Tivoli® Access Manager for Enterprise Single Sign-On
Provisioning Adapter Installation and Setup Guide
Version 6.0
SC32-2004-00
���
Tivoli® Access Manager for Enterprise Single Sign-On
Provisioning Adapter Installation and Setup Guide
Version 6.0
SC32-2004-00
���
Note:
Before using this information and the product it supports, read the information in “Notices,” on page 21.
First Edition (September 2006)
This edition applies to version 6, release 0, modification 0 of IBM Tivoli Access Manager for Enterprise Single
Sign-On (product number 5724-N70) and to all subsequent releases and modifications until otherwise indicated in
new editions.
© Copyright International Business Machines Corporation 2006. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Table of Contents Welcome to TAM E-SSO: Provisioning Adapter ............................................. 2 Installation Overview................................................................................... 2 System Requirements and Supported Applications ...................................... 3
Minimum System Requirements ................................................................... 3 Software Requirements............................................................................... 3
Installation Steps......................................................................................... 5 Upgrade Notes ........................................................................................... 16 Uninstalling TAM E-SSO: Provisioning Adapter........................................... 16 Reference and Troubleshooting.................................................................. 17
Customization Notes..................................................................................17 Installation and Configuration Notes ............................................................19
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Welcome to TAM E-SSO: Provisioning Adapter IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter (TAM E-SSO: Provisioning Adapter) provides the ability for an administrator to automatically provision TAM E-SSO with a user’s ID and password by using a provisioning system. An administrator is able to add, modify and delete IDs and passwords for particular applications within the provisioning system and have the changes reflected in TAM E-SSO. From the provisioning system, all usernames and passwords inside of TAM E-SSO can also be deleted so that a user’s access to all protected applications is eliminated.
Installation Overview TAM E-SSO: Provisioning Adapter is installed as an add-on component to IBM Tivoli Access Manager for Enterprise Single Sign-On (TAM E-SSO). TAM E-SSO must be installed prior to installing TAM E-SSO: Provisioning Adapter. TAM E-SSO automatically recognizes TAM E-SSO: Provisioning Adapter once it is installed. The following is a brief overview of the steps that must be taken in order to successfully install TAM E-SSO: Provisioning Adapter. Each step is explained in detail in the Installation Steps section. If you are upgrading from TAM E-SSO: Provisioning Adapter 5.0, please refer to the Upgrade Notes.
• Review System Requirements
• Install TAM E-SSO: Provisioning Adapter Server o Installing the Server o Create or identify a User Account for Anonymous Logon o Enable SSL
• Install TAM E-SSO: Provisioning Adapter Client CLI (optional)
• Install TAM E-SSO: Provisioning Adapter Client (Support for TAM E-SSO
Agent) o Set CycleInterval Registry Key
2
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
System Requirements and Supported Applications Unless otherwise indicated, the information in this section applies to the TAM E-SSO: Provisioning Adapter Server.
Minimum System Requirements In order for TAM E-SSO: Provisioning Adapter to install and function properly, your system must meet at least the following requirements.
Pentium III class processor at 900MHZ
512MB RAM
Disk Space: a complete Installation requires ~3MB
o TAM E-SSO: Provisioning Adapter Support for SSO Agent requires < 1 MB of additional disk space.
Software Requirements In order for TAM E-SSO: Provisioning Adapter to install and function properly, your system must have the following applications installed:
Internet Explorer 6.0 or higher with 128-bit encryption or Mozilla Firefox 1.0+
Microsoft® .NET Framework 2.0 (installed by TAM E-SSO: Provisioning Adapter setup)
Microsoft Web Services Enhancements 3.0 (WSE 3.0) (installed by TAM E-SSO: Provisioning Adapter setup)
TAM E-SSO: Provisioning Adapter Support for TAM E-SSO Agent In order for the TAM E-SSO: Provisioning Adapter support for the TAM E-SSO Agent to function properly, TAM E-SSO version 5.0+ must be installed.
TAM E-SSO: Provisioning Adapter Server In order for TAM E-SSO: Provisioning Adapter Server to function properly, your system must have the following applications installed:
Microsoft Windows® 2000 Server or Windows Server 2003
Microsoft Internet Information Server version 5.0 or later (6.x recommended)
Microsoft Active Directory®, Microsoft ADAM, Sun Directory Server, or IBM LDAP Directory
Microsoft SQL Server 2000, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, or Microsoft SQL Server 2005 (only required if using Event Logging)
IIS Requirements: Microsoft Internet Information Server (IIS), version 5.0 or later. TAM E-SSO: Provisioning Adapter uses the IIS Web server to provide a browser-based interface for user enrollment, general setup and administrative tasks.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Notes: If Active Directory or ADAM is used, the anonymous account used in IIS must
have Administrative privileges and the server must be joined to the domain. If you are running Windows 2000 SP4, make sure that the ASPNET account
(or IWAM_Machine if ASPNET does not exist) has the privilege to impersonate a client after authentication. Please refer to http://support.microsoft.com/kb/821546 for more information.
TAM E-SSO: Provisioning Adapter Repository Requirements: TAM E-SSO: Provisioning Adapter can use any the following as the repository:
o Microsoft Active Directory or Active Directory Application Mode (ADAM). The Active Directory server or ADAM instance (that is, Active Directory running as a user service) can be on any server and in the same domain.
o Sun Directory Server o IBM LDAP Directory
Installer Requirements To install TAM E-SSO: Provisioning Adapter, you need to have Administrative privileges for the PM/IIS server. You need to provide the following information to configure a Directory server:
host Name of the server hosting the Directory server instance.
port Port number of Directory server instance.
name1[,name2,name3] Distinguished name of the Directory server domain root.
Certificate Requirements
An X.509 Certificate for SSL must be obtained from a Certificate Authority.
A Trusted Root CA Certificate should also be downloaded from your Certificate Authority into the list of trusted root CA’s on the local computer.
For more information see the Enable SSL section.
A certificate setup guide is provided with the TAM E-SSO: Provisioning Adapter documentation suite. If you do not have a certificate authority set up and want to use Microsoft Certificate Services to obtain certificates, please refer to the TAM E-SSO: Provisioning Adapter Certificate Setup Guide which walks you though obtaining the necessary certificates using Microsoft Certificate Services.
4
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Installation Steps Follow these steps to install and configure TAM E-SSO: Provisioning Adapter.
Step 1: Review System Requirements Make sure you have carefully reviewed the system requirements on the previous page.
Step 2: Install TAM E-SSO: Provisioning Adapter Server Complete all the steps in this section to install and configure the TAM E-SSO: Provisioning Adapter server.
• Step 2a: Installing the Server
• Step 2b: Create or identify a User Account for Anonymous Logon
• Step 2c: Enable SSL
Step 2a. Installing the Server Follow these steps to install and configure the TAM E-SSO: Provisioning Adapter Server.
1. Close all programs.
2. Open the TAM E-SSO PA directory on the CD-ROM.
3. Double-click the TAM E-SSO PA Server.exe file to begin the installation.
4. The Welcome Panel appears. Click Next.
5. The License Agreement panel appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click Next to continue.
6. The Customer Agreement Panel appears. Enter your User Name, Organization name, and select who to Install this application for: All Users or Only for you. Click Next.
7. The Setup Type Panel appears. Select Complete or Custom. Complete installs all program files. Custom allows you to choose what program files are installed and the location. Custom installations are only recommended for advanced users. Click Next.
8. TAM E-SSO: Provisioning Adapter is ready to be installed. Click Install. Wait for the installation to complete. When it is done, click Finish.
Step 2b. Create or Identify a User Account for Anonymous Logon
A dedicated Anonymous User account through which TAM E-SSO: Provisioning Adapter users and administrators access TAM E-SSO: Provisioning Adapter Web Services must be created or identified. This Anonymous User account should be a member of the Administrators group.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Note: Because the default Anonymous User account in IIS, IUSR_MACHINE_NAME, is not a member of the Administrator group, you must create or choose a domain user account that is an Administrator; this will allow the account to perform these tasks: 1. Change the web service account to use from the management console. 2. Read from and write to the directory service (if AD or ADAM). 3. Write to the local-machine registry (HKLM). To create a new user account or assign Administrator rights to an existing account, use the Active Directory Users and Computers console (for an Active Directory domain) or the Computer Management console (for non-AD domains).
The user account you create or choose is specified as the Anonymous User dialog of the Services tool during this step.
1. Click Start, point to Program Files, point to Administrative Tools, and click Internet Information Services.
2. Locate the TAM E-SSO: Provisioning Adapter Console node in the tree, right-click on it, and click Properties.
3. Click the Directory Security tab and click the Edit button next to Anonymous Access.
4. Check the Anonymous Access checkbox and type in the username and password of the anonymous user. The anonymous user must have local Administrative access.
Note: By default, the TAM E-SSO: Provisioning Adapter Management Console is not restricted. Any user with a credential in the backend storage can log in. If you want to restrict access to a particular group, please see the Additional Security Settings in the TAM E-SSO: Provisioning Adapter Administrator Guide. Give the IIS anonymous account access to ADAM
Note: This step only applies to ADAM users. Use the account chosen in Step 2b.
1. Click Start, point to Program Files, point to ADAM, and then click ADAM Tools Command Prompt.
2. Type:
"dsacls [\\SERVER:PORT\DISTINGUISHED_NAME] /g [USER]:ga /i:t"
For example:
"dsacls \\localhost:50000\ou=pm,dc=passlogix,dc=com /g PLX\PMWeb:ga /i:t"
3. To make sure the account was given access, type:
"dsacls \\SERVER:PORT\DISTINGUISHED_NAME"
The output shows the security information for the directory object. The TAM E-SSO: Provisioning Adapter Anonymous Account should appear in the list with full access.
6
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Give the ASPNET account additional privileges
Note: The following step is for Windows 2000 Users only.
You must give ASPNET the “Act as part of the operating system” privilege:
1. Open the MMC console by clicking Start > Run. Type mmc and then click OK. The Microsoft Management Console opens.
2. On the File menu, click Add/Remove Snap-in.
3. On the Standalone tab, click Add.
4. In the Add Standalone Snap-in dialog, highlight Group Policy and click Add.
5. On the Group Policy dialog, select Local Computer and click Finish. Click OK.
Note: If you are installing the TAM E-SSO: Provisioning Adapter Console on a box that is a domain controller, instead of selecting Local Computer, click Browse and search for Default Domain Controller Policy. In the next step, in the MMC, Default Domain Controller Policy will appear instead of Local Computer Policy.
6. In the MMC, click the + sign to expand Local Computer Policy, and continue expanding Computer Configuration > Windows Settings > Security Settings > Local Policies. Double-click on User Rights Assignment.
7. Double-click Act as part of the operating system and click the Add User or Group button.
8. Select the ASPNET account and click OK. Click OK again.
Step 2c. Enable SSL
An X.509 Certificate for SSL must be obtained from a trusted Certificate Authority. This trusted CA must be installed in the list of trusted Root CAs.
The certificate must be valid for the current date and must contain the name of the website (machine name).
The following instructions assume that these certificates are available at known locations. Notes: The following articles from the Microsoft Web site can be referred to for information on installing certificates and setting up SSL: How to: Obtain an X.509 Certificate http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse/html/1011e2ed-f3b0-4f3b-a5b7-8e1d8ae476d8.asp How to: Set Up SSL on a Web Server http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod30.asp
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
If you use Microsoft Certificate Services to obtain the X.509 certificate, choose a Server Authentication Certificate. Also, enable the Mark keys as exportable and Use local machine store options under the Key Options section.
1. Go to Control Panel Internet Information Services. Right click the v-GO PM Service web site. Select Properties.
2. Click the Directory Security tab and under Secure Communications, click Server Certificate.
8
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
3. The Web Server Certificate Wizard appears. This is where we will generate a request for a certificate. Click Next.
4. Select Assign an existing certificate and click Next.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
5. Highlight the certificate to assign and click Next.
6. The default SSL port is 443. Leave the default and click Next.
7. Review the summary of your request. Click Next.
8. Click Finish.
9. The Directory Security tab will still be open. Under Secure Communications, click Edit.
10
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
10. On the Secure Communications dialog, check Require secure channel (SSL) and Require 128-bit encryption. Click OK to close the dialog.
11. On the Internet Information Services Tree (see screen in Step 1), select v-GO PM Console. Right click and select Properties. To enable SSL for the Console, repeat Steps 2 - 10. The next two steps ensure the Console can communicate with the Web service.
12. Select the ASP.NET tab (on the v-GO PM Console Properties dialog). Make
sure the ASP.NET version is set to 2.0.x. (Please note that if it was not set to 2.0, click Apply after changing the setting). Click Edit Configuration.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
13. Under Application Settings, select localhost.UP and click Edit.
14. In the Value field, change the prefix of the URL to https. The console will now communicate over SSL with the Web service.
12
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Step 3: Install the TAM E-SSO: Provisioning Adapter Client CLI
Note: This installation step is optional. The TAM E-SSO: Provisioning Adapter Client CLI/SDK is supplied as an integration component for Provisioning Solutions. The TAM E-SSO: Provisioning Adapter Server provides a Web service which allows integration with other 3rd party provisioning systems. The TAM E-SSO: Provisioning Adapter CLI is used to communicate with this Web service. It can be used as a traditional scripting tool or if preferred, the SDK library can be used to develop more complex integration solutions and connectors for the TAM E-SSO: Provisioning Adapter Server. Follow these steps to install and configure the TAM E-SSO: Provisioning Adapter CLI. For more information on the CLI syntax and usage, please refer to the TAM E-SSO: Provisioning Adapter CLI Guide.
1. Close all programs.
2. Open the TAM E-SSO PA directory on the CD-ROM.
3. Double-click the TAM E-SSO PA Client SDK.exe file to begin the installation.
4. The Welcome Panel appears. Click Next.
5. The License Agreement panel appears. Read the license agreement carefully. Click the I accept the terms in the license agreement button and click Next to continue.
6. The Customer Agreement Panel appears.
7. Enter your User Name, Organization name, and select who to Install this application for: All Users or Only for you. Click Next.
8. The Setup Type Panel appears. Select Complete or Custom. Complete installs all program files. Custom allows you to choose what program files are installed and the location. Custom installations are only recommended for advanced users. To install the Java CLI, the custom panel must be chosen. Installation choices for the Java CLI are for JDK 1.4 or 1.5.
9. Once you select the proper setup options, click Next.
10. TAM E-SSO: Provisioning Adapter is ready to be installed. Click Install.
11. Wait for the installation to complete. When it is done, click Finish.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Step 4: Install TAM E-SSO: Provisioning Adapter Support for TAM E-SSO Agent Follow these steps to install and configure the TAM E-SSO: Provisioning Adapter Support for TAM E-SSO Agent.
1. Close all programs.
2. Open the TAM E-SSO PA directory on the CD-ROM.
3. Double-click the TAM E-SSO PA Client.exe file to begin the installation.
4. The Welcome Panel appears. Click Next.
5. The License Agreement panel appears. Read the license agreement carefully.
Click the I accept the terms in the license agreement button and click
Next to continue.
6. TAM E-SSO: Provisioning Adapter is ready to be installed. Click Install.
7. Wait for the installation to complete. When it is done, click Finish.
14
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Step 4a. Set CycleInterval Registry Key
In order for TAM E-SSO: Provisioning Adapter to function properly, the TAM E-SSO agent must synchronize to retrieve the provisioning instructions from the directory. When deploying, one of the decisions that must be made is the synchronization interval. The CycleInterval registry key is used to force synchronization to occur on a regular interval. If this is not set to a non-zero value, synchronization only occurs on some user action. This would not be the desired behavior with TAM E-SSO: Provisioning Adapter. It is recommended that this key is set to some value, for example 15 minutes. This would guarantee that the provisioning instructions get pulled down from the directory within 15 minutes (or whatever interval is set) of when they are put there by the TAM E-SSO: Provisioning Adapter Server. The CycleInterval registry key can be set through the TAM E-SSO Console: 1. Open the TAM E-SSO Administrative Console by clicking Start, point to
Programs Passlogix TAM E-SSO and click TAM E-SSO Console.
Expand TAM E-SSO, Global Agent Settings, expand Live, and click Synchronization.
Set the Interval for automatic re-sync setting to the desired value.
2. Click Tools Write Global Agent Settings to HKLM.
The Apply Settings dialog appears. Click Yes.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Note: This only applies to running TAM E-SSO agents. If a user doesn't have TAM E-SSO running, the provisioning instructions are not processed until the user starts TAM E-SSO. Processing the provisioning instructions requires that the user be authenticated to TAM E-SSO. If the user isn't authenticated to TAM E-SSO (for example, the timeout expired) then an authentication UI is presented and the synchronization process is blocked until the user authenticates.
Upgrade Notes If you are upgrading from TAM E-SSO: Provisioning Adapter 5.0, perform these steps: TAM E-SSO: Provisioning Adapter Server: Follow the instructions in the Install TAM E-SSO: Provisioning Adapter Server section. After running the installer, you must reset IIS and make sure that the anonymous accounts are still set. TAM E-SSO: Provisioning Adapter Agent: Before installing, shut down Agent. Follow the instructions in the Install TAM E-SSO: Provisioning Adapter Client (Support for TAM E-SSO Agent) section. After running the installer, restart the Agent.
Uninstalling TAM E-SSO: Provisioning Adapter Follow these steps to uninstall TAM E-SSO: Provisioning Adapter.
1. Click Start, point to Settings, and then click Control Panel.
2. Open Add/Remove Programs.
3. Select IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter and click Remove.
4. Follow the prompts to uninstall TAM E-SSO: Provisioning Adapter.
5. Repeat Steps 3 and 4 for TAM E-SSO: Provisioning Adapter Agent for TAM E-SSO and TAM E-SSO: Provisioning Adapter Client CLI.
16
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Reference and Troubleshooting
Customization Notes
Creating default access pages You can create HTML pages to provide end users with easy web access to TAM E-SSO: Provisioning Adapter Administrative Console. Here is an example of the HTML markup for an end user access page: <html> <head> <title>v-GO PM Console</title> <style> body { font-family:Verdana; font-size:12px; text-align:Center } h1 { font-size: 18px } </style> </head> <body> <h1>v-GO Provisioning Manager</h1> <!--substitute the host computer name for YOURHOST. If over SSL, use HTTPS instead of HTTP. --> <p> <a href="http://YOURHOST/v-GO PM Console/overview.aspx"> v-GO PM Administrative Console </a> </p> </body> </html> You can then create and distribute desktop shortcuts or Internet Explorer favorites to access this page. You can also make your access page the default (home) page for the host Web server ("yourHost," in the example URLs above). To do this, follow these steps:
1. Open IIS Manager.
2. Right-click the Default Web Site, and choose Properties from the shortcut menu.
3. Click the Documents tab.
4. Make sure the Enable default content page option is checked (note the name of the first-listed default page) then click OK.
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
5. Place your access page in the root folder of the default Web site and rename it as the default content page. Note the link URL can now be relative to the root (e.g., href="v-GO PM Console").
1. Use these URLs in an access page or shortcut to access Administrative Console functions; again substitute you host server name for "YOURHOST":
<a href="http://YOURHOST/v-GO PM Console/overview.aspx">Overview</a> <a href="http://YOURHOST/v-GO PM Console/storage.aspx">Storage Settings</a> <a href="http://YOURHOST/v-GO PM Console/users.aspx">Users</a> <a href="http://YOURHOST/v-GO PM Console/eventLog.aspx">Event Log</a> <a href="http://YOURHOST/v-GO PM Console/report.aspx">Report</a>
18
TAM E-SSO: Provisioning Adapter Installation and Setup Guide
Installation and Configuration Notes Please review the following installation and configuration notes:
o TAM E-SSO: Provisioning Adapter does not support File Sync
o Multiple Locators require an Entlist at each locator site
o Using AD/ADAM and IIS Web Services on different servers
o Windows Installer Error 1720
o Internet Security settings (Windows 2003 users)
o Internet Security settings (Windows Domain and Citrix MetaFrame users)
Multiple Locators require an Entlist at each locator site If two users are stored in different containers, a matching application configuration list (entlist) must exist in each locator site in order for provisioning to work down to the client. The matching entlists must exist under both containers that store the user credentials.
Using AD/ADAM and IIS Web Services on different servers If IIS and Active Directory (or the ADAM-instance) are on different computers, then you must provide the IIS Web services with a user account that is in the same domain as (or a trusted domain of) AD/ADAM, and that is provided with read/write access to the directory.
Windows Installer Error 1720 Error 1720 occurs during TAM E-SSO: Provisioning Adapter client software installation when the logged-on user does not have sufficient rights to install software on the workstation. You must log on to workstation as a user with Administrator rights or contact support personnel.
Internet Security settings (Windows 2003 users) The default settings for Windows 2003 Internet Security are more stringent than those for Windows 2000 and XP. If Internet Explorer Enhanced Security Configuration is enabled (on by default in Windows 2003), you must add the TAM E-SSO: Provisioning Adapter Web Console URL to the workstation's Trusted Sites Internet Zone or the Local Intranet Zone in order to use TAM E-SSO: Provisioning Adapter without issues.
Internet Security settings (Windows Domain and Citrix MetaFrame® users) In order for Windows domain users and Citrix MetaFrame users to access TAM E-SSO: Provisioning Adapter, you must add the TAM E-SSO: Provisioning Adapter Web service to the workstation's Local Intranet zone.
Appendix. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM® representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
© Copyright IBM Corp. 2006 21
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurements may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
developerWorks
eServer
IBM
iSeries
Lotus
Passport Advantage
pSeries
RACF
Rational
Redbooks
Tivoli
WebSphere
zSeries
Microsoft®, Windows®, Windows NT®, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
22 IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter Installation and Setup Guide
Intel®, Intel Inside® (logos), MMX and Pentium® are trademarks of Intel
Corporation in the United States, other countries, or both.
UNIX® is a registered trademark of The Open Group in the United States and
other countries.
Linux® is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java™ and all Java-based trademarks are trademarks of Sun
Microsystems, Inc. in the United States, other countries, or
both.
Other company, product, and service names may be trademarks or service marks
of others.
Appendix. Notices 23
24 IBM Tivoli Access Manager for Enterprise Single Sign-On: Provisioning Adapter Installation and Setup Guide
����
Printed in USA
SC32-2004-00