for Operating Systems, Version 5.1 CD, you run the install_amos_platform command to install and initially configure Tivoli Access Manager for Operating Systems and all the prerequisite software that will be located on this system. If a previous version and its prerequisites are already configured, the procedure automatically updates your installation to the new version. See “Installing on any platforms using InstallShield Multiplatform” on page 14 for details.

    InstallShield Multiplatform Install also performs the initial configuration of Tivoli Access Manager for Operating Systems using the policy defaults provided with the product.

InstallShield Multiplatform Silent Mode installation
    Using the platform-specific Tivoli Access Manager for Operating Systems, Version 5.1 CD, you run the install_amos_platform command and specify the path to your response file to silently install and initially configure Tivoli Access Manager for Operating Systems and all the prerequisite software that will be located on this system. If a previous version and its prerequisites are already configured, the procedure automatically updates your installation to the new version.

Native installation
    Using the platform-specific Tivoli Access Manager for Operating Systems, Version 5.1 CD, you use the native software installation utility provided with your operating system to install Tivoli Access Manager for Operating Systems. This method assumes that you are familiar with the native installation utility and have used it to install software in the past.

    The Tivoli Access Manager Runtime Environment must be installed and configured on the same machine where Tivoli Access Manager for Operating Systems is installed. You also must install the necessary prerequisites for Tivoli Access Manager for Operating Systems, including upgrading to the appropriate levels and installing the necessary patches, before performing a native installation. These prerequisites, as well as an overview of the installation process itself, are provided in the following sections, based on your operating system platform:
    • “Installing on AIX using native installation” on page 29
    • “Installing on HP-UX using native installation” on page 31
    • “Installing on Solaris using native installation” on page 32
    • “Installing on Linux using native installation” on page 34


After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Note: Care must be taken if you are planning to install Tivoli Access Manager for Operating Systems on the same system as the Tivoli Access Manager policy server or the IBM Directory Server (LDAP). If you intend to install in this environment using InstallShield Multiplatform (standard or silent mode), you must first upgrade the policy server and the IBM Directory Server to the level supported by Tivoli Access Manager for Operating Systems. You may then install using InstallShield Multiplatform.

If you have a previous version of Tivoli Access Manager for Operating Systems installed, you must have performed the steps outlined in “Upgrade pre-installation procedure” on page 10 before continuing.

After upgrading Tivoli Access Manager for Operating Systems using an installation method from this chapter, see “Upgrade post-installation procedures” on page 40 for additional tasks that need to be performed.

Installing on any platforms using InstallShield Multiplatform

The InstallShield Multiplatform procedure is provided to install and initially configure Tivoli Access Manager for Operating Systems with a minimum amount of effort. It identifies the components that are already installed, locates on the installation media the components that must be installed, and then installs and configures them.

The InstallShield Multiplatform program operates the same way on each supported platform after a platform-specific setup program initiates the process. The setup program attempts to locate a correct version of the Java Runtime Environment (JRE) on the target system. If no JRE is found, the setup program will install a JRE that will be used during the installation process and then removed from the system. If you want to use a custom version of JRE, use the syntax that calls Java directly.

Note: Review “Preparing to configure” on page 49 before you begin the installation procedure.

Running the platform-specific setup program

Select and run the setup program for your platform. The setup program will start the InstallShield Multiplatform installation program.

AIX
1. Mount the IBM Tivoli Access Manager for Operating Systems for AIX, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
    cd /cdrom
3. Ensure that the DISPLAY environment variable is set correctly. It should point to the local X Server running on your workstation.
4. Enter one of the following commands:
    install_amos_aix
   or if you want to use a custom version of JRE
    java -cp install_amos_setup.jar run


HP-UX
1. Mount the IBM Tivoli Access Manager for Operating Systems for HP-UX, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
    cd /cdrom
3. Ensure that the DISPLAY environment variable is set correctly. It should point to the local X Server running on your workstation.
4. Enter one of the following commands:
    install_amos_hp
   or if you want to use a custom version of JRE
    java -cp install_amos_setup.jar run

Solaris
1. Mount the IBM Tivoli Access Manager for Operating Systems for Solaris, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
    cd /cdrom
3. Ensure that the DISPLAY environment variable is set correctly. It should point to the local X Server running on your workstation.
4. Enter one of the following commands:
    install_amos_solaris
   or if you want to use a custom version of JRE
    java -cp install_amos_setup.jar run

Linux on x86
1. Mount the IBM Tivoli Access Manager for Operating Systems for Linux on xSeries, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
    cd /media/cdrom
3. Ensure that the DISPLAY environment variable is set correctly. It should point to the local X Server running on your workstation.
4. Enter one of the following commands:
    install_amos_Linux
   or if you want to use a custom version of JRE
    java -cp install_amos_setup.jar run

Linux on zSeries
1. Mount the IBM Tivoli Access Manager for Operating Systems for Linux on zSeries, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
    cd /media/cdrom
3. Ensure that the DISPLAY environment variable is set correctly. It should point to the local X Server running on your workstation.
4. Enter one of the following commands:
    install_amos_zSeries
   or if you want to use a custom version of JRE
    java -cp install_amos_setup.jar run


Linux on pSeries and iSeries
1. Mount the IBM Tivoli Access Manager for Operating Systems for Linux on pSeries and iSeries, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
    cd /media/cdrom
3. Ensure that the DISPLAY environment variable is set correctly. It should point to the local X Server running on your workstation.
4. Enter one of the following commands:
    install_amos_pSeries
   or if you want to use a custom version of JRE
    java -cp install_amos_setup.jar run

Running

the

InstallShield

Multiplatform

installation

program

After

the

setup

program

has

completed,

it

starts

the

main

installation

procedure.

1.

The

language

selection

panel

is

displayed.

It

allows

you

to

select

the

language

in

which

the

installation

will

be

run

(English

is

the

default);

it

does

not

allow

you

to

select

the

languages

to

be

installed.

Highlight

the

appropriate

language

in

the

list

and

click

OK.

The

Tivoli

Access

Manager

for

Operating

Systems

opening

panel

is

displayed

while

the

installer

initializes.

Figure

2.

Tivoli

Access

Manager

for

Operating

Systems

Language

Selection

Panel

16

IBM

Tivoli

Access

Manager

for

Operating

Systems:

Installation

Guide

Page 29: IBM Tivoli Access Manager for Operating Systems: Installation Guide

2.

The

welcome

panel

is

displayed.

It

presents

the

official

product

name

and

version.

Click

Next.

Figure

3.

Tivoli

Access

Manager

for

Operating

Systems

Welcome

Panel

Chapter

3.

Installing

17

Page 30: IBM Tivoli Access Manager for Operating Systems: Installation Guide

3.

The

Software

License

Agreement

panel

is

displayed.

Read

the

agreement.

You

must

accept

the

agreement

in

order

to

install

the

product.

Click

Next.

(If

you

click

Cancel,

the

installation

will

not

continue.)

After

a

successful

installation,

the

license

files

can

be

found

at

/var/pdos_ismp/license.

Figure

4.

Tivoli

Access

Manager

for

Operating

Systems

Software

License

Agreement

Panel

18

IBM

Tivoli

Access

Manager

for

Operating

Systems:

Installation

Guide

Page 31: IBM Tivoli Access Manager for Operating Systems: Installation Guide

4.

The

Tivoli

Common

Directory

information

panel

is

displayed.

Enable

logging

if

desired,

and

choose

a

directory.

Figure

5.

Tivoli

Common

Directory

information

panel

Chapter

3.

Installing

19

Page 32: IBM Tivoli Access Manager for Operating Systems: Installation Guide

5. The Tivoli Access Manager Runtime Environment configuration panel is displayed. Enter the required information in the fields provided:
   - Tivoli Access Manager host name. This is the name of the policy server, which should have already been set up and configured.
   - Tivoli Access Manager listening port. The default value is 7135.
   - Tivoli Access Manager server SSL certificate file. You must enter the full path to the policy server CA certificate. (This is not necessary if you are using the auto-download feature.)
   - Tivoli Access Manager server local domain

   Click Next. These values are validated, so a running server must be specified or an error will be displayed.

Figure 6. Tivoli Access Manager runtime environment configuration panel

6. The Tivoli Access Manager LDAP Options panel is displayed. Enter the required information in the fields provided:
   - LDAP server host name. The server must be running.
   - LDAP server port.

Figure 7. Tivoli Access Manager LDAP Options panel

7. The installation directory panel is displayed. Enter the directory where you want Tivoli Access Manager for Operating Systems to be installed. Click Next.

   If you choose to accept the default, /opt, then Tivoli Access Manager for Operating Systems and all its prerequisite files will be installed to their default locations. If you choose a different location, such as /bigdir, then Tivoli Access Manager for Operating Systems and its prerequisites will be installed as follows. The default locations will be symbolic links to:
   - /bigdir/pdos
   - /bigdir/PolicyDirector
   - /bigdir/ldapc
   - /bigdir/gskit

   The symbolic linking option is not supported on Solaris. The InstallShield Multiplatform panel will display /opt as the default directory, but will not accept input.

   Table 3. Installation Locations

   | Platform | Default Location     | Custom Location         |
   |----------|----------------------|-------------------------|
   | AIX      | /opt/pdos            | /bigdir/pdos            |
   |          | /opt/PolicyDirector  | /bigdir/PolicyDirectory |
   |          | /usr/ldap            | /bigdir/ldapc           |
   |          | /usr/opt/ibm/gskta   | /bigdir/gskit           |
   | HP-UX    | /opt/pdos            | /bigdir/pdos            |
   |          | /opt/PolicyDirector  | /bigdir/PolicyDirectory |
   |          | /usr/IBMldap         | /bigdir/ldapc           |
   |          | /opt/ibm/gsk7        | /bigdir/gskit           |
   | Linux    | /opt/pdos            | /bigdir/pdos            |
   |          | /opt/PolicyDirector  | /bigdir/PolicyDirectory |
   |          | /usr/ldap            | /bigdir/ldapc           |
   |          | /usr/local/ibm/gsk7  | /bigdir/gskit           |

   Note: If a prerequisite is already installed to the default location, then it will not be linked.

   The location scheme presented in this step enables you to install Tivoli Access Manager for Operating Systems and its prerequisites into a common directory in situations where space is a concern. Most installations will be able to use the /opt default. Click Next.

Figure 8. Tivoli Access Manager for Operating Systems Installation Directory Panel

8. The Tivoli Access Manager for Operating Systems configuration panel is displayed. Enter the information needed to configure the product in the fields provided:
   - branch option
   - Tivoli Access Manager local domain
   - admin user ID
   - admin user password
   - LDAP SSL certificate location
   - LDAP suffix
   - Additional response file to pass to pdoscfg

   Click Next.

Figure 9. Tivoli Access Manager for Operating Systems configuration panel

9. The Tivoli Access Manager for Operating Systems Pre-summary panel is displayed. This panel provides a complete description of the next installation phase, which products are to be installed and whether they are new or upgraded versions. If any of the information displayed is incorrect, use the Back button to return to an earlier panel and make revisions. Click Next.

Figure 10. Tivoli Access Manager for Operating Systems pre-summary panel

10. The Tivoli Access Manager for Operating Systems Post-summary panel is displayed. It indicates whether or not the installation was successful and, if so, provides a complete listing of what was installed.

Figure 11. Tivoli Access Manager for Operating Systems post-summary panel

A successful installation creates the following directory structure on all platforms.

Table 4. Installed Directory Structure

| Directory | Description |
|-----------|-------------|
| /opt/pdos/bin | Tivoli Access Manager for Operating Systems binaries |
| /opt/pdos/lib | Tivoli Access Manager for Operating Systems libraries |
| /opt/pdos/sbin | Tivoli Access Manager for Operating Systems system utilities |
| /opt/pdos/etc | Tivoli Access Manager for Operating Systems configuration files and other supporting files |
| /opt/pdos/kernel | Tivoli Access Manager for Operating Systems operating system kernel drivers |
| /opt/pdos/nls | Tivoli Access Manager for Operating Systems Message Catalogs |
| /var/pdos | Tivoli Access Manager for Operating Systems log files and other dynamic information |
| /var/pdos_ismp | ISMP log files and uninstaller |
| /var/ibm/tivoli/common/AOS/logs | Tivoli common log directory, if enabled. |
| /var/ibm/tivoli/common/AOS/ffdc | Tivoli common ffdc library, if enabled. |
| /var/ibm/tivoli/common/AOS/scripts | Tivoli common scripts directory, if enabled. |
| /usr/bin/pdos* | Symbolic links to Tivoli Access Manager for Operating Systems binaries in directories above |
| /usr/lib | Symbolic links to Tivoli Access Manager for Operating Systems libraries in directories above |

Installing using InstallShield Multiplatform in Silent Mode

Tivoli Access Manager for Operating Systems can also be installed using the InstallShield Multiplatform silent mode. The silent installation uses an InstallShield Multiplatform options file. The file contains the values for each input field that is required during a GUI installation. The options file is a simple text file with one option per line. It must be created in advance of running the silent installation. The available options are listed below with some sample properties.

Note: Enclose option values in quotation marks, especially if there are any spaces in the value name.

    -W AM_TCDPanel.useTcd="yes"
    -W AM_TCDPanel.tcdDir="/var/tcd/log"
    -W AMRTE_ServerOptionsUIPanel.hostName="amserver.company.com"
    -W AMRTE_ServerOptionsUIPanel.listeningPort="7135"
    -W AMRTE_ServerOptionsUIPanel.certFile=
    -W AMRTE_ServerOptionsUIPanel.localDomain="Default"
    -W AMRTE_LDAPOptionsUIPanel.ldapHost="ldapserver.company.com"
    -W AMRTE_LDAPOptionsUIPanel.ldapPort="389"
    -W AMOS_DestinationPanel.productInstallLocation="/opt"
    -W AMOS_ConfigOptions.localDomain="lab_domain"
    -W AMOS_ConfigOptions.policyBranch="lab_policy"
    -W AMOS_ConfigOptions.userAdmin="sec_master"
    -W AMOS_ConfigOptions.userPassword="root"
    -W AMOS_ConfigOptions.ldapSSLCertFile="/cert/amosintb/ldapcacert.b64"
    -W AMOS_ConfigOptions.ldapSuffix="ou=tivoli,o=ibm,c=us"
    -W AMOS_ConfigOptions.rspFile="/tmp/pdoscfg.rsp"

The following options are required:

    -W AMRTE_ServerOptionsUIPanel.hostName="amserver.company.com"
    -W AMRTE_ServerOptionsUIPanel.localDomain="Default"
    -W AMRTE_LDAPOptionsUIPanel.ldapHost="ldapserver.company.com"
    -W AMOS_DestinationPanel.productInstallLocation="/opt"
    -W AMOS_ConfigOptions.localDomain="lab_domain"
    -W AMOS_ConfigOptions.policyBranch="lab_policy"
    -W AMOS_ConfigOptions.userAdmin="sec_master"
    -W AMOS_ConfigOptions.userPassword="root"
    -W AMOS_ConfigOptions.ldapSSLCertFile="/cert/amosintb/ldapcacert.b64"
    -W AMOS_ConfigOptions.ldapSuffix="ou=tivoli,o=ibm,c=us"

The following options will revert to the defaults if they are not specified (the defaults are shown in bold):

    -W AMRTE_ServerOptionsUIPanel.listeningPort="7135"
    -W AMRTE_LDAPOptionsUIPanel.certFile=
    -W AMRTE_ServerOptionsUIPanel.ldapPort="389"
    -W AMOS_ConfigOptions.rspFile=

There are two ways to generate the options file automatically. To generate a template file that must be edited, use one of the following commands:
- install_amos_platform -options-template template_file
- java -cp install_amos_setup.jar run -options-template template_file

The installation will not proceed and the file template_file will contain lines such as ### -W AMOS_ConfigOptions.policyBranch=value. The file must be edited to contain actual values for value.

Note: Use the Java command if you are using a specific version of Java. It is also faster because the other command first looks for Java before running.

To generate a record file that captures the values used during an actual installation, use one of the following methods:
- install_amos_platform -options-record record_file
- java -cp install_amos_setup.jar run -options-record record_file

The installation will proceed normally and the record_file will contain the actual values used during the installation. This file can then be used for future installations.

To use the options file, follow the appropriate platform-specific procedures.

Note: By running in silent mode, you accept the terms of the license agreement.

AIX

1. Mount the Tivoli Access Manager for Operating Systems for AIX, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
       cd /cdrom
3. Enter one of the following commands:
       install_amos_aix -silent -options option_file
   or
       java -cp install_amos_setup.jar run -silent -options option_file

HP-UX

1. Mount the Tivoli Access Manager for Operating Systems for HP-UX, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
       cd /cdrom
3. Enter one of the following commands:
       install_amos_hp -silent -options option_file
   or
       java -cp install_amos_setup.jar run -silent -options option_file

Solaris

1. Mount the Tivoli Access Manager for Operating Systems for Solaris, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
       cd /cdrom
3. Enter one of the following commands:
       install_amos_solaris -silent -options option_file
   or
       java -cp install_amos_setup.jar run -silent -options option_file

Linux on x86

1. Mount the IBM Tivoli Access Manager for Operating Systems for Linux on xSeries, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
       cd /media/cdrom
3. Enter one of the following commands:
       install_amos_Linux -silent -options option_file
   or
       java -cp install_amos_setup.jar run -silent -options option_file

Linux on zSeries

1. Mount the IBM Tivoli Access Manager for Operating Systems for Linux on zSeries, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
       cd /media/cdrom
3. Enter one of the following commands:
       install_amos_zSeries -silent -options option_file
   or
       java -cp install_amos_setup.jar run -silent -options option_file

Linux on pSeries and iSeries

1. Mount the IBM Tivoli Access Manager for Operating Systems for Linux on pSeries and iSeries, Version 5.1 CD.
2. Change the working directory to the mount point, for example:
       cd /media/cdrom
3. Enter one of the following commands:
       install_amos_pSeries -silent -options option_file
   or
       java -cp install_amos_setup.jar run -silent -options option_file

If the installation is successful, you will have the same directory structure as with the InstallShield Multiplatform GUI installation.

Note: By running in silent mode, you accept the terms of the license agreement.
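The options file carries the administrator password (AMOS_ConfigOptions.userPassword) in cleartext, and a record file captures the values actually used, so it is worth checking the file before each silent run. The following is an added example, not IBM's code: a POSIX shell pre-flight check (all function names are hypothetical) that confirms every option this guide lists as required is present and non-empty and that the file is not accessible to group or other. The permission rule is an assumption of this example, not a requirement stated by the guide.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight check for an InstallShield
# Multiplatform options file before running "-silent -options option_file".
# Usage (script name is hypothetical): sh check_options.sh option_file

# Options this guide lists as required.
REQUIRED_OPTIONS='AMRTE_ServerOptionsUIPanel.hostName
AMRTE_ServerOptionsUIPanel.localDomain
AMRTE_LDAPOptionsUIPanel.ldapHost
AMOS_DestinationPanel.productInstallLocation
AMOS_ConfigOptions.localDomain
AMOS_ConfigOptions.policyBranch
AMOS_ConfigOptions.userAdmin
AMOS_ConfigOptions.userPassword
AMOS_ConfigOptions.ldapSSLCertFile
AMOS_ConfigOptions.ldapSuffix'

# Print the value of option $2 in file $1 with surrounding quotes removed.
# Lines that do not start with -W (for example "### -W ..." template lines)
# are ignored, so an unedited template entry counts as absent.
option_value() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, 2) != "-W") next
            rest = substr(line, 3)
            sub(/^[ \t]+/, "", rest)
            if (index(rest, key "=") != 1) next
            val = substr(rest, length(key) + 2)
            sub(/[ \t\r]+$/, "", val)
            gsub(/^"|"$/, "", val)
            found = val
        }
        END { print found }
    ' "$1"
}

# Print each required option that is absent or has an empty value.
missing_options() {
    for key in $REQUIRED_OPTIONS; do
        [ -n "$(option_value "$1" "$key")" ] || printf '%s\n' "$key"
    done
}

# True (exit 0) when group or other have any permission bit on the file.
perms_too_open() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" != "------" ]
}

# Run all checks; messages go to stderr, exit status is 0 only if clean.
check_options_file() {
    file=$1
    problems=0
    if [ ! -r "$file" ]; then
        echo "cannot read options file: $file" >&2
        return 2
    fi
    for key in $(missing_options "$file"); do
        echo "required option missing or empty: -W $key" >&2
        problems=$((problems + 1))
    done
    if [ -n "$(option_value "$file" AMOS_ConfigOptions.userPassword)" ] &&
        perms_too_open "$file"; then
        echo "userPassword is stored in cleartext; restrict the file (chmod 600)" >&2
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Write a constructed sample options file to $1 (placeholder values only).
write_sample_options() {
    cat > "$1" <<'EOF'
-W AMRTE_ServerOptionsUIPanel.hostName="amserver.company.com"
-W AMRTE_ServerOptionsUIPanel.localDomain="Default"
-W AMRTE_LDAPOptionsUIPanel.ldapHost="ldapserver.company.com"
-W AMOS_DestinationPanel.productInstallLocation="/opt"
-W AMOS_ConfigOptions.localDomain="lab_domain"
-W AMOS_ConfigOptions.policyBranch="lab_policy"
-W AMOS_ConfigOptions.userAdmin="sec_master"
-W AMOS_ConfigOptions.userPassword="EXAMPLE-PLACEHOLDER"
-W AMOS_ConfigOptions.ldapSSLCertFile="/cert/amosintb/ldapcacert.b64"
-W AMOS_ConfigOptions.ldapSuffix="ou=tivoli,o=ibm,c=us"
EOF
}

if [ $# -gt 0 ]; then
    check_options_file "$1"
    exit $?
fi
```

The same check applies to a file produced with -options-record, since it holds the values entered during the recorded installation.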

Installing on AIX using native installation

Tivoli Access Manager for Operating Systems can be installed on AIX using the System Management Interface Tool (SMIT) or it can be installed from the command line.

The following prerequisite products, located on the IBM Tivoli Access Manager for Operating Systems for AIX CD, must be installed and configured before installing Tivoli Access Manager for Operating Systems:
- IBM Global Security Kit (GSkit)
- IBM Directory Server (LDAP) Client
- IBM Directory Secure Max Crypto Client
- Tivoli Access Manager Runtime Environment

Refer to Table 1 on page 4 for package names, version numbers, and patch levels. Documentation for installing these products can be found in the Tivoli Information Center at the following URL:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Depending on your system settings, prerequisite products might be installed as part of the Tivoli Access Manager for Operating Systems installation process.

Installing on AIX using SMIT

Use these steps to install Tivoli Access Manager for Operating Systems on AIX using SMIT:

1. Insert the IBM Tivoli Access Manager for Operating Systems for AIX CD into the CD-ROM drive.
2. Log in as root.
3. Enter the following command at the command line:
       smit
   The System Management Interface Tool panel is displayed.
4. From the System Management menu, click Software Installation and Maintenance.
5. From the Software Installation and Maintenance menu, click Install and Update Software.
6. From the Install and Update Software menu, click Install and Update from LATEST Available Software.
7. Specify the INPUT device/directory for the software by entering the name of the directory where the Tivoli Access Manager for Operating Systems package is located: /dev/cd0. Click OK.
8. The Install and Update from LATEST Available Software panel is redisplayed.
9. Next to the SOFTWARE to install selection, click List. The Multi-select List panel is displayed. Highlight 5.1 IBM Tivoli Access Manager for Operating Systems Runtime. Click OK.
10. The Install and Update from LATEST Available Software panel is displayed again. Click OK.
11. Confirm your installation choices. Click OK. During installation, the Install and Update from LATEST Available Software panel displays a split screen that shows the install command and the output log for the installation.
12. When installation is complete, click Done.
13. Close the Install and Update from LATEST Available Software panel. The System Management Interface Tool panel is displayed.
14. Remove the CD from the CD-ROM drive.

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Installing on AIX from the command line

To install Tivoli Access Manager for Operating Systems on AIX from the command line, use these steps:

1. Insert the IBM Tivoli Access Manager for Operating Systems for AIX CD into the CD-ROM drive.
2. Log in as root.
3. Enter the following command on the command line, replacing /dev/cd0 with the mount point of the CD-ROM drive to install the Tivoli Access Manager for Operating Systems runtime.
       installp -c -a -g -X -d /dev/cd0/usr/sys/inst.images PDOS.rte
4. Remove the CD from the CD-ROM drive.

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Note: Use of the installp command with AIX, Versions 5.1 and 5.2, creates installation directories that have a timestamp of “Dec 31, 1969”. This is a known issue. The timestamps do not affect the operation of Tivoli Access Manager for Operating Systems.

Installing on HP-UX using native installation

Tivoli Access Manager for Operating Systems can be installed on HP-UX using swinstall, or it can be installed from the command line. The files must be installed in the /opt/pdos and /var/pdos directories. Do not change the target from /.

The following prerequisite products, located on the installation CD, must be installed and configured before installing Tivoli Access Manager for Operating Systems:
- IBM Global Security Kit
- IBM Directory Server Client
- IBM Tivoli Access Manager runtime environment

Refer to Table 1 on page 4 for package names, version numbers, and patch levels. Documentation for installing these products is available in the Tivoli Information Center at the following URL:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Installing on HP-UX using swinstall

To install Tivoli Access Manager for Operating Systems on HP-UX, complete the following steps:

1. Insert the IBM Tivoli Access Manager for Operating Systems for HP-UX CD.
2. Log on as root.
3. Start pfs_mountd and then pfsd, if they are not running. Mount the CD with the pfs_mount command. For example, enter the following command at the command line:
       pfs_mount /dev/dsk/c0t0d0 /cd-rom
   where /dev/dsk/c0t0d0 is the CD-ROM device and /cd-rom is the mount point.
4. At the command line, enter:
       swinstall
   Click Enter.
5. The SD Install Software Selection panel and Specify Source panel are displayed. Select Local CDROM from the Source Depot Type list. For the Source Depot path, enter /cd-rom/hp where cd-rom is the mount point for the CD. Click OK.
6. Continuing on the SD Install Software Selection window, mark the software you want to install by selecting the Tivoli Access Manager for Operating Systems package PDOSrte. Click the Actions menu and select Mark for Install.
7. Click the Actions menu and select Install (analysis). The Install Analysis panel is displayed. When status is Ready, click OK. The Confirmation panel is displayed. Click Yes.
8. The Install Window panel displays the status of the installation process. When the status is Completed, click Done.
9. Close the SD Install Software Selection window.
10. Unmount and remove the CD from the CD-ROM drive.

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Installing on HP-UX from the command line

To install Tivoli Access Manager for Operating Systems on HP-UX from the command line, follow these steps:

1. Insert the IBM Tivoli Access Manager for Operating Systems for HP-UX CD.
2. Log on as root.
3. Start pfs_mountd and then pfsd, if they are not running. Mount the CD with the pfs_mount command. For example, at the command line, enter:
       pfs_mount /dev/dsk/c0t0d0 /cd-rom
   where /dev/dsk/c0t0d0 is the CD-ROM device and /cd-rom is the mount point. Click Enter.
4. At the command line, enter:
       swinstall -s /cd-rom/hp PDOSrte
   where /cd-rom/hp is the directory.
5. Unmount and then remove the CD from the CD-ROM drive.

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Installing on Solaris using native installation

Tivoli Access Manager for Operating Systems can be installed on Solaris using Admintool, or it can be installed from the command line.

The following prerequisite products, located on the Installation CD, must be installed and configured before installing IBM Tivoli Access Manager for Operating Systems:
- IBM Global Security Kit
- IBM Directory Server Client
- Tivoli Access Manager runtime environment

Refer to Table 1 on page 4 for package names, version numbers, and patch levels. Documentation for installing these products is available in the Tivoli Information Center at the following URL:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Installing on Solaris using Admintool

Use these steps to install Tivoli Access Manager for Operating Systems on Solaris using Admintool:

1. Insert the IBM Tivoli Access Manager for Operating Systems for Solaris CD.
2. Log on as root.
3. At the command line, enter:
       admintool
   The Admintool: Users panel is displayed.
4. In the Admintool: Users Browse menu, select Software. The Admintool: Software panel is displayed.
5. Click Edit and select Add. The Admintool: Set Source Media window is displayed.
6. Select CD with Volume Management from the Software Location list and enter /cdrom/cdrom0/solaris in the CD Path field. Click OK. The Admintool: Add Software panel is displayed.
7. From the Admintool: Add Software panel, select IBM Tivoli Access Manager for Operating Systems runtime. Click Add.
8. Confirmation messages are displayed before packages are installed. The order in which they are displayed depends on the order in which the packages are installed. The confirmation message, “Do you want to install this package?” is displayed for each package. Enter Yes when the message is displayed. Click Return.
9. A confirmation message is displayed after one of the packages has been installed: “Do you want to continue with installation?” Enter Yes when it is displayed. Click Return.
10. A confirmation message is displayed after one of the packages has been installed and you have indicated that you want to continue with the installation: “Do you want to install these conflicting files?” Enter Yes when the message is displayed. Click Return.
11. A confirmation message, “The following files are being installed with setuid and/or setgid permissions,” and other information is displayed for the runtime package, along with a list of files, and the question, “Do you want to install these as setuid/setgid files?” Enter Yes. Click Return.
12. Another confirmation message is displayed for the runtime packages: “This package contains scripts which will be executed with super-user permission during the process of installing this package. Do you want to continue with installation of package name?” Enter Yes. Click Return.
13. After installation is complete, click Return. The Admintool: Software panel is displayed.
14. Remove the CD from the CD-ROM drive.

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Installing on Solaris from the command line

To install Tivoli Access Manager for Operating Systems on Solaris from the command line, use these steps:

1. Insert the IBM Tivoli Access Manager for Operating Systems for Solaris CD.
2. Log on as root.
3. At the command line, enter:
       pkgadd -d /cdrom/cdrom0/solaris -a /cdrom/cdrom0/solaris/pddefault PDOSrte
   where /cdrom/cdrom0/solaris is the directory, and /cdrom/cdrom0/solaris/pddefault is the script in the same directory as the desired package.
4. Remove the CD from the CD-ROM drive by entering the following at the command line:
       eject

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Installing on Linux using native installation

Tivoli Access Manager for Operating Systems can be installed on Linux x86, Linux for zSeries, or Linux for iSeries and pSeries, using the Linux native installation utility.

The following prerequisite products, located on the Tivoli Access Manager for Operating Systems platform-specific CD, must be installed and configured before installing Tivoli Access Manager for Operating Systems:
- IBM Global Security Kit
- IBM Directory Server Client
- Tivoli Access Manager runtime environment

Refer to Table 1 on page 4 for package names, version numbers, and patch levels. Documentation for installing these products can be found in the Tivoli Information Center at the following URL:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

To install Tivoli Access Manager for Operating Systems on Linux from the command line, follow these steps:

1. Insert the appropriate IBM Tivoli Access Manager for Operating Systems for Linux CD (Linux for xSeries, Linux for zSeries, or Linux for i/pSeries).
2. Log on as root.
3. Mount the CD-ROM drive from the command line, using a command such as:
       mount /media/cdrom/
4. Enter the following command, depending on your Linux platform (Linux for xSeries, Linux for zSeries, or Linux for i/pSeries):
   - For Linux for xSeries:
         rpm -i /media/cdrom/linux/PDOSrte-PDOSruntime-5.1.0-0.i386.rpm
   - For Linux for zSeries:
         rpm -i /media/cdrom/zSeries/PDOSrte-PDOSruntime-5.1.0-0.s390.rpm
   - For Linux for i/pSeries:
         rpm -i /media/cdrom/pSeries/PDOSrte-PDOSruntime-5.1.0-0.ppc.rpm

After installing Tivoli Access Manager for Operating Systems, you must configure it before use. See Chapter 4, “Configuring,” on page 49 for details.

Installing the Tivoli Management Framework integration packages

If you intend to manage Tivoli Access Manager for Operating Systems from the Tivoli desktop, you must install:

IBM Tivoli Access Manager for Operating Systems Management Tasks, Version 5.1
    This product must be installed on the Tivoli management region server. This component provides the PDOS Tasks task library (the names of the tasks have not yet been changed to match the new product name), which enables you to manage the Tivoli Access Manager for Operating Systems runtime on UNIX endpoints and managed nodes from the Tivoli desktop.

If you intend to use IBM Tivoli Enterprise Console or IBM Tivoli Risk Manager with Tivoli Access Manager for Operating Systems, you must install:

IBM Tivoli Access Manager for Operating Systems Enterprise Console Integration, Version 5.1
    This product must be installed on the Tivoli management region server, the Tivoli Enterprise Console server, and on gateways managing Tivoli Access Manager for Operating Systems endpoints. This component should be installed after Tivoli Enterprise Console has been installed. This component uses the Tivoli Enterprise Console logfile adapter to send security events that are critical to security administrators. The adapter formats and forwards events to Tivoli Enterprise Console or to Tivoli Risk Manager. A set of rules and associated actions is provided, where appropriate, for the supported events.

Installing

the

Tivoli

Access

Manager

for

Operating

Systems

management

tasks

To

maintain

the

Tivoli

Access

Manager

for

Operating

Systems

environment

from

the

Tivoli

desktop,

you

should

install

the

AMOS

Management

Tasks

on

the

Tivoli

management

region

server.

Note:

If

you

are

upgrading

from

an

earlier

version

of

the

Tivoli

Access

Manager

for

Operating

Systems

Management

Tasks,

see

“Upgrading

the

IBM

Tivoli

Access

Manager

for

Operating

Systems

management

tasks”

on

page

38

Desktop

To

install

the

AMOS

Management

Tasks,

perform

the

following

steps:

1.

Select

the

Install

Install

Product

option

from

the

Desktop

menu

to

display

the

Install

Product

panel.

2.

Select

Tivoli

Access

Manager

for

Operating

Systems

Management

Tasks,

Version

5.1

from

the

Select

Product

to

Install

scrolling

list.

Chapter

3.

Installing

35

Page 48: IBM Tivoli Access Manager for Operating Systems: Installation Guide

3.

Select

the

managed

nodes

and

servers

on

which

to

install

the

module.

This

should

include

the

Tivoli

management

region

server.

The

target

machines

are

displayed

in

the

Clients

to

Install

On

scrolling

list.

4.

Click

the

Install

button

to

begin

installing

the

module.

The

installation

process

prompts

you

with

a

Product

Install

panel.

This

panel

provides

the

list

of

operations

that

take

place

during

the

installation

process.

It

also

warns

you

of

any

problems

that

you

should

correct

before

you

install

the

module.

5.

Click

the

Continue

Install

button

to

continue

the

installation

process

and

display

the

Product

Install

status

panel.

The

Product

Install

status

panel

presents

status

information

as

the

installation

proceeds.

When

the

installation

is

complete,

the

Product

Install

panel

displays

a

completion

message.

6.

Click

the

Close

button

to

close

the

panel.

Command line

The following example command installs the AMOS Management Tasks. See the Tivoli Management Framework Reference Manual for more information about the winstall command.

    winstall -c /cdrom -s colby -i PDOSTASK.IND

where:

-c /cdrom
    Specifies the path to the installation CD.

-s colby
    Specifies the managed node in the Tivoli region to use as the module’s installation server. Normally, the module’s server is the Tivoli management region server, and that is the default setting. In this example, the server name is colby.

-i PDOSTASK.IND
    Specifies the index file from which this module is installed.

Installing the Tivoli Access Manager for Operating Systems Enterprise Console Integration

The Tivoli Access Manager for Operating Systems Enterprise Console Integration, Version 5.1, component provides a logfile event adapter that allows Tivoli Access Manager for Operating Systems events to be sent to the Tivoli Enterprise Console.

Note: Refer to the Tivoli Enterprise Console documentation to determine the operating system requirements that must be met to run Tivoli Enterprise Console. The Tivoli Access Manager for Operating Systems Enterprise Console Integration component can be installed on any supported Tivoli Enterprise Console system.

If you are upgrading from an earlier version of the Tivoli Access Manager for Operating Systems Enterprise Console Integration component, see “Upgrading the Tivoli Access Manager for Operating Systems Enterprise Console Integration” on page 39.

To take advantage of this component, you must install Tivoli Enterprise Console before installing Tivoli Access Manager for Operating Systems Enterprise Console Integration. If you install it after, you must reinstall Tivoli Access Manager for Operating Systems Enterprise Console Integration.


The Tivoli Access Manager for Operating Systems Enterprise Console Integration package must be installed on the Tivoli management region server and the Tivoli Enterprise Console event server, as well as on any managed node that is a gateway to a Tivoli Access Manager for Operating Systems endpoint. On the Tivoli management region server, tasks are installed to allow you to configure the Tivoli Enterprise Console event server. On the gateways, files for distribution to the Tivoli Access Manager for Operating Systems endpoints are installed. On the Tivoli Enterprise Console event server, the appropriate configuration files are installed to allow the Tivoli Enterprise Console to recognize and process Tivoli Access Manager for Operating Systems events.

An adapter configuration profile, named PDOS-ACPROF or PDOS-RISKMGR-ACPROF, is created in the profile manager and a tecad_logfile_pdos or tecad_logfile_pdos_riskmgr record is added to that profile to configure the logfile adapter on the endpoint. More information on installing a Tivoli Enterprise Console event server and using the adapter configuration facility can be found in the Tivoli Enterprise Console User’s Guide.

Note: You must configure the Tivoli Enterprise Console logfile adapter before using it. Refer to the IBM Tivoli Access Manager for Operating Systems Administration Guide for details.

Desktop

To install Tivoli Access Manager for Operating Systems Enterprise Console Integration, Version 5.1, perform the following steps on the Tivoli management region server, the Tivoli Enterprise Console event server, and on gateways.

1. Select the Install→Install Product option from the Desktop menu to display the Install Product panel.
2. Select Tivoli Access Manager for Operating Systems Console Integration, Version 5.1 from the Select Product to Install scrolling list.

3. Select the managed nodes and servers on which to install the module. This list should include the Tivoli management region server, the Tivoli Enterprise Console event server, and any managed node that acts as a gateway for a Tivoli Access Manager for Operating Systems endpoint. The target machines are displayed in the Clients to Install On scrolling list.
4. Click the Install button to begin installing the module. The installation process prompts you with a Product Install panel. This panel provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.
5. Click the Continue Install button to continue the installation process and display the Product Install status panel. The Product Install status panel presents status information as the installation proceeds. When the installation is complete, the Product Install panel displays a completion message.
6. Click the Close button to close the panel.

Command line

Use the following command to install the Tivoli Access Manager for Operating Systems Enterprise Console Integration, Version 5.1:

    winstall -c /cdrom -s monterey -i PDOSTEC.IND

where:


-c /cdrom
    Specifies the path to the installation CD.

-s monterey
    Specifies the managed node where the component is to be installed. In this example, the node name is monterey.

-i PDOSTEC.IND
    Specifies the index file from which this module is installed.

Note: For information about how to configure the pdostecd daemon, see the IBM Tivoli Access Manager for Operating Systems Administration Guide.

Upgrading the IBM Tivoli Access Manager for Operating Systems management tasks

If you are currently maintaining the Tivoli Access Manager for Operating Systems environment from the Tivoli desktop, you should upgrade the Tivoli Access Manager for Operating Systems Management Tasks on the Tivoli management region server.

Desktop

To upgrade the AMOS Management Tasks, perform the following steps:

1. Select the Install→Install Patch option from the Desktop menu to display the Install Patch panel.
2. Select Tivoli Access Manager for Operating Systems Management Tasks, Upgrade to Version 5.1 from the Select Patch to Install scrolling list.

3. Select the managed nodes and servers on which to install the module. This should include the Tivoli management region server. The target machines are displayed in the Clients to Install On scrolling list.
4. Click the Install button to begin installing the module. The installation process prompts you with a Patch Install panel. This dialog provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.
5. Click the Continue Install button to continue the installation process and display the Patch Install status panel. The Patch Install status panel presents status information as the installation proceeds. When the installation is complete, the Patch Install panel displays a completion message.
6. Click the Close button to close the panel.

Command line

The following example command upgrades the Tivoli Access Manager for Operating Systems Management Tasks. See the Tivoli Management Framework Reference Manual for more information about the wpatch command.

    wpatch -c /cdrom -s colby -i PTASKU.IND

where:

-c /cdrom
    Specifies the path to the installation CD.

-s colby
    Specifies the managed node in the Tivoli region to use as the module’s installation server. Normally, the module’s server is the Tivoli management region server, and that is the default setting. In this example, the server name is colby.

-i PTASKU.IND
    Specifies the index file from which this module is installed.


Upgrading the Tivoli Access Manager for Operating Systems Enterprise Console Integration

The Tivoli Access Manager for Operating Systems Enterprise Console Integration, Version 5.1, component provides a logfile event adapter that allows Tivoli Access Manager for Operating Systems events to be sent to the Tivoli Enterprise Console.

Note: Refer to the Tivoli Enterprise Console documentation to determine the operating system requirements that must be met to run Tivoli Enterprise Console. The Tivoli Access Manager for Operating Systems Enterprise Console Integration component can be installed on any supported Tivoli Enterprise Console system.

The Tivoli Access Manager for Operating Systems Enterprise Console Integration package must be installed on the Tivoli management region server and the Tivoli Enterprise Console event server, as well as on any managed node that is a gateway to a Tivoli Access Manager for Operating Systems endpoint.

Desktop

To upgrade the Tivoli Access Manager for Operating Systems Enterprise Console Integration, perform the following steps:

1. Select the Install→Install Patch option from the Desktop menu to display the Install Patch panel.
2. Select Tivoli Access Manager for Operating Systems Console Integration, Upgrade to Version 5.1 from the Select Product to Install scrolling list.

3. Select the managed nodes and servers on which to install the module. This list should include the Tivoli management region server, the Tivoli Enterprise Console event server, and any managed node that acts as a gateway for a Tivoli Access Manager for Operating Systems endpoint. The target machines are displayed in the Clients to Install On scrolling list.
4. Click the Install button to begin installing the module. The installation process prompts you with a Patch Install panel. This dialog provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.
5. Click the Continue Install button to continue the installation process and display the Patch Install status panel. The Patch status panel presents status information as the installation proceeds. When the installation is complete, the Patch Install panel displays a completion message.
6. Click the Close button to close the panel.

Note: For information about how to configure the PDOSTECD daemon, see the IBM Tivoli Access Manager for Operating Systems Administration Guide.

Command line

Use the following command to upgrade the Tivoli Access Manager for Operating Systems Enterprise Console Integration:

    wpatch -c /cdrom -s monterey -i PDTECU.IND

where:

-c /cdrom
    Specifies the path to the installation CD.


-s monterey
    Specifies the managed node where the component is to be installed. In this example, the node name is monterey.

-i PDTECU.IND
    Specifies the index file from which this module is installed.

Tivoli Access Manager for Operating Systems Event Console Integration, Version 5.1, updates format and BAROC files to include new types of events. If you upgrade Tivoli Access Manager for Operating Systems Event Console Integration, Version 5.1, you must take the following steps to correctly generate and process the new events in Version 5.1:

1. Run the Setup TEC Event Server for PDOS task to create a new rule base on the Tivoli Enterprise Console event server. If you want to create the new rule base with the same name as the old rule base, first delete the rule base using the command wrb -delrb rule_base_name, and delete the old rule base directory on the system where it is located. Alternatively, create the new rule base with a new name.
2. Redistribute the PDOS-ACPROF or PDOS-RISKMGR-ACPROF to Tivoli Access Manager for Operating Systems endpoints.

Upgrade post-installation procedures

If you have just upgraded a previous version of Tivoli Access Manager for Operating Systems to this version, perform the following procedure:

1. If you disabled autostart and login activity policy enforcement of the Tivoli Access Manager for Operating Systems daemons before upgrading, re-enable them by logging in as root and entering the following command:

       pdoscfg -autostart on -login_policy on

2. If you were using the pdostecd daemon to send events to Tivoli Enterprise Console and had the daemon enabled for autostart before upgrading, re-enable it by entering the following command:

       pdosteccfg -autostart on

Changes were made to the initial Tivoli Access Manager for Operating Systems policy. This is the policy that is defined by default when the first Tivoli Access Manager for Operating Systems system is initially configured and when the first system of each new policy branch is configured. If you are upgrading from Version 3.8, refer to the installation guide for Tivoli Access Manager for Operating Systems, Version 4.1, for instructions on upgrading from Version 3.8.

These changes were not automatically applied during your upgrade of Tivoli Access Manager for Operating Systems. You should review the changes and then apply them to your existing environment.

For upgrading from Version 4.1 to Version 5.1, there are two files provided that contain the policy updates. They each contain a set of Tivoli Access Manager pdadmin commands that make the necessary changes to upgrade the policy. The files are:

osseal.once-only.u5100
    Contains the policy changes that must be applied once to each Tivoli Access Manager policy server domain.

osseal.per-policy.u5100
    Contains the policy changes that must be applied to each policy branch.

1. Review the osseal.once-only.u5100 and osseal.per-policy.u5100 files in the /opt/pdos/etc directory to understand the nature of the changes being made. The default policy established by Tivoli Access Manager for Operating Systems ensures that the system functions properly and maintains a secure environment. The existing default policy should not be modified.

   Note: If you use Tivoli Security Manager to manage the Tivoli Access Manager for Operating Systems security policy and you have changed any of the policy initially defined when Tivoli Access Manager for Operating Systems, Version 4.1, was installed and configured, you should review these policy upgrades and incorporate them into your security profiles as appropriate.

2. Apply to your existing policy the changes that affect the Tivoli Access Manager policy server region by running the pdos_defpolicy_update script on any system that has Tivoli Access Manager for Operating Systems, Version 5.1, installed and configured:

       pdos_defpolicy_update -f /opt/pdos/etc/osseal.once-only.u5100

   You are prompted for the Tivoli Access Manager security master password.

3. Apply to your existing policy the changes that affect each policy branch by running the pdos_defpolicy_update script:

       pdos_defpolicy_update -f /opt/pdos/etc/osseal.per-policy.u5100 -branch branch-name

   where branch-name is the name of the policy branch. If you run the script on a system that is configured to use the policy branch, you do not need to specify the -branch option. You are prompted for the Tivoli Access Manager security master password.

4. After updating the default policy in each Tivoli Access Manager policy server region, in every policy branch, and in every machine in the policy branch, restart Tivoli Access Manager for Operating Systems by entering the following command:

       rc.osseal start

   Note: If the previous version of Tivoli Access Manager for Operating Systems has been active at any time since the last reboot, the system must be rebooted before starting this new version. Rebooting ensures that the Tivoli Access Manager for Operating Systems components that run in the user-level application space and those that run in the UNIX kernel are at the same level. After this new version is installed, if a previous version of the kernel components is still loaded, all attempts to start Tivoli Access Manager for Operating Systems will fail until the system is rebooted.

Enabling language support

IBM Tivoli Access Manager for Operating Systems is translated into the following languages:

• Brazilian Portuguese
• Chinese (simplified)
• Chinese (traditional)
• French
• German
• Italian
• Japanese
• Korean
• Spanish

The translations for these languages are provided as language packages on the Tivoli Access Manager for Operating Systems Language Support CD.

To obtain language support for Tivoli Access Manager for Operating Systems, you must install the language support package. If you do not install the language support package, the associated product displays all text in English.

If language support is installed and you upgrade the product, you must also install the corresponding language support product, if one exists. If you do not install the language support after upgrading, the associated product might display some fields and messages in English.

To enable these languages for the Tivoli Access Manager for Operating Systems Framework Support modules, install the appropriate language support pack from the IBM Tivoli Access Manager for Operating Systems [xxxxxx] CD. For installation procedures, see “Installing the Tivoli Management Framework integration packages” on page 35. Substitute the desired language support pack names for the product names shown in the procedures.

Installing the language packs using InstallShield Multiplatform

The IBM Tivoli Access Manager for Operating Systems Language Support CD contains the message catalogs for the various languages into which Tivoli Access Manager for Operating Systems is translated. Installation of the language packs is accomplished by InstallShield Multiplatform using the following procedure:

1. Mount the IBM Tivoli Access Manager for Operating Systems Language Support CD.
2. Change the working directory to the mount point; for example:

       cd /cdrom

3. Change the working directory to the AMOSNLS directory:

       cd AMOSNLS

4. Enter the following command:

       install_amos_lp

   The setup script determines if the appropriate level of Java (Version 1.3.1) is installed. If it is, the installation program is initiated. If it is not, follow the instructions below in “Installing Java for language support packages.”

Installing Java for language support packages

Note: The language support package can be installed only if the Tivoli Access Manager for Operating Systems daemons are not running.

To install the JRE and the language support packages, complete the following procedure:

1. Install the JRE for your particular platform:

   • On AIX systems, follow these steps:
     a. Log on the system as root.
     b. Mount the Tivoli Access Manager for Operating Systems Language Support CD.
     c. Change the working directory to:

            /cdrom/usr/sys/inst.images

     d. At the command prompt, enter the following command:

            installp -c -a -g -X -d /dev/cd0 Java131.rte

   • On HP-UX systems, follow these steps:
     a. Log on the system as root.
     b. Mount the Tivoli Access Manager for Operating Systems Language Support CD.
     c. Change the working directory to:

            /cdrom/hp

     d. Start pfs_mountd and then pfsd in the background, if these services are not running, and then mount the CD with the pfs_mount command.
     e. Enter the following command:

            swinstall -s /cd-rom/hp rte_13_13108_1100.depot B9789AA

        where /cd-rom/hp is the directory.

   • On Linux on x86 systems, follow these steps:
     a. Log on the system as root.
     b. Mount the IBM Tivoli Access Manager for Operating Systems Language Support CD.
     c. Change the working directory to /cdrom/xSeries.
     d. Enter the following command:

            rpm -i IBMJava2-JRE-1.3.1-3.0.i386.rpm

   • On Linux for zSeries systems, follow these steps:
     a. Log on the system as root.
     b. Mount the IBM Tivoli Access Manager for Operating Systems Language Support CD.
     c. Change the working directory to /cdrom/zSeries.
     d. Enter the following command:

            rpm -i IBMJava2-JRE-1.3.1-3.0.s390.rpm

   • On Linux for i/pSeries systems, follow these steps:
     a. Log on the system as root.
     b. Mount the IBM Tivoli Access Manager for Operating Systems Language Support CD.
     c. Change the working directory to /cdrom/pSeries.
     d. Enter the following command:

            rpm -i IBMJava2-JRE-1.3.1-3.0.ppc.rpm

   • On Solaris systems, follow these steps:
     a. Log on the system as root.
     b. Mount the IBM Tivoli Access Manager for Operating Systems Language Support CD.
     c. Change the working directory to /cdrom/solaris.
     d. Enter the following command:

            pkgadd -d . SUNWj3rt


2. Click Next to begin the installation. The Software License Agreement dialog is displayed.
3. To accept the license agreement, select I accept the terms in the license agreement and then click Next. A dialog showing a list of language packages is displayed.
4. Select the language packages that you want to install and click Next. A dialog showing the location and features of the language packages you selected is displayed.
5. To accept the language packages you selected, click Next. The language packages you selected are installed.
6. Click Finish to close the installation program.

Installing language support packages for Tivoli Access Manager for Operating Systems Framework Support modules

To enable the language support for Tivoli Access Manager for Operating Systems Framework Support modules, install the appropriate language support pack from the Tivoli Access Manager for Operating Systems Language Support CD.

Desktop

To install the Tivoli Access Manager for Operating Systems Framework Support modules, install the appropriate language support pack from the Tivoli Access Manager for Operating Systems Language Support CD.

1. Select the Install→Install Product option from the Desktop menu to display the Install Product panel.
2. Select the Tivoli Access Manager for Operating Systems Framework Support, Version 5.1, of the desired language pack from the Select Product to Install list.
3. Select the managed nodes and servers on which to install the module. This should include the Tivoli management region server. The target machines are displayed in the Clients to Install On list.
4. Click Install to begin installing the module. The installation process prompts you with a Product Install panel. This panel provides the list of operations that take place during the installation process. It also warns you of any problems that you should correct before you install the module.
5. Click Continue Install to continue the installation process and display the Product Install status panel. The Product Install status panel presents status information as the installation proceeds. When the installation is complete, the Product Install panel displays a completion message.
6. Click Close to close the panel.

Command Line

Enter the following commands to install the Tivoli Access Manager for Operating Systems Framework Support modules language pack:

1. Insert the CD.
2. Change the working directory:

       cd TASKNLS

3. Enter:

       winstall -c /cdrom/TASKNLS -s monterey -i LANGPACK.IND

   where

   • -c /cdrom/TASKNLS specifies the path to the installation CD and directory.
   • -s monterey specifies the managed node where the component is to be installed. In this example, the node name is monterey.
   • -i LANGPACK.IND specifies the index file from which this module is installed. See the following table for LANGPACK.IND values.

Table 5. LANGPACK.IND Values

Language                 LANGPACK.IND Value
German                   AMOS_DE.IND
Spanish                  AMOS_ES.IND
French                   AMOS_FR.IND
Italian                  AMOS_IT.IND
Japanese                 AMOS_JA.IND
Korean                   AMOS_KO.IND
Brazilian Portuguese     AMOS_PTB.IND
Chinese (simplified)     AMOS_ZHC.IND
Chinese (traditional)    AMOS_ZHT.IND

Locale environment variables

As with most current operating systems, localized behavior is obtained by specifying the desired locale. For Tivoli Access Manager for Operating Systems software, you set the LANG environment variable to the desired locale name as specified by POSIX, X/Open, or other open systems standards.

As specified by open systems standards, other environment variables override LANG for some or all locale categories. These variables include the following:

• LC_CTYPE
• LC_TIME
• LC_NUMERIC
• LC_MONETARY
• LC_COLLATE
• LC_MESSAGES
• LC_ALL

If any of the previous variables are set, you must remove their setting for the LANG variable to have full effect.

LANG variable

Most UNIX systems use the LANG variable to specify the desired locale. Different UNIX operating systems, however, require different locale names to specify the same language. Be sure to use a value for LANG that is supported by the operating system that you are using.

You can obtain the locale names by running the following command:

    locale -a

Using locale variants

Although Tivoli Access Manager for Operating Systems software currently provides only one translated version for each language, you can use a preferred locale variant, and Tivoli Access Manager for Operating Systems finds the corresponding language translation. For example, Tivoli Access Manager for Operating Systems provides one translation for French, but each of the following locale settings finds the appropriate translation:

• fr is the locale name for standard French
• fr_FR is the locale name for French in France
• fr_CA is the locale name for French in Canada
• fr_CH is the locale name for French in Switzerland

Message catalogs

Message catalogs are typically installed in a top-level /msg directory and each of these message catalogs is installed under a language-specific subdirectory as follows:

    /opt/pdos/nls/msg/locale

Tivoli Access Manager for Operating Systems recognizes variations in locale names and is usually able to map the specified value to the appropriate message catalog. The NLSPATH variable is used to find the appropriate message catalog directory, as specified by open systems standards.

For example, if the message catalogs are in /opt/pdos/nls/msg, the NLSPATH variable is set to the following:

    /opt/pdos/nls/msg/%L/%N.cat

The %L directive is expanded to the message catalog directory that most closely matches the current user language selection, and %N.cat expands to the desired message catalog. If a message catalog is not found for the desired language, the English C message catalogs are used.

For example, suppose you specify the AIX locale for German in Switzerland as follows:

    LANG=De_CH.IBM-850

The %L directive is expanded in the following order to locate the specified locale:

1. de_CH
2. de
3. C

Because Tivoli Access Manager for Operating Systems does not provide a German in Switzerland language package, de_CH is not found. If the Tivoli Access Manager for Operating Systems German language package is installed, de is used. Otherwise, the default locale C is used, causing text to be displayed in English.
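The lookup described under "Locale environment variables" and "Message catalogs", as an added shell example that is not part of the IBM guide or the product: it reports which LC_* variables override LANG and walks the %L fallback order (de_CH, de, C) against a catalog root directory. The function names, the name normalisation rules and the rejection of values containing path characters are assumptions of this example; the guide only says that variations in locale names are recognized.

```shell
#!/bin/sh
# Added example, not IBM code. Function names and the normalisation rules
# below are assumptions; the guide only says name variations are recognized.

# POSIX precedence for message text: LC_ALL, then LC_MESSAGES, then LANG.
# Arguments: the three values in that order (empty string when unset).
effective_msg_locale() {
    for v in "$1" "$2" "$3"; do
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    printf 'C\n'
}

# Print NAME=value for every variable from the guide's list that is set and
# would therefore keep LANG from having full effect.
overriding_vars() {
    for name in LC_CTYPE LC_TIME LC_NUMERIC LC_MONETARY LC_COLLATE \
                LC_MESSAGES LC_ALL; do
        eval "val=\${$name:-}"
        if [ -n "$val" ]; then
            printf '%s=%s\n' "$name" "$val"
        fi
    done
    return 0
}

# Print the %L lookup order for one locale value, most specific first.
locale_candidates() {
    loc=${1%%.*}     # drop the code set, e.g. ".IBM-850"
    loc=${loc%%@*}   # drop a modifier, e.g. "@euro"
    case $loc in
        # Empty, C/POSIX, or anything with characters that could change the
        # directory being searched (slashes, dots) falls back to C.
        ''|C|POSIX|*[!A-Za-z0-9_]*) printf 'C\n'; return 0 ;;
    esac
    lng=$(printf '%s' "${loc%%_*}" | tr '[:upper:]' '[:lower:]')
    case $loc in
        *_*)
            terr=$(printf '%s' "${loc#*_}" | tr '[:lower:]' '[:upper:]')
            printf '%s_%s\n' "$lng" "$terr"
            ;;
    esac
    printf '%s\nC\n' "$lng"
}

# Print the first existing MSGROOT/<candidate> directory for LOCALE.
# Returns 1 when not even the C catalog directory exists.
resolve_catalog_dir() {
    root=$1
    for cand in $(locale_candidates "$2"); do
        if [ -d "$root/$cand" ]; then
            printf '%s\n' "$root/$cand"
            return 0
        fi
    done
    return 1
}

# Demo against a constructed catalog tree (German pack installed, no de_CH).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/C" "$tmp/de"
    eff=$(effective_msg_locale "" "" "De_CH.IBM-850")
    echo "effective locale: $eff"
    echo "lookup order:     $(locale_candidates "$eff" | tr '\n' ' ')"
    echo "catalog dir:      $(resolve_catalog_dir "$tmp" "$eff")"
    overriding_vars | sed 's/^/overrides LANG: /'
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to see the De_CH.IBM-850 case from the guide resolved against a temporary directory tree; it only selects the %L directory and does not open the %N.cat files.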

Text encoding (code set) support

Different operating systems often encode text in different ways. For example, PC operating systems use SJIS (code page 932) for Japanese text, but UNIX operating systems often use eucJP. In addition, multiple locales can be provided for the same language so that different code sets can be used for the same language on the same machine. This can cause problems when text is moved from system to system or between different locale environments.


Tivoli Access Manager for Operating Systems addresses these problems by using Unicode and UTF-8 (the multi-byte form of Unicode) as the internal canonical representation for text.

Message catalogs are encoded using UTF-8, and the text is converted to the locale encoding before being presented to the user. In this way, the same French message catalog files can be used to support a variety of Latin 1 code sets, such as ISO8859-1, Microsoft 1252, IBM PC 850, and IBM MVS™ 1047.

Location of code set files

Interoperability across your secure domain depends on code set files, which are used to perform UTF-8 conversion and other types of encoding-specific text processing. These files are installed in the base_dir/opt/PolicyDirector/nls/TIS subdirectory.

Chapter 4. Configuring

This chapter explains how to configure IBM Tivoli Access Manager for Operating Systems on AIX, HP-UX, Solaris, and Linux.

If you installed using native installation, you must configure Tivoli Access Manager for Operating Systems as described in this chapter before using it. If you installed using either mode of InstallShield Multiplatform, Tivoli Access Manager for Operating Systems has been initially configured for you, but you should review that initial configuration and make changes to suit your environment.

The configuration command is pdoscfg. Some configuration options are required; others are optional. This command can also be used to reconfigure certain configuration options without first unconfiguring Tivoli Access Manager for Operating Systems on a system.

The following sections include information about:
• Preparing to configure Tivoli Access Manager for Operating Systems
• Using Tivoli Access Manager for Operating Systems configuration command options
• Configuration options
• Configuring from the command line
• Configuring using a response file

Preparing to configure

Before you configure and run Tivoli Access Manager for Operating Systems on a system, you should carefully consider how the authorization policy will be set up and which policy branch name and domain this machine will be configured to use. To ensure that the authorization policy is correctly enforced, careful consideration should be given to how the local user name space maps to the Tivoli Access Manager User Registry name space. For more information, see the Tivoli Access Manager for Operating Systems Administration Guide.

Before you configure Tivoli Access Manager for Operating Systems, your environment must be in a certain state and you should have certain information about your system:
• The Tivoli Access Manager policy server, Version 5.1, should be configured to use the LDAP user registry.
• The Tivoli Access Manager policy server and LDAP user registry should be running.
• The Tivoli Access Manager Runtime Environment must be installed and configured on the same machine where Tivoli Access Manager for Operating Systems is installed.
• You should have your base64-encoded LDAP SSL CA certificate file from the LDAP server machine.
  Note: If you used the install_ldaps program to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Access Manager, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during Tivoli Access Manager for Operating Systems configuration.
• You should know your LDAP User Registry suffix.
• You should know the name of the policy branch under which you are configuring.
• You should know the name of the domain in which you are configuring.
• You should know the administrator name and administrator password for the domain in which you are configuring. This ID and password replace the Tivoli Access Manager security master ID and password.

Additionally, you should review the options that can be used with the configuration command to determine which ones to customize to your particular situation. Certain options must be specified on initial configuration. These mandatory configuration options are:
• branch
• suffix
• ldap_ssl_cacert
• local_domain
• admin_name
• admin_pwd

Note: Because an ID other than sec_master can now be used to configure, you must ensure that the ID has the appropriate Tivoli Access Manager server authority to configure a server using svrsslcfg and add policy specified in the osseal.once-only, osseal.per-policy, and osseal.per-machine policy scripts.

The following table provides guidelines for configuring a default Tivoli Access Manager server installation. If custom ACLs are used instead of the defaults, the permissions must be applied to those ACLs. The permissions enable you to delegate Tivoli Access Manager for Operating Systems installation and configuration authority based on the type of installation. For example, the initial configuration requires a user with authority to run svrsslcfg and create the policy in all the above-mentioned policy files. The next level of authority only has to run svrsslcfg and the policy in osseal.per-policy and osseal.per-machine policy files. The final level of authority needs only the authority to run svrsslcfg and the osseal.per-machine policy file. You can also grant a user the authority to configure, but not unconfigure, Tivoli Access Manager for Operating Systems.

The table lists the permissions required on the ACLs of a default Tivoli Access Manager server. The permissions are presented with the object name, the associated ACL, and the complete set of permissions allowed. If a user was created to only configure Tivoli Access Manager for Operating Systems, only a subset of the permissions would be required.

Because Tivoli Access Manager for Operating Systems, Version 5.1, supports multiple domains, each administrative ID must have the correct permissions in each domain configured.

Table 6. ACL Permissions Required

| Object | Description | ACL | Permissions Needed |
|---|---|---|---|
| / | Top of the object tree | default-root | Tam |
| /Management | Does not control access to any objects needed by pdoscfg, but contains an ACL that several sub-objects inherit | default-management | |
| /Management/ACL | Controls ACL operations. By default, it inherits from the default-management ACL. | default-management | Tamv |
| /Management/Action | Controls Action operations. By default, it inherits from the default-management ACL. | default-management | Tcv |
| /Management/Config | Controls permissions for running svrsslcfg from a client system. It has its own ACL. | default-config | Tacmv |
| /Management/Groups | Controls permissions for creating, deleting, and modifying groups. By default, it inherits from the default-management ACL. | default-management | TdmnVa |
| /Management/POP | Controls permissions for operating on POPs. By default, it inherits from the default-management ACL. | default-management | TadmvB |
| /Management/Policy | Controls access to the get and set policy commands. No permissions are required on the default-policy ACL. | | |
| /Management/Replica | Controls access to the master database and permission to replicate it. No permissions are required on the default-replica ACL. | | |
| /Management/Server | Controls access to the pdadmin server command. It inherits from default-management; no specific permissions are required. | | |
| /Management/Users | Controls permissions for operating on user objects. It inherits from default-management. | default-management | TdmNvW |

Note that some of the permissions overlap on the default-management ACL. They were presented for each object for reference.

If you do not supply the Tivoli Access Manager administrator name and password, you will be prompted for them.

After you configure Tivoli Access Manager for Operating Systems, you must start it. See Chapter 6, “Starting and stopping,” on page 65 for information on doing this.

Using the configure command options

Tivoli Access Manager for Operating Systems configure command options are used with the configure command pdoscfg. If you want to reconfigure the -branch, -suffix, -local_domain, -admin_name, and -admin_pwd options, you must first unconfigure Tivoli Access Manager for Operating Systems and then run the configure command again. If you want to reconfigure the -ssl_listening_port and -ldap_ssl_cacert options, you must stop Tivoli Access Manager for Operating Systems before running the configure command.

pdoscfg
    | [-admin_cred_refresh number_of_minutes]
    | [-admin_name user_admin_name]
    | [-admin_pwd user_admin_password]
    | [-audit_deny_actions (osseal action_group | osseal action bits)]
    | [-audit_level (all | none | permit | deny | loginpermit | logindeny | admin | verbose | info | trace_exec | trace_file | trace_exec_l | trace_exec_root)]
    | [-audit_logflush number_of_seconds]
    | [-audit_log_size number_of_bytes]
    | [-audit_permit_actions (osseal action_group | osseal action bits)]
    | [-autostart (on | off)]
    | -branch policy_branch_name
    | [-cred_hold number_of_minutes]
    | [-cred_response_wait number_of_minutes]
    | [-critical_cred_group critical_cred_group_name]
    | [-critical_cred_refresh number_of_minutes]
    | [-delete (comma_delimited_list_of_options)]
    | [-dns (on | off)]
    | [-ffdc_capture (on | off)]
    | [-help]
    | [-hostname hostname]
    | [-kmsg_hnd_threads number_of_threads]
    | -ldap_ssl_cacert ldap_certificate_file_name
    | [-local_domain domain-name]
    | [-lrd_config (on | off)]
    | [-lrd_admin_name user_admin_name]
    | [-lrd_admin_pwd user_admin_password]
    | [-lrd_local_domain domain_name]
    | [-login_policy (on | off)]
    | [-net_ACL_limited (on | off)]
    | [-operations]
    | [-pdosauditd_log_entries number_of_log_entries]
    | [-pdosauditd_logs number_of_logs]
    | [-pdosd_init_wait time_in_minutes]
    | [-pdosd_log_entries number_of_log_entries]
    | [-pdosd_logs number_of_logs]
    | [-pdoslrd_log_entries number_of_log_entries]
    | [-pdoslrd_logs number_of_logs]
    | [-pdoswdd_log_entries number_of_log_entries]
    | [-pdoswdd_logs number_of_logs]
    | [-refresh_interval number_of_minutes]
    | [-rspfile file_name]
    | [-ssl_listening_port port_to_listen_for_notification]
    | -suffix policy_director_suffix
    | [-tcb_ignore_ctime (on | off)]
    | [-tcb_interval number_of_seconds]
    | [-tcb_max_file_size number_of_megabytes]
    | [-tcb_monitor_threads number_of_threads]
    | [-tcb_nocrc_on_exec (on | off)]
    | [-uid (on | off)]
    | [-usage]
    | [-user_cred_refresh number_of_minutes]
    | [-version]
    | [-warning (on | off)]
    | [-?]

Figure 12. pdoscfg Command

Configure options

Options for the configure command are described in this section. The definition and default, if applicable, for each option is given. Information about minimum and maximum values is given in Appendix A, “Configuration options,” on page 79.

-admin_cred_refresh
    Refresh interval of administrator’s credentials in minutes.
    Default: 360

-admin_name
    Tivoli Access Manager administrator name.
    Default: sec_master

-admin_pwd
    The Tivoli Access Manager administrator's password. In combination with -admin_name, replaces -sec_master_pwd option.

-audit_deny_actions
    The osseal action group [OSSEAL], followed by a list of osseal action bits to be audited. Valid osseal actions are DKNRUdloprwxCGL.
    Default: none

-audit_level
    A comma-separated list of audit levels. The levels are all, none, permit, deny, loginpermit, logindeny, admin, verbose, info, trace_exec, trace_exec_l, trace_exec_root or trace_file.
    Default: none

-audit_logflush
    Interval in seconds that the pdosauditd daemon flushes the audit records to the active audit log.
    Default: 5

-audit_log_size
    Maximum size in bytes to which the active audit log can grow before pdosauditd rolls over to use a new active audit log.
    Default: 1000000

-audit_permit_actions
    The osseal action group [OSSEAL], followed by a list of osseal action bits to be audited. Valid osseal actions are DKNRUdloprwxCGL.
    Default: none

-autostart
    Automatically start Tivoli Access Manager for Operating Systems when the system starts.
    Default: on

-branch
    Name of the policy branch to which this machine subscribes.

-cred_hold
    Maximum amount of time in minutes that a non-administrator credential is cached without being accessed. This value must be greater than or equal to the -admin_cred_refresh value and the -user_cred_refresh value.
    Default: 10080

-cred_response_wait
    Minimum length of time to wait for a response to a credential request before entering isolation mode, in minutes.
    Default: 2

-critical_cred_group
    The name of the Tivoli Access Manager group whose members are to be treated as critical system users whose credentials should always be available in the credential cache.

-critical_cred_refresh
    Refresh interval of -critical_cred_group credentials, in minutes.
    Default: 720

-delete
    Comma-separated list of options to remove from configuration files. Supported options are:
    • admin_cred_refresh
    • audit_level
    • audit_log_entries
    • audit_logs
    • audit_logflush
    • audit_log_size
    • audit_deny_actions
    • audit_permit_actions
    • cred_hold
    • cred_response_wait
    • critical_cred_group
    • critical_cred_refresh
    • dns
    • ffdc_capture
    • kmsg_hnd_threads
    • pdosd_log_entries
    • pdosd_logs
    • pdoswdd_log_entries
    • pdoswdd_logs
    • refresh_interval
    • tcb_ignore_ctime
    • tcb_interval
    • tcb_max_file_size
    • tcb_monitor_threads
    • tcb_nocrc_on_exec
    • uid
    • user_cred_refresh
    • warning

-dns
    Enables Tivoli Access Manager for Operating Systems to store the IP address to hostname mapping information.
    Default: on

-ffdc_capture
    Enables the capture of first failure data after abnormal termination of the core Tivoli Access Manager for Operating Systems daemons.
    Default: on

-help
    Displays help for all of the options. To display help for one option, enter -help -option.

-hostname
    The hostname that will be used by the Tivoli Access Manager server to recognize this machine. If not specified, the default is the local hostname returned by the operating system.

-kmsg_hnd_threads
    Number of threads used to handle authorization requests. This must be a positive integer. Increasing this value on multiprocessor systems with more than 8 processors can reduce the time authorization requests take and can improve performance. Specify a value equal to the number of processors in the system or 8, whichever is greater. The maximum recommended number of threads at this time is 24.
    Default: 8

-ldap_ssl_cacert
    The CA certificate of the LDAP server that contains the Tivoli Access Manager User Registry. This certificate is required for the mutual authentication that occurs between Tivoli Access Manager for Operating Systems and the LDAP server. If you used the install_ldaps program to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Access Manager, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during configuration of Tivoli Access Manager for Operating Systems.

-local_domain
    The Tivoli Access Manager secure domain that the pdosd daemon will be configured into. If this option is not specified, the local domain will default to the secure domain that the Tivoli Access Manager runtime configuration is using. (If a domain was not specified when the Tivoli Access Manager runtime was configured, its local domain will have defaulted to the management (Default) domain.) The Tivoli Access Manager secure domain must exist and the administrator name and password specified with the -admin_name and -admin_pwd options must be valid for this domain.

-login_policy
    Enable system login and password restrictions. After enabling login policy, any graphical login methods, such as dtlogin, that are running must be restarted if login activity policy is to be active for logins using those methods. When the graphical login program is restarted, the login activity policy is read and made active.
    Default: on

-lrd_admin_name
    Specifies the Tivoli Access Manager administrator name to use when registering the pdoslrd daemon with the Tivoli Access Manager policy server.

-lrd_admin_pwd
    Specifies the Tivoli Access Manager administrator password to use when registering the pdoslrd daemon with the Tivoli Access Manager policy server.

-lrd_config
    Configure or unconfigure the pdoslrd daemon.
    Default: off

-lrd_local_domain
    The Tivoli Access Manager secure domain that the pdoslrd daemon will be configured to use. If the pdoslrd daemon will be used to send audit data to a Tivoli Access Manager authorization server (pdacld) as a remote collection point, the pdoslrd daemon must be configured into the same secure domain that the pdacld daemon is configured to use. In an environment where the Tivoli Access Manager policy server is managing multiple secure domains, this might mean that the pdoslrd daemon needs to be configured into a different secure domain than the pdosd daemon. If this option is not specified, the local domain will default to the secure domain the pdosd configuration is using. This Tivoli Access Manager secure domain must exist and the administrator name and password specified with the -lrd_admin_name and -lrd_admin_pwd options must be valid for this domain.

-net_ACL_limited
    Controls whether or not network access decisions inherit ACLs attached at or above the /OSSEAL/branch/NetIncoming and /OSSEAL/branch/NetOutgoing points in the policy namespace. Limiting the ACL inheritance allows for improved performance of network access decisions if there is no need to define policy at these junctions in the policy namespace.
    Default: off

-operations
    Lists the supported options.

-pdosauditd_log_entries
    The number of pdosauditd log entries to write before archiving the pdosauditd log file. The default value of zero means that the number of entries to write is unlimited and the pdosauditd log file will not be archived. If -pdosauditd_log_entries is non-zero and -pdosauditd_logs is non-zero, the pdosauditd log file will be archived when the number of entries in it reaches the number of entries specified by -pdosauditd_log_entries or when the pdosauditd daemon is restarted. If -pdosauditd_log_entries is non-zero and -pdosauditd_logs is zero, the pdosauditd log file will be recycled when the number of entries in it reaches the number specified by -pdosauditd_log_entries or when the pdosauditd daemon is restarted.
    Default: 0

-pdosauditd_logs
    The number of pdosauditd archive log files to use before recycling the pdosauditd archive log files. Setting the number of pdosauditd archive log files to a non-zero value has an effect only if the -pdosauditd_log_entries is non-zero. The pdosauditd log file will be archived when the number of entries in it has reached the number of entries specified by -pdosauditd_log_entries or when the pdosauditd daemon is restarted. The default value of zero means never archive the pdosauditd log file.
    Default: 0

-pdosd_init_wait
    The maximum number of minutes to wait at startup for the background pdosd daemon to complete initialization and enable policy enforcement.
    Default: 5

-pdosd_log_entries
    The number of pdosd log entries to write before archiving the pdosd log file. The default value of zero means that the number of entries to write is unlimited and the pdosd log file will not be archived. If -pdosd_log_entries is non-zero and -pdosd_logs is non-zero, the pdosd log file will be archived when the number of entries in it reaches the number of entries specified by -pdosd_log_entries or when the pdosd daemon is restarted. If -pdosd_log_entries is non-zero and -pdosd_logs is zero, the pdosd log file will be recycled when the number of entries in it reaches the number specified by -pdosd_log_entries or when the pdosd daemon is restarted.
    Default: 0

-pdosd_logs
    The number of pdosd archive log files to use before recycling the pdosd archive log files. Setting the number of pdosd archive log files to a non-zero value has an effect only if the -pdosd_log_entries is non-zero. The pdosd log file will be archived when the number of entries in it has reached the number of entries specified by -pdosd_log_entries or when the pdosd daemon is restarted. The default value of zero means never archive the pdosd log file.
    Default: 0

-pdoslrd_log_entries
    The number of pdoslrd log entries to write before archiving the pdoslrd log file. The default value of zero means that the number of entries to write is unlimited and the pdoslrd log file will not be archived. If -pdoslrd_log_entries is non-zero and -pdoslrd_logs is non-zero, the pdoslrd log file will be archived when the number of entries in it reaches the number of entries specified by -pdoslrd_log_entries or when the pdoslrd daemon is restarted. If -pdoslrd_log_entries is non-zero and -pdoslrd_logs is zero, the pdoslrd log file will be recycled when the number of entries in it reaches the number specified by -pdoslrd_log_entries or when the pdoslrd daemon is restarted.
    Default: 0

-pdoslrd_logs
    The number of pdoslrd archive log files to use before recycling the pdoslrd archive log files. Setting the number of pdoslrd archive log files to a non-zero value has an effect only if the -pdoslrd_log_entries is non-zero. The pdoslrd log file will be archived when the number of entries in it has reached the number of entries specified by -pdoslrd_log_entries or when the pdoslrd daemon is restarted. The default value of zero means never archive the pdoslrd log file.
    Default: 0

-pdoswdd_log_entries
    The number of pdoswdd log entries to write before archiving the pdoswdd log file. The default value of zero means that the number of entries to write is unlimited and the pdoswdd log file will not be archived. If -pdoswdd_log_entries is non-zero and -pdoswdd_logs is non-zero, the pdoswdd log file will be archived when the number of entries in it reaches the number of entries specified by -pdoswdd_log_entries or when the pdoswdd daemon is restarted. If -pdoswdd_log_entries is non-zero and -pdoswdd_logs is zero, the pdoswdd log file will be recycled when the number of entries in it reaches the number specified by -pdoswdd_log_entries or when the pdoswdd daemon is restarted.
    Default: 0

-pdoswdd_logs
    The number of pdoswdd archive log files to use before recycling the pdoswdd archive log files. Setting the number of pdoswdd archive log files to a non-zero value has an effect only if the -pdoswdd_log_entries is non-zero. The pdoswdd log file will be archived when the number of entries in it has reached the number of entries specified by -pdoswdd_log_entries or when the pdoswdd daemon is restarted. The default value of zero means never archive the pdoswdd log file.
    Default: 0

-refresh_interval
    Interval in minutes that the Tivoli Access Manager policy server is polled for policy updates, if it has not received any updates during the interval. A value of zero indicates that policy database updates are not received by polling. Compare -ssl_listening_port.
    Default: 0

-rspfile
    Name of file containing option values for the configuration.

-ssl_listening_port
    Port to listen for policy database update notifications. A value of zero indicates that policy database updates will not be received by notification. Compare -refresh_interval.
    Default: 7134

-suffix
    The LDAP suffix under which the Tivoli Access Manager users and groups associated with Tivoli Access Manager for Operating Systems should be created during configuration. An example suffix is ou=austin,o=ibm,c=us. If there are any spaces within the suffix, enclose it in quotation marks ("").

-tcb_ignore_ctime
    Causes ctime to be ignored when performing Trusted Computing Base (TCB) signature comparisons. When this option is enabled, a change in ctime does not cause the TCB resource to become untrusted.
    Default: off

-tcb_interval
    Interval in seconds during which all TCB files are checked for signature changes. The workload is distributed uniformly (approximately) over this interval.
    Default: 1800

-tcb_max_file_size
    Maximum number of megabytes of a file considered significant for calculating a checksum. The bytes checked are distributed throughout the file.
    Default: 10

-tcb_monitor_threads
    Number of threads used to monitor TCB files for changes. Setting this value above one is useful only on multiprocessor machines. This must be a positive integer.
    Default: 1

-tcb_nocrc_on_exec
    Causes the CRC data checksum that normally occurs as part of the authorization check associated with running an executable file that is registered in the TCB to be skipped. Enabling this option avoids performing the CRC check on large binary files.
    Default: off

-uid
    Enables caching of the UID/GID to user/group name mapping information.
    Default: off

-usage
    Displays help on the command’s usage.

-user_cred_refresh
    Refresh interval of user’s credentials in minutes.
    Default: 720

-version
    Displays the version of the pdoscfg utility.

-warning
    Enables global authorization warning mode.
    Default: off

-?
    Displays help on the command’s usage.
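Several rules in this chapter interact: which options need an unconfigure or a stop before they can be changed, the -cred_hold constraint, and the log_entries/logs pairs. The following Python pre-flight check is an added example, not IBM code; the function names are hypothetical, and the check that -refresh_interval and -ssl_listening_port are not both zero is an inference from the two option descriptions.

```python
# Pre-flight checks for a planned pdoscfg run, built only from rules stated in
# this chapter. Function and variable names are hypothetical.

# Options that can only be changed after unconfiguring the product.
NEEDS_UNCONFIGURE = {"branch", "suffix", "local_domain", "admin_name", "admin_pwd"}
# Options that can only be changed while the product is stopped.
NEEDS_STOP = {"ssl_listening_port", "ldap_ssl_cacert"}

# Defaults quoted from the option descriptions.
DEFAULTS = {
    "admin_cred_refresh": 360,   # minutes
    "user_cred_refresh": 720,    # minutes
    "cred_hold": 10080,          # minutes
    "refresh_interval": 0,       # minutes; 0 = no polling
    "ssl_listening_port": 7134,  # 0 = no update notifications
    "kmsg_hnd_threads": 8,
}


def reconfigure_step(changed_options):
    """Return what must be done before changing the given options."""
    changed = {name.lstrip("-") for name in changed_options}
    if changed & NEEDS_UNCONFIGURE:
        return "unconfigure"
    if changed & NEEDS_STOP:
        return "stop"
    return "none"


def log_behaviour(log_entries, logs):
    """Describe what happens to a daemon log for a <daemon>_log_entries /
    <daemon>_logs pair (pdosd, pdosauditd, pdoslrd, pdoswdd)."""
    if log_entries == 0:
        return "unlimited"  # never archived; the logs value has no effect
    return "archive" if logs > 0 else "recycle"


def check_settings(settings):
    """Return a list of problems for the given option values (defaults filled in)."""
    eff = {**DEFAULTS, **settings}
    problems = []
    for other in ("admin_cred_refresh", "user_cred_refresh"):
        if eff["cred_hold"] < eff[other]:
            problems.append(
                f"cred_hold={eff['cred_hold']} is below {other}={eff[other]}"
            )
    threads = eff["kmsg_hnd_threads"]
    if threads < 1:
        problems.append("kmsg_hnd_threads must be a positive integer")
    elif threads > 24:
        problems.append("kmsg_hnd_threads exceeds the recommended maximum of 24")
    # Inference from the two descriptions: with both set to zero, policy
    # updates arrive neither by polling nor by notification.
    if eff["refresh_interval"] == 0 and eff["ssl_listening_port"] == 0:
        problems.append("no policy update path: refresh_interval and "
                        "ssl_listening_port are both 0")
    return problems


if __name__ == "__main__":
    print(reconfigure_step(["-audit_level", "-suffix"]))
    print(log_behaviour(1000, 0))
    print(check_settings({"cred_hold": 600, "ssl_listening_port": 0}))
```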

Configuring from the command line

For initial configuration of Tivoli Access Manager for Operating Systems from the command line, use this example:

pdoscfg -ldap_ssl_cacert /tmp/ldapcacert.b64 \
    -branch policy_branch_name \
    -suffix o=tivoli \
    -local_domain domain_name \
    -admin_name admin \
    -admin_pwd admin-pwd

Configuring using a response file

Tivoli Access Manager for Operating Systems can be configured using a response file. A response file contains the information that you would normally specify on the command line. Using a response file enables you to automate your configuration process by eliminating the need to enter the information at the command line.

If you prefer to automate only part of the process, you can create a partial response file that contains information for only one option or a few options. You can then specify the remaining options on the command line. Options specified on the command line override the values provided in the response file.

Each line in a response file contains an attribute and an associated value. The value is used by the configuration program as if it were input on the command line.

Creating a response file

The response file format is the same as the configuration file format. The response file contains stanzas of attribute=value pairs. A stanza starts with a line containing the stanza name in brackets and ends either when another line begins with another stanza name in brackets or when the end of the file is reached. Each stanza contains zero or more attribute=value pairs. A stanza name cannot be repeated more than once in a response file. Comments can be added to a response file by using the character # before the comment.

A response file looks like the following example:

[policy]
#Information about the policy.
branch=policy_name
[ldap]
ssl-certificate=/tmp/ldapcacert.b64
[credentials]
admin-cred-refresh=30
[pdoscfg]
sec-master-pwd=cGo0sutbnielr
suffix=o=tivoli
[ssl]
ssl-listening-port=888

In

the

example,

the

stanza

name

lines

are

[policy],

[ldap],

[credentials],

[pdoscfg],

and

[ssl].

The

policy

stanza

contains

the

attribute=value

pair

branch=policy_name.

The

ldap

stanza

contains

the

attribute=value

pair

ssl-certificate=/tmp/ldapcacert.b64.

The

credentials

stanza

contains

the

attribute=value

pair

admin-cred-refresh=30.

The

pdoscfg

stanza

contains

the

attribute=value

pairs

sec-master-pwd=cGo0sutbnielr

and

suffix=o=tivoli.

The

ssl

stanza

contains

the

attribute=value

pair

ssl-listening-port=888.

The

example

response

file

has

one

comment:

#Information

about

the

policy.

A

response

file

can

also

be

created

by

concatenating

the

configuration

files

into

one

file.

The

configuration

files

that

you

use

are

in

the

/opt/pdos/etc

directory

and

include:

osseal.conf,

pdosd.conf,

pdosauditd.conf,

and

pdoswdd.conf.

Using a response file

To use a response file to configure IBM Tivoli Access Manager for Operating Systems, type the response file name on the command line after the pdoscfg command with the -rspfile option. For example:

    pdoscfg -rspfile /opt/pdos/etc/config.rsp

If you want to override items in the response file or to provide additional items to the response file, type the response file name on the command line after the pdoscfg command with the -rspfile option and the option for each of the items that you want to override or to add to the configuration. For example:

    pdoscfg -rspfile /opt/pdos/etc/config.rsp \
        -uid off \
        -audit_level all

Mapping command line options to attributes in response file

The response file has stanzas that contain sets of attribute=value pairs. Stanzas and attributes map to the command line options as shown in the following table.

Table 7. Attribute Equivalents of pdoscfg Options

    Stanza            Attribute                 Option
    [audit]           level                     -audit_level
    [authorization]   warning                   -warning
    [cache]           dns                       -dns
                      uid                       -uid
    [credentials]     admin-cred-refresh        -admin_cred_refresh
                      cred-hold                 -cred_hold
                      user-cred-refresh         -user_cred_refresh
                      cred-response-wait        -cred_response_wait
                      critical-cred-group       -critical_cred_group
                      critical-cred-refresh     -critical_cred_refresh
    [ldap]            ssl-certificate           -ldap_ssl_cacert
    [pdosauditd]      log-entries               -pdosauditd_log_entries
                      audit-logflush            -audit_logflush
                      logs                      -pdosauditd_logs
                      audit-logsize             -audit_log_size
    [pdoscfg]         sec-master-pwd            -sec_master_pwd
                      delete                    -delete
                      suffix                    -suffix
                      autostart                 -autostart
                      login-policy              -login_policy
                      net-ACL-limited           -net_ACL_limited
    [pdosd]           kmsg-handler-threads      -kmsg_hnd_threads
                      log-entries               -pdosd_log_entries
                      logs                      -pdosd_logs
                      init-wait-minutes         -pdosd_init_wait
    [pdoslrd]         log-entries               -pdoslrd_log_entries
                      logs                      -pdoslrd_logs
    [pdoswdd]         log-entries               -pdoswdd_log_entries
                      logs                      -pdoswdd_logs
    [policy]          branch                    -branch
                      refresh-interval          -refresh_interval
    [ssl]             ssl-listening-port        -ssl_listening_port
    [tcb]             ignore-ctime              -tcb_ignore_ctime
                      interval                  -tcb_interval
                      max-checksum-file-size    -tcb_max_file_size
                      monitor-threads           -tcb_monitor_threads
                      nocrc-on-exec             -tcb_nocrc_on_exec
    [ffdc]            capture                   -ffdc_capture
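
The response file format and the Table 7 mapping described above, as an added example that is not part of the IBM guide: a Python linter that parses a response file, reports repeated stanzas and attributes that have no Table 7 option, lets command-line values override file values, and flags a file that stores sec-master-pwd while group or other can read it. The function names, the rule that a comment occupies a whole line, and the 0600 permission check are assumptions of this example, not documented pdoscfg behaviour.

```python
import os
import stat

# Table 7 from this page: stanza -> {attribute: pdoscfg option, leading dash omitted}.
TABLE7 = {
    "audit": {"level": "audit_level"},
    "authorization": {"warning": "warning"},
    "cache": {"dns": "dns", "uid": "uid"},
    "credentials": {
        "admin-cred-refresh": "admin_cred_refresh", "cred-hold": "cred_hold",
        "user-cred-refresh": "user_cred_refresh",
        "cred-response-wait": "cred_response_wait",
        "critical-cred-group": "critical_cred_group",
        "critical-cred-refresh": "critical_cred_refresh"},
    "ldap": {"ssl-certificate": "ldap_ssl_cacert"},
    "pdosauditd": {
        "log-entries": "pdosauditd_log_entries", "audit-logflush": "audit_logflush",
        "logs": "pdosauditd_logs", "audit-logsize": "audit_log_size"},
    "pdoscfg": {
        "sec-master-pwd": "sec_master_pwd", "delete": "delete", "suffix": "suffix",
        "autostart": "autostart", "login-policy": "login_policy",
        "net-ACL-limited": "net_ACL_limited"},
    "pdosd": {
        "kmsg-handler-threads": "kmsg_hnd_threads", "log-entries": "pdosd_log_entries",
        "logs": "pdosd_logs", "init-wait-minutes": "pdosd_init_wait"},
    "pdoslrd": {"log-entries": "pdoslrd_log_entries", "logs": "pdoslrd_logs"},
    "pdoswdd": {"log-entries": "pdoswdd_log_entries", "logs": "pdoswdd_logs"},
    "policy": {"branch": "branch", "refresh-interval": "refresh_interval"},
    "ssl": {"ssl-listening-port": "ssl_listening_port"},
    "tcb": {
        "ignore-ctime": "tcb_ignore_ctime", "interval": "tcb_interval",
        "max-checksum-file-size": "tcb_max_file_size",
        "monitor-threads": "tcb_monitor_threads", "nocrc-on-exec": "tcb_nocrc_on_exec"},
    "ffdc": {"capture": "ffdc_capture"},
}
SECRET_OPTIONS = {"sec_master_pwd"}  # options whose value is a password

# The page's own example response file, embedded so the block runs offline.
SAMPLE = """\
[policy]
#Information about the policy.
branch=policy_name
[ldap]
ssl-certificate=/tmp/ldapcacert.b64
[credentials]
admin-cred-refresh=30
[pdoscfg]
sec-master-pwd=cGo0sutbnielr
suffix=o=tivoli
[ssl]
ssl-listening-port=888
"""


def parse_rspfile(text):
    """Parse response-file text into ({stanza: {attr: value}}, [problems])."""
    stanzas, problems, current = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current in stanzas:
                problems.append(f"line {n}: stanza [{current}] appears more than once")
            stanzas.setdefault(current, {})
            continue
        attr, sep, value = line.partition("=")  # first '=' only, so suffix=o=tivoli works
        if not sep or current is None:
            problems.append(f"line {n}: not an attribute=value pair inside a stanza")
            continue
        stanzas[current][attr.strip()] = value.strip()
    return stanzas, problems


def effective_options(stanzas, cli_overrides=None):
    """Map attributes to options via Table 7, then let command-line values win."""
    merged, unmapped = {}, []
    for stanza, attrs in stanzas.items():
        for attr, value in attrs.items():
            option = TABLE7.get(stanza, {}).get(attr)
            if option is None:
                unmapped.append(f"[{stanza}] {attr}")
            else:
                merged[option] = value
    merged.update(cli_overrides or {})
    return merged, unmapped


def audit_rspfile(path):
    """Return findings for one file: format problems, unmapped attributes, exposed password."""
    with open(path, encoding="utf-8") as fh:
        stanzas, findings = parse_rspfile(fh.read())
    options, unmapped = effective_options(stanzas)
    findings += [f"{item}: no pdoscfg option in Table 7" for item in unmapped]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if SECRET_OPTIONS.intersection(options) and mode & 0o077:
        findings.append(f"{path}: holds a password but has mode {mode:04o}; use 0600")
    return findings
```

Run `audit_rspfile` over a response file before handing it to pdoscfg -rspfile; an empty list means none of these checks fired.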


Chapter 5. Configuring and unconfiguring the pdostecd daemon

This chapter briefly describes how to configure and unconfigure the pdostecd daemon on AIX, HP-UX, Solaris, and Linux.

Configuring pdostecd

Configure the pdostecd daemon only if you intend to use the Enterprise Console Integration component of the Tivoli Access Manager for Operating Systems.

You must configure the pdostecd daemon before using it unless both of the following statements are true:
- You installed the Tivoli Access Manager for Operating Systems Enterprise Console Integration component from the Tivoli desktop, and
- This is the first time you have installed Tivoli Access Manager for Operating Systems on this system, or this is an upgrade of an existing system that had patch 3.7-SEC-0003 or later already applied.

The pdostecd daemon configure command is pdosteccfg.

Information on the pdostecd daemon, the pdosteccfg command, and details on integrating IBM Tivoli Access Manager for Operating Systems with Tivoli Enterprise Console and Tivoli Risk Manager can be found in the IBM Tivoli Access Manager for Operating Systems Administration Guide.

Preparing to configure

The initial configuration of the pdostecd daemon defines authorization policy in the Tivoli Access Manager access control list (ACL) database that is used later when the integration with Tivoli Enterprise Console or Tivoli Risk Manager is done. You must know the Tivoli Access Manager administrator password in order to set the pdostecd daemon so that it does not start automatically. The initial configuration of the daemon should be done with autostart set to off.

Configuring from the command line

To set the pdostecd daemon so that it does not start automatically, log on as root and enter the following command:

    pdosteccfg -autostart off -admin_name admin_name -admin_pwd admin_password

Note: By default, pdostecd is configured with autostart set to off when Tivoli Access Manager for Operating Systems is configured.

Unconfiguring pdostecd

The pdostecd daemon unconfigure command is pdostecucfg. You must unconfigure the pdostecd daemon before unconfiguring Tivoli Access Manager for Operating Systems.


For detailed information about the pdostecucfg command, the pdostecd daemon itself, and the integration of IBM Tivoli Access Manager for Operating Systems with Tivoli Enterprise Console and Tivoli Risk Manager, see the IBM Tivoli Access Manager for Operating Systems Administration Guide.

Unconfiguring from the command line

To unconfigure the pdostecd daemon on the last machine that it is running in your environment, without making any changes to authorization policy for the pdostecd daemon, enter the following command:

    pdostecucfg -admin_name admin_name -admin_pwd admin_password

To unconfigure the pdostecd daemon on this machine and remove the specific authorization policy about the pdostecd daemon defined in the Tivoli Access Manager ACL database, enter the following command:

    pdostecucfg -remove_per_policy on -admin_name admin_name -admin_pwd admin_password


Chapter 6. Starting and stopping

This chapter explains how to start and stop Tivoli Access Manager for Operating Systems.

Note: The operations outlined in this chapter can be done only by a Tivoli Access Manager for Operating Systems runtime administrator.

Starting Tivoli Access Manager for Operating Systems

You can start Tivoli Access Manager for Operating Systems manually from the command line or you can use autostart.

Command line

To start Tivoli Access Manager for Operating Systems, enter the following command on the command line:

    rc.osseal start

Note: If this is the first time that Tivoli Access Manager for Operating Systems is started after a system reboot, the command must be performed as root.

Autostart

If you did not disable autostart at initial configuration, Tivoli Access Manager for Operating Systems defaults to autostart at system reboot.

To stop Tivoli Access Manager for Operating Systems from starting automatically at system restart, enter the following command. When the system reboots, Tivoli Access Manager for Operating Systems will not be started automatically.

    pdoscfg -autostart off

If you have autostart disabled, or if you have recently enabled autostart but do not want to reboot the system at this time, you can immediately start Tivoli Access Manager for Operating Systems by logging in as root and entering the following command:

    rc.osseal start

Protection against errors during initialization

Tivoli Access Manager for Operating Systems attempts to identify common environmental errors during initialization and prevents its daemons from starting if these conditions exist.

Kernel extension must be loaded

The kernel extension needed by Tivoli Access Manager for Operating Systems must be successfully installed before the daemons are started. To help ensure that the kernel extension is installed, Tivoli Access Manager for Operating Systems creates a temporary file called /opt/pdos/etc/kosseal_starting___load. (There are three underscore characters between the last two words in the file name.) This file is removed after the kernel extension is successfully loaded. The presence of this temporary file prevents the Tivoli Access Manager for Operating Systems daemons from starting. This file protects your system against repeated failures when Tivoli Access Manager for Operating Systems is configured to start automatically but the loading of the kernel extensions has been unsuccessful.

After saving diagnostic data about this error and reporting the problem to IBM Tivoli Software Support, you can delete this temporary file and attempt to start Tivoli Access Manager for Operating Systems again.

Users and groups must be present

Tivoli Access Manager for Operating Systems relies on the osseal user ID, the osseal group, and the ossaudit group being available. If these are not available, it does not start.

In Network Information Services (NIS) environments, the osseal user ID and the osseal and ossaudit groups must be created locally and not be located in NIS. However, when installing on a system configured to use NIS, the user-creation mechanisms used by Tivoli Access Manager for Operating Systems can result in these groups and the user ID being created after the + entry in the /etc/passwd and /etc/group files. You must reorder the entries in these files to ensure that the users and groups created by Tivoli Access Manager for Operating Systems appear before the + in these files. Otherwise, the osseal user ID and the osseal and ossaudit groups are not usable if the NIS server is unavailable and Tivoli Access Manager for Operating Systems does not start.
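
The two start-up conditions described above (the leftover kernel-extension marker file, and the osseal and ossaudit entries sitting below the + entry), as an added pre-start check that is not part of the IBM guide. The function names and the sample passwd and group contents are constructed for this example, and any line beginning with + is treated as the + entry.

```python
import os

# Path and account names as given on this page.
MARKER = "/opt/pdos/etc/kosseal_starting___load"   # three underscores before "load"
REQUIRED = {"passwd": ["osseal"], "group": ["osseal", "ossaudit"]}

# Constructed sample files: the osseal user and group sit above the "+" entry,
# the ossaudit group was appended below it.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
osseal:x:401:401:constructed entry:/opt/pdos:/bin/false
+::::::
"""
SAMPLE_GROUP = """\
root:x:0:
osseal:x:401:
+:::
ossaudit:x:402:
"""


def local_account_status(text, names):
    """Classify each name as 'local', 'after-plus' or 'missing' in passwd/group text."""
    status = dict.fromkeys(names, "missing")
    plus_seen = False
    for line in text.splitlines():
        if line.startswith("+"):          # assumption: any "+..." line is the + entry
            plus_seen = True
            continue
        name = line.split(":", 1)[0]
        if status.get(name) == "missing":  # only the first occurrence of a name counts
            status[name] = "after-plus" if plus_seen else "local"
    return status


def prestart_findings(passwd_text, group_text, marker_present):
    """Return the conditions from this page that would keep the daemons from starting."""
    findings = []
    for label, text in (("passwd", passwd_text), ("group", group_text)):
        for name, state in local_account_status(text, REQUIRED[label]).items():
            if state == "missing":
                findings.append(f"/etc/{label}: no entry for {name}")
            elif state == "after-plus":
                findings.append(f"/etc/{label}: {name} is below the + entry")
    if marker_present:
        findings.append(f"{MARKER} exists: daemons will not start until it is removed")
    return findings


def check_host(root="/"):
    """Run the checks against a live or mounted file system rooted at `root`."""
    def read(rel):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read()
    marker = os.path.join(root, MARKER.lstrip("/"))
    return prestart_findings(read("etc/passwd"), read("etc/group"), os.path.exists(marker))


if __name__ == "__main__":
    for finding in prestart_findings(SAMPLE_PASSWD, SAMPLE_GROUP, marker_present=False):
        print(finding)
```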

Confirming that Tivoli Access Manager for Operating Systems is running

To confirm that Tivoli Access Manager for Operating Systems is running, enter the following command:

    pdosctl -s

Stopping Tivoli Access Manager for Operating Systems

To stop Tivoli Access Manager for Operating Systems, enter the following command:

    rc.osseal stop

Starting and stopping the PDOSTECD daemon

The starting of the pdostecd daemon is handled as part of setting up the integration of Tivoli Access Manager for Operating Systems with Tivoli Enterprise Console or Tivoli Risk Manager. This procedure is described in the IBM Tivoli Access Manager for Operating Systems Administration Guide and is not included in this document.

To stop the pdostecd daemon, enter the following command and press Enter:

    rc.pdostecd stop


Chapter 7. Unconfiguring

This chapter explains how to unconfigure Tivoli Access Manager for Operating Systems on AIX, HP-UX, Solaris, and Linux.

The Tivoli Access Manager for Operating Systems unconfiguration command is pdosucfg. This command removes the Tivoli Access Manager for Operating Systems configuration files, disables autostart of the daemons and the kernel, and unregisters Tivoli Access Manager for Operating Systems with Tivoli Access Manager.

The following sections include information about:
- Planning to unconfigure Tivoli Access Manager
- Using the unconfigure command options
- Using the unconfigure options
- Using a response file to unconfigure
- Unconfiguring associated products installed by InstallShield Multiplatform

Preparing to unconfigure Tivoli Access Manager for Operating Systems

Before you unconfigure Tivoli Access Manager for Operating Systems, your environment must be in a certain state and you need to have some information about your system:
- The Tivoli Access Manager policy server and the LDAP Server should be running.
- The Tivoli Access Manager Runtime Environment should be installed and configured on the same machine that Tivoli Access Manager for Operating Systems is installed on.
- You should know the Tivoli Access Manager administrator name and administrator password.
- Stop Tivoli Access Manager for Operating Systems. See Chapter 6, “Starting and stopping,” on page 65 for information on how to do this.
- Unconfigure the pdostecd daemon, if it was configured. See “Unconfiguring pdostecd” on page 63.

Unconfigure command options

The Tivoli Access Manager for Operating Systems unconfigure options are used with the unconfigure command pdosucfg.


Unconfigure option descriptions

Options for the unconfigure command are described in this section. The definition and default, if applicable, for each option is given. Additional information about acceptable values for the options is given in Appendix B, “Unconfigure options,” on page 87.

-admin_name
    Tivoli Access Manager administrator name.
    Default: sec_master

-admin_pwd
    Tivoli Access Manager administrator's password. In combination with -admin_name, replaces the -sec_master_pwd option.

-help
    Displays help for all of the options. To display help for one option, enter -help -option.

-lrd_admin_name
    Tivoli Access Manager administrator name to use when unregistering pdoslrd.

-lrd_admin_pwd
    Tivoli Access Manager password to use when unregistering pdoslrd.

-operations
    Lists the supported options.

-remove_once_only
    Unregisters the Tivoli Access Manager for Operating Systems product policy.
    Attention: Do not specify this option if other Tivoli Access Manager for Operating Systems machines are configured to this Tivoli Access Manager policy server, because it would make the other machines inoperable. If additional policy has been added, you might have to remove it manually.
    Default: off

-remove_per_policy
    Unregisters the Tivoli Access Manager for Operating Systems information specific to the policy branch that this machine is configured to use.
    Attention: Do not specify this option if other Tivoli Access Manager for Operating Systems machines are configured under that policy branch because it would make the other machines inoperable. If additional policy has been added under that policy branch, you might have to remove it manually.
    Default: off

-rspfile
    Specifies the file containing option values for the unconfiguration.

-usage
    Displays help on the command’s usage.

-version
    Displays the version.

-?
    Displays help on the command’s usage.

    pdosucfg | [-admin_name user_admin_name]
             | [-admin_pwd user_admin_password]
             | [-help]
             | [-lrd_admin_name user_admin_name]
             | [-lrd_admin_pwd user_admin_password]
             | [-operations]
             | [-remove_once_only (on | off) ]
             | [-remove_per_policy (on | off) ]
             | [-rspfile file_name ]
             | [-usage]
             | [-version]
             | [-?]

Figure 13. pdosucfg Command

Using a response file to unconfigure

Tivoli Access Manager for Operating Systems may be unconfigured using a response file.

Creating a response file

The format of the unconfigure response file is the same as the format for a configure response file. The contents of a response file for unconfiguring Tivoli Access Manager for Operating Systems resemble the following example:

    [pdoscfg]
    admin_name=admin_user_1
    admin_pwd=cGo0sutbnielr

where [pdoscfg] is the stanza name and admin_name=admin_user_1 and admin_pwd=cGo0sutbnielr are the attribute=value pairs.

Using a response file

To use a response file to unconfigure Tivoli Access Manager for Operating Systems, enter the response file name on the command line after the pdosucfg command with the -rspfile option. For example:

    pdosucfg -rspfile /opt/pdos/etc/unconfig.rsp

where /opt/pdos/etc/unconfig.rsp is the response file name.

If you want to override items in the response file or to provide additional items to the unconfigure command, type the response file name on the command line after the pdosucfg command with the -rspfile option and the option for each of the items that you want to override or to add. For example:

    pdosucfg -rspfile /opt/pdos/etc/unconfig.rsp -remove_per_policy off

Mapping command line options to attributes in a response file

The response file has stanzas that contain sets of attribute=value pairs. Stanzas and attributes map to the command line options as shown in the following table.

Table 8. Attribute Equivalents of pdosucfg Options

    Stanza       Attribute            Option
    [pdoscfg]    remove-once-only     -remove_once_only
                 remove-per-policy    -remove_per_policy

Unconfiguring associated products

If you installed using InstallShield Multiplatform, the following products might have been installed with IBM Tivoli Access Manager for Operating Systems:
- IBM Global Security Toolkit
- IBM Directory Server
- Tivoli Access Manager runtime environment.

The only one of these products that needs to be unconfigured is the Tivoli Access Manager runtime environment.

Attention: Do not unconfigure the Tivoli Access Manager runtime environment if other products on the system are using it.

The steps to unconfigure the Tivoli Access Manager runtime environment are as follows:
1. Log on as root.
2. Enter the following command and press Enter:
       pdconfig
3. Choose option 2 to unconfigure Tivoli Access Manager.
4. A list of configured components is displayed. Starting at the first one listed, unconfigure each one, in order, until you have unconfigured the entire runtime component. Typically, only the Tivoli Access Manager runtime is listed; however, if other components have been installed and configured, they need to be removed prior to removing the runtime.

Local unconfigure script

This shell script, pdosucfg_local, is designed to create a reusable template for installing Tivoli Access Manager for Operating Systems on multiple machines. To create the template, complete the following procedure:
1. Using a machine that has Tivoli Access Manager for Operating Systems installed, configured, and running, create a copy of the hard drive onto another file system or even another disk drive mounted on /new. For example, / will be copied to /new.
2. The contents under /new can then be installed on another system and you have a clone of the original system. Certain operations must be performed to /new before the cloned system can be properly started. In the case of Tivoli Access Manager for Operating Systems, you must ensure that the product appears unconfigured so that when other operations are complete and the system is started, Tivoli Access Manager for Operating Systems can be configured using the pdoscfg command as if it were being used for the first time.
3. The shell script accepts one parameter: the name of the directory path. A sample usage is pdosucfg_local /new. This command performs the following steps under /new:
   a. Ensures that the files controlling the autostart feature are properly cleaned up.
   b. Ensures that the files controlling the login policy feature are properly cleaned up.
   c. Removes the .conf files created during configuration.
   d. Removes the .kdb files created by svrsslcfg during configuration.
   e. Removes any other working files and directories created by Tivoli Access Manager for Operating Systems under /var/pdos.


Chapter 8. Uninstalling

This chapter explains how to uninstall Tivoli Access Manager for Operating Systems on AIX, HP-UX, Solaris, and Linux, whether the product was installed using InstallShield Multiplatform or a native installation utility. If you installed Tivoli Access Manager for Operating Systems with InstallShield Multiplatform, you must uninstall with it as well. You should be familiar with the native installation and uninstallation utility for the platform where you have installed Tivoli Access Manager for Operating Systems if you used a native installation utility.

You might also have to uninstall one or more associated products that were installed along with Tivoli Access Manager for Operating Systems by InstallShield Multiplatform.

To uninstall Tivoli Access Manager for Operating Systems you must:
- Have root permission.
- Unconfigure the pdostecd daemon, if it was configured, as described in “Unconfiguring pdostecd” on page 63.
- Unconfigure Tivoli Access Manager for Operating Systems, as described in Chapter 7, “Unconfiguring,” on page 67.
- Uninstall Tivoli Access Manager for Operating Systems following the procedures outlined in this chapter.
- Reboot your system after uninstalling Tivoli Access Manager for Operating Systems to remove the kernel extension.
- If you installed Tivoli Access Manager for Operating Systems, Version 5.1, using InstallShield Multiplatform, it is recommended that you use InstallShield Multiplatform to uninstall it. Doing so ensures that the InstallShield Multiplatform installation registry will reflect what is actually installed on the system.

If the osseal group entry, the ossaudit group entry, or the osseal user ID were created during installation, they are deleted when Tivoli Access Manager for Operating Systems is uninstalled.

Uninstalling with InstallShield Multiplatform

If you used the InstallShield Multiplatform to install Tivoli Access Manager for Operating Systems, you must also use it to uninstall the product. The installation program inserts tags into the native product registry, which it removes during the uninstall process. When using InstallShield Multiplatform to uninstall the product, only Tivoli Access Manager for Operating Systems, Version 5.1, is uninstalled. The prerequisite products, GSKit, LDAP, and Tivoli Access Manager runtime, are not uninstalled.

Note: Before starting the uninstall process, you must remove any prerequisite software and associated links. The InstallShield Multiplatform program will not do this. You must use your operating system’s native uninstall utility to uninstall the prerequisite software.

To uninstall Tivoli Access Manager for Operating Systems, follow this procedure:
1. Ensure that Tivoli Access Manager for Operating Systems has been properly unconfigured. See Chapter 8, “Unconfiguring” for details on how to properly unconfigure Tivoli Access Manager for Operating Systems.
2. Enter the following command:
       java -cp /var/pdos_ismp/_uninstall/uninstall.jar run
   OR
       java -cp /var/pdos_ismp/_uninstall/uninstall.jar run -silent
   OR
       /var/pdos_ismp/_uninstall/uninstaller.bin

Uninstalling on AIX

Tivoli Access Manager for Operating Systems can be uninstalled on AIX using SMIT, or it can be uninstalled from the command line.

Uninstalling on AIX using SMIT

Follow this procedure to uninstall Tivoli Access Manager for Operating Systems on AIX using SMIT:
1. Log on as root.
2. Enter the following command:
       smit
   The System Management Interface Tool panel is displayed.
3. From the System Management window, click Software Installation and Maintenance.
4. From the Software Installation and Maintenance menu, click Software Maintenance and Utilities.
5. From the Software Maintenance and Utilities menu, click Remove Installed Software. The Remove Installed Software pop-up panel is displayed.
6. Click the entry field for Software Name and enter PDOS.rte.
7. Before uninstalling the selected software, SMIT determines if it is possible to uninstall. PREVIEW only should be set to yes. Click OK, and then click OK on the confirmation window. During the Preview, a split screen shows the uninstall command and the output log for the preview of the uninstallation.
8. When the preview is complete, click Done.
9. The Remove Installed Software window is displayed. Specify No in PREVIEW only. Click OK.
10. Click OK on the confirmation window.
11. During the uninstallation, a split screen shows the uninstall command and the output log for the uninstallation.
12. When the uninstallation is complete, the Remove Installed Software panel is displayed. Click Done.
13. Close the Remove Installed Software panel.
14. Close the Software Maintenance Interface Tool panel.
15. Reboot when uninstallation is complete.


Uninstalling on AIX using the command line

To uninstall Tivoli Access Manager for Operating Systems on AIX from the command line, follow this procedure:
1. Log on as root.
2. On the command line, enter:
       installp -u -g PDOS.rte
3. Reboot when the uninstall process is complete.

Uninstalling on HP-UX

Tivoli Access Manager for Operating Systems can be uninstalled on HP-UX using swremove, or it can be uninstalled from the command line.

Uninstalling on HP-UX using swremove

Use these steps to uninstall Tivoli Access Manager for Operating Systems on HP-UX using swremove:
1. Log on as root.
2. On the command line, enter:
       swremove
   The SD Remove-Software Selection panel is displayed.
3. Select all Tivoli Access Manager for Operating Systems packages to uninstall.
4. In the Action menu, select Mark for Remove.
5. In the Action menu, select Remove (analysis). The Remove (analysis) pop-up panel is displayed. When status is Ready, click OK.
6. In the confirmation pop-up panel, click Yes. The Remove panel is displayed.
7. When the status is Completed, click Done.
8. Close the SD Remove-Software Selection panel.
9. Reboot when the uninstall process is complete.

Uninstalling on HP-UX using the command line

To uninstall Tivoli Access Manager for Operating Systems on HP-UX from the command line, use these steps:
1. Log on as root.
2. On the command line, enter:
       swremove PDOSrte
3. Reboot when the uninstall process is complete.

Uninstalling on Solaris

Tivoli Access Manager for Operating Systems can be uninstalled on Solaris using Admintool, or it can be uninstalled from the command line.

Uninstalling on Solaris using Admintool

Use these steps to uninstall Tivoli Access Manager for Operating Systems on Solaris using Admintool:
1. Log on as root.
2. At the command line, enter:
       admintool
   Press Return. The Admintool: Users panel is displayed.
3. In the Admintool: Users Browse menu, highlight Software. The Admintool: Software panel is displayed.
4. In the scrollable window in the Admintool: Software panel, locate and highlight the package to uninstall: IBM Tivoli Access Manager for Operating Systems Runtime.
5. From the Edit menu, select Delete.
6. The Admintool: Warning panel is displayed. Click Delete. The Admintool: Delete Software panel is displayed.
7. Confirmation messages are displayed before packages are removed. The order in which they are displayed depends on the order in which the packages are removed. The confirmation message, “Do you want to remove this package?” is displayed for each package. Type Yes when it is displayed. Press Return.
8. An additional confirmation message is displayed for the runtime package: “This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue with removal of this package?” Enter Yes. Press Return.
9. Press Return when complete.
10. Close the Admintool: Software panel.
11. Reboot when uninstallation is complete.

Uninstalling

on

Solaris

using

the

command

line

To

uninstall

Tivoli

Access

Manager

for

Operating

Systems

on

Solaris

from

the

command

line,

use

these

steps:

1.

Log

on

as

root.

2.

On

the

command

line,

enter:

pkgrm

PDOSrte

3.

Confirmation

messages

are

displayed

before

packages

are

removed.

The

order

in

which

they

are

displayed

depends

on

the

order

in

which

the

packages

are

removed.

The

confirmation

message,

″Do

you

want

to

remove

this

package?″

is

displayed

for

each

package.

Enter

Yes

when

it

is

displayed.

Click

Return.

4.

An

additional

confirmation

message

is

displayed

for

the

runtime

package:

″This

package

contains

scripts

which

will

be

executed

with

super-user

permission

during

the

process

of

removing

this

package.

Do

you

want

to

continue

with

removal

of

this

package?″

Enter

Yes.

Click

Return.

5.

When

the

uninstall

process

is

complete

for

each

package,

this

message

is

displayed:

″Removal

of

package

was

successful.″

6.

Reboot

when

the

uninstall

process

is

complete.

Uninstalling

on

Linux

Tivoli

Access

Manager

for

Operating

Systems

can

be

uninstalled

on

Linux

from

the

command

line,

as

follows:

1.

Log

on

as

root.

2.

Enter

the

following

command

on

the

command

line:

rpm

-e

PDOSrte-PDOSruntime

3.

Reboot

when

the

uninstall

process

is

complete.


Uninstalling language support packages

To uninstall language support packages, do the following:
1. Change your directory to the location where the uninstall.jar file is located. Enter the following:
   cd /opt/location
   where location is as follows:
   PDOssLP/osslp_uninst
      Specifies the location of the language packages for Tivoli Access Manager for Operating Systems.
2. To uninstall the language support packages, run the uninstall.jar command as follows:
   java -cp /opt/PDOssi_P/osrtelp_uninst/uninstall.jar run
   where jre_path is the path where the Java executable is located. If the Java executable is in the path, you do not have to specify jre_path.

Uninstalling associated products

If you installed Tivoli Access Manager for Operating Systems using InstallShield Multiplatform, you can now uninstall the other products that might also have been installed. These products include:
- Tivoli Access Manager Runtime Environment
- IBM Directory Server
- IBM Global Security Toolkit

To uninstall these associated products, follow the procedure outlined for your operating system platform.

Note: Ensure that no other products on the system are using these products before uninstalling them.

AIX

To uninstall these associated products on AIX, do the following:
1. Log on as root.
2. On the command line, enter:
   smitty maint
3. Choose the Remove Installed Software option.
4. At the SOFTWARE Name prompt, press F4 to display a list of packages. Remove the following packages by highlighting the entry and pressing F7:
   - PD.RTE
   - ldap.client.adt
   - ldap.client.rte
   - ldap.max_crypto_client.adt
   - ldap.max_crypto_client.rte
   - gskta.rte
   After you have selected all the packages, click Enter.
5. At the PREVIEW Only (remove operation will NOT occur) prompt, change the value to No by clicking the Tab key.


6. Click Enter to remove the selected components.

You can also use the installp command:
   installp -u -g PD.RTE ldap.client.adt ldap.client.rte \
      ldap.max_crypto_client.adt ldap.max_crypto_client.rte \
      gskta.rte

HP-UX

To uninstall the Tivoli Access Manager Runtime Environment, the IBM Global Security Toolkit, and the IBM SecureWay Directory Client on HP-UX, do the following:
1. Log on as root.
2. On the command line, enter:
   swremove PDRTE LDAPClient gsk7bas

Solaris

To uninstall the associated products on Solaris, follow this procedure:
1. Log on as root.
2. On the command line, enter:
   pkgrm PDRTE IBMldapc gsk7bas
3. The pkgrm commands might prompt you several times. Enter Y each time.

Linux

To uninstall the associated products on Linux, follow this procedure:
1. Log on as root.
2. Remove the components by issuing the following command:
   rpm -e PDRTE-PD ldap-clientd gsk7bas
   This command works for Linux for x86, zSeries, pSeries, and iSeries.

Uninstalling Tivoli Management Framework integration packages

To uninstall the Tivoli Access Manager for Operating Systems Management Tasks, use the following command:
   wuninst PDOSTASK machine -rmfiles
where machine is the name of the managed node in the Tivoli region that served as the module’s installation server.

To uninstall the Tivoli Access Manager for Operating Systems Enterprise Console Integration, use the following command:
   wuninst PDOSTEC machine -rmfiles
where machine is the name of the managed node from which the component is to be uninstalled.


Appendix A. Configuration options

Options available for the Tivoli Access Manager for Operating Systems configuration command, pdoscfg, include:

Table 9. Configuration Options

-admin_cred_refresh
    Refresh interval of administrator’s credentials in minutes.
    Values: Minimum: 1; Maximum: maxint; Default: 360 (6 hours)

-admin_name
    User administrator name. In combination with admin_pwd, replaces sec_master_pwd option.

-admin_pwd
    User administrator password.

-audit_level
    Specifies the global audit levels in effect at startup. The audit levels are specified in a comma-separated list. Valid values are all, none, permit, deny, loginpermit, logindeny, admin, verbose, info, trace_exec, trace_exec_l, trace_exec_root, or trace_file.
    Values: Default: None

-audit_logflush
    Interval in seconds that pdosauditd daemon flushes the audit records to the active audit log.
    Values: Minimum: 5; Maximum: 9999; Default: 5

-audit_log_size
    Maximum size in bytes to which the active audit log can grow before pdosauditd rolls over to use a new active audit log.
    Values: Minimum: 1000000; Maximum: 100000000; Default: 1000000

-autostart
    Automatically start Tivoli Access Manager for Operating Systems when the system starts.
    Values: on | off; Default: on

-branch
    Name of the policy branch to which this machine subscribes.

-cred_hold
    Maximum amount of time in minutes that a non-administrator credential is cached without being accessed. This value must be greater than or equal to the admin_cred_refresh value and the user_cred_refresh value.
    Values: Minimum: 1; Maximum: maxint; Default: 10080 (one week)

-cred_response_wait
    Maximum amount of time to wait for a response to a credential request before entering isolation mode, in minutes.
    Values: Default: 2

-critical_cred_group
    The name of the Tivoli Access Manager group whose members are to be treated as critical system users and whose credentials should always be available in the credential cache.

-critical_cred_refresh
    Refresh interval of critical_creds user’s credentials, in minutes.
    Values: Default: 720


-delete
    Comma-separated list of options to remove from configuration files.
    Values: admin_cred_refresh, audit_level, audit_log_entries, audit_logflush, audit_logs, audit_log_size, cred_hold, dns, kmsg_hnd_threads, pdosd_log_entries, pdosd_logs, pdoswdd_log_entries, pdoswdd_logs, refresh_interval, tcb_interval, tcb_max_file_size, tcb_monitor_threads, uid, user_cred_refresh, warning

-dns
    Enables Tivoli Access Manager for Operating Systems to store the IP address to host name mapping information.
    Values: on | off; Default: on

-ffdc_capture
    Enables capture of first failure upon abnormal termination of the Tivoli Access Manager for Operating Systems daemons.
    Values: Default: on

-help
    Displays help for all of the options. To display help for one option, type: -help -<option>.

-hostname
    Hostname that will be used by the Tivoli Access Manager server to recognize this machine.
    Values: If not specified, the default is the local hostname returned by the operating system.

-kmsg_hnd_threads
    Number of threads used to handle authorization requests from the kernel. Must be a positive integer. Increasing this value on multiprocessor systems with more than 8 processors can reduce the time authorization requests take and improve performance. On systems with more than 8 processors, specify a value equal to the number of processors in the system, otherwise use the default value. The maximum recommended number of threads at this time is 24.
    Values: Minimum: 1; Maximum: maxint; Default: 8


-ldap_ssl_cacert
    The CA certificate of the LDAP Server that contains the Tivoli Access Manager User Registry. This certificate is required for the mutual authentication that occurs between Tivoli Access Manager for Operating Systems and the LDAP Server. If you used the ezinstall_ldap_server script to install and configure your LDAP server and you chose to use the default LDAP SSL CA certificate file provided by Tivoli Access Manager, you must obtain the /etc/gsk/pd_ldapcert.arm file from the LDAP server and use that file during IBM Tivoli Access Manager for Operating Systems configuration.
    Values: The file must be provided.

-local_domain
    Specifies the Tivoli Access Manager domain to use for server registration.

-login_policy
    Enable systems login and password restrictions.
    Values: on | off; Default: on

-lrd_admin_name
    Specifies the Tivoli Access Manager user name to use when registering pdoslrd.

-lrd_admin_pwd
    Specifies the Tivoli Access Manager password name to use when registering pdoslrd.

-lrd_config
    Configure or unconfigure the pdoslrd daemon.

-lrd_local_domain
    The Tivoli Access Manager secure domain that the pdoslrd daemon will be configured to use. If the pdoslrd daemon will be used to send audit data to a Tivoli Access Manager authorization server (pdacld) as a remote collection point, the pdoslrd daemon must be configured into the same secure domain that the pdacld daemon is configured to use. In an environment where the Tivoli Access Manager policy server is managing multiple secure domains, this might mean that the pdoslrd daemon needs to be configured into a different secure domain than the pdosd daemon. If this option is not specified, the local domain will default to the secure domain that the pdosd configuration is using.
    Values: The Tivoli Access Manager secure domain must exist and the administrator name and password specified with the -lrd_admin_name and -lrd_admin_pwd options must be valid for the domain.


-net_ACL_limited
    Controls whether or not network access decisions inherit ACLs attached at or above the /OSSEAL/branch/NetIncoming and /OSSEAL/branch/NetOutgoing points in the policy namespace. Limiting the ACL inheritance allows for improved performance of network access decisions if there is no need to define policy at these junctions in the policy namespace.

-operations
    Lists the supported options.

-pdosauditd_log_entries
    Number of pdosauditd log entries to write before archiving the pdosauditd log file. The default value of zero means that the number of entries to write is unlimited and the pdosauditd log file will not be archived. If -pdosauditd_log_entries is non-zero and -pdosauditd_logs is non-zero, the pdosauditd log file will be archived when the number of entries in it reaches the number of entries specified by -pdosauditd_log_entries or when the pdosauditd daemon is restarted. If -pdosauditd_log_entries is non-zero and -pdosauditd_logs is zero, the pdosauditd log file will be recycled when the number of entries in it reaches the number specified by -pdosauditd_log_entries or when the pdosauditd daemon is restarted.
    Values: Minimum: 0; Maximum: maxint; Default: 0

-pdosauditd_logs
    Number of pdosauditd archive log files to use before recycling the pdosauditd archive log files. Setting the number of pdosauditd archive log files to a non-zero value has an effect only if the -pdoslrd_log_entries is non-zero. The pdosauditd log file will be archived when the number of entries in it has reached the number of entries specified by -pdoslrd_log_entries or when the pdosauditd daemon is restarted. The default value of zero means never archive the pdosauditd log file.
    Values: Minimum: 0; Maximum: 99; Default: 0

-pdosd_init_wait
    Time (in minutes) to wait for complete initialization (and the start of policy enforcement) by pdosd. For systems where policy enforcement at boot times is important.
    Values: Minimum: 1; Maximum: 20; Default: 5


-pdosd_log_entries
    Number of pdosd log entries to write before archiving the pdosd log file. The default value of zero means that the number of entries to write is unlimited and the pdosd log file will not be archived. If -pdosd_log_entries is non-zero and -pdosd_logs is non-zero, the pdosd log file will be archived when the number of entries in it reaches the number of entries specified by -pdosd_log_entries or when the pdosd daemon is restarted. If -pdosd_log_entries is non-zero and -pdosd_logs is zero, the pdosd log file will be recycled when the number of entries in it reaches the number specified by -pdosd_log_entries or when the pdosd daemon is restarted.
    Values: Minimum: 1; Maximum: 20; Default: 5

-pdosd_logs
    Number of pdosd archive log files to use before recycling the pdosd archive log files. Setting the number of pdosd archive log files to a non-zero value has an effect only if the -pdosd_log_entries is non-zero. The pdosd log file will be archived when the number of entries in it has reached the number of entries specified by -pdosd_log_entries or when the pdosd daemon is restarted. The default value of zero means never archive the pdosd log file.
    Values: Minimum: 0; Maximum: 99; Default: 0

-pdoslrd_log_entries
    Number of pdoslrd log entries to write before archiving the pdoslrd log file. The default value of zero means that the number of entries to write is unlimited and the pdoslrd log file will not be archived. If -pdoslrd_log_entries is non-zero and -pdoslrd_logs is non-zero, the pdoslrd log file will be archived when the number of entries in it reaches the number of entries specified by -pdoslrd_log_entries or when the pdoslrd daemon is restarted. If -pdoslrd_log_entries is non-zero and -pdoslrd_logs is zero, the pdoslrd log file will be recycled when the number of entries in it reaches the number specified by -pdoslrd_log_entries or when the pdoslrd daemon is restarted.
    Values: Minimum: 0; Maximum: maxint; Default: 0


-pdoslrd_logs
    Number of pdoslrd archive log files to use before recycling the pdoslrd archive log files. Setting the number of pdoslrd archive log files to a non-zero value has an effect only if the -pdoslrd_log_entries is non-zero. The pdoslrd log file will be archived when the number of entries in it has reached the number of entries specified by -pdoslrd_log_entries or when the pdoslrd daemon is restarted. The default value of zero means never archive the pdoslrd log file.
    Values: Minimum: 0; Maximum: 99; Default: 0

-pdoswdd_log_entries
    Number of pdoswdd log entries to write before archiving the pdoswdd log file. The default value of zero means that the number of entries to write is unlimited and the pdoswdd log file will not be archived. If -pdoswdd_log_entries is non-zero and -pdoswdd_logs is non-zero, the pdoswdd log file will be archived when the number of entries in it reaches the number of entries specified by -pdoswdd_log_entries or when the pdoswdd daemon is restarted. If -pdoswdd_log_entries is non-zero and -pdoswdd_logs is zero, the pdoswdd log file will be recycled when the number of entries in it reaches the number specified by -pdoswdd_log_entries or when the pdoswdd daemon is restarted.
    Values: Minimum: 0; Maximum: maxint; Default: 0

-pdoswdd_logs
    Number of pdoswdd archive log files to use before recycling the pdoswdd archive log files. Setting the number of pdoswdd archive log files to a non-zero value has an effect only if the -pdoswdd_log_entries is non-zero. The pdoswdd log file will be archived when the number of entries in it has reached the number of entries specified by -pdoswdd_log_entries or when the pdoswdd daemon is restarted. The default value of zero means never archive the pdoswdd log file.
    Values: Minimum: 0; Maximum: 99; Default: 0

-refresh_interval
    Interval in minutes that the Tivoli Access Manager management server is polled for policy updates, if it has not received any during the interval. A value of zero indicates that policy database updates are not received by polling. Compare -ssl_listening_port.
    Values: Minimum: 0; Maximum: maxint/60; Default: 0

-rspfile
    Name of file containing option values for the configuration.


-ssl_listening_port
    Port to listen for policy database update notifications. A value of zero indicates that policy database updates will not be received by notification. Compare -refresh_interval.
    Values: Minimum: 0; Maximum: 65535; Default: 7134

-suffix
    The LDAP suffix under which the Tivoli Access Manager for Operating Systems users and groups should be created during configuration.

-tcb_ignore_ctime
    Causes ctime to be ignored when performing Trusted Computing Base (TCB) signature comparisons. When this option is enabled, a change in ctime does not cause the TCB resource to become untrusted.
    Values: on | off; Default: off

-tcb_interval
    Interval in seconds during which all TCB files are checked for signature changes. The workload is approximately distributed uniformly over this interval.
    Values: Minimum: 1; Maximum: maxint; Default: 1800

-tcb_max_file_size
    Maximum number of megabytes of a file considered significant for calculating a checksum. The bytes checked are distributed throughout the file.
    Values: Minimum: 1; Maximum: (2^44) 1; Default: 10

-tcb_monitor_threads
    Number of threads used to monitor TCB files for changes. Setting this value above one is useful only on multiprocessor machines. Must be a positive integer.
    Values: Minimum: 1; Maximum: maxint; Default: 1

-tcb_nocrc_on_exec
    Causes the CRC data checksum that normally occurs as part of the authorization check associated with running an executable file that is registered in the TCB to be skipped. Enabling this option avoids performing the CRC check on large binary files.
    Values: on | off; Default: off

-uid
    Enables caching of the UID/GID to user/group name mapping information.
    Values: on | off; Default: off

-usage
    Displays help on the command’s usage.

-user_cred_refresh
    Refresh interval of user’s credentials in minutes.
    Values: Minimum: 1; Maximum: maxint; Default: 720

-version
    Displays the version of the pdoscfg utility.

-warning
    Enables global authorization warning mode.
    Values: on | off; Default: on

-?
    Displays help on the command’s usage.
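A pre-flight check of proposed pdoscfg values against the ranges and cross-option rules in Table 9, as an added example (not IBM's code and not part of the guide). It assumes maxint is the signed 32-bit maximum and that options arrive as a name-to-string mapping; the function names and the policy_updates label are hypothetical.

```python
"""Pre-flight check of proposed pdoscfg option values against Table 9."""

# Assumption: the guide gives no number for "maxint"; signed 32-bit is used.
MAXINT = 2**31 - 1

# (minimum, maximum, default) for integer options, copied from Table 9.
INT_OPTIONS = {
    "admin_cred_refresh": (1, MAXINT, 360),
    "user_cred_refresh": (1, MAXINT, 720),
    "cred_hold": (1, MAXINT, 10080),
    "audit_logflush": (5, 9999, 5),
    "audit_log_size": (1000000, 100000000, 1000000),
    "kmsg_hnd_threads": (1, MAXINT, 8),
    "pdosd_init_wait": (1, 20, 5),
    "refresh_interval": (0, MAXINT // 60, 0),
    "ssl_listening_port": (0, 65535, 7134),
    "tcb_interval": (1, MAXINT, 1800),
    "tcb_monitor_threads": (1, MAXINT, 1),
}
AUDIT_LEVELS = {
    "all", "none", "permit", "deny", "loginpermit", "logindeny", "admin",
    "verbose", "info", "trace_exec", "trace_exec_l", "trace_exec_root",
    "trace_file",
}
# on/off options that relax a TCB integrity check when on (default: off).
TCB_RELAXATIONS = {
    "tcb_ignore_ctime": "a ctime change no longer makes a TCB resource untrusted",
    "tcb_nocrc_on_exec": "CRC checksum is skipped when a TCB-registered executable runs",
}


def log_rotation(log_entries, logs):
    """Outcome Table 9 describes for a -<daemon>_log_entries / -<daemon>_logs pair."""
    if log_entries == 0:
        return "unlimited"  # log grows without limit and is never archived
    return "archive" if logs > 0 else "recycle"


def check(options):
    """Return (errors, warnings) as lists of (label, message) tuples."""
    errors, warnings, values = [], [], {}
    for name, (low, high, default) in INT_OPTIONS.items():
        raw = options.get(name, default)
        try:
            number = int(raw)
        except (TypeError, ValueError):
            errors.append((name, f"{raw!r} is not an integer"))
            continue
        values[name] = number
        if not low <= number <= high:
            errors.append((name, f"{number} is outside {low}..{high}"))

    # cred_hold must be greater than or equal to both refresh intervals.
    needed = [values.get("admin_cred_refresh"), values.get("user_cred_refresh")]
    if "cred_hold" in values and None not in needed:
        if values["cred_hold"] < max(needed):
            errors.append(("cred_hold", f"must be at least {max(needed)}"))

    # audit_level is a comma-separated list; Table 9 gives the default as None.
    raw_levels = options.get("audit_level", "none")
    levels = [part.strip().lower() for part in raw_levels.split(",")]
    unknown = [level for level in levels if level not in AUDIT_LEVELS]
    if unknown:
        errors.append(("audit_level", "unknown level(s): " + ", ".join(unknown)))
    elif levels == ["none"]:
        warnings.append(("audit_level", "no audit levels in effect at startup"))

    for name, effect in TCB_RELAXATIONS.items():
        state = options.get(name, "off")
        if state not in ("on", "off"):
            errors.append((name, "must be on or off"))
        elif state == "on":
            warnings.append((name, effect))

    # Zero turns off each policy update channel; both zero leaves none.
    if values.get("refresh_interval") == 0 and values.get("ssl_listening_port") == 0:
        warnings.append(("policy_updates",
                         "updates arrive neither by polling nor by notification"))
    if values.get("kmsg_hnd_threads", 0) > 24:
        warnings.append(("kmsg_hnd_threads", "above the recommended maximum of 24"))
    return errors, warnings


# Constructed sample: values an administrator might propose (not from the guide).
SAMPLE = {
    "cred_hold": "600",
    "user_cred_refresh": "720",
    "audit_logflush": "2",
    "ssl_listening_port": "0",
    "audit_level": "deny,logindeny,trace_file",
    "tcb_nocrc_on_exec": "on",
}

if __name__ == "__main__":
    found_errors, found_warnings = check(SAMPLE)
    for label, message in found_errors:
        print("ERROR  ", label, "-", message)
    for label, message in found_warnings:
        print("WARNING", label, "-", message)
```
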


Appendix B. Unconfigure options

Options available for the Tivoli Access Manager for Operating Systems unconfigure command, pdosucfg, include:

Table 10. Unconfigure Options

-admin_name
    User administrator name. In combination with admin_pwd replaces sec_master_pwd option.

-admin_pwd
    User administrator password.

-help
    Displays help for all of the options. To display help for one option, type -help -<option>.

-lrd_admin_name
    Specifies the Tivoli Access Manager user name to use when registering PDOSLRD.

-lrd_admin_pwd
    Specifies the Tivoli Access Manager password to use when registering PDOSLRD.

-operations
    Lists the supported options.

-remove_only_once
    Unregister the Tivoli Access Manager for Operating Systems product policy. Do not specify, if other Tivoli Access Manager for Operating Systems machines are configured to this Tivoli Access Manager policy server, because it would make the other machines inoperable. If additional policy has been added, you may need to remove it manually.
    Value: on | off; Default: off

-remove_per_policy
    Unregister the policy branch specific Tivoli Access Manager for Operating Systems information that this machine is configured to use. Do not specify, if other Tivoli Access Manager for Operating Systems machines are configured under that policy branch because it would make the other machines inoperable. If additional policy has been added under that policy branch, you might need to remove it manually.
    Value: on | off; Default: off

-rspfile file_name
    Contains values that are used in the unconfigure process.
    Value: The file must be provided.

-usage
    Displays help on the command’s usage.

-version
    Displays the version of the pdosucfg utility.

-?
    Displays help on the command’s usage.


Appendix C. Migrating from Tivoli Access Control Facility

Tivoli Access Manager for Operating Systems includes tools that can help migrate policy for eTrust Access Control for UNIX. These tools require exported data from the eTrust environment in the form provided by the eTrust Access Control, Version 5.0, sedb2scr program and can convert scripts based on selang commands at that level. The migration process occurs after Tivoli Access Manager for Operating Systems has been installed and configured, but before it is started.

The focus of the migration process is defining users from an eTrust Access Control for UNIX database as Tivoli Access Manager users and redefining eTrust protection in terms of Tivoli Access Manager for Operating Systems namespace entries, access control lists (ACLs), and protected object policies (POPs).

The migration process involves transplanting eTrust scripts to Tivoli Access Manager pdadmin scripts by translating eTrust commands to Tivoli Access Manager for Operating Systems commands.

se2pdos translation utility

This section describes the translation utility se2pdos. Most command line parameters are optional. If you are translating users or groups, the suffix must be specified. If no input file is specified, stdin is assumed.

Usage

   se2pdos [-f input file] [-o output file] [-e error file] [-na] [-nc] [-nr] [-s] [-w {012}] [-i] [-1] [-p branch] [-g "suffix"] [-u "suffix"] [-?] [-h] [-V] [-no] [-nO]

Options

Table 11. se2pdos Translation Utility Options

-f input file
    Input file
    Default: stdin

-o output file
    Output file
    Default: stdout

-e error file
    Error/warning log
    Default: Comments in translation output

-nc
    Do not create objects and templates for resource created with editres or editfile commands
    Default: Create objects and templates for editres or editfile

-nr
    Do not translate registry commands (resources)
    Default: Process resource commands

-na
    Do not translate registry commands (accessors)
    Default: Process resource commands

-p branch
    IBM Tivoli Access Manager for Operating Systems policy branch name
    Default: Value in osseal.conf; "default" if not set


-s
    Separate registry items from resource items
    Default: Do not separate items (ignored for either -na or -nr)

-w #
    Warning level
    0 = Suppress all warnings
    1 = Report possible semantic differences
    2 = Report nonapplicable items
    Default: Warning level 1

-i
    Interlace original script
    Default: Do not interlace

-1
    Translate each line independently
    Default: Translate after entire script has been read

-g suffix
    Suffix for groups (required unless -na or -u is specified)
    Default: -u value (if specified; otherwise, no default)

-u suffix
    Suffix for users (required unless -na or -g is specified)
    Default: -g value (if specified; otherwise, no default)

-?
    Usage
    Default: n/a

-V
    Version
    Default: n/a

-no
    Ignore all entries for nobody. If -no and -nO are both set, the -no flag is silently ignored.

-nO
    Ignore all owner entries.

Examples

This section contains some examples of how to use the translation utility. In the examples, the output of the Tivoli Access Control Facility command is a file named sedb2scr.out. The LDAP suffixes that are referenced have been created.

Populate a Tivoli Access Manager registry

To generate a series of commands that will initially populate a Tivoli Access Manager registry with Tivoli Access Control Facility users and groups, enter the following commands at the command line:

   se2pdos -nr -s -u "ou=users, o=IBM, c=US" -g "ou=groups, o=IBM, c=US" \
      -f sedb2scr.out -o se2pdos.out
   pdadmin -a sec_master -p password <se2pdos.out

The -s option is used to ensure that the user commands are generated before the group commands. If the group suffix is not specified or is the same as the user suffix, then group DN is appended with "group". For example,

   editgrp ("mygroup") name('My group') owner('root')

then

   se2pdos -u"o=tivoli,c=us" -f mygroup.se

will yield


   group create mygroup "cn=mygroup group, o=IBM,c=US" "mygroup"
   group modify mygroup description "My group"

The group DN is modified to prevent name collisions between similarly named users and groups.

Populate Tivoli Access Manager policy information

To generate a series of commands that will populate Tivoli Policy Director policy information, type the following commands at the command line:

   se2pdos -na -i -f sedb2scr.out -o se2pdos.out
   pdadmin -a sec_master -p password < se2pdos.out

Using the -i option with the se2pdos command interlaces Tivoli Access Control Facility and IBM Tivoli Access Manager for Operating Systems so that the result can be inspected and be modified, if needed, before applying it to pdadmin.

Migrating Tivoli Access Control facility shell scripts

To generate the Tivoli Access Manager for Operating Systems equivalent of a Tivoli Access Control Facility shell script named kevinc.se, enter the following at the command line:

   se2pdos -1 -f kevinc.se -o kevinc.pdos -u "ou=users, o=IBM, c=us"

where the kevinc.se script is used to create a user and define policy for that user on a file named /home/kevinc/filea. The -1 option is recommended when translating shell scripts. The kevinc.se script might consist of the following:

   editusr ("kevinc") restrictions (days(AnyDay) time(AnyTime)) name('Kevin Cee') \
      grace(1) audit(FAILURE LOGINFAILURE)
   chusr ("kevinc") owner('root')
   join ("kevinc") group('staff')
   newres FILE ("/home/kevinc/filea") audit(FAILURE) defaccess(NONE) uid('kevinc')
   authorize FILE ("/home/kevinc/filea") audit(FAILURE) access(ALL) uid('kevinc')
   authorize FILE ("/home/kevinc/filea") audit(FAILURE) access(ALL) uid('root')


Appendix D. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

If you are viewing this information in softcopy form, the photographs and color illustrations might not appear.

Trademarks

The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:

    AIX
    DB2
    IBM
    IBM logo
    OS/390
    SecureWay
    Tivoli
    Tivoli logo
    Tivoli Management Environment
    Tivoli Enterprise Console
    zSeries

Lotus is a trademark of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are registered trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.


Printed in USA

SC23-4829-01

