Tivoli® Identity Manager Server
Version 5.1
Installation and Configuration Guide
SC27-2410-01
Note:
Edition notice
This edition applies to version 5.1 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions.
This edition obsoletes and replaces SC32-1562-01.
© Copyright International Business Machines Corporation 2009.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface  vii
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite product publications
  Accessing publications online
  Conventions used in this book
  Definitions for HOME and other directory variables
  Operating system differences

Chapter 1. Overview of the Tivoli Identity Manager environment  1
  Tivoli Identity Manager components
  IBM Tivoli Directory Integrator
  WebSphere Application Server
  An HTTP server and WebSphere Web Server plug-in
  Tivoli Identity Manager Server
  Tivoli Identity Manager adapters
  Overview of the installation
  Planning activities for deployments at large sites

Chapter 2. Installing and configuring a database  9
  Before you install the database product
  Installing and configuring IBM DB2 Database
  Installing the required fix packs
  Configuring IBM DB2 Database
  Tuning the DB2 Database for performance
  Installing and configuring the Oracle database
  Creating the Tivoli Identity Manager database
  Tuning the Oracle database for performance
  Starting the Oracle product and the listener service
  Installing and configuring SQL Server 2005 on the
  Preparing to install SQL Server 2005
  Creating the Tivoli Identity Manager database

Chapter 3. Installing and configuring a directory server  27
  Before you install the directory server product
  Installing and configuring IBM Tivoli Directory
  Installing IBM Tivoli Directory Server
  Installing the required fix packs
  Configuring IBM Tivoli Directory Server
  Sun Enterprise Directory Server
  Installing Sun Enterprise Directory Server
  Configuring Sun Enterprise Directory Server

Chapter 4. Optionally installing IBM Tivoli Directory Integrator  39
  Before you install the directory integrator product  39
  Installing IBM Tivoli Directory Integrator
  Installing IBM Tivoli Directory Integrator
  Installing the required fix packs
  Installing agentless adapters

Chapter 5. Installing and configuring WebSphere Application Server  41
  Before you install WebSphere Application Server
  Installing the WebSphere Application Server product  41
  Installing WebSphere Application Server in a single-server environment
  Installing WebSphere Application Server in a cluster environment
  Tuning WebSphere Application Server for performance

Chapter 6. Installing Tivoli Identity Manager  51
  Installing Tivoli Identity Manager in a single-server configuration
  Starting the installation wizard
  Completing the installation wizard pages
  Responding to major installation actions
  Verifying that the Tivoli Identity Manager Server is operational
  Installing Tivoli Identity Manager in a cluster configuration
  Overview of the installation program in a cluster configuration
  Starting the installation wizard
  Completing the installation wizard pages
  Responding to major installation actions
  Verifying that the Tivoli Identity Manager Server is operational
  Optional post-installation tasks
  Optionally installing a language pack
  Optionally installing adapter profiles
  Changing cluster configurations after Tivoli Identity Manager is installed

Chapter 7. Configuring the Tivoli Identity Manager Server  75
  Configuring the Tivoli Identity Manager database  75
  Completing the database configuration windows  75
  Manually starting the DBConfig database configuration tool
  Configuring the directory server
  Completing the directory server configuration windows
  Manually running the ldapConfig configuration tool
  Configuring commonly used system properties
  Manually starting the system configuration tool  82
  Manually installing agentless adapters and adapter profiles
  Installing agentless adapters
  Installing agentless adapter profiles
  Modifying system properties during normal operation
  Modifying system properties with the system configuration tool
  Modifying system properties manually
  Modifying system properties with the Tivoli

Chapter 8. Performing a silent installation and configuration of Tivoli Identity Manager  87
  Performing a silent installation in a single-server environment
  Performing a silent installation in a cluster environment
  Configuring the database silently
  Configuring the directory server silently
  Configuring the system silently in a single-server environment
  Configuring the system silently in a cluster environment

Chapter 9. Verifying and troubleshooting the installation  95
  Correcting problems with starting the installation  95
  Tivoli Identity Manager configuration errors
  Ensuring that the WebSphere Application Server is running
  Verifying that the Tivoli Identity Manager Server is running
  Verifying that the database is running correctly  98
  Verifying that the directory server is properly running
  Checking the Web browser operation
  Troubleshooting Tivoli Identity Manager within
  Correcting connection scripting errors
  Determining the port number of the default host  104

Chapter 10. Upgrading to Tivoli Identity Manager Version 5.1  105
  Description of the upgrade process
  Processes and settings that the upgrade process preserves
  Processes and settings that are not preserved, or require manual upgrade
  Upgrading from Tivoli Identity Manager Version 4.6 or 5.0 to Version 5.1 or Version 5.1 on WebSphere Application Server 6.1 to WebSphere
  Upgrading a single-server configuration
  Upgrading a cluster configuration
  Clearing the service integration bus
  Determining that the WebSphere MQ message queue is empty
  Preserving customized data manually
  Manually applying Java security
  Customizing logos and style sheets
  Preserving WebSphere Application Server customizations
  Migrating notification templates
  Manually upgrading the access control items  123

Chapter 11. Uninstalling Tivoli Identity Manager  125
  Steps to uninstall Tivoli Identity Manager
  Verifying that the Tivoli Identity Manager Server is uninstalled
  Manually removing components
  Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server  126
  Stopping and removing the Tivoli Identity
  Removing other Tivoli Identity Manager configuration settings from the WebSphere
  Manually removing other files or directories
  Reinstalling Tivoli Identity Manager
  Ensuring that Tivoli Identity Manager objects are removed from the Sun Enterprise Directory

Appendix A. Mapping Tivoli Identity Manager application modules to IBM HTTP Server  131

Appendix B. Configuring security for Tivoli Identity Manager  133
  Configuring security for the directory server
  Configuring SSL for IBM Tivoli Directory Server  133
  Configuring SSL for Sun Enterprise Directory
  Configuring the SSL client to trust the LDAP server certificate
  Configuring security for WebSphere Application
  Mapping an administrative user to a role
  Updating the system user and the EJB user
  Enabling Java 2 security by creating and modifying policy files
  Running Java 2 security on single-node deployments
  Running Java 2 security on multi-node deployments
  Increasing the timeout interval
  Enabling FIPS compliance for WebSphere
  Running the cipher migration tool

Appendix C. Installation images and fix packs  143
  Setting the SOAP timeout interval before installing fix packs

Appendix D. Worksheets  145

Appendix E. Notices  151

Glossary  155

Index  161
Preface
This guide describes how to install and configure Tivoli Identity Manager.
Who should read this book
This book is intended for system and security administrators who install, maintain, or administer software on their computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader must understand administration concepts for the following types of products:
• Database servers
• Directory servers
• Application servers
Publications and related information
Read the descriptions of the Tivoli Identity Manager library. To determine which
additional publications you might find helpful, read the “Prerequisite product
Tivoli Identity Manager library
The publications in the Tivoli Identity Manager technical documentation library can be found at the following URL: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itim.doc/welcome.htm
The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:
• Release information
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration
Release information:
  Tivoli Identity Manager Quick Start Guide
    Helps you install a base configuration of Tivoli Identity Manager.
  Tivoli Identity Manager Information Center
    Provides software and hardware requirements for Tivoli Identity Manager and additional fix, patch, and other support information. This publication also includes known limitations, problems, and workarounds.
Online user assistance:
  Tivoli Identity Manager Information Center
    Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks.
Server installation and configuration:
  Tivoli Identity Manager Server Installation and Configuration Guide
    Provides installation and configuration information for Tivoli Identity Manager.
Problem determination:
  Tivoli Identity Manager Problem Determination Guide
    Provides problem determination and logging information for Tivoli Identity Manager.
  Tivoli Identity Manager Messages Guide
    Provides message information for Tivoli Identity Manager.
Database and schema information:
  Tivoli Identity Manager Database and Schema Reference
    Describes some of the data structures used by Tivoli Identity Manager.
Technical supplements:
The following technical supplements are provided by developers or by other groups who are interested in this product:
• Redbooks and white papers are available on the Web at: http://www.redbooks.ibm.com/
• Technotes are available on the Web at: http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at: http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web site: http://www.ibm.com/developerworks/
Adapter installation and configuration:
The Tivoli Identity Manager Server technical documentation library also includes an evolving set of platform-specific installation documents for the adapter components of an IBM Tivoli Identity Manager implementation.
Locate adapter documentation on the Web at: http://publib.boulder.ibm.com/tividd/td/IdentityManager5.0.html
Performance and tuning:
  IBM Tivoli Identity Manager Performance Tuning Guide
    Provides information to help you optimize the use of resources for Tivoli Identity Manager.
Skills and training:
Additional skills and technical training information might be available at the following Web sites:
• IBM Professional Certification at: http://www.ibm.com/certify/ Search on "identity manager" to locate available classes and certification offerings.
• Virtual Skills Center for Tivoli Software on the Web at: http://www.cgselearning.com/tivoliskills/
• Tivoli Education Software Training Roadmaps on the Web at: http://www.ibm.com/software/tivoli/education/eduroad_prod.html
• Tivoli Technical Exchange on the Web at: http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html
Prerequisite product publications
To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager. Publications are available from the following locations:
• Operating systems
  – AIX: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.doc/doc/base/aixinformation.htm
  – Sun Solaris: http://docs.sun.com/app/docs/prod/solaris.10
  – Microsoft® Windows Server™ 2003
    - Support: http://www.microsoft.com/windowsserver2003/support/default.mspx
    - Documentation: http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
  – Red Hat Linux™: http://www.redhat.com/docs/
  – SUSE Linux™: http://www.novell.com/documentation/suse.html
• WebSphere Application Server
  – Hardware and software requirements: http://www.ibm.com/software/webservers/appserv/was/
  – Support: http://www.ibm.com/software/webservers/appserv/was/support/
  – Information center: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
• IBM DB2 Database™
  – Support: http://www.ibm.com/software/data/db2/udb/support.html
  – Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
  – Documentation: http://www-306.ibm.com/software/data/db2/support/db2_9/ and http://www.ibm.com/software/data/db2/udb/support/manualsv9.html
  – DB2® product family: http://www.ibm.com/software/data/db2/
  – Fix packs by version: http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg21255572
  – System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
• IBM Tivoli Directory Server
  – Support: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
  – Information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.0/welcome.htm and http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/welcome.htm
• IBM Tivoli Directory Integrator
  – Support: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
  – Information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDI.doc/toc.xml
Related publications
Information that is related to Tivoli Identity Manager Server is available in the following publications:
• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at: http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm
Accessing publications online
IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address: http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
Click the I character in the A-Z list, and then click the Tivoli Identity Manager link to access the product library.
Note: If you print PDF documents on other than letter-sized paper, set the option in the File → window that allows Adobe Reader to print letter-sized pages on your local paper.
Accessibility
The product documentation includes the following features to aid accessibility:
• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the online documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:
• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.
Conventions used in this book
This book uses several conventions for highlighting terms and actions and for operating system-dependent commands and paths.
Typeface conventions
This book uses the following typeface conventions:
Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), and labels (such as Tip:)
  • Keywords and parameters in text
Italic
  • Words defined in text
  • Emphasis of words (words as words)
  • New terms in text (except in a definition list)
  • Variables and values that you must provide
Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options
Preface
xi
Definitions for HOME and other directory variables
The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.
The value of path varies for these operating systems. For Windows, the default path is drive:\Program Files. For UNIX/Linux, the default path is /opt.

Each entry below gives the path variable, its default definition, and a description.

DB_HOME
  Default definition:
    Windows: path\IBM\SQLLIB
    UNIX/Linux: path/ibm/db2/V9.1
  Description: The directory that contains the DB2 Database for Tivoli Identity Manager.

DB_INSTANCE_HOME
  Default definition:
    Windows: drive:\dbinstancename
    Solaris: /export/home/dbinstancename
    Other UNIX/Linux: /home/dbinstancename
  Description: The directory that contains the DB2 instance for Tivoli Identity Manager.

ITDS_HOME
  Default definition:
    Windows: Version 6.0: path\IBM\LDAP\V6.0; Version 6.1: path\IBM\LDAP\V6.1
    UNIX/Linux: Version 6.0: path/ibm/ldap/V6.0; Version 6.1: path/ibm/ldap/V6.1
  Description: The directory that contains the IBM Tivoli Directory Server code.

ITDS_INSTANCE_HOME
  Default definition:
    Windows: drive:\idsslapd-instance_owner_name. The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
    UNIX/Linux: /home/instance_owner_name/idsslapd-instance_owner_name
    Solaris: /export/home/instance_owner_name/idsslapd-instance_owner_name
    An example of instance_owner_name might be ldapdb2. For example, the log file might be /export/home/ldapdb2/idsslapd-ldapdb2/logs/ibmslapd.log.
  Description: The directory that contains the IBM Tivoli Directory Server Version 6.0 or Version 6.1 instance.

ITDI_HOME
  Default definition:
    Windows: path\IBM\TDI\V6.1.1
    UNIX/Linux: path/IBM/TDI/V6.1.1
  Description: The directory that contains the IBM Tivoli Directory Integrator Server code. Also, where adapters are installed.

ITIM_HOME
  Default definition:
    Windows: path\IBM\itim
    UNIX/Linux: path/IBM/itim
  Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

TIVOLI_COMMON_DIRECTORY
  Default definition:
    Windows: path\IBM\tivoli\common
    UNIX/Linux: path/IBM/tivoli/common
  Description: The central location for all serviceability-related files, such as logs and first-failure capture data.

WAS_HOME
  Default definition:
    Windows: path\IBM\WebSphere\AppServer
    UNIX/Linux: path/IBM/WebSphere/AppServer
  Description: The directory that contains the WebSphere Application Server code.

WAS_PROFILE_HOME
  Default definition:
    Windows: path\IBM\WebSphere\AppServer\profiles\profile_name
    UNIX/Linux: path/IBM/WebSphere/AppServer/profiles/profile_name
  Description: The directory that contains the WebSphere Application Server custom profile.

WAS_NDM_PROFILE_HOME
  Default definition:
    Windows: path\IBM\WebSphere\AppServer\profiles\Dmgr01
    UNIX/Linux: path/IBM/WebSphere/AppServer/profiles/Dmgr01
  Description: The directory that contains the WebSphere Application Server Network Deployment Manager profile.
Operating system differences
This guide uses the Windows convention for specifying environment variables and for directory notation.
When using the UNIX/Linux command line, replace %variable% with $variable for environment variables, and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in Windows and UNIX/Linux. For example, %TEMP% in the Windows operating system is equivalent to /tmp in a UNIX/Linux operating system.
Note: If you are using the bash shell on a Windows system, you can use the UNIX/Linux convention for specifying file path notation.
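As an added illustration of the substitution rules in "Operating system differences" (example code written for this edition, not part of the IBM guide), the following Python functions apply the two rules mechanically and report which environment variables a converted command still depends on, so that an administrator can confirm they are set before running the command on UNIX/Linux. The %TEMP% to /tmp equivalence comes from the guide; the table that holds it, the function names, and the sample command path are assumptions made for this example.

```python
"""Translate commands written in this guide's Windows notation into UNIX/Linux notation."""
import re

# Windows environment variables whose UNIX/Linux equivalent is a fixed path rather
# than a variable of the same name. The guide names one such pair (%TEMP% -> /tmp);
# this table is constructed for the example and can be extended for a given site.
RENAMED_VARIABLES = {"TEMP": "/tmp"}

# %NAME% as used in the guide's Windows convention for environment variables.
_WIN_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def referenced_variables(text: str) -> list:
    """Return the environment variable names a Windows-notation string refers to,
    in order of first use and without duplicates."""
    seen = []
    for name in _WIN_VAR.findall(text):
        if name not in seen:
            seen.append(name)
    return seen


def to_unix_notation(text: str, renamed=RENAMED_VARIABLES) -> str:
    """Apply the guide's two rules: %VAR% becomes $VAR (or its renamed fixed path),
    and every backslash becomes a forward slash."""
    def replace_var(match):
        name = match.group(1)
        return renamed.get(name, "$" + name)

    converted = _WIN_VAR.sub(replace_var, text)
    return converted.replace("\\", "/")


def unresolved_variables(text: str, environment: dict, renamed=RENAMED_VARIABLES) -> list:
    """Names the converted command would still need but that are not set in `environment`.
    Renamed variables (for example TEMP) need no environment entry because they
    become fixed paths during conversion."""
    return [
        name for name in referenced_variables(text)
        if name not in renamed and name not in environment
    ]


if __name__ == "__main__":
    # Constructed sample: a command path written in the guide's Windows convention.
    sample = r"%ITIM_HOME%\bin\runConfig"
    print(to_unix_notation(sample))  # $ITIM_HOME/bin/runConfig
    # Constructed sample environment with ITIM_HOME set to its UNIX/Linux default.
    print(unresolved_variables(sample, {"ITIM_HOME": "/opt/IBM/itim"}))  # []
```

Running unresolved_variables against the actual process environment (os.environ) before executing a translated command catches the common failure where a path variable such as ITIM_HOME or WAS_PROFILE_HOME was defined in a Windows session but never exported in the UNIX/Linux shell.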
Chapter 1. Overview of the Tivoli Identity Manager environment
This book focuses on the tasks that you must complete in order to install and configure Tivoli Identity Manager.
To determine the supported release levels and fix pack specifications for the supported UNIX, Linux and Windows operating systems, refer to the Tivoli Identity Manager Information Center, which takes precedence over this document.
Tivoli Identity Manager components
Tivoli Identity Manager provides life cycle management of user accounts on remote resources, using adapters to provide communication. The Tivoli Identity Manager product:
• Provides user accounts to authorized users on one or more resources to which Tivoli Identity Manager adapters are connected
• Runs in a WebSphere Application Server environment, either in a single-server or a cluster configuration
• Stores historical and pending data in a database server
• Stores user account and organizational data in an LDAP directory server
• Stores Tivoli Identity Manager information used for auditing and reporting in the database
• Provides administration from a client interface in a Web browser that communicates through an HTTP server and WebSphere Web Server plug-in or a WebSphere Application Server embedded HTTP transport.
Tivoli Identity Manager requires the installation and configuration of the following components:
• A database server
• A directory server
• IBM Tivoli Directory Integrator (optional)
• WebSphere Application Server
• An HTTP server (optional)
• Tivoli Identity Manager Server
• Tivoli Identity Manager adapters
Database server products
Tivoli Identity Manager stores transactional and historical data in a database server. For example, the Tivoli Identity Manager provisioning processes use a relational database to maintain their current state as well as their history.
Computers that communicate with the database require a Java Database Connectivity driver (JDBC driver). For example, a JDBC driver enables a Tivoli Identity Manager Server to communicate with the data source. Tivoli Identity Manager supports a JDBC type 4 driver to connect a Java-based application to a database.
The supported database products are IBM DB2 Database, Oracle DB, and MS SQL Server database. The following information is about the type 4 JDBC drivers for each database product.
IBM DB2 Database
  DB2 supports a Type 4 JDBC driver. The DB2 type 4 JDBC driver is bundled with the Tivoli Identity Manager installation program.
Oracle database
  The Oracle database supports a Type 4 JDBC driver. The Tivoli Identity Manager installation program prompts for the location and name of this JDBC driver.
  Before you install the Tivoli Identity Manager Server, obtain this JDBC driver from your Oracle Database Server installation in the ORACLE_HOME\jdbc\lib\ directory. Alternatively, you can download the driver from this Web site: http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html
  For WebSphere Application Server version 6.1, the JDBC driver is ojdbc5.jar.
  For WebSphere Application Server version 7.0, the JDBC driver is ojdbc6.jar.
Microsoft SQL Server database
  The SQL Server database supports a Type 4 JDBC driver. The Tivoli Identity Manager installation program prompts for the location and name of this JDBC driver.
  You can download the driver from this Web site: http://msdn.microsoft.com/en-us/data/aa937724.aspx
For more information about supported database server products, refer to the Tivoli Identity Manager Information Center.
Directory server products
Tivoli Identity Manager stores the current state of managed identities in an LDAP directory, including user account and organizational data. Tivoli Identity Manager supports the following products:
• IBM Tivoli Directory Server
• Sun Enterprise Directory Server
For more information about supported directory server products, refer to the Tivoli Identity Manager Information Center.
IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator is an optional installation component that synchronizes identity data residing in different directories, databases, and applications. IBM Tivoli Directory Integrator synchronizes and manages information exchanges between applications or directory sources.
For more information about IBM Tivoli Directory Integrator, refer to the Tivoli Identity Manager Information Center.
WebSphere Application Server
The WebSphere Application Server is the primary component of the WebSphere environment. The WebSphere Application Server runs a Java™ virtual machine, providing the runtime environment for the enterprise application code. The application server provides containers that specialize in enabling the execution of specific Java application components.
The Tivoli Identity Manager application can run on a single-server configuration with the WebSphere Application Server base server. Tivoli Identity Manager can also run in a larger cluster configuration that is composed of one or more WebSphere Application Servers and a deployment manager that manages the cluster.
For additional information about the WebSphere Application Server products, refer to additional documentation cited in “Prerequisite product publications” on page ix.
An HTTP server and WebSphere Web Server plug-in
An HTTP server is an optional component that provides administration of Tivoli Identity Manager through a client interface in a Web browser. Tivoli Identity Manager requires the installation of a WebSphere Web Server plug-in with the HTTP server. WebSphere Application Server provides separate installers to install the IBM HTTP Server and WebSphere Web Server plug-in. You can install these components either with the WebSphere Application Server or on a separate computer.
Note: If an HTTP server is used, you must use the WebSphere Application Server Administrative Console to map the Tivoli Identity Manager applications to the HTTP Web server name. See Appendix A, “Mapping Tivoli Identity Manager application modules to IBM HTTP Server,” on page 131 for more information about mapping the applications.
Tivoli Identity Manager Server
The Tivoli Identity Manager Server and its adapters enable you to provision identities to a set of heterogeneous resources, which might be operating systems, data stores, or other applications.
Tivoli Identity Manager adapters
Tivoli Identity Manager adapters enable you to connect the Tivoli Identity Manager Server to a set of heterogeneous resources, which can be operating systems, data stores, or other applications, in order to provision identities.
An adapter is a program that provides an interface between a managed resource and the Tivoli Identity Manager Server. Adapters function as trusted virtual administrators on the target platform for account management. For example, adapters perform such tasks as creating accounts, suspending accounts, and modifying account attributes.
A Tivoli Identity Manager adapter can be either agent-based or agentless:
Agent-based adapter
  You install adapter code directly onto the managed resource with which it is designed to communicate.
Agentless adapter
  Deploys its adapter code onto the Tivoli Identity Manager Server and the system hosting IBM Tivoli Directory Integrator. The adapter code is separate from the managed resource with which it is designed to communicate.
Note: For agentless adapters, the SSH process or daemon must be active on the managed resource.
Configuration options
Before you install Tivoli Identity Manager, you must determine how to configure WebSphere Application Server, either in a single-server or a cluster configuration.
Single-server configuration
A single-server configuration contains the WebSphere Application Server base server and Tivoli Identity Manager on one computer. Other required applications can run on the same computer or a different computer. You must ensure that the computer has the required memory, speed, and available disk space to meet the workload.
A single-server configuration requires the following components and products:
• A database server
• A directory server
• IBM Tivoli Directory Integrator (optional)
• WebSphere Application Server base server
• Tivoli Identity Manager Server
• Tivoli Identity Manager adapters
Cluster configuration
A cluster configuration contains WebSphere Application Server nodes, which are logical groups of one or more application servers on computers. Nodes reside within an administrative domain called a cell, which the deployment manager manages. A node agent manages all managed processes on the node by communicating with the deployment manager to coordinate and synchronize the configuration. The deployment manager is the administrative process that provides a centralized management view and control for all elements in the cell, including the management of clusters.
Tivoli Identity Manager assumes that the operating system is the same for each cluster member.
For example, all Tivoli Identity Manager cluster members run on the IBM AIX operating system. To avoid problems with identity feeds, do not use more than one operating system type within a Tivoli Identity Manager cluster.
Tivoli Identity Manager does not support a vertical cluster configuration, which has more than one cluster member within a WebSphere Application Server node.
For example, one cluster configuration might consist of one or more WebSphere Application Server nodes, each node consisting of one computer, controlled by a deployment manager on a separate server. The remaining applications are configured on additional computers.
This task is an example cluster configuration:
• On the computer where you want to have the deployment manager, install the following components and products:
  – The WebSphere Application Server deployment manager
  – A JDBC driver, if required
  – The Tivoli Identity Manager Server
• A cluster member is an instance of a WebSphere Application Server in a cluster. On each cluster member, install the following components and products:
  – WebSphere Application Server base server
  – Tivoli Identity Manager Server
  – A JDBC driver, if required
• On one or more additional computers that can be in or out of the cluster, install the following components and products:
  – A database server
  – A directory server
  – IBM Tivoli Directory Integrator (optional)
  – An IBM HTTP Server and WebSphere Web Server plug-in (optional)
This task is an example configuration only. An alternative topology might configure these components on computers that are all inside the cluster, and the deployment manager might reside on the same computer as the WebSphere Application Server base server. You must ensure that the computer has the required memory, speed, and available space to meet the additional load.
Overview of the installation
The installation consists of a collection of activities.
The major steps to install and test Tivoli Identity Manager are:
1. Determine the Tivoli Identity Manager Server topology. The information in this chapter describes the major configuration choices.
2. Ensure that the operating system of each physical server is at the level that Tivoli Identity Manager requires. For more information about software and hardware requirements, refer to the Tivoli Identity Manager Information Center.
3. Ensure that the database server is installed and preconfigured. See Chapter 2, “Installing and configuring a database,” on page 9 for steps to prepare the database.
4. Ensure that the directory server is installed and preconfigured. See Chapter 3, “Installing and configuring a directory server,” on page 27 for steps to prepare the directory server.
5. Ensure that IBM Tivoli Directory Integrator is installed and preconfigured. See Chapter 4, “Optionally installing IBM Tivoli Directory Integrator,” on page 39 for steps to prepare IBM Tivoli Directory Integrator.
6. Determine that the WebSphere Application Server is ready. See Chapter 5, “Installing and configuring WebSphere Application Server,” on page 41 for steps to prepare the WebSphere Application Server in a single-server or cluster configuration.
7. Install and configure Tivoli Identity Manager on one of these configurations:
   • Single-server. Tivoli Identity Manager supports both regular and silent installation. For more information about single-server install, see “Installing Tivoli Identity Manager in a single-server configuration” on page 51.
   • Cluster. Tivoli Identity Manager supports both regular and silent installation. For more information about cluster install, see “Installing Tivoli Identity Manager in a cluster configuration” on page 60.
   For steps to upgrade from an existing installation of Tivoli Identity Manager, see Chapter 10, “Upgrading to Tivoli Identity Manager Version 5.1,” on page
   For steps to perform a silent installation of Tivoli Identity Manager, see Chapter 8, “Performing a silent installation and configuration of Tivoli Identity
8. Verify the installation and troubleshoot to resolve any problems that happened
Planning activities for deployments at large sites
In large organizations, there are additional tasks that require planning before you deploy Tivoli Identity Manager. For more information, refer to the Planning section of the
Tivoli Identity Manager Information Center
To prevent initial deployment problems, consider providing a variation of the following planning activities that are appropriate for your site, in advance of installing Tivoli Identity Manager, and also subsequent fix packs:
• Establish a working practice that provides comprehensive and relevant Tivoli Identity Manager information to all the specialists who install middleware. For example, have the team meet regularly to enumerate their problems and share their solutions.
• To ensure coordination, designate one person as a focal point for concerns that flow between your site and IBM customer support specialists.
• If possible, reduce the number of specialists who install and configure the applications. Encourage communication flow between specialists in the following ways.
  – Provide a comprehensive library or list of FTP and Web sites for prerequisite installation and configuration information.
  – Ensure that the specialists installing Tivoli Identity Manager have root or Administrator authority for the prerequisite middleware on the middleware servers.
  – Ensure that all elements of the system or solution have sufficient privileges to provide accounts.
  – Support a centralized problem and solution database that identifies troubleshooting actions and assigns action owners.
  – Maintain a common library of scripts that automate start up.
  – Create a change control database that coordinates all customization activities.
  – Determine a working practice in which specialists provide a record of critical values of configuration parameters like the ones that this publication provides. Ensure that all specialists have access to and use a common worksheet that centralizes the information.
    For example, each installation chapter in this manual provides a checklist of prerequisites that must be installed, configured, and running before you begin installation. Additionally, Appendix B, “Configuring security for Tivoli Identity Manager,” on page 133 provides a centralized collection point for critical values such as user IDs, passwords, and security settings. The IBM Tivoli Identity Manager Information Center specifies prerequisite levels and fix packs or patches.
Chapter 2. Installing and configuring a database
The Tivoli Identity Manager application stores transactional and historical data, including schedules, access control item definitions (ACIs), and audit data in a database. This chapter focuses on configuring a Tivoli Identity Manager database before Tivoli Identity Manager installation. For more information about supported database releases and required fix packs, refer to the Tivoli Identity Manager Information Center.
The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the database product. For the prerequisite information that you need before you begin, refer to these sources:
• IBM DB2 Database
  http://www.ibm.com/software/data/db2/udb/support.html
  http://publib.boulder.ibm.com/infocenter/db2help/index.jsp (Information center)
  http://www.ibm.com/software/data/db2
  http://www-1.ibm.com/support/docview.wss?rs=71&uid=swg27007053
  http://www.ibm.com/software/data/db2/udb/sysreqs.html (Operating system prerequisites)
  http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v9pubs.d2w/en_main
• Oracle
  http://otn.oracle.com/documentation/index.html
  http://otn.oracle.com/tech/index.html
• Microsoft SQL Server 2005
  http://www.microsoft.com/sql/
  http://www.msdn.com/library/
Before you install the database product
Before you install the database product, complete these steps:
• Read the installation information that the database product provides.
• Ensure that your installation meets the product hardware and software requirements.
• Verify that all required operating system patches are in place.
• Ensure that kernel settings are correct for some operating systems, such as the Solaris operating system. Each database application specifies its own requirements, such as additional operating system values. Before installing the application, refer to its documentation for these additional settings. For example, these Web sites describe kernel settings that DB2 requires:
  – AIX: None required.
  – Solaris: http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.uprun.doc/doc/t0006476.htm
  – Linux (Red Hat and SUSE): http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.uprun.doc/doc/t0008238.htm
  – Windows: None required.
Installing and configuring IBM DB2 Database
This section describes installing and configuring the IBM DB2 Universal Database (DB2). The configuration steps in this section create a database for later use by the Tivoli Identity Manager Server installation program, which populates the database with data objects.
You can install DB2 on the same computer with Tivoli Identity Manager or on a separate computer. Installing DB2 on the same computer requires the installation of a Java Database Connectivity driver (JDBC driver, type 4). A JDBC driver enables Tivoli Identity Manager to communicate with the data source. Installing DB2 automatically installs the type 4 JDBC driver.
Tivoli Identity Manager requires DB2 to run at a specific DB2 fix pack level. For more information about installing DB2 and any fix packs, refer to the Tivoli Identity Manager Information Center and to documentation that the database product provides. For example, access these Web sites:
http://www.ibm.com/software/data/db2/udb/support.html
http://www.ibm.com/software/data/db2/udb/support/downloadv9.html
Recording user data
The DB2 installation requires that you specify some system data, such as the DB2 administrator user ID and password. The installation wizard provides both status reports and an initial verification activity.
Recording user names and passwords on UNIX and Linux systems
Table 1 shows the default values that are created on UNIX and Linux systems. Record this information, which is required to configure the DB2 database that Tivoli Identity Manager uses. If you choose not to use the middleware configuration utility to create a DB2 instance, installing DB2 can create a default DB2 instance.
Table 1. DB2 Database typical configuration parameters on UNIX and Linux systems
DB2 administrator user ID and instance name
  Description: The user ID that is used to connect to DB2 as the DB2 administrator and instance owner.
  Value: db2admin
  Note: If you do not use the middleware configuration utility, this value is db2inst1 by default.
DB2 instance password
  Description: The password for the administrator user ID.
  Value: A user-defined value.
DB2 instance home directory
  Description: The home directory of the DB2 administrator and instance owner.
  Value:
    AIX: /home/db2admin
    Linux: /home/db2admin
    Linux for System p: /home/db2admin
    Linux for System z: /home/db2admin
    Solaris: /export/home/db2admin
  Note: If you do not use the middleware configuration utility, you might need to replace db2admin with db2inst1.
Recording user names and passwords on Windows systems
Table 2 shows the default values that are created on Windows systems. If you choose not to use the middleware configuration utility to create a DB2 instance, installing DB2 can also create the default DB2 instance. For more information about
Table 2. Field values on Windows systems
DB2 instance name
  Description: The name of the DB2 instance.
  Value: db2admin
  Note: DB2 defaults to an instance value of DB2.
Administrative user ID
  Description: The user ID that is used to connect to DB2 as the DB2 administrator and instance owner.
  Value: db2admin
Password
  Description: The password for the administrator user ID.
  Value: A user-defined value
DB2 instance home directory
  Description: The home directory of the DB2 administrator and instance owner.
  Value: drive: For example, C:
Verifying the installation
The installation wizard provides a status report when the installation is complete.
Additionally, run the DB2 First Steps operation to verify that the installation is successful. To start the operation, complete these steps:
• UNIX or Linux operating systems: Enter this command:
  DB_INSTANCE_HOME/sqllib/bin/db2fs
  Note: For UNIX systems, the root user has to source the db2admin profile or switch to the instance owner before running this command. You have already created a DB2 instance.
• Windows operating systems: Click Start > Programs > IBM DB2 > DB2 Copy Name > Set-up Tools > First Steps.
For more information about verifying the DB2 installation, visit this Web site: http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?topic=/com.ibm.db2.udb.uprun.doc/doc/t0006838.htm
Installing the required fix packs
If your version of DB2 requires a fix pack, obtain and install the fixes that are available at this DB2 support Web site: http://www.ibm.com/software/data/db2/udb/support.html
Verify that the correct fix pack is installed on both the database server and the database client computers.
If you created a DB2 instance during installation, you can use the following commands:
• On UNIX and Linux systems, log on as the DB2 instance user ID and enter the db2level command:
  su - DB2_instance_ID
  db2level
  The value of DB2_instance_ID is the DB2 instance name such as db2admin.
• On Windows, enter the db2level command from the DB2 command window:
  db2level
If you did not create a DB2 instance during installation, use the following commands:
• On UNIX and Linux systems, enter the db2ls command:
  DB_HOME/install/db2ls
  or
  /usr/local/bin/db2ls
• On Windows, run the regedit command and look for the information in the following location:
  HKEY_LOCAL_MACHINE\SOFTWARE\IBM\DB2\InstalledCopies\db2_name\CurrentVersion
For more information about these steps, refer to the Tivoli Identity Manager Information Center and to documentation that the DB2 fix pack provides.
Configuring IBM DB2 Database
The Tivoli Identity Manager installation product includes a middleware configuration utility that creates database instances and user IDs and configures parameters for DB2 and IBM Tivoli Directory Server. Default values are supplied for many of the typical parameters and all the advanced parameters. If an entered parameter, such as the DB2 instance ID, exists, the middleware configuration utility skips the task of creation. You can choose to keep those values, or provide values of your own. Required fields are marked by an asterisk (*). You can revisit any panel in the deployment wizard by clicking the Back button until you reach the panel.
Note: The middleware configuration utility stores by default any input you provide in a response file called db2ldap.rsp located in the system temp directory; for example, the /tmp directory. This file is normally cleaned up after the utility completes. If you cancel the utility before it completes, this file might not be erased. Because the file holds the values you entered, including the passwords, delete it yourself if the utility did not remove it.
Running the middleware configuration utility
You can run the middleware configuration utility to set DB2 parameters for later Tivoli Identity Manager deployment. The middleware configuration utility:
• Creates user IDs if needed
• Creates DB2 instances if needed
• Creates databases if needed
• Tunes DB2 (buffer pool, log tuning)
• Configures some DB2 settings (DB2ENVLIST=EXTSHM, DB2COMM=tcpip)
The middleware configuration utility can be run manually or silently. For more information about silent configuration, see “Configuring DB2 silently” on page 15.
Before you begin:
On Windows operating systems, you must be an administrator or have administrative authority.
On UNIX and Linux operating systems, you must be a root user. Additionally, the umask setting must be 022. To verify the umask setting, issue the command:
  umask
To set the umask value to 022, issue the command:
  umask 022
Note: Record the values you provide for the middleware configuration utility for later use with the DBConfig and ldapConfig utilities used during Tivoli Identity Manager server installation.
Procedure:
To start the middleware configuration utility for DB2 manually, complete the following steps:
1. Log on to an account with system administration privileges on the computer where DB2 is installed.
2. Start the middleware configuration utility, located on the base directory of the DVD or a download directory:
   • AIX: Start the middleware configuration utility by running the cfg_itim_mw_aix program.
   • Solaris: Start the middleware configuration utility by running the cfg_itim_mw_solaris program.
   • Linux for xSeries: Start the middleware configuration utility by running the cfg_itim_mw_xLinux program.
   • Linux for pSeries: Start the middleware configuration utility by running the cfg_itim_mw_pLinux program.
   • Linux for zSeries: Start the middleware configuration utility by running the cfg_itim_mw_zLinux program.
   • Windows: Start the middleware configuration utility by using the cfg_itim_mw.exe program if the Windows autorun feature is disabled.
   Each platform requires a file called cfg_itim_mw.jar to go along with the native program. The JAR file and the native program must be in the same directory location.
3. Select your language, and click OK.
4. From the Product Configuration panel, check only Configure IBM DB2 Database, and click Next.
5. You can receive a warning if DB2 is not at the correct level or not installed. Action might be required to make sure DB2 is at the correct level. To bypass this warning, click Next.
6. From the IBM DB2 Database Configuration Options panel, provide the following information, and then click Next:
   • DB2 administrator ID or instance name: Provide the user ID that is used to connect to DB2 Database as the DB2 administrator. For example, db2admin. If this value is new, the utility creates a user ID and instance name. If you provide an existing user ID and instance name, no new user ID or instance is created.
   • DB2 administrator password: Enter the password that you have set for the DB2 Database administrator account.
   • Password confirmation: Type the password again.
   • DB2 server database home: Provide the directory on which the DB2 instance resides. For example, C: or /home/dbinstancename.
   • DB2 database name: Provide the name of the database you are creating. For example, itimdb.
   • ITIM database user ID: Provide the user ID for the ITIM database you are creating. For example, itimuser.
     Note: On Windows systems, disable password expiration for this user account after running the utility.
   • Password for ITIM database user ID: Provide the password for the ITIM database user ID.
   • Password confirmation: Type the password again.
   • Group for the DB2 administrator: Select from the drop-down list a valid group, of which root is a member, to associate with the DB2 administrator ID and instance name. For example, bin. This value is available only for UNIX or Linux operating systems.
   Note: The dollar sign ($) has special meaning in the installer frameworks used by the middleware configuration utility. Avoid using $ in any field values. The installer framework or operating system platform might do variable substitution for the value.
7. If you have changed the default DB2 instance name, or if a DB2 instance exists with that name, you are prompted with a warning message. If you are only using the DB2 instance for Tivoli Identity Manager, click Yes. It is not recommended to share the instance with another program.
8. Review your configuration options before clicking Next to begin the configuration process.
9. The configuration can take up to several minutes to complete. After the configuration completes successfully, click Finish to exit the deployment wizard. This step concludes the middleware configuration process for DB2 Database. To verify that the middleware configuration utility completed for DB2 without error, check the cfg_itim_mw.log in the system temp directory.
Configuring DB2 silently
To start the middleware configuration utility silently, complete these steps:
1. Copy the sample response file cfg_itim_mw.rsp (or cfg_itim_mw_windows.rsp for Windows systems) to a directory on the target computer.
2. Update the response file with the correct values. Make sure that the configureDB2 value is set to "yes". If you are not configuring the directory server at the same time, make sure that the configureLDAP value is set to "no".
3. From a command window, run this command:
   cfg_itim_mw -W ITIM.responseFile=cfg_itim_mw.rsp -silent
   Where cfg_itim_mw is:
   • AIX: cfg_itim_mw_aix
   • Solaris: cfg_itim_mw_solaris
   • Linux for xSeries: cfg_itim_mw_xLinux
   • Linux for pSeries: cfg_itim_mw_pLinux
   • Linux for zSeries: cfg_itim_mw_zLinux
   • Windows: cfg_itim_mw_windows
   Note: If you run the middleware configuration utility silently, the response file is updated during the configuration process. Because the response file holds the administrator and database passwords, restrict its file permissions and remove it when the configuration is done.
Related topics: “Running the middleware configuration utility” on page 13
Manually configuring the DB2 server
You can manually configure the DB2 server. The DB2 settings described in this chapter are initial settings that might require runtime adjustment. For more information, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.
Configuring the DB2 server requires the following steps:
1. “Creating a user on Windows and UNIX systems” or “Creating a user on a
2. “Creating the Tivoli Identity Manager database” on page 16
3. “Ensuring that TCP/IP communication is specified” on page 17
Creating a user on Windows and UNIX systems:
Create an operating system user named itimuser on the computer on which the DB2 server is installed. The Tivoli Identity Manager Server uses the default user ID itimuser to access the database, although you have the option to create a user ID other than the default user ID or use an existing user ID. No special privileges are required for this user. Ensure that a password change is not required at the next logon and that the password never expires.
To create a user, follow these steps:
1. As root or as Administrator, start the system management tool for your operating system.
   • AIX: SMIT or SMITTY
   • Solaris: System Management Console (SMC)
   • Windows: Click Start > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Add a new user itimuser and set the user password.
3. Exit the system management tool.
4. Test the user access. Ensure that you can log on with the user ID itimuser without encountering a password reset.
5. Proceed to the next step, “Creating the Tivoli Identity Manager database.”
Creating a user on a Linux system:
You can use the console command interface or the GUI utility to create a user on Linux. To create a user by using the console command interface on a Linux (Red Hat) operating system, enter the following command:
  useradd -d /home/itimuser -p password itimuser
The -d switch specifies the home directory. The entry itimuser specifies the user ID that is created. Note that the -p switch of useradd expects an already encrypted password string rather than clear text, and a password typed on the command line is visible in the shell history and in the process list; setting the password afterwards with the passwd itimuser command avoids both problems.
Proceed to the next step, “Creating the Tivoli Identity Manager database.”
Creating the Tivoli Identity Manager database:
You can specify any name for the Tivoli Identity Manager database, such as itimdb. To create the Tivoli Identity Manager database, follow these steps:
1. Open a DB2 command window.
   • UNIX: Log on as the DB2 instance owner and ensure that the db2profile has been sourced into the environment.
   • Windows: Click Start > Run, and enter db2cmd.
2. In the DB2 command window, enter these commands to create the database:
   db2 create database itim_dbname using codeset UTF-8 territory us
   db2 connect to itim_dbname user itim_dbadmin_name using itim_dbadmin_password
   db2 create bufferpool ENROLEBP size automatic pagesize 32k
   db2 update db cfg for itim_dbname using logsecond 12
   db2 update db cfg for itim_dbname using logfilsiz 10000
   db2 update db cfg for itim_dbname using applheapsz 2048
   db2 update db cfg for itim_dbname using app_ctl_heap_sz 1024
   db2 update db cfg for itim_dbname using maxfilop 256
   db2 update db cfg for itim_dbname using locklist 5000
   db2 update db cfg for itim_dbname using auto_runstats off
   db2 update db cfg for itim_dbname using database_memory itim_dbmemory
   db2 alter bufferpool IBMDEFAULTBP size automatic
   db2 disconnect current
   The value of itim_dbname is a name such as itimdb. The value of itim_dbmemory is 40000 for a single-server installation, COMPUTED for all platforms except AIX and Windows. For AIX and Windows, the value is AUTOMATIC. For more information about performance parameter tuning for DB2, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.
3. Stop and start the DB2 server to reset the configuration. After you have created the Tivoli Identity Manager database and reset the configuration, stop and start the DB2 server to allow the changes to take effect. Enter the following commands:
   db2stop
   db2start
   If entering db2stop fails and the database remains active, enter db2 force application all to inactivate the database. Enter db2stop again.
Ensuring that TCP/IP communication is specified:
Installing DB2 specifies TCP/IP communication by default. To confirm that TCP/IP communication is specified on the DB2 server and on the DB2 client, follow these steps:
1. Enter the following command:
   db2set -all DB2COMM
2. If a tcpip entry is not in the list that was returned, enter the following command, including tcpip and any other values that were returned in the list that the command provided:
   db2set DB2COMM=tcpip,values_from_db2set_command
   For example, if the db2set -all DB2COMM command returned values such as npipe and ipxspx in the list, specify these values again when you enter the db2set command the second time:
   db2set DB2COMM=tcpip,npipe,ipxspx
Determining the correct service listening port and service name
Running the middleware configuration utility configures the service listening port number and the database service name.
There is a service listening port associated with each DB2 instance. The port is used for establishing a DB2 connection from a DB2 application to the database owned by the instance. The default service port number for the DB2 default instance (DB2 on Windows and db2inst1 on UNIX), which is created on installing the DB2 server, is 50000. When the middleware configuration utility creates a DB2 instance, the default service port number of the instance is 50002. If you have migrated DB2 8.2 to DB2 9.1 or DB2 9.5 along with the DB2 instance, the DB2 migration utility might reset the service port of the instance to 60000.
To determine whether the correct service name or service listening port is defined, complete these steps:
1. In the DB2 command window, enter these commands to check the service name:
   db2 connect to itim_dbname user itim_dbadmin_id using itim_dbadmin_password
   db2 get dbm cfg
   Look for the SVCENAME attribute to locate the service name.
2. Locate the statement that is like the following example, which specifies the current port number in the services file on the computer on which the DB2 server resides:
   • Windows
     – DB2 Version 9.1: service_name 50000/tcp
   • UNIX
     – DB2 Version 9.1: service_name 50000/tcp
   where service_name is the attribute you checked in the first step.
   The services file has the following path:
   • Windows: %SYSTEMROOT%\system32\drivers\etc\services
   • UNIX: /etc/services
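The DB2COMM check and the service-port lookup above, scripted as an added example that is not part of the IBM guide. It assumes the usual "[i] DB2COMM=..." line from db2set, the "(SVCENAME) = name" line from db2 get dbm cfg, and the standard "name port/proto" layout of the services file; all sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the IBM guide): scripted versions of the DB2COMM
# check and the service listening port check. Sample data is constructed.

SAMPLE_DB2SET='[i] DB2COMM=npipe,ipxspx'

SAMPLE_DBM_CFG=' TCP/IP Service name                          (SVCENAME) = db2c_db2inst1
 SSL service name                         (SSL_SVCENAME) = '

SAMPLE_SERVICES='# constructed excerpt of /etc/services
ssh             22/tcp
db2c_db2inst1   50000/tcp   # DB2 default instance
db2c_db2inst1_1 50001/tcp
db2i_db2inst1   50002/tcp'

# Return the DB2COMM value to set from the output of "db2set -all DB2COMM":
# tcpip first, then every value already configured, so nothing is dropped.
# An empty or unset DB2COMM yields plain "tcpip".
db2comm_with_tcpip() {
    current=$(printf '%s\n' "$1" | sed -n 's/^.*DB2COMM=//p' | head -n 1 | tr 'A-Z' 'a-z')
    result=tcpip
    for v in $(printf '%s\n' "$current" | tr ',' ' '); do
        case "$v" in
            tcpip|'') ;;                  # already present, or an empty field
            *) result="$result,$v" ;;
        esac
    done
    printf '%s\n' "$result"
}

# Extract the service name from "db2 get dbm cfg" output (the SVCENAME line;
# the SSL_SVCENAME line is deliberately not matched).
svcename_from_dbm_cfg() {
    printf '%s\n' "$1" | sed -n 's/^.*(SVCENAME) *= *//p' | head -n 1 | tr -d ' '
}

# Look up the TCP port registered for a service name in services-file content.
# Prints nothing when the name is not registered.
service_port() {
    printf '%s\n' "$2" | awk -v name="$1" \
        '$1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }'
}

# Tie the two steps together: given dbm cfg output, services content and the
# port the instance is expected to listen on, succeed only when they agree.
check_listening_port() {
    name=$(svcename_from_dbm_cfg "$1")
    [ -n "$name" ] || { echo "SVCENAME is not set in the dbm cfg" >&2; return 1; }
    port=$(service_port "$name" "$2")
    [ -n "$port" ] || { echo "service $name is not in the services file" >&2; return 1; }
    [ "$port" = "$3" ] || { echo "service $name uses port $port, expected $3" >&2; return 1; }
    echo "service $name listens on port $port"
}

# Demonstration against the constructed samples; on a live server replace them
# with "$(db2set -all DB2COMM)", "$(db2 get dbm cfg)" and "$(cat /etc/services)".
db2comm_with_tcpip "$SAMPLE_DB2SET"            # tcpip,npipe,ipxspx
check_listening_port "$SAMPLE_DBM_CFG" "$SAMPLE_SERVICES" 50000
```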
Related topics: See “Before you begin” on page 108 for topics related to DB2 migration.
Tuning the DB2 Database for performance
Performance issues can occur after you initially configure DB2. These tasks describe actions you can take to ensure DB2 performs correctly.
Configuring TCP KeepAlive settings
The failover design of the messaging engine relies upon the database connections being broken when a messaging engine instance fails. In order for failover to occur in high availability environments, ensure that the system notices the broken connection in a timely manner and releases database locks. This task is done by configuring the TCP KeepAlive settings. For example, if you run DB2 on Linux, log in as a system administrator and complete these steps:
1. Run the following commands on the computer where your DB2 Server resides:
   echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
   echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time
   Note: These settings are also used by IPv6 implementations. Values written under /proc are not preserved across a reboot; to keep them, also set net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_time in /etc/sysctl.conf.
2. You might need to restart the network for changes to take effect, such as running the following Linux command:
   # /etc/init.d/network restart
   These settings will be effective only after a restart of the computer.
Changing the DB2 application heap size
Loading many users can encounter performance issues. You might see this message:
  Not enough storage available for processing the sql statements.
To provide additional storage space, change the DB2 application heap size to a larger value. Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune DB2 is recommended for all systems, both for production and test environments.
Installing and configuring the Oracle database
This section describes installing and configuring the Oracle database for Tivoli Identity Manager.
In all cases, refer to the installation and migration guides that the Oracle Corporation provides for complete information. For more information, refer to these Web sites:
http://otn.oracle.com/documentation/index.html
http://otn.oracle.com/tech/index.html
http://otn.oracle.com/tech/linux/index.html
Before you create a database
To use multiple instances of Tivoli Identity Manager with the same Oracle Database server, see “Multiple instances of Tivoli Identity Manager with an Oracle Database server” before creating the database.
To create an Oracle database for Tivoli Identity Manager, complete these steps:
• “Installing the Oracle database server” on page 20
• “Configuring the init.ora file” on page 20
• “Setting environment variables” on page 21
• “Backing up an existing database” on page 21
• “Installing the Oracle JDBC driver” on page 21
Multiple instances of Tivoli Identity Manager with an Oracle Database server
If you want to point several instances of Tivoli Identity Manager to multiple databases on the same Oracle server, you need to copy and modify this code example in the $ITIM_home/config/rdbms/oracle/enrole_admin.sql file. This code needs to be added after the Tivoli Identity Manager installation has started (to create the $ITIM_home/config/rdbms/oracle/enrole_admin.sql file), but before submitting the dbConfig portion of the installation.
The value 'enrole1_data_001.dbf' has been changed to 'enrole1_data_002.dbf' in this example. This value needs to be modified incrementally in each copy of the code for each additional Tivoli Identity Manager instance being used on the same Oracle server.
Note: The two lines where the code needs to be modified are the two DATAFILE lines. The example also creates the enrole user with a password equal to its user name; use a site-specific password in your copy.
# pwd
/u02/enrole/config/rdbms/oracle
# more enrole_admin.sql
CREATE TABLESPACE enrole_data
DATAFILE 'enrole1_data_002.dbf'
SIZE 160M
AUTOEXTEND ON
NEXT 20M
MAXSIZE 1024M
DEFAULT STORAGE (INITIAL 10M
NEXT 1M
PCTINCREASE 10)
PERMANENT
ONLINE
LOGGING;
CREATE TABLESPACE enrole_indexes
DATAFILE 'enrole1_idx_002.dbf'
SIZE 160M
AUTOEXTEND ON
NEXT 20M
MAXSIZE 1024M
DEFAULT STORAGE (INITIAL 10M
NEXT 1M
PCTINCREASE 10)
PERMANENT
ONLINE
LOGGING;
CREATE USER enrole IDENTIFIED BY enrole
DEFAULT TABLESPACE enrole_data
QUOTA UNLIMITED ON enrole_data
QUOTA UNLIMITED ON enrole_indexes;
GRANT CREATE SESSION TO enrole;
GRANT CREATE TABLE to enrole;
#
Installing the Oracle database server
You might install the Oracle database server on the same computer or on a computer that is separate from Tivoli Identity Manager. For more information about installing the Oracle database server, refer to documentation available at this Web site: http://otn.oracle.com/tech/index.html
Note: If you manually create the Oracle database for Tivoli Identity Manager, you must manually install the JVM feature, or any transactions from Tivoli Identity Manager later fail. It is not required to manually create the database and install the JVM feature, however. You can use the Oracle Database Configuration Assistant wizard to create the database and install the JVM feature.
Configuring the init.ora file
You must configure the init.ora file for the Tivoli Identity Manager database. Complete these steps:
1. Copy the init.ora file.
   • Windows
     a. Under the ORACLE_HOME\admin\ directory, create a directory named db_name\pfile. The value of db_name might be itimdb.
     b. Copy the sample initsmpl.ora file from the ORACLE_HOME\db_1\admin\sample\pfile\ directory to the ORACLE_HOME\admin\db_name\pfile directory.
     c. Rename the new init.ora file to initdb_name.ora.
   • UNIX
     Copy the ORACLE_HOME/product/10.2.0/db_2/dbs/init.ora file to a new ORACLE_HOME/dbs/initdb_name.ora file.
2. Based on your environment requirements, tune the value of the following parameters in the initdb_name.ora file:
   db_name=itimdb
   compatible=10.2.0.1.0
   processes=150
   shared_pool_size=50000000
   Additionally, define three control files for the Tivoli Identity Manager database. This example statement defines the control files for a UNIX operating system:
   control_files=(ORACLE_HOME/oradata/db_name/control01.ctl,
                  ORACLE_HOME/oradata/db_name/control02.ctl,
                  ORACLE_HOME/oradata/db_name/control03.ctl)
   Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune the Oracle database is recommended for all systems, both for production and test environments.
3. Manually create all the directories defined in the initdb_name.ora file.
Setting environment variables
Set the environment variables for Oracle by editing the .profile file. Required environment variables include ORACLE_SID and ORACLE_HOME, and include the library path and the system path.
On UNIX operating systems, source the profile, which updates the environment variables in the current session, to ensure that Tivoli Identity Manager can communicate with the database. To source the profile, enter the following command from the directory that contains it:
# . ./.profile
For more information, refer to the Oracle Web site.
Backing up an existing database
Perform a full backup of any existing database, and review the preliminary steps that the documentation from the Oracle Corporation provides for upgrading an Oracle database, before you begin to install the Oracle product or upgrade an existing database. For Web sites that provide this information, see “Installing the Oracle database server” on page 20.
Installing the Oracle JDBC driver
IBM Tivoli Identity Manager Version 5.1 requires the Oracle 11g Release 1 (11.1.0.7.0) JDBC driver whether you are using an Oracle 10g or 11g database.
Copy the Oracle JDBC driver from the Oracle server directory or download it from the Oracle Web site into a directory on the computer on which Tivoli Identity Manager is to be installed. The Tivoli Identity Manager installation program prompts for the directory containing the JDBC driver and the driver name. In a cluster configuration, the JDBC driver is required on the computer that has the deployment manager and on each Tivoli Identity Manager cluster member computer. For example, if Oracle database is installed on Linux, but Tivoli Identity Manager is installed on Windows, create a directory C:\itim_jdbcdriver\ and copy the JDBC driver file to that directory, then point to this directory during installation.
Creating the Tivoli Identity Manager database
Skip this step if you use the Oracle Database Configuration Assistant wizard, which creates the Tivoli Identity Manager database.
Manually create a Tivoli Identity Manager database using these steps:
1. Create and start the database instance using these steps:
   • Windows
     a. Create the instance with this command on one line:
        # oradim -new -sid db_name -pfile ORACLE_HOME\admin\db_name\pfile\initdb_name.ora
        The value of the -sid parameter specifies the database instance name. For example, the value of db_name might be itimdb. The value of the -pfile parameter specifies the file that you previously configured in “Configuring the init.ora file” on page 20.
     b. Start the database instance with these commands:
        # sqlplus "/ as sysdba"
        SQL> startup nomount pfile=ORACLE_HOME\admin\db_name\pfile\initdb_name.ora
     c. Verify that the Windows service OracleServicedb_name is started.
   • UNIX
     Start the database instance with these commands:
     # ./sqlplus "/ as sysdba"
     SQL> startup nomount pfile=ORACLE_HOME/dbs/initdb_name.ora
2. Use an SQL script like the following example to create your database. Change the values in the script to match any requirements at your site. In this example, the value of db_name is an instance name such as itimdb.
-- Create database
CREATE DATABASE db_name
CONTROLFILE REUSE
LOGFILE '/u01/oracle/db_name/redo01.log' SIZE 1M REUSE,
'/u01/oracle/db_name/redo02.log' SIZE 1M REUSE,
'/u01/oracle/db_name/redo03.log' SIZE 1M REUSE,
'/u01/oracle/db_name/redo04.log' SIZE 1M REUSE
DATAFILE '/u01/oracle/db_name/system01.dbf' SIZE 10M REUSE
AUTOEXTEND ON
NEXT 10M MAXSIZE 200M
CHARACTER SET UTF8;
-- Create another (temporary) system tablespace
CREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100K NEXT 250K);
-- Alter temporary system tablespace online before proceeding
ALTER ROLLBACK SEGMENT rb_temp ONLINE;
-- Create additional tablespaces ...
-- RBS: For rollback segments
-- USERS: Create user sets this as the default tablespace
-- TEMP: Create user sets this as the temporary tablespace
CREATE TABLESPACE rbs
DATAFILE '/u01/oracle/db_name/db_name.dbf' SIZE 5M REUSE AUTOEXTEND ON
NEXT 5M MAXSIZE 150M;
CREATE TABLESPACE users
DATAFILE '/u01/oracle/db_name/users01.dbf' SIZE 3M REUSE AUTOEXTEND ON
NEXT 5M MAXSIZE 150M;
CREATE TABLESPACE temp
DATAFILE '/u01/oracle/db_name/temp01.dbf' SIZE 2M REUSE AUTOEXTEND ON
NEXT 5M MAXSIZE 150M;
-- Create rollback segments.
CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K) TABLESPACE rbs;
CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K) TABLESPACE rbs;
CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K) TABLESPACE rbs;
CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K) TABLESPACE rbs;
-- Bring new rollback segments online and drop the temporary system one
ALTER ROLLBACK SEGMENT rb1 ONLINE;
ALTER ROLLBACK SEGMENT rb2 ONLINE;
ALTER ROLLBACK SEGMENT rb3 ONLINE;
ALTER ROLLBACK SEGMENT rb4 ONLINE;
ALTER ROLLBACK SEGMENT rb_temp OFFLINE;
DROP ROLLBACK SEGMENT rb_temp;
Note: Using the IBM Tivoli Identity Manager Performance Tuning Guide to tune the Oracle database is recommended for all systems, both for production and test environments.
3. Install the JVM for the database. Use these commands:
   # sqlplus "/ as sysdba"
   SQL> @$ORACLE_HOME/rdbms/admin/catalog.sql
   SQL> @$ORACLE_HOME/rdbms/admin/catproc.sql
   SQL> @?/javavm/install/initjvm.sql
   SQL> @?/xdk/admin/initxml.sql
   SQL> @?/xdk/admin/xmlja.sql
   SQL> @?/rdbms/admin/catjava.sql
   SQL> connect system/manager
   SQL> @$ORACLE_HOME/sqlplus/admin/pupbld.sql
   The value of manager is the password for the system user account.
Tuning the Oracle database for performance
This section describes some actions you can take to ensure that the Oracle database functions properly.
Enabling XA recovery operations
Oracle requires special permissions to be granted before XA recovery operations can be enabled. Failure to enable XA recovery can result in the following error:
WTRN0037: The transaction service encountered an error on an xa_recover operation.
As the database administrator, connect to the database and run the following commands:
grant select on pending_trans$ to public;
grant select on dba_2pc_pending to public;
grant select on dba_pending_transactions to public;
grant execute on dbms_system to itim_db_user;
where itim_db_user is the user that owns the Tivoli Identity Manager database, such as itimuser.
Stop and restart the database instance for these changes to take effect.
Configuring TCP KeepAlive settings
The failover design of the messaging engine relies on the database connections being broken when a messaging engine incarnation fails. For failover to occur in high availability environments, ensure that the RDBMS detects the broken connection in a timely manner and releases database locks. This is done by configuring the TCP KeepAlive settings. If you run Oracle on Windows Server, log in as a system administrator and complete these steps:
1. Run regedit from Start > Run.
2. Navigate to the following path in the left pane:
   My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. Right click in the right pane and select New > DWORD Value.
4. Enter the name KeepAliveInterval for the new parameter.
5. Right click this new parameter and select Modify.
6. Select Base as Decimal and enter the value 30000 (30000 milliseconds = 30 seconds).
7. Similarly, add another DWORD value with the name KeepAliveTime and set the value to 30000.
These settings take effect only after a reboot of the computer.
Starting the Oracle product and the listener service
To start the Oracle database, complete these steps:
• Windows
  Use the Services menu to start the Oracle database service called OracleServicedb_name.
• UNIX
  Enter these commands:
  # su - oracle
  # ./sqlplus "/ as sysdba"
  SQL> startup
To start the Oracle listener service, complete these steps:
• Windows
  Use the Services menu to start the Oracle TNS listener named OracleOraDb10_home1TNSListener. If the Oracle listener service is idle, start the listener.
• UNIX
  # su - oracle
  # ./lsnrctl start
To ensure that Oracle processes are started, enter this command:
ps -ef | grep ora
To ensure that the listener is running, enter this command:
# ./lsnrctl status
Installing and configuring SQL Server 2005 on the Windows operating system
This section describes installing and configuring SQL Server 2005 on the Windows operating system. Complete these steps:
• “Preparing to install SQL Server 2005”
• “Installing SQL Server 2005” on page 24
• “Configuring SQL Server 2005” on page 25
• “Creating the Tivoli Identity Manager database” on page 25
Preparing to install SQL Server 2005
Complete the following procedures before installing SQL Server 2005 on a Windows system:
1. Obtain the latest SQL Server 2005 service pack.
2. Log in to the Windows system with an Administrator account before launching the SQL Server 2005 installation.
Installing SQL Server 2005
You might install SQL Server 2005 on the same computer as Tivoli Identity Manager or on a separate computer. After installing SQL Server 2005, install the latest SQL Server 2005 service pack. For more information about installing SQL Server 2005, refer to the documentation available at these Web sites:
http://www.msdn.com/library/
http://www.microsoft.com/Sqlserver/2005/en/us/default.aspx
Note: When you install SQL Server 2005, you must set the codepage for the database to be case insensitive (CI).
Configuring SQL Server 2005
You must complete several post-installation tasks to configure SQL Server 2005 for Tivoli Identity Manager:
Configuring SQL Server 2005 for XA transactions
To configure SQL Server 2005 for XA transactions, complete these steps:
1. Download and extract the JDBC driver from the following Web site: http://msdn2.microsoft.com/en-us/data/aa937724.aspx
2. Assuming that you installed the MS SQL Server 2005 JDBC 1.2 driver at JDBC_DRIVER_INSTALL_DIR, follow the instructions in Understanding XA Transactions by opening the JDBC_DRIVER_INSTALL_DIR\help\html\574e326f-0520-4003-bdf1-62d92c3db457.htm file. Complete the instructions in these sections:
   a. Running the MS DTC Service
   b. Configuring the JDBC Distributed Transaction Components
   Note: You do not have to complete the section titled Configuring the User-Defined Roles, because Tivoli Identity Manager creates the necessary ID and associates it with the SqlJDBCXAUser role for you.
Installing the SQL Server JDBC driver
IBM Tivoli Identity Manager version 5.1 requires SQL Server 2005 JDBC Driver 1.2.
Copy the SQL Server JDBC driver from where SQL Server 2005 is installed, or download it from the Microsoft Web site, into a directory on the computer on which Tivoli Identity Manager is to be installed. The Tivoli Identity Manager installation program prompts for the directory containing the JDBC driver and the driver name. In a cluster configuration, the JDBC driver is required on the computer that has the deployment manager and on each Tivoli Identity Manager cluster member computer. For example, on the computer on which Tivoli Identity Manager is to be installed, create a directory C:\itim_jdbcdriver\ and copy the JDBC driver file to that directory, then point to this directory during installation.
Verify the security configuration for SQL Server 2005
To verify the security configuration for SQL Server 2005, complete these steps:
1. Launch the Microsoft SQL Server Management Studio.
2. Right click the SQL server root node, and click Properties.
3. Select Security from the Select a page panel.
4. Ensure that SQL Server and Windows Authentication Mode is selected.
5. Click OK.
Creating the Tivoli Identity Manager database
You must complete several post-installation tasks to create the Tivoli Identity Manager database.
1. Launch the Microsoft SQL Server Management Studio.
2. Navigate the tree, right-click on the Databases node, and select New Database.
3. Under Database name, type in a database name such as itimdb, and click OK.
4. For data files and transaction logs enter the following values:
   • Initial file size: 20 MB
   • Automatically grow files
   • Allow unrestricted file growth
Note: Ensure that the SQL server is in mixed authentication mode.
Chapter 3. Installing and configuring a directory server
Tivoli Identity Manager stores user account and organizational data, but not scheduling and audit data, in a directory server. This chapter focuses on configuring the directory server for use by Tivoli Identity Manager. The supported combinations of directory servers and required fix packs are described in the Tivoli Identity Manager Information Center.
The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the directory server product itself. For more information that you must know beforehand, refer to these sources:
• IBM Tivoli Directory Server
  – Hardware and software requirements, and documentation
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.0/welcome.htm
    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
  – Fixes
    http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
Before you install the directory server product
Before you install the directory server product, complete these steps:
• Read the installation guide that the directory server product provides.
• Ensure that your installation meets the directory server hardware and software requirements.
Installing and configuring IBM Tivoli Directory Server
You can install the IBM Tivoli Directory Server on the same computer with Tivoli Identity Manager or on a separate computer. IBM Tivoli Directory Server versions 6.1 and 6.2 support 64-bit on all operating system platforms. In addition, these versions also support 32-bit for Windows and Linux operating systems.
The IBM Tivoli Directory Server uses DB2 Database as a data store and WebSphere Application Server for the Web Administration Tool.
Installing IBM Tivoli Directory Server
These steps provide information about installing IBM Tivoli Directory Server using the DVDs that are provided with the Tivoli Identity Manager product, which do not contain embedded middleware for DB2 and WebSphere Application Server. If you are using an IBM Tivoli Directory Server installation DVD that contains embedded middleware for DB2 and WebSphere Application Server, you have the option to install embedded DB2 and WebSphere Application Server for IBM Tivoli Directory Server, and your installation process might vary.
Note: You cannot use embedded DB2 for the Tivoli Identity Manager database or embedded WebSphere Application Server for Tivoli Identity Manager.
To install IBM Tivoli Directory Server using the Tivoli Identity Manager product DVD, complete these steps:
1. Install DB2 from the DVD provided with the Tivoli Identity Manager product, if DB2 is not already installed.
2. Install WebSphere Application Server from the DVD provided with the Tivoli Identity Manager product. If you are installing Tivoli Identity Manager on the same computer as IBM Tivoli Directory Server, you must complete the WebSphere Application Server installation first. For more information, see “Installing WebSphere Application Server in a single-server environment” on page 42.
3. Install IBM Tivoli Directory Server from the DVD provided with the Tivoli Identity Manager product.
4. During the IBM Tivoli Directory Server installation, you must select Custom as the installation type. Click Next.
5. On the next panel, do not select DB2 Database, Embedded WebSphere Application Server, or IBM Tivoli Directory Integrator. You must select IBM Tivoli Directory Server 6.1. Other features are optional. Click Next.
6. In the next panel, the installer detects your WebSphere Application Server. You might be prompted to select a custom location of the WebSphere Application Server installation path. You can also choose to skip the deployment of Web Administration Tools. Click Next.
7. Review the summary and click Install to install IBM Tivoli Directory Server.
For information about installing the directory server, refer to documentation that the directory server product provides. For example, access this Web site: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
Installing the required fix packs
If your version of the IBM Tivoli Directory Server requires a fix pack, obtain and install the fixes. For more information, refer to these support Web sites:
http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc_6.0/welcome.htm
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/welcome.htm
Verify that the correct fix pack is installed on the IBM Tivoli Directory Server. To do so, issue the following command:
• AIX: lslpp -l 'idsldap*'
• Linux: rpm -qa | grep idsldap
• Solaris:
  1. Type pkginfo | grep IDSl to query the version for a particular package.
  2. Type pkgparam package_name VERSION for each installed package. For example, pkgparam IDSl64s61 VERSION for IBM Tivoli Directory Server version 6.1, or pkgparam IDSl32s60 VERSION for IBM Tivoli Directory Server version 6.0.
• Windows:
  1. From the command line, type regedit.
  2. Look in the following registry area:
     – 6.1: My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBM\IDSLDAP\6.1
     – 6.2: My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\IBM\IDSLDAP\6.2
For more information about these steps, refer to the Tivoli Identity Manager Information Center and to the documentation that the IBM Tivoli Directory Server fix pack provides.
Configuring IBM Tivoli Directory Server
Setting up the IBM Tivoli Directory Server requires creating the LDAP suffix for your organization before you install the Tivoli Identity Manager Server. Setting up the IBM Tivoli Directory Server also requires configuring the Tivoli Identity Manager referential integrity file. An LDAP suffix, also known as a naming context, is a distinguished name (DN) that identifies the top entry in a locally held directory hierarchy.
The Tivoli Identity Manager installation product includes a middleware configuration utility that creates database instances and user IDs and configures parameters for DB2 and IBM Tivoli Directory Server. Default values are supplied for many of the typical parameters and all the advanced parameters. If an entered parameter, such as the directory server administrator ID, already exists, the middleware configuration utility skips the task of creating it. You can choose to keep those values, or provide values of your own. Required fields are marked by an asterisk (*). You can revisit any panel in the deployment wizard by clicking the Back button until you reach the panel.
Note: The middleware configuration utility stores by default any input you provide in a response file called db2ldap.rsp located in the system temp directory, for example the /tmp directory. This file is normally cleaned up after the utility completes. If you cancel the utility before it completes, this file might not be erased.
Running the middleware configuration utility
You can run the middleware configuration utility to set IBM Tivoli Directory Server parameters for later Tivoli Identity Manager deployment. The middleware configuration utility:
• Creates user IDs if needed
• Creates IBM Tivoli Directory Server instances if needed
• Creates directory server databases if needed
• Tunes LDAP (buffer pool, log tuning)
• Adds the LDAP suffix
• Configures the non-SSL port
• IBM Tivoli Directory Server version 6.1: copies and configures the referential integrity plug-in.
  IBM Tivoli Directory Server version 6.2: configures the referential integrity plug-in (included in version 6.2) for Tivoli Identity Manager.
The middleware configuration utility can be run manually or silently. For more information about silent configuration, see “Configuring IBM Tivoli Directory
Before you begin:
On Windows operating systems, you must be an administrator or have administrative authority.
On UNIX and Linux operating systems, you must be a root user. Additionally, the umask setting must be 022. To verify the umask setting, issue the command:
umask
To set the umask value to 022, issue the command:
umask 022
Procedure:
To start the middleware configuration utility for IBM Tivoli Directory Server manually, complete the following steps:
1. Log on to an account with system administration privileges on the computer where IBM Tivoli Directory Server is installed.
2. Start the middleware configuration utility from the DVD or a download directory:
   • AIX: run the cfg_itim_mw_aix program.
   • Solaris: run the cfg_itim_mw_solaris program.
   • Linux for xSeries: run the cfg_itim_mw_xLinux program.
   • Linux for pSeries: run the cfg_itim_mw_pLinux program.
   • Linux for zSeries: run the cfg_itim_mw_zLinux program.
   • Windows: use the cfg_itim_mw.exe program if the Windows autorun feature is disabled.
   Each platform requires a file called cfg_itim_mw.jar to go along with the native program. The JAR file and the native program must be in the same directory location.
3. Select your language, and click OK.
4. From the Product Configuration panel, check only Configure IBM Tivoli Directory Server, and click Next.
5. You can receive a warning if IBM Tivoli Directory Server is not at the correct level or not installed. Action might be required to make sure that IBM Tivoli Directory Server is at the correct level. To bypass this warning, click Next.
6. From the IBM Tivoli Directory Server configuration options panel, provide the following information, and then click Next:
   • Directory server administrator ID and instance name
     Provide the user ID that is used to connect to IBM Tivoli Directory Server as the directory server administrator. For example, itimldap.
     Note: On Windows systems, disable password expiration for this user account after running the utility.
   • Directory server administrator password
     Enter the password that you have set for the IBM Tivoli Directory Server administrator account.
   • Password confirmation
     Type the password again.
   • Group for the DB2 administrator
     Select from the drop-down list a valid group, of which root is a member, to associate with the DB2 administrator ID. For example, bin. This value is available only for UNIX/Linux.
   • Directory server database home
     Provide the directory on which the DB2 instance of the directory server resides. For example, C: or /home/directory_server_instancename.
   • Directory server database name
     Provide the name of the database you are creating. For example, ldapdb2.
   • Encryption seed
     Provide an encryption key, which can be any word or phrase. The key is used to encrypt Tivoli Identity Manager passwords and other sensitive text. The encryption seed must be at least 12 characters in length.
   Note: The dollar sign ($) has special meaning in the installer frameworks used by the middleware configuration utility. Avoid using $ in any field values. The installer framework or operating system platform might do variable substitution for the value.
7. Provide the following LDAP information, and then click Next.
   • Administrator DN
     The user ID that represents the principal distinguished name. This DN is the root suffix for Tivoli Identity Manager. For example, cn=root.
   • Administrator DN password
     The password of the user ID that represents the principal distinguished name. For example, secret.
   • Password confirmation
     Type the password again.
   • User-defined suffix
     Provide the LDAP suffix. This suffix can be any valid suffix and is used as the context root under which Tivoli Identity Manager information is located. For example, choose dc=com.
   • Non-SSL port
     The port on which the directory server is listening. The default port is 389.
     Note: This default port might conflict with other services. For example, a Windows server could run Windows Active Directory services, which use a default port of 389.
8. Review your configuration options before clicking Next to begin the configuration process.
9. The configuration can take up to several minutes to complete. Once the configuration completes successfully, click Finish to exit the deployment wizard. This task concludes the middleware configuration process for IBM Tivoli Directory Server. To verify that the middleware configuration utility completed for IBM Tivoli Directory Server without error, check the cfg_itim_mw.log in the system temp directory.
Configuring IBM Tivoli Directory Server silently
To start the middleware configuration utility silently, complete these steps:
1. Copy the sample response file cfg_itim_mw.rsp (or cfg_itim_mw_windows.rsp for Windows systems) to a directory on the target computer.
2. Update the response file with the correct values. Make sure that the configureLDAP value is set to "yes". If you are not configuring the database server at the same time, make sure the configureDB2 value is set to "no".
3. From a command window, run this command:
   cfg_itim_mw -W ITIM.responseFile=cfg_itim_mw.rsp -silent
   Where cfg_itim_mw is:
   • AIX: cfg_itim_mw_aix
   • Solaris: cfg_itim_mw_solaris
   • Linux for xSeries: cfg_itim_mw_xLinux
   • Linux for pSeries: cfg_itim_mw_pLinux
   • Linux for zSeries: cfg_itim_mw_zLinux
   • Windows: cfg_itim_mw_windows
Note: If you run the middleware configuration utility silently, the response file is updated during the configuration process.
Related topics
“Running the middleware configuration utility” on page 29
Verifying successful suffix object configuration
To verify the suffix object configuration in this example, enter this command:
• Windows systems:
  ITDS_HOME\bin\ldapsearch.cmd -h localhost -b dc=com "(objectclass=domain)"
• UNIX or Linux systems:
  ITDS_HOME/bin/ldapsearch.sh -h localhost -b dc=com "(objectclass=domain)"
The options are:
-h   Specifies an alternate host on which the LDAP server is running.
-b   Specifies the search base of the initial search, instead of the default.
The output confirms that you have configured permissions for dc=com and initialized the suffix with data:
dc=com
objectclass=domain
objectclass=top
dc=com
Manually configuring the referential integrity plug-in on the IBM Tivoli Directory Server
The referential integrity plug-in for Tivoli Identity Manager on the IBM Tivoli Directory Server helps maintain consistency in references to objects that are deleted from the directory. The referential integrity plug-in is configured when you run the middleware configuration utility. The following steps explain how to manually configure the referential integrity plug-in on the IBM Tivoli Directory Server:
IBM Tivoli Directory Server version 6.1:
1. Stop the IBM Tivoli Directory Server.
2. Copy the referential integrity plug-in file libdelref.* from the Middleware Configuration DVD to the default installation directory for IBM Tivoli Directory Server.
   The referential integrity plug-in file is located on the Middleware Configuration DVD under delref\ITDS_VERSION\PLATFORM\LIB where
   • ITDS_VERSION is ITDS6.1 for IBM Tivoli Directory Server version 6.1
   • PLATFORM is aix, linux, win, plinux, sun, or zlinux
   • LIB is lib (for 32-bit binary files) or lib64 (for 64-bit binary files)
   Plug-in files are also located on the respective Supplemental DVD2 (IBM Tivoli Directory Server DVD) under the delref\LIB\ directory.
   The default installation directory for IBM Tivoli Directory Server is in the following location:
   • Windows:
     – 32-bit: ITDS_HOME\lib. For example, copy the file to the C:\Program Files\IBM\LDAP\lib directory.
     – 64-bit: ITDS_HOME\lib64. For example, copy the file to the C:\Program Files\IBM\LDAP\lib64 directory.
   • UNIX:
     – 32-bit: ITDS_HOME/lib. For example, copy the file to the /usr/IBM/LDAP/lib directory.
     – 64-bit: ITDS_HOME/lib64. For example, copy the file to the /usr/IBM/LDAP/lib64 directory.
   On UNIX systems, ensure that the file permission on the referential integrity plug-in file is set to -r-xr-xr-x, via the chmod 755 command.
3. Copy the timdelref.conf file from the Middleware Configuration DVD under the delref\etc directory to the ITDS_INSTANCE_HOME\etc directory. For example, copy the file to the C:\idsslapd-ldapdb2\etc directory.
4. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server in the following directory:
   • UNIX: ITDS_INSTANCE_HOME/etc. For example, locate the file in the /home/instance_owner_name/etc directory.
   • Windows: ITDS_INSTANCE_HOME\etc. For example, locate the file in the C:\idsslapd-idsinst\etc directory.
5. In the configuration file, specify the referential integrity file for Tivoli Identity Manager:
   a. Locate the following line:
      ibm-slapdPlugin: database path_to_rdbmfilename rdbm_backend_init
      The path_to_rdbmfilename variable is one of the following files:
      • AIX: /lib/libback-rdbm.a
      • UNIX other than AIX: /lib/libback-rdbm.so
      • Windows: \lib\libback-rdbm.dll
      The Windows path is specified with a forward slash.
   b. Add the following line, all on one line, directly after the previous line (for 64-bit environments, replace lib with lib64):
      • Solaris:
        ibm-slapdPlugin: preoperation ITDS_HOME/lib/lib_filename DeleteReferenceInit file="ITDS_INSTANCE_HOME/etc/timdelref.conf" dn="itim_suffix"
      • UNIX other than Solaris:
        ibm-slapdPlugin: preoperation ITDS_HOME/lib/lib_filename DeleteReferenceInit file=ITDS_INSTANCE_HOME/etc/timdelref.conf dn=itim_suffix
      - Windows:
        ibm-slapdPlugin: preoperation "ITDS_HOME/lib/lib_filename" DeleteReferenceInit file="ITDS_INSTANCE_HOME/etc/timdelref.conf" dn=itim_suffix
      Notes:
      1) The ITDS_HOME variable is the default installation directory for the IBM Tivoli Directory Server. The lib_filename variable is the name of the referential integrity plug-in file, as identified in step 2 on page 33.
      2) The itim_suffix variable is a value such as dc=com.
      3) On the Windows operating system, to specify the path to the libdelref.dll and the timdelref.conf files, ensure that you enclose the value of lib_filename in quotation marks. Additionally, specify the path to the libdelref.dll file with a forward slash (/).
6. Save the changes that you made to the configuration file.
7. Start the IBM Tivoli Directory Server.
8. Determine whether the referential integrity plug-in is reconfigured and loaded appropriately. Locate the IBM Tivoli Directory Server log file for the configuration:
   - Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.
   - UNIX/Linux: ITDS_INSTANCE_HOME/logs/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/logs directory.
   You see a message like this one:
   Plugin of type PREOPERATION is successfully loaded from /usr/ldap/lib/libdelref.a
   If you stop and start the IBM Tivoli Directory Server multiple times, more than one message occurs in the log file. Examine the timestamp on the most recent message in the file. If the operation does not succeed, ensure that the referential integrity plug-in and configuration files are in their target directories.
IBM Tivoli Directory Server version 6.2:
1. Stop the IBM Tivoli Directory Server.
2. Copy the timdelref.conf file from the Middleware Configuration DVD under the delref\etc directory to the ITDS_INSTANCE_HOME\etc directory. For example, copy the file to the C:\idsslapd-idsinst\etc directory.
3. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server in the following directory:
   - UNIX: ITDS_INSTANCE_HOME/etc. For example, locate the file in the /home/instance_owner_name/etc directory.
   - Windows: ITDS_INSTANCE_HOME\etc. For example, locate the file in the C:\idsslapd-idsinst\etc directory.
4. In the configuration file, specify the referential integrity file for Tivoli Identity Manager (for 64-bit environments, replace lib with lib64):
   a. Locate the line that starts with ibm-slapdPlugin: preoperation \lib\libdelref.dll DeleteReferenceInit and edit the file and dn values. If the line does not exist, add this sample and edit the file and dn values:
      ibm-slapdPlugin: preoperation \lib\libdelref.dll DeleteReferenceInit file=C:\idsslapd-ldaptest\etc\tdsdelref.conf dn=o=sample
      where C:\idsslapd-ldaptest\etc\tdsdelref.conf is the path where you copied the timdelref.conf file and o=sample is the suffix you used for the Tivoli Identity Manager LDAP database.
   b. Ensure that the ibm-slapdReferentialIntegrityPlugin attribute is set to TRUE; otherwise the plug-in is not loaded. The default setting is FALSE.
      ibm-slapdReferentialIntegrityPlugin: TRUE
   c. Save the changes that you made to the configuration file.
   d. Start the IBM Tivoli Directory Server.
   e. Determine whether the referential integrity plug-in is reconfigured and loaded appropriately. Locate the IBM Tivoli Directory Server log file for the configuration:
      - Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.
      - UNIX/Linux: ITDS_INSTANCE_HOME/logs/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/logs directory.
      You see a message like this one:
      Plugin of type PREOPERATION is successfully loaded from /usr/ldap/lib/libdelref.a
      If you stop and start the IBM Tivoli Directory Server multiple times, more than one message occurs in the log file. Examine the timestamp on the most recent message in the file. If the operation does not succeed, ensure that the referential integrity plug-in and configuration files are in their target directories.
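The checks that the 6.1 and 6.2 procedures above describe in prose (plug-in line in ibmslapd.conf, the 6.2 switch set to TRUE, plug-in file in place with the right mode, newest ibmslapd.log message reporting a successful load) can be scripted so they are repeatable across instances. The following POSIX shell script is an added example and not part of the IBM guide; the ibmslapd.conf lines, plug-in file and log excerpt it creates are constructed fixtures under a temporary directory, and the failed-load log line is invented for the test only (the successful-load line is the one the guide shows). Point the functions at the real ITDS_INSTANCE_HOME/etc/ibmslapd.conf, ITDS_HOME/lib/libdelref.* and ITDS_INSTANCE_HOME/logs/ibmslapd.log on a live instance.

```shell
#!/bin/sh
# Added example, not part of the IBM guide: post-configuration checks for the
# Tivoli Identity Manager referential integrity plug-in on an IBM Tivoli
# Directory Server instance (6.1 and 6.2 procedures). All files used below are
# constructed fixtures so the script runs offline.

# conf_has_delref_plugin CONF
#   0: a preoperation plug-in line naming DeleteReferenceInit is present and,
#      if the file carries the 6.2 switch ibm-slapdReferentialIntegrityPlugin,
#      that switch is TRUE
#   1: no DeleteReferenceInit plug-in line at all
#   2: plug-in line present but the 6.2 switch is not TRUE (its default is FALSE)
conf_has_delref_plugin() {
    grep -q '^ibm-slapdPlugin: preoperation .*DeleteReferenceInit' "$1" || return 1
    if grep -qi '^ibm-slapdReferentialIntegrityPlugin:' "$1"; then
        grep -qi '^ibm-slapdReferentialIntegrityPlugin: *TRUE *$' "$1" || return 2
    fi
    return 0
}

# conf_delref_dn CONF: the dn= value (itim_suffix) of the plug-in line, quotes
# stripped, so it can be compared with the suffix Tivoli Identity Manager uses.
# Assumes a suffix without spaces; quoted suffixes with spaces need a real parser.
conf_delref_dn() {
    grep '^ibm-slapdPlugin: preoperation .*DeleteReferenceInit' "$1" \
        | sed -n 's/.* dn=\([^ ]*\).*/\1/p' | tr -d '"'
}

# plugin_file_ok PATH: 0 when the plug-in file exists and is readable and
# executable (chmod 755 in the guide), 1 when missing, 2 when the mode is wrong.
plugin_file_ok() {
    [ -f "$1" ] || return 1
    [ -r "$1" ] && [ -x "$1" ] || return 2
    return 0
}

# last_load_ok LOG: 0 when the newest "Plugin of type PREOPERATION" message in
# ibmslapd.log reports a successful load. Only the last such line counts,
# because every restart appends another message.
last_load_ok() {
    line=$(grep 'Plugin of type PREOPERATION' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -q 'successfully loaded'
}

# check_instance CONF PLUGIN LOG: run all checks, print one line each and
# return the number of checks that failed.
check_instance() {
    failed=0
    rc=0; conf_has_delref_plugin "$1" || rc=$?
    case $rc in
        0) echo "conf: plug-in line present, dn=$(conf_delref_dn "$1")" ;;
        1) echo "conf: no DeleteReferenceInit plug-in line"; failed=$((failed + 1)) ;;
        2) echo "conf: ibm-slapdReferentialIntegrityPlugin is not TRUE"; failed=$((failed + 1)) ;;
    esac
    if plugin_file_ok "$2"; then echo "file: $2 ok"
    else echo "file: $2 missing or not readable and executable"; failed=$((failed + 1)); fi
    if last_load_ok "$3"; then echo "log: plug-in loaded"
    else echo "log: newest PREOPERATION message is not a successful load"; failed=$((failed + 1)); fi
    return $failed
}

# --- constructed fixtures: an ITDS 6.2 style instance on Linux ---
work=$(mktemp -d)
good_conf="$work/ibmslapd.conf"
off_conf="$work/ibmslapd-switch-off.conf"
plugin="$work/libdelref.so"
log="$work/ibmslapd.log"
cat > "$good_conf" <<'EOF'
ibm-slapdPlugin: database /usr/IBM/LDAP/lib/libback-rdbm.so rdbm_backend_init
ibm-slapdPlugin: preoperation /usr/IBM/LDAP/lib/libdelref.so DeleteReferenceInit file=/home/ldapdb2/idsslapd-ldapdb2/etc/timdelref.conf dn="dc=com"
ibm-slapdReferentialIntegrityPlugin: TRUE
EOF
# the same file with the 6.2 switch left at its default
sed 's/^ibm-slapdReferentialIntegrityPlugin: TRUE$/ibm-slapdReferentialIntegrityPlugin: FALSE/' "$good_conf" > "$off_conf"
: > "$plugin" && chmod 755 "$plugin"
# an older failed attempt (constructed line) followed by the successful load
# message in the form the guide shows
cat > "$log" <<'EOF'
Plugin of type PREOPERATION failed to load from /usr/IBM/LDAP/lib/libdelref.so
Plugin of type PREOPERATION is successfully loaded from /usr/IBM/LDAP/lib/libdelref.so
EOF

check_instance "$good_conf" "$plugin" "$log"
check_instance "$off_conf" "$plugin" "$log" || echo "problems found: $?"
```

Run it as the instance owner so the permission test reflects what the directory server process can actually read and execute.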
Manually tuning the IBM Tivoli Directory Server database
You can manually tune the performance of the DB2 instance that IBM Tivoli Directory Server uses. Complete these steps:
1. Open a DB2 command window.
   - UNIX: Log on as the DB2 instance owner and enter db2 to open the DB2 command line processor.
   - Windows: Click Start > Run, and enter db2cmd. When the DB2 command window opens, enter db2.
2. In the DB2 command window, enter these commands to tune the IBM Tivoli Directory Server database instance:
   db2 connect to itds_dbname user itds_dbadmin_name using itds_dbadmin_password
   db2 alter bufferpool IBMDEFAULTBP size automatic
   db2 alter bufferpool ldapbp size automatic
   db2 update db cfg for itds_dbname using logsecond 12
   db2 update db cfg for itds_dbname using logfilsiz 10000
   db2 update db cfg for itds_dbname using database_memory itds_dbmemory
   db2 disconnect current
   The commands are shown as you type them at the operating system prompt. At the interactive db2 => prompt that step 1 opens, omit the leading db2 on each line. If you omit the using itds_dbadmin_password clause, DB2 prompts for the password, which keeps it out of the shell history and process listings.
   The value of itds_dbname is a name such as ldapdb2. The value of itds_dbmemory is 40000 for a single-server installation, COMPUTED for all platforms except AIX and Windows, and AUTOMATIC for AIX and Windows. For more
information about performance parameter tuning for DB2, refer to the IBM Tivoli Identity Manager Performance Tuning Guide.
3. Stop and start the DB2 server to allow the changes to take effect. Enter the following commands:
   db2stop
   db2start
   If db2stop fails and the database remains active, enter db2 force application all to deactivate the database, then enter db2stop again. Stopping the IBM Tivoli Directory Server first releases its database connections, so that db2stop succeeds without forcing applications off.
Sun Enterprise Directory Server
This section describes installing and configuring Sun Enterprise Directory Server.
Installing Sun Enterprise Directory Server
For instructions and more information about installing the Sun Enterprise Directory Server, refer to the documentation available at these Web sites:
http://www.sun.com/software/products/directory_srvr_ee/index.html
http://docs.sun.com/app/docs/coll/1224.4
http://docs.sun.com/app/docs/doc/820-2762/dsoutline?a=view
http://www.sun.com/software/products/directory_srvr_ee/get.jsp
Configuring Sun Enterprise Directory Server
To configure the Sun Enterprise Directory Server, complete these steps:
1. Create a Tivoli Identity Manager LDAP server instance. Issue the command:
   dsadm create -p portnumber -P SSL-port instance-path
   where portnumber is the port number for the Sun Enterprise Directory Server and SSL-port is the SSL port number for the Sun Enterprise Directory Server. For example:
   - On UNIX systems: dsadm.sh create -p 1389 -P 1363 /local/itimldap
   - On Windows systems: dsadm.exe create -p 1389 -P 1363 C:\itimldap
   The command prompts for the Directory Manager password. Choose a strong one: the Directory Manager account is not subject to the access control instructions on the instance.
2. Start the Tivoli Identity Manager LDAP server. Issue the command:
   dsadm.sh start instance-path
   For example, dsadm.sh start /local/itimldap
3. Create a root suffix. Issue the command:
   dsconf.sh create-suffix -h host -p portnumber rootsuffix
   For example, dsconf.sh create-suffix -h localhost -p 1389 dc=com
   This command creates the root suffix dc=com on the Tivoli Identity Manager LDAP server.
   If you receive an Unable to bind securely on host:portNumber message, use the --unsecured parameter:
   dsconf.sh create-suffix --unsecured -h localhost -p 1389 dc=com
   With --unsecured, dsconf sends the Directory Manager credentials over a cleartext connection, so use it only on the directory host itself, as in these localhost examples, or on a network you trust.
4. Create and save a file called dcequalscom.ldif with the following content:
   dn: dc=com
   dc: com
   objectclass: top
   objectclass: domain
5. Import the dcequalscom.ldif file to the dc=com root suffix. Issue the command:
   dsconf.sh import -h hostname -p portnumber path/dcequalscom.ldif rootsuffix
   For example, dsconf.sh import -h localhost -p 1389 /temp/dcequalscom.ldif dc=com
   If you receive an Unable to bind securely on host:portNumber message, use the --unsecured parameter:
   dsconf.sh import --unsecured -h localhost -p 1389 /temp/dcequalscom.ldif dc=com
6. Restart the directory server.
Note:
Sun Enterprise Directory Server access control instructions might have enabled anonymous read access. To provide more secure data, modify the default access control instructions to disable anonymous read access. For more information, refer to the Sun Enterprise Directory Server documentation.
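The note above leaves the actual check to the Sun documentation. The following POSIX shell script is an added example, not part of the IBM guide: it scans the aci attribute values of the Tivoli Identity Manager suffix for any instruction that grants read, search or compare to userdn="ldap:///anyone" (the Sun/Netscape ACI keyword for unauthenticated and authenticated binds alike) and emits the ldapmodify LDIF that replaces such an instruction with one limited to userdn="ldap:///all" (bound identities only). The aci values in SAMPLE_ACIS and CLEAN_ACIS are constructed in the Sun ACI syntax; the exact text of the default ACI on your server must be read from the suffix entry first, for example with ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -b dc=com -s base "(objectclass=*)" aci (adding your ldapsearch's password option, and -T so long aci values are not folded across lines, which the parser here does not handle).

```shell
#!/bin/sh
# Added example, not from the IBM guide: audit a Sun Enterprise Directory Server
# suffix for ACIs that grant anonymous read and build the LDIF that replaces
# them with an authenticated-users-only ACI. All aci values here are constructed.

# What ldapsearch returns for the suffix entry (constructed, unfolded lines)
SAMPLE_ACIS='dn: dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous read"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Self write"; allow (write) userdn="ldap:///self";)
'
# The same entry after the fix below has been applied (constructed)
CLEAN_ACIS='dn: dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Authenticated read"; allow (read,search,compare) userdn="ldap:///all";)
aci: (targetattr = "*")(version 3.0; acl "Self write"; allow (write) userdn="ldap:///self";)
'

# anonymous_read_acis LDIF: print every aci value that allows read, search or
# compare to userdn="ldap:///anyone"; exit status 0 when at least one exists.
anonymous_read_acis() {
    printf '%s' "$1" \
        | sed -n 's/^aci: //p' \
        | grep 'userdn *= *"ldap:///anyone"' \
        | grep -E 'allow *\([^)]*(read|search|compare)'
}

# count_anonymous_read LDIF: number of offending ACIs, 0 when the suffix is clean
count_anonymous_read() {
    anonymous_read_acis "$1" | wc -l | tr -d ' '
}

# authenticated_only_ldif SUFFIX OLD_ACI: ldapmodify input that deletes the
# offending ACI and adds one granting read to bound users only. The acl name
# "Authenticated read" is an arbitrary label chosen for this example.
authenticated_only_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: aci
aci: $2
-
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Authenticated read"; allow (read,search,compare) userdn="ldap:///all";)
-
EOF
}

# Demonstration on the constructed sample: report each offending ACI and the
# LDIF that would fix it.
anonymous_read_acis "$SAMPLE_ACIS" | while IFS= read -r aci; do
    printf 'anonymous read granted by: %s\n\n' "$aci"
    authenticated_only_ldif dc=com "$aci"
done
echo "offending ACIs in sample: $(count_anonymous_read "$SAMPLE_ACIS"), after fix: $(count_anonymous_read "$CLEAN_ACIS")"
```

Apply the generated LDIF with ldapmodify bound as Directory Manager, then re-run the audit against a fresh ldapsearch of the suffix and confirm the count is 0; an anonymous ldapsearch of the same suffix should then return no entries. Deleting an aci value requires the exact original text, which is why the script feeds the value it found back into the delete.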
Chapter 4. Optionally installing IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator synchronizes and manages information exchanges between applications or directory sources. This chapter focuses on installing the
IBM Tivoli Directory Integrator for use by Tivoli Identity Manager. The supported versions and required fix packs for IBM Tivoli Directory Integrator are described in the
Tivoli Identity Manager Information Center
.
The information in this chapter is not a substitute for the more extensive, prerequisite documentation that is provided by the directory integrator product itself.
Before you install the directory integrator product
Before you install IBM Tivoli Directory Integrator, complete these steps:
- Read the installation guide that the directory integrator product provides.
- Ensure that your installation meets the directory integrator hardware and software requirements.
  - IBM Tivoli Directory Integrator
    - Hardware and software requirements, and documentation: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDI.doc_6.1.1/welcome.htm
    - Fixes: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
Installing IBM Tivoli Directory Integrator
You can install the IBM Tivoli Directory Integrator on the same computer with Tivoli Identity Manager or on a separate computer.
Installing IBM Tivoli Directory Integrator
For information about installing IBM Tivoli Directory Integrator, refer to documentation that the product provides. For example, access this Web site: http://www.ibm.com/software/sysmgmt/products/support/J958636N88774A05doc.html
Installing the required fix packs
If your version of the IBM Tivoli Directory Integrator requires a fix pack, obtain and install the fixes. For more information, refer to these Web sites:
- Support: http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryIntegrator.html
- Information center: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?toc=/com.ibm.IBMDI.doc/toc.xml
Installing agentless adapters
Adapters allow Tivoli Identity Manager to manage resources. Agent-based adapters require the installation of the adapter on the managed resource, and the installation of an adapter profile on the Tivoli Identity Manager server. Agentless adapters require adapter installation on the computer that hosts IBM Tivoli Directory Integrator, and the installation of an adapter profile on the Tivoli Identity Manager server.
You can install IBM Tivoli Directory Integrator on the same computer as Tivoli Identity Manager or remotely. If IBM Tivoli Directory Integrator is installed locally, on the same computer as Tivoli Identity Manager, the Tivoli Identity Manager installation program automatically installs the agentless adapters, and you can also choose to have it install the agentless adapter profiles. If IBM Tivoli Directory Integrator is installed remotely, you must manually install the agentless adapters on the computer that hosts IBM Tivoli Directory Integrator, and manually install the agentless adapter profiles on the computer that hosts Tivoli Identity Manager.
Chapter 5. Installing and configuring WebSphere Application
Server
WebSphere Application Server delivers a secure, scalable application infrastructure for Tivoli Identity Manager Server. WebSphere Application Server can run in a single-server or a cluster server environment.
This chapter describes generic steps to create a WebSphere Application Server environment before you install the Tivoli Identity Manager Server in either the single-server or cluster configurations. The supported releases and required fix packs for WebSphere Application Server are described in the
Tivoli Identity Manager
Information Center.
Before you install WebSphere Application Server
Before you install WebSphere Application Server, complete the following tasks:
- Read the WebSphere Application Server installation guide.
- Determine whether you are installing WebSphere Application Server in a single-server or cluster environment.
- Ensure that your system meets the product hardware and software requirements.
- Ensure that all required operating system fix packs are in place. For more information about tuning operating systems for the WebSphere Application Server, refer to this Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.doc/info/ae/ae/tprf_tuneopsys.html
For more information about installing the WebSphere Application Server, refer to the following Web sites:
- Hardware and software requirements: http://www.ibm.com/software/webservers/appserv/was/
- Support: http://www.ibm.com/software/webservers/appserv/was/support/
- Information center: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
Installing the WebSphere Application Server product
WebSphere Application Server Version 6 introduces the concept of a profile, with which installing the product becomes a two-step process:
1. Install a shared set of core product files using the WebSphere Application Server installation program.
2. Use profiles to define multiple application server runtime environments, each with its own administrative interfaces, that share the core files. Profiles are necessary for the environment to function. There are three types of profiles which can be created:
   - Application server: Can run as a stand-alone node or run as part of a deployment manager cell.
   - Deployment manager: Provides centralized management of application servers.
   - Custom: Must be federated and then customized through the deployment manager. A custom profile does not have its own administrative console. It is managed under the deployment manager node.
For example, once the core files have been installed, create one or more deployment manager profiles, application server profiles, or custom profiles. A profile can be created at any time after installation by using the Profile Creation wizard GUI or the manageprofiles command.
Additional configuration steps are required if you want to install the IBM HTTP Server and WebSphere Web Server plug-in.
For more information about installing the IBM HTTP Server, refer to the following Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html
For more information about planning to install the WebSphere Web Server plug-in, refer to the following Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_scenario5.html
Installing WebSphere Application Server in a single-server environment
To install WebSphere Application Server in a single-server environment, complete these steps:
1. Install the WebSphere Application Server product as the root user on UNIX systems, or as a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server installation program.
3. Select the Application Server profile.
4. By default, administrative security is enabled. Enabling administrative security protects your server from unauthorized users. Leave it enabled and keep a record of the administrative user name and password that you specify.
5. Enter any additional values that the WebSphere installation program requires.
6. When installation is complete, download and install the Update Installer for WebSphere Application Server from the product support Web site.
7. Use the Update Installer to install a fix pack containing a supported version of WebSphere Application Server. See "Software prerequisites" in the Tivoli Identity Manager Information Center. Make sure that you use the same operating system administrator account that you used for the installation.
8. Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if you intend to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
9. After you apply the WebSphere Application Server fix pack, start the WebSphere Application Server using the following command:
   - Windows: WAS_PROFILE_HOME\bin\startServer.bat server_name
   - UNIX/Linux: WAS_PROFILE_HOME/bin/startServer.sh server_name
   The value of server_name is the name of the WebSphere Application Server. For example, server1.
10. Open the First Steps panel for WebSphere Application Server and click Installation Verification to verify that there are no installation problems. To run the First Steps panel, use the following command:
   - Windows: WAS_PROFILE_HOME\firststeps\firststeps.bat
   - UNIX/Linux: WAS_PROFILE_HOME/firststeps/firststeps.sh
11. Verify that the WebSphere Application Server fix pack is at the correct level. Enter one of these commands:
   - Windows: WAS_PROFILE_HOME\bin\versionInfo.bat
   - UNIX: WAS_PROFILE_HOME/bin/versionInfo.sh
   For example, the version is like the following output:
   - WebSphere Application Server base
     Installed Product
     -----------------------------------------------
     Name IBM WebSphere Application Server
     Version 6.1.0.23
     ID BASE
12. Use the following Web address to access the WebSphere administrative console: http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the computer on which you installed the WebSphere Application Server base product. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer. With administrative security enabled, the console redirects you to the secure administrative port (9043 by default), so the browser must be able to reach that port as well.
13. Examine the SystemOut.log and SystemErr.log files in the WAS_PROFILE_HOME\logs\server_name directory to ensure that there are no other problems. For more information, see “Log files” on page 104.
Once you have completed the installation, the next step is installing IBM Tivoli
Directory Server. For more information, see “Installing and configuring IBM Tivoli
Installing WebSphere Application Server in a cluster environment
To install WebSphere Application Server in a cluster environment, complete these steps:
1. Install the WebSphere Application Server package, and create a deployment manager profile.
2. On each computer in the cluster, install the WebSphere Application Server package, create a custom profile, and federate the node to the cell managed by the deployment manager.
3. Optionally install and configure IBM HTTP Server and the WebSphere Web Server plug-in.
Install the WebSphere Application Server deployment manager
To install the WebSphere Application Server deployment manager, complete these steps:
1. Install the WebSphere Application Server product as the root user on UNIX systems, or as a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server installation program.
3. Select the Deployment Manager profile.
4. By default, administrative security is enabled. Enabling administrative security protects your server from unauthorized users. Leave it enabled and keep a record of the administrative user name and password that you specify; you need them when you federate nodes into the cell.
5. Enter any additional values that the WebSphere installation program requires.
6. When installation is complete, download and install the Update Installer for WebSphere Application Server from the product support Web site.
7. Use the Update Installer to install a fix pack containing a supported version of WebSphere Application Server. See "Software prerequisites" in the Tivoli Identity Manager Information Center. Make sure that you use the same administrator account that you used for the installation.
8. Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if you intend to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
9. Start the deployment manager using the following command:
   - Windows: WAS_NDM_PROFILE_HOME\bin\startManager.bat
   - UNIX/Linux: WAS_NDM_PROFILE_HOME/bin/startManager.sh
10. Open the First Steps panel for WebSphere Application Server and click Installation Verification to verify that there are no installation problems. To run the First Steps panel, use the following command:
   - Windows: WAS_NDM_PROFILE_HOME\firststeps\firststeps.bat
   - UNIX/Linux: WAS_NDM_PROFILE_HOME/firststeps/firststeps.sh
11. Verify that the WebSphere Application Server fix pack is at the correct level on the deployment manager and on every cluster member; the deployment manager must not be at a lower level than any node it manages. Enter one of these commands:
   - Windows:
     - Cluster member: WAS_PROFILE_HOME\bin\versionInfo.bat
     - Deployment manager: WAS_NDM_PROFILE_HOME\bin\versionInfo.bat
   - UNIX:
     - Cluster member: WAS_PROFILE_HOME/bin/versionInfo.sh
     - Deployment manager: WAS_NDM_PROFILE_HOME/bin/versionInfo.sh
   For example, the version is like the following output:
   - WebSphere Application Server base
     Installed Product
     -----------------------------------------------
     Name IBM WebSphere Application Server
     Version 6.1.0.23
     ID BASE
   - Deployment manager
     Installed Product
     -----------------------------------------------
     Name IBM WebSphere Application Server Deployment Manager
     Version 6.1.0.23
     ID ND
12. Use the following Web address to access the WebSphere administrative console: http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the computer on which you installed the WebSphere Application Server base product. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer.
13. Examine the SystemOut.log and SystemErr.log files in the WAS_NDM_PROFILE_HOME\logs\dm_server_name directory to ensure that there are no other problems.
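Step 11 of the single-server procedure and step 11 of the deployment manager procedure both ask you to read the Version line of versionInfo output by eye, and in a cell that reading has to be repeated on the deployment manager and on every cluster member. The following POSIX shell script is an added example, not part of the IBM guide: it extracts the Version field from versionInfo output, compares dotted version numbers component by component, and reports every node below a required level. The versionInfo excerpts are constructed in the layout the guide shows, the node names dmgr, node1 and node2 are hypothetical, and REQUIRED_LEVEL is a placeholder to replace with the level from "Software prerequisites" in the Tivoli Identity Manager Information Center. On real hosts, capture the output with WAS_PROFILE_HOME/bin/versionInfo.sh (or WAS_NDM_PROFILE_HOME/bin/versionInfo.sh for the deployment manager) and pass it in the same name=output form.

```shell
#!/bin/sh
# Added example, not from the IBM guide: compare the fix-pack level reported by
# versionInfo on the deployment manager and on each cluster member against a
# required minimum. versionInfo excerpts below are constructed samples.

# versioninfo_version OUTPUT: print the Version field of the first
# "Installed Product" block, for example 6.1.0.23.
versioninfo_version() {
    printf '%s\n' "$1" | sed -n 's/^Version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 when dotted version A is at least B, comparing each
# numeric component in turn (so 6.1.0.23 >= 6.1.0.9, unlike a string compare).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_cell MIN NAME=OUTPUT ...: print one line per node and return the
# number of nodes whose level is missing or below MIN.
check_cell() {
    min="$1"; shift
    bad=0
    for entry in "$@"; do
        name=${entry%%=*}
        v=$(versioninfo_version "${entry#*=}")
        if [ -n "$v" ] && version_ge "$v" "$min"; then
            echo "$name: $v ok"
        else
            echo "$name: ${v:-unknown} below required $min"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed versionInfo excerpts in the guide's layout (node names hypothetical)
DMGR_OUT='Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server Deployment Manager
Version 6.1.0.23
ID ND'
NODE1_OUT='Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 6.1.0.23
ID BASE'
NODE2_OUT='Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 6.1.0.17
ID BASE'
# Placeholder: take the real value from "Software prerequisites"
REQUIRED_LEVEL=6.1.0.23

check_cell "$REQUIRED_LEVEL" "dmgr=$DMGR_OUT" "node1=$NODE1_OUT" "node2=$NODE2_OUT" \
    || echo "nodes that still need the fix pack: $?"
```

The component-wise comparison matters because fix-pack numbers run past 9; a plain string comparison would rank 6.1.0.9 above 6.1.0.23.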
Install the WebSphere Application Server product on each node member
Install WebSphere Application Server on each computer on which Tivoli Identity Manager Server runs as a Tivoli Identity Manager cluster member, and federate each node member to the cell.
To install WebSphere Application Server on each cluster member host, complete these generic steps:
1. Install the WebSphere Application Server product as the root user on UNIX systems, or as a user with administrator authority on the Windows operating system.
2. Start the WebSphere Application Server installation program.
3. Select the Custom profile.
4. In the Federation panel, complete these fields:
   a. Type the host name or IP address of the deployment manager.
   b. Type the SOAP port of the deployment manager or accept the default port.
   c. If administrative security is enabled, type the deployment manager administrative user name and password.
5. When installation is complete, download and install the Update Installer for WebSphere Application Server from the product support Web site.
6. Use the Update Installer to install a fix pack containing a supported version of WebSphere Application Server. See "Software prerequisites" in the Tivoli Identity Manager Information Center. Make sure that you use the same administrator account that you used for the installation.
7. Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if
the user intends to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
8. After you apply the WebSphere Application Server fix pack, start the node agent that federation created, using the following command (startNode starts the node agent; to only query its state afterwards, run serverStatus nodeagent from the same bin directory):
   - Windows systems: WAS_PROFILE_HOME\bin\startNode.bat
   - UNIX or Linux systems: WAS_PROFILE_HOME/bin/startNode.sh
9. Open the First Steps panel for WebSphere Application Server and click Installation Verification to verify that there are no installation problems. To run the First Steps panel, use the following command:
   - Windows: WAS_PROFILE_HOME\firststeps\firststeps.bat
   - UNIX/Linux: WAS_PROFILE_HOME/firststeps/firststeps.sh
Manually federate a WebSphere Application Server node member
This step is needed only if you used a custom profile but did not federate the node to the cell during installation, or if you created a base WebSphere Application Server profile, which does not federate the node member during installation. To manually federate a WebSphere Application Server node member, run the addNode command:
- Windows: WAS_HOME\bin\addNode.bat dmgr_host portnumber -profileName profile_name
- UNIX/Linux: WAS_HOME/bin/addNode.sh dmgr_host portnumber -profileName profile_name
The value of WAS_HOME is the location of the WebSphere Application Server home directory where the WebSphere Application Server core files are installed. The dmgr_host parameter is the host name of the computer on which the deployment manager is installed. The portnumber parameter specifies the SOAP port number that is assigned to the deployment manager. The default port number is 8879. When administrative security is enabled on the deployment manager, also pass -username and -password with the deployment manager administrative credentials.
A node agent is created and started after a node is successfully added to a cell.
Verify the federation of nodes within the cell
To verify that all nodes have been federated and are running, complete these steps:
1. Use the following Web address to access the WebSphere administrative console: http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the WebSphere Application Server deployment manager. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer.
2. Click System administration from the Integrated Solutions Console root structure. Click Nodes. Verify that the manager node and federated nodes are listed and are available. You can also click Node agents to see the status of all node agents.
Create the WebSphere clusters for the Tivoli Identity Manager application
Tivoli Identity Manager requires the creation of two server clusters in your WebSphere Application Server environment. One cluster is used to host the Tivoli Identity Manager application. The other cluster is used as a messaging service.
Before you create the clusters, make sure that all node agents are up. To create the WebSphere Application Server clusters, complete these steps:
1. Use the following Web address to access the WebSphere administrative console: http://hostname:port/ibm/console
   The value of hostname is either the fully qualified host name or the IP address of the WebSphere Application Server deployment manager. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. The port number might not be 9060 if there is another instance of the WebSphere Application Server on the computer.
2. Click Servers from the Integrated Solutions Console root structure.
3. For the WebSphere Application Server 6.1 deployment manager console, click Clusters, and click New.
   For the WebSphere Application Server 7.0 deployment manager console, click Clusters, click WebSphere application server clusters, and click New.
4. Specify the name of the host application cluster. For example, ITIM_Application_Cluster. The cluster name must be unique within the cell. Use the default check box settings, and click Next.
5. Specify a member name for the first cluster member.
6. Specify the node you want to use to host the first cluster member.
7. Click the radio button adjacent to Create the member using an application server template and select default.
8. Keep all other default settings and click Next.
9. Create a cluster member for each additional node by specifying a member name, selecting a node, and clicking Add Member. Tivoli Identity Manager does not support multiple cluster members on a single node. Click Next when you have finished adding cluster members.
10. Verify the summary of information and click Finish.
11. Repeat this process for the messaging cluster, specifying unique names for the messaging cluster and its cluster members, such as ITIM_Messaging_Cluster.
12. When you have finished creating the second cluster, click Servers from the Integrated Solutions Console root structure. Click Clusters, and verify that your clusters appear.
13. Click the name of each cluster, and click Cluster members to view detailed information about each cluster member.
Optionally installing and configuring IBM HTTP Server and WebSphere Web Server plug-in
Although you can install the IBM HTTP Server and the WebSphere Web Server plug-in on the same computer that has the deployment manager, you might want to install them on a separate computer for additional security and load balancing: a Web server in front of the cluster keeps the application server and deployment manager ports off the client-facing network and spreads requests across the cluster members.
For more information on installing IBM HTTP Server, refer to the following Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.ihs.doc/info/welcome_ihs.html
For more information about planning to install the WebSphere Web Server plug-in, refer to the following Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tins_scenario5.html
Change TCP KeepAlive settings on WebSphere Application
Server
The failover design of the messaging engine relies upon the database connections being broken when a messaging engine instance fails. For failover to occur in high availability environments, ensure that the system detects the broken connection in a timely manner and releases database locks. You do this by configuring the TCP KeepAlive settings. For example, if you are using Linux, log in as an administrator and complete these steps on all WebSphere Application Server nodes:
1. Run the following command: echo 30 > /proc/sys/net/ipv4/tcp_keepalive_intvl
Note: These settings are also used by IPv6 implementations.
2. Ensure that the value of the heartbeat interval is set to 30 seconds:
a. From the WebSphere Application Server administrative console, click Servers > Core groups > Core group settings > Default core group.
b. Under the Additional properties section, click Custom properties. Verify that this value is not blank. If it is not blank, change the values specified for the IBM_CS_FD_PERIOD_SECS custom property. This property specifies the time interval, in seconds, between consecutive heartbeats. The default value for this property is 30 seconds.
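The following POSIX shell script is an added example, not part of the IBM guide, for confirming that step 1 took effect on a node. It reads the three Linux keepalive tunables under /proc/sys/net/ipv4 (the tcp_keepalive_time and tcp_keepalive_probes files are standard Linux tunables that the guide does not mention), flags an interval other than the 30 seconds the guide asks for, and reports the resulting worst-case time to detect a dead database connection: the idle time before the first probe plus the number of probes multiplied by the interval. The helper names and the KEEPALIVE_DIR override are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the IBM guide): report the Linux TCP keepalive
# tunables on a WebSphere node and the worst-case time the kernel needs to
# notice a dead peer. The /proc paths and the 30-second target come from the
# guide; the detection-time arithmetic is standard Linux keepalive behaviour.

KEEPALIVE_DIR=${KEEPALIVE_DIR:-/proc/sys/net/ipv4}   # overridable for testing
TARGET_INTVL=30                                        # value the guide asks for

# read_tunable NAME: print the integer stored in $KEEPALIVE_DIR/NAME, or
# "missing" when the file is unreadable (non-Linux host, restricted container).
read_tunable() {
    f="$KEEPALIVE_DIR/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# keepalive_detection_seconds TIME INTVL PROBES: seconds between the last
# traffic on an idle connection and the kernel declaring it dead: TIME idle
# seconds before the first probe, then PROBES probes sent INTVL seconds apart.
keepalive_detection_seconds() {
    echo $(( $1 + $2 * $3 ))
}

# intvl_compliant VALUE: succeed only when VALUE equals the guide's 30 seconds.
intvl_compliant() {
    [ "$1" = "$TARGET_INTVL" ]
}

# report_node: print the three tunables and the detection time; return 1 when
# tcp_keepalive_intvl is not 30, 2 when the tunables cannot be read at all.
report_node() {
    t=$(read_tunable tcp_keepalive_time)
    i=$(read_tunable tcp_keepalive_intvl)
    p=$(read_tunable tcp_keepalive_probes)
    echo "tcp_keepalive_time=$t tcp_keepalive_intvl=$i tcp_keepalive_probes=$p"
    if [ "$t" = missing ] || [ "$i" = missing ] || [ "$p" = missing ]; then
        echo "keepalive tunables not readable under $KEEPALIVE_DIR"
        return 2
    fi
    echo "dead peer detected after about $(keepalive_detection_seconds "$t" "$i" "$p") s"
    if intvl_compliant "$i"; then
        echo "tcp_keepalive_intvl OK"
    else
        echo "tcp_keepalive_intvl is $i, guide expects $TARGET_INTVL"
        return 1
    fi
}

# Run the report only when invoked as "sh keepalive_check.sh check" (hypothetical
# file name), so that sourcing the file for its functions has no side effects.
if [ "${1:-}" = check ]; then
    report_node
fi
```

The detection time is the figure to compare against the failover time your high-availability design requires: with the Linux default tcp_keepalive_time of 7200 seconds, a broken connection still sits idle for two hours before the first probe is sent, so setting only the interval to 30 seconds shortens the probing phase but not that idle phase. Values written to /proc do not survive a reboot; reapply them at startup or through the system's sysctl configuration so that a rebooted node does not silently fall back to the defaults.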
Tuning WebSphere Application Server for performance
Performance issues can occur after you initially configure WebSphere Application Server. These tasks describe actions you can take to ensure that WebSphere Application Server performs correctly.
Disable Performance Monitoring Infrastructure (PMI) tracking
By default, WebSphere Application Server has the Performance Monitoring Infrastructure (PMI) enabled and set at the Basic level. At this level, URIRequestCount and URIServiceTime monitoring is enabled. These settings cause performance problems when using the Console GUI because of the unique URLs that are generated for that interface. To prevent performance degradation, either disable PMI entirely or disable these specific PMI flags. Complete these steps:
1. Log in to the WebSphere administrative console.
2. From the left navigation pane, click Monitoring and Tuning > Performance Monitoring Infrastructure (PMI).
3. Click the name of the server you want to manage.
4. Select Custom and click the Custom link.
5. Select Web Applications from the tree listing.
6. Select URIConcurrentRequests.
7. Select URIRequestCount.
8. Select URIServiceTime.
9. Click Disable at the top of the pane.
10. Click Save to save the configuration.
11. Repeat this procedure for each application server that runs Tivoli Identity Manager.
12. Restart all application servers for the changes to take effect.
Chapter 6. Installing Tivoli Identity Manager
This chapter describes tasks that install and configure the Tivoli Identity Manager
Server in a single-server or a cluster configuration. The installation program installs only the Tivoli Identity Manager Server.
You can also install and configure Tivoli Identity Manager silently. For more
information, see Chapter 8, “Performing a silent installation and configuration of
Tivoli Identity Manager,” on page 87.
Installing Tivoli Identity Manager in a single-server configuration
This section describes tasks that install and configure the Tivoli Identity Manager
Server in a single-server configuration. The installation program installs only the
Tivoli Identity Manager Server.
Before you begin
Before you begin to install Tivoli Identity Manager Server in a single-server environment, complete these tasks:
1. Determine which product DVDs you need to install Tivoli Identity Manager. For an itemization of the DVD contents, refer to a text file such as itim-5.1-dvd-images-operatingsystem.txt that is provided with the DVD image.
2. Ensure that free disk space and memory requirements are met. Additionally, ensure that there is adequate free disk space in the system temp directory and in the WAS_PROFILE_HOME directory. The target computer must meet the computer requirements described in the Tivoli Identity Manager Information Center.
3. Ensure that you have the needed administrative authority. On Windows systems, the logon user ID must be in the Administrators Group. On UNIX systems, the logon user ID must be root.
4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity Manager database.
5. If you are using IBM Tivoli Directory Server, ensure that you have run the middleware configuration utility or that the directory server has loaded the
6. Ensure that the prerequisite applications described in Table 3 are installed and running:
Table 3. Prerequisite applications
Prerequisite                       For more information, see
Database                           Chapter 2, “Installing and configuring a database,” on page 9
Directory server                   Chapter 3, “Installing and configuring a directory server,” on page 27
Directory integrator (optional)    Chapter 4, “Optionally installing IBM Tivoli Directory Integrator,” on page 39
WebSphere Application Server       Chapter 5, “Installing and configuring WebSphere Application Server,” on page 41
Only Tivoli Identity Manager and WebSphere Application Server require installation on the same computer. All other applications can run locally or remotely to the computer on which Tivoli Identity Manager is installed. IBM Tivoli Directory Integrator is an optional component.
7. Ensure that the WebSphere Application Server can be stopped and started before you install the Tivoli Identity Manager Server. To be sure, stop and start the WebSphere Application Server. See Chapter 5, “Installing and configuring WebSphere Application Server,” on page 41 for more information about these steps.
8. Capture the details of your configuration. For a detailed list of configuration parameters, see Appendix D, “Worksheets,” on page 145.
9. If you are upgrading a version of Tivoli Identity Manager that is already on the computer, see Chapter 10, “Upgrading to Tivoli Identity Manager Version 5.1,” on page 105 for more information about protecting Tivoli Identity Manager customizations and data.
Starting the installation wizard
To install the Tivoli Identity Manager Server in a single-server configuration, complete the following steps:
1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server is to be installed.
2. Install the installation program, or insert the Tivoli Identity Manager product DVD into the DVD drive. To locate the correct DVD for your environment, refer to Appendix C, “Installation images and fix packs,” on page 143.
3. To run the installation program, complete these steps:
• Windows:
a. Click Start > Run.
b. Enter the drive and path where the installation program is located and then enter the following command: instwin.exe
The Welcome window opens.
• UNIX/Linux:
a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
b. Enter the following command for the Tivoli Identity Manager installation program:
– AIX: instaix.bin
– Linux: instlinux.bin
– pLinux: instplinux.bin
– zLinux: instzlinux.bin
– Solaris: instsol.bin
The installation program starts and displays the Welcome window.
If you are running the installation program on a UNIX/Linux system that does not have at least 150 MB of free space in the /tmp directory, set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
– Bourne shell (sh), ksh, bash, and zsh:
$ IATEMPDIR=temp_dir
$ export IATEMPDIR
– C shell (csh) and tcsh:
$ setenv IATEMPDIR temp_dir
where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
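As an added example that is not part of the IBM guide, the following POSIX shell script automates the /tmp check above: it measures the free space on the filesystem that holds /tmp and exports IATEMPDIR to an alternate directory only when /tmp falls below the 150 MB the installer needs and the alternate directory exists and is writable. The function names, the ALT_DIR argument and the /your/free/directory path in the usage line are this example's own; the same check applies unchanged to the cluster installation procedure later in this chapter, which sets IATEMPDIR in the same way.

```sh
#!/bin/sh
# Added example (not from the IBM guide): decide whether IATEMPDIR must be set
# before running the Tivoli Identity Manager installer on UNIX/Linux. The
# 150 MB /tmp requirement and the variable name come from the guide; the helper
# names and the alternate directory argument are this example's own choices.

MIN_FREE_MB=150          # installer requirement stated in the guide

# free_mb DIR: print the free space, in MB, of the filesystem holding DIR.
# -P forces the POSIX output layout so the "available" column is stable.
free_mb() {
    df -Pm "$1" | awk 'NR == 2 { print $4 }'
}

# needs_alt_tempdir FREE_MB: succeed when FREE_MB is below the 150 MB minimum.
needs_alt_tempdir() {
    [ "$1" -lt "$MIN_FREE_MB" ]
}

# usable_dir DIR: succeed when DIR exists and the current user can write to it.
# A non-writable IATEMPDIR only fails once the installer starts, so check first.
usable_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# select_tempdir FREE_MB ALT_DIR: print ALT_DIR when /tmp is too small and
# ALT_DIR is usable; print nothing when /tmp is fine; fail when neither works.
select_tempdir() {
    if needs_alt_tempdir "$1"; then
        if usable_dir "$2"; then
            echo "$2"
        else
            echo "alternate temp dir $2 is missing or not writable" >&2
            return 1
        fi
    fi
}

# export_tempdir ALT_DIR: inspect /tmp and export IATEMPDIR when required,
# mirroring the sh/ksh/bash/zsh form shown in the guide.
export_tempdir() {
    free=$(free_mb /tmp)
    chosen=$(select_tempdir "$free" "$1") || return 1
    if [ -n "$chosen" ]; then
        IATEMPDIR=$chosen
        export IATEMPDIR
        echo "/tmp has ${free} MB free; IATEMPDIR=$IATEMPDIR"
    else
        echo "/tmp has ${free} MB free; IATEMPDIR not needed"
    fi
}

# Usage (hypothetical file name and path):
#   . ./iatempdir.sh && export_tempdir /your/free/directory
```

Because the variable must reach the shell that launches the installer, source the script with the dot command rather than running it as a child process, then start instlinux.bin (or the binary for your platform) from that same shell. For csh or tcsh use the setenv form shown above instead; the export line in this script is specific to the Bourne-family shells.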
Completing the installation wizard pages
Use the first set of installation wizard pages to set up the installation.
The dollar sign ($) has special meaning in the installer frameworks used by InstallAnywhere. Avoid using $ in any field values. The installer framework or operating system platform might do variable substitution for the value.
To complete the installation wizard pages, complete these steps:
1. To change the language that is used for the installation wizard pages, select another language from the drop-down list. This choice only affects the installation wizard and not the language version of Tivoli Identity Manager to be installed. Then, click OK.
Note: The license is always shown in the system locale of the machine and not in the installation language selected.
2. Click Next to advance past the copyright and legal text.
3. In the License Agreement window, read the license agreement and decide whether to accept its terms. Optionally click Read non-IBM terms to read the terms of any non-IBM products or to print out the license agreement. To accept the terms and continue with the installation, select Accept, and then click Next.
4. Accept the default ITIM_HOME installation directory, or select Choose to select another directory. Then, click Next.
5. In the Installation Type window, select Single WebSphere Application Server. Then, click Next.
6. The WebSphere Application Server Installation Directory window appears and displays a value for the WebSphere Application Server installation directory, or WAS_HOME, directory. There can be multiple installations of the WebSphere Application Server on a computer. If the directory displayed is not the directory in which you intend to install the Tivoli Identity Manager Server, click Choose, enter the correct directory value, and click Next.
7. From the WebSphere profile selection panel, select from the list the WebSphere Application Server profile name in which Tivoli Identity Manager is to be installed, and click Next.
8. In the next window, verify the following WebSphere Application Server data:
• WebSphere Application Server name, which defaults to server1, where you intend to deploy the Tivoli Identity Manager Server.
• Host name of the computer. Accept the displayed value unless the computer has multiple host names and the WebSphere Application Server is installed under a host name other than the displayed value.
Verify the WebSphere Application Server data and click Next.
9. If WebSphere Application Server administrative security is on, you are prompted to specify the administrator user ID and password. Then click Next.
10. In the Database Type window, select one of the following database types, and then click Next:
• DB2 Database
• Oracle Database
• Microsoft SQL Server (only listed for Windows operating systems)
Caution windows open to prompt you to confirm that these conditions are true:
• If DB2 is selected, click Continue.
• If the Oracle database or the Microsoft SQL server is selected, a window prompts you for the location and name of the JDBC driver. Provide the location and name, and click Next. For more information, see “Installing the Oracle JDBC driver” on page 21 and “Installing the SQL Server JDBC driver” on page 25.
• The directory server version is at the correct level. Confirm that the version is correct and click Continue.
11. A Keystore Password window requires you to specify the keystore password. The keystore password entered here is used to unlock the Tivoli Identity Manager keystore file, which stores the encryption key used to encrypt Tivoli Identity Manager sensitive data. Then, click Next.
12. A window appears to choose whether to install Agentless Adapters on IBM Tivoli Directory Integrator.
The Tivoli Identity Manager installation program installs these POSIX adapters for the following managed resources:
• AIX
• HP-UX
• LDAP
• Linux
• Solaris
Installation programs for the agentless adapters that are installed by the Tivoli Identity Manager installation program are located in the ITIM_HOME\config\adapters directory so that you can reinstall adapters later if needed. Even though the Tivoli Identity Manager installation program installs POSIX adapters, it is recommended that you install the latest adapter profiles. For
Select an option, and click Next.
Note: If IBM Tivoli Directory Integrator is installed remotely, select Do Not Install Agentless Adapters.
13. In the Directory Integrator Home Directory window, enter or confirm the correct directory value, optionally click Choose to enter an alternate location, and click Next.
14. In the Tivoli Common Directory window, accept the default directory that the Tivoli Identity Manager installation program defines, or choose a new one. Then, click Next. Ensure that the directory has at least 25 MB of free space.
The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.
15. In the Single Server Pre-Installation Summary window, review the components to be installed, the Tivoli Identity Manager installation directory, your choice to install agentless adapters, the WebSphere Application Server installation directory, and the required and available free disk space. If everything is acceptable, click Install.
Note: After you click Install, if you click Cancel to cancel the installation, you get a message indicating that Tivoli Identity Manager is not installed. However, files are not automatically cleaned up by this action, and this condition might result in a partial installation. Clean up any partial installation manually before running Install again.
16.
Responding to major installation actions
The Tivoli Identity Manager installation program opens a series of progress windows for additional, major installation actions. Some windows require your input. The installation program installs and configures Tivoli Identity Manager on the WebSphere Application Server, sets up the Tivoli Identity Manager database on the database server, and sets up the LDAP schema and a configuration of data on the directory server.
The major installation actions include these steps:
1. Copying Tivoli Identity Manager files to the target computer.
The installation program copies Tivoli Identity Manager files to the ITIM_HOME directory.
2. Ensuring that the WebSphere Application Server is running.
The WebSphere Application Server must be running to allow Tivoli Identity Manager deployment and configuration to occur. The Tivoli Identity Manager installation program verifies the status of the WebSphere Application Server. If the WebSphere Application Server is not running, the Tivoli Identity Manager installation program attempts to start the WebSphere Application Server.
An error message appears if the Tivoli Identity Manager installation program fails to start the WebSphere Application Server. If an error occurs, you can do either of these steps:
• Quit the installation program and complete these steps:
a. Resolve the problem that prevents starting the WebSphere Application Server.
b. Manually delete all files in the ITIM_HOME directory.
c. Run the Tivoli Identity Manager installation program again.
• Continue the installation program after you ensure that you can manually start and stop the WebSphere Application Server without error. Complete these steps:
a. Stop the WebSphere Application Server:
– Windows operating systems: "WAS_PROFILE_HOME\bin\stopServer.bat servername"
– UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/stopServer.sh servername
b. Start the WebSphere Application Server:
– Windows operating systems: "WAS_PROFILE_HOME\bin\startServer.bat servername"
– UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/startServer.sh servername
c. Proceed to the next step in the Tivoli Identity Manager installation program.
3. Gathering database data and configuring the database.
In this step, the Tivoli Identity Manager installation program sets up the Tivoli Identity Manager database. For more information, see “Configuring the Tivoli Identity Manager database” on page 75.
If an error occurs, examine the error and provide a corrective action. There is more information in the ITIM_HOME\install_logs\dbConfig.stdout log file. You might need to refer to documentation that the database product provides.
Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
a. Save the current log data by renaming the ITIM_HOME\install_logs\dbConfig.stdout log file.
b. Make sure that the Tivoli Identity Manager messaging engine is not running. Log in to the WebSphere administrative console, and complete these steps:
1) Click Service Integration > Buses.
2) Click itim_bus, if it exists.
3) In the Topology section, click Messaging engines.
For a single-server installation, you see an engine named nodename.servername-itim_bus.
For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. The additional messaging engine is used for the Tivoli Identity Manager messaging cluster.
4) Select one or more messaging engines and click Stop.
c. When the correction is complete, use this command to configure the Tivoli Identity Manager database:
• Windows: ITIM_HOME\bin\DBConfig.exe
• UNIX/Linux: ITIM_HOME/bin/DBConfig
New log data is recorded in the ITIM_HOME\install_logs\dbConfig.stdout log file.
Note: The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set up, running the DBConfig command first drops all the existing Tivoli Identity Manager tables.
4. Gathering directory server data and configuring the directory server.
In this step, the Tivoli Identity Manager installation program sets up the LDAP schema and the default data entries for Tivoli Identity Manager. For more information, see “Configuring the directory server” on page 76.
If an error occurs, record the error message that is displayed. The message might describe a problem in setting up the LDAP schema or creating a configuration of data on the directory server.
Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\ldapConfig.stdout log file. You might also need to refer to documentation that the directory server product provides.
b. Save the current log data by renaming the ITIM_HOME\install_logs\ldapConfig.stdout log file.
c. When the correction is complete, use this command to configure the directory server:
• Windows operating systems: ITIM_HOME\bin\ldapConfig.exe
• UNIX or Linux operating systems: ITIM_HOME/bin/ldapConfig
New log data is recorded in the ITIM_HOME\install_logs\ldapConfig.stdout log file.
Note: Running the ldapConfig command restores the default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the itim manager user ID, the value is overwritten. Do not run the ldapConfig command a second time unless the LDAP configuration fails during the Tivoli Identity Manager Server installation process.
5. Gathering Tivoli Identity Manager data and configuring the Tivoli Identity Manager Server.
The Tivoli Identity Manager installation program copies a set of Tivoli Identity Manager property files to the ITIM_HOME\data directory. During this step, you can use the GUI to change some of the Tivoli Identity Manager properties. For more information, see “Configuring commonly used system properties” on page 77.
The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. This step takes several minutes to complete.
If an error occurs, record the error message that is displayed. The message might describe a problem in configuring the WebSphere environment settings that the Tivoli Identity Manager Server requires.
Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\runConfigFirstTime.stdout log file. You might also need to refer to documentation that the WebSphere product provides.
b. When the correction is complete, use this command. To update commonly used Tivoli Identity Manager properties, run the following command:
• Windows: ITIM_HOME\bin\runConfig.exe
• UNIX/Linux: ITIM_HOME/bin/runConfig
The runConfig utility also accepts an install parameter. Use runConfig with the install parameter when there is a problem reported for runConfig during the Tivoli Identity Manager installation. Note that system configuration requires several minutes to complete if the install option is used.
• Windows: ITIM_HOME\bin\runConfig.exe install
• UNIX/Linux: ITIM_HOME/bin/runConfig install
New log data is recorded in the ITIM_HOME\install_logs\runConfig.stdout log file.
6. Deploying the Tivoli Identity Manager Server onto the WebSphere Application Server.
The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the WebSphere Application Server. Deploying the Tivoli Identity Manager application also performs certain configuration steps on the WebSphere Application Server. These steps require several minutes to complete.
When the deployment completes, the Tivoli Identity Manager files are in these directories:
• WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
• WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
Note: For the deployment manager node, these files are only in the WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear directory.
If the log data indicates failure to establish a SOAP connection to the WebSphere Application Server configuration manager, or some type of WebSphere Application Server scripting error, complete these steps:
a. Exit the Tivoli Identity Manager installation program.
b. Resolve the problem that prevents connection to the WebSphere Application Server or a problem described as a scripting error. For more information, refer to the WebSphere documentation.
c. Manually delete all files in the ITIM_HOME directory.
d. Run the Tivoli Identity Manager installation program again.
If the log data indicates that the failure is due to a timeout, continue the Tivoli Identity Manager installation program. If the Tivoli Identity Manager installation program has completed, delete the following directories if they exist:
• WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
• WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:
• If WebSphere administrative security and application security are on, run this command:
ITIM_HOME\bin\setupEnrole install server:server_name user:user_id password:pwd ejbuser:ejb_user_id
The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.
• If WebSphere administrative security and application security are off, enter this command:
ITIM_HOME\bin\setupEnrole install server:server_name
The default value of server_name is server1.
7. Restart the WebSphere Application Server to make the new WebSphere Application Server configuration available after completing the Tivoli Identity Manager Server installation.
If an error message indicates failure to restart the WebSphere Application Server, complete the installation and then attempt to restart the WebSphere Application Server. To restart the WebSphere Application Server, complete these steps:
a. Stop the WebSphere Application Server:
• Windows, run the following command: WAS_HOME\bin\stopServer.bat server_name
• UNIX/Linux, run the following command: WAS_HOME/bin/stopServer.sh server_name
The value of server_name is the name of the WebSphere Application Server. For example, server1.
b. Start the WebSphere Application Server:
• Windows, run the following command: WAS_PROFILE_HOME\bin\startServer.bat server_name
• UNIX/Linux, run the following command: WAS_PROFILE_HOME/bin/startServer.sh server_name
The value of server_name is the name of the WebSphere Application Server. For example, server1.
For more information, see “Verifying that the Tivoli Identity Manager Server is operational.”
Verifying that the Tivoli Identity Manager Server is operational
To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:
1. Ensure that the WebSphere Application Server is running.
Start the WebSphere administrative console. In a browser, enter this Web address: http://hostname:port/ibm/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060. If you have multiple instances of the WebSphere Application Server on the same computer, the port number might be a different value, such as 9061.
2. On the WebSphere administrative console, click Applications > Enterprise Application and verify that the Tivoli Identity Manager Server is running. For additional steps to verify that the Tivoli Identity Manager Server and other processes are running, see Chapter 9, “Verifying and troubleshooting the installation,” on page 95.
3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, in a browser window, enter this address: http://hostname:port/itim/console/
The value of hostname is the host name of the WebSphere Application Server. The value of port is the default port number of the WebSphere virtual host. The default port number is 9080. If you have multiple installations of the WebSphere Application Server on the same system, this port number might have a different value, such as 9081. The port number can be removed if an HTTP server is used as the front-end proxy.
The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli Identity Manager Server administrator user ID (itim manager) and password (immediately after installation, the value is secret).
4. After successfully logging on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity Manager Server using the IBM HTTP Server, if the IBM HTTP Server and the WebSphere Web Server plug-in are installed and configured. Log on at this address: http://hostname:port/itim/console
The value of hostname is the host name of the IBM HTTP Server. The value of port is the port number of the WebSphere virtual host. The default port number is 9080. The port number can be removed if an HTTP server is used as the front-end proxy.
5. After a first, successful logon, the logon window immediately prompts you to change the administrator password. Ensure that your password change is successful. After you change the password, you are ready to create your organization object and a user that is termed an ITIM User.
To perform optional post-installation tasks, see “Optional post-installation tasks” on page 71.
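The following script is an added example, not from the IBM guide, that turns steps 1 and 3 of the verification above into a repeatable command-line check using curl. It builds the two addresses shown above from a host name and the two port numbers (9060 for the administrative console and 9080 for the Tivoli Identity Manager console by default), fetches each, and treats an HTTP 200 or a 3xx redirect to the logon page as a running server; anything else, including the 000 that curl reports when no connection can be made, is a failure. Treating redirects as success, the function names, and the ITIM_HOST, ITIM_ADMIN_PORT and ITIM_APP_PORT variables are this example's assumptions, and itim.example.com in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the IBM guide): probe the two URLs the guide uses to
# verify a single-server installation, the WebSphere administrative console on
# port 9060 and the Tivoli Identity Manager console on port 9080. Host name and
# ports are parameters. Which HTTP codes count as "up" is this example's
# assumption: the logon pages answer 200, and a redirect (3xx) to the logon
# page also proves the server is answering.

# itim_url HOST PORT PATH: build the address in the form the guide shows.
itim_url() {
    echo "http://$1:$2$3"
}

# http_code URL: print the HTTP status code curl received; 000 means no
# response at all (server down, wrong port, firewall, or curl not installed).
http_code() {
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" 2>/dev/null) || true
    echo "${code:-000}"
}

# code_accepted CODE: succeed for 200 or any 3xx redirect, fail otherwise.
code_accepted() {
    case "$1" in
        200|3[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_url LABEL URL: print one line per probe; fail when the code is not accepted.
check_url() {
    code=$(http_code "$2")
    if code_accepted "$code"; then
        echo "OK   $1 ($2) -> HTTP $code"
    else
        echo "FAIL $1 ($2) -> HTTP $code"
        return 1
    fi
}

# verify_itim HOST ADMIN_PORT APP_PORT: run both checks; non-zero if either fails.
verify_itim() {
    rc=0
    check_url "WebSphere administrative console" "$(itim_url "$1" "$2" /ibm/console)" || rc=1
    check_url "Tivoli Identity Manager console" "$(itim_url "$1" "$3" /itim/console/)" || rc=1
    return $rc
}

# Usage (placeholder host): ITIM_HOST=itim.example.com sh verify_itim.sh
# Nothing runs unless ITIM_HOST is set, so the file can be sourced for its functions.
if [ -n "${ITIM_HOST:-}" ]; then
    verify_itim "$ITIM_HOST" "${ITIM_ADMIN_PORT:-9060}" "${ITIM_APP_PORT:-9080}"
fi
```

A successful probe only shows that both consoles answer; it does not replace the interactive logon in steps 3 and 5, and in particular it does not confirm that the forced password change for itim manager has been completed. Where an HTTP server front end is configured, run the same check a second time against the IBM HTTP Server address from step 4 so that the plug-in path is verified as well.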
Installing Tivoli Identity Manager in a cluster configuration
This section describes installing and configuring Tivoli Identity Manager in a cluster configuration. Before continuing, read “Configuration options” on page 4. For required application versions and fix packs, refer to the Tivoli Identity Manager Information Center.
Before you begin
Before you begin to install Tivoli Identity Manager Server in a cluster configuration, complete these tasks:
1. Determine which product DVDs you need to install Tivoli Identity Manager. For an itemization of the DVD contents, refer to a text file such as itim-5.0-dvd-images-operatingsystem.txt that is provided with the DVD image.
2. Ensure that free disk space and memory requirements are met on every computer in the cluster. Additionally, ensure that there is adequate free disk space in the system temp directory and in the WAS_PROFILE_HOME and WAS_NDM_PROFILE_HOME directories. The target computers must meet the computer requirements described in the Tivoli Identity Manager Information Center.
3. Ensure that you have the needed administrative authority. On Windows systems, the logon user ID must be in the Administrators Group. On UNIX systems, the logon user ID must be root.
4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity Manager database.
5. In a cluster, the name of the Tivoli Identity Manager installation directory must be the same for all cluster members. Specify an identical directory to avoid later runtime difficulties in identity feed activities on different cluster member computers.
6. If you are using IBM Tivoli Directory Server, ensure that you have run the middleware configuration utility or that the directory server has loaded the
7. Ensure that the prerequisite applications described in Table 4 are running:
Table 4. Prerequisites that must be running
Prerequisite                       For more information
Database                           Chapter 2, “Installing and configuring a database,” on page 9
Directory server                   Chapter 3, “Installing and configuring a directory server,” on page 27
Directory integrator (optional)    Chapter 4, “Optionally installing IBM Tivoli Directory Integrator,” on page 39
WebSphere Application Server       Chapter 5, “Installing and configuring WebSphere Application Server,” on page 41
Only Tivoli Identity Manager and WebSphere Application Server require installation on the same computer. All other applications can run locally or remotely to the computer on which Tivoli Identity Manager is installed. IBM Tivoli Directory Integrator is an optional component.
8. Determine that the WebSphere Application Server cell and cluster are ready for Tivoli Identity Manager installation. Complete the steps to construct a WebSphere Application Server cell and a cluster, described in “Installing WebSphere Application Server in a cluster environment” on page 43.
These processes must be running before and after you install the Tivoli Identity Manager Server:
• Deployment manager
• WebSphere Application Server node agents
9. Capture the details of your configuration. For a detailed list of configuration parameters, see Appendix D, “Worksheets,” on page 145.
10. If you are upgrading a version of Tivoli Identity Manager that is already on the computer, see Chapter 10, “Upgrading to Tivoli Identity Manager Version 5.1,” on page 105 for more information about protecting Tivoli Identity Manager customizations and data.
Overview of the installation program in a cluster configuration
Installation in a cluster configuration requires that you install the Tivoli Identity Manager Server on the following computers:
• The deployment manager
Install the Tivoli Identity Manager Server on the computer that has the deployment manager before you install the Tivoli Identity Manager Server on cluster nodes. The deployment of the Tivoli Identity Manager application and the configuration of the database and the directory server for Tivoli Identity Manager occur during this installation. The deployment manager distributes and expands the Tivoli Identity Manager application to all cluster member computers.
• Cluster members
Repeat the steps in this chapter to install the Tivoli Identity Manager Server on each computer that is a cluster member. The installation program does these tasks:
– Copies Tivoli Identity Manager files to the target computer
– Configures the WebSphere Application Server that hosts the cluster member
Installing the Tivoli Identity Manager Server on clusters must be done sequentially, one computer at a time. Running the Tivoli Identity Manager installation program simultaneously on more than one computer might result in synchronization problems with the WebSphere master configuration file.
Note: If the same computer has both the deployment manager and a Tivoli Identity Manager cluster member, you must select both the deployment manager and the cluster member node types when you run the Tivoli Identity Manager installation program.
Starting the installation wizard
To install Tivoli Identity Manager Server in a cluster configuration, complete the following steps:
1. Log on to an account with system administration privileges on the computer where the Tivoli Identity Manager Server is to be installed.
2. Install the installation program, or insert the Tivoli Identity Manager product DVD into the DVD drive. To locate the correct DVD for your environment, refer to Appendix C, “Installation images and fix packs,” on page 143.
3. To run the installation program, complete these steps:
• Windows:
a. Click Start > Run.
b. Enter the drive and path where the installation program is located and then enter the following command: instwin.exe
The Welcome window opens.
• UNIX/Linux:
a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
b. Enter the following command for the Tivoli Identity Manager installation program:
– AIX: instaix.bin
– Linux: instlinux.bin
– pLinux: instplinux.bin
– zLinux: instzlinux.bin
– Solaris: instsol.bin
The installation program starts and displays the Welcome window.
If you are running the installation program on a UNIX/Linux system that does not have at least 150 MB of free space in the /tmp directory, set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
– Bourne shell (sh), ksh, bash, and zsh:
$ IATEMPDIR=temp_dir
$ export IATEMPDIR
– C shell (csh) and tcsh:
$ setenv IATEMPDIR temp_dir
where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
Completing the installation wizard pages
Use the first set of installation wizard pages to set up the installation.
The dollar sign ($) has special meaning in the installer frameworks used by InstallAnywhere. Avoid using $ in any field values. The installer framework or operating system platform might do variable substitution for the value.
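The two cautions above (150 MB of temporary space for the installer, and no dollar sign in wizard field values) are easy to check before the wizard is started. The following POSIX shell script is an added example written for this page, not IBM's code and not part of the installer: the 150 MB figure is taken from the guide, while the function names and the --run flag are assumptions made here. It reports which directory IATEMPDIR should point at and flags any planned field value that contains a $ without echoing the value itself (field values can be passwords).

```shell
#!/bin/sh
# Added example, not IBM's code: preflight checks before starting the
# InstallAnywhere-based Tivoli Identity Manager installer.
#   1. Does /tmp (or another candidate directory) have the 150 MB the guide
#      requires? If not, the chosen directory is what IATEMPDIR should name.
#   2. Do the values you plan to type into wizard fields contain a '$', which
#      the installer framework or the platform may expand?
# The 150 MB figure is from the guide; function names and the --run flag are
# assumptions made for this example.

# free_kb DIR: print the free kilobytes on the file system that holds DIR.
# df -P selects the POSIX single-line layout, so "Available" is always field 4.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# check_temp_space DIR REQUIRED_MB: succeed when DIR exists and has at least
# REQUIRED_MB free.
check_temp_space() {
    dir=$1
    required_kb=$(( $2 * 1024 ))
    [ -d "$dir" ] || return 1
    avail=$(free_kb "$dir")
    [ -n "$avail" ] && [ "$avail" -ge "$required_kb" ]
}

# suggest_iatempdir REQUIRED_MB [DIR...]: print /tmp if it qualifies, otherwise
# the first listed directory that does; fail when none qualifies.
suggest_iatempdir() {
    required_mb=$1
    shift
    for candidate in /tmp "$@"; do
        if check_temp_space "$candidate" "$required_mb"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# has_dollar VALUE: succeed when VALUE contains a dollar sign.
has_dollar() {
    case $1 in
        *\$*) return 0 ;;
        *)    return 1 ;;
    esac
}

# check_field_values VALUE...: report (by position, never by content) every
# value that contains '$'; fail if any does.
check_field_values() {
    bad=0
    i=0
    for value in "$@"; do
        i=$((i + 1))
        if has_dollar "$value"; then
            echo "field value $i contains a dollar sign; choose another value" >&2
            bad=1
        fi
    done
    return $bad
}

# Stand-alone use: sh preflight.sh --run [/other/partition ...]
if [ "${1:-}" = "--run" ]; then
    shift
    if dir=$(suggest_iatempdir 150 "$@"); then
        echo "IATEMPDIR=$dir; export IATEMPDIR"
    else
        echo "no candidate directory has 150 MB free" >&2
        exit 1
    fi
fi
```

Run it with --run and any spare partitions as arguments before starting instlinux.bin (or the other UNIX installers); the printed assignment is the one to paste into the shell. check_field_values can be called from the same shell with the planned ITIM_HOME, cluster names and user IDs as arguments.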
To complete the installation wizard pages, complete these steps:
1. To change the language that is used for the installation wizard pages, select another language from the drop-down list. This choice only affects the installation wizard and not the language version of Tivoli Identity Manager to be installed. Then, click OK.
Note: The license is always shown in the system locale of the machine and not the installation language selected.
2. Click Next to advance past the copyright and legal text.
3. In the License Agreement window, read the license agreement and decide whether to accept its terms. Optionally click Read non-IBM terms to read the terms of any non-IBM products or to print out the license agreement. To accept the terms and continue with the installation, select Accept, and then click Next.
4. Accept the default ITIM_HOME installation directory, or select Choose to select another directory. Then, click Next.
5. In the Installation Type window, select Regular WebSphere cluster. Then, click Next.
6. In the Installing Tivoli Identity Manager on a Cluster Environment window, read the conditions that apply to a cluster environment. Before continuing, apply any other changes that are necessary to configure the environment for these conditions. For example, verify that the deployment manager and all
Then, click Next.
The Database Type window opens.
7. In the Choose Cluster Node Type window, select one or both of these node types:
• Deployment manager
You must install Tivoli Identity Manager first on the computer that has the deployment manager.
• Cluster member
Install Tivoli Identity Manager on every cluster member that does not reside on the same computer as the deployment manager, after you install Tivoli Identity Manager on the computer that has the deployment manager. If you have the deployment manager and a Tivoli Identity Manager cluster member on the same computer, you must select both node types.
8. The WebSphere Application Server Installation Directory window appears and displays a value for a WAS_HOME directory. There can be multiple installations of the WebSphere Application Server on a computer. If the WAS_HOME directory is not the directory in which you intend to install the Tivoli Identity Manager Server, enter the correct directory value. Click Next.
9. If you selected a cluster member for the Tivoli Identity Manager installation, select the WebSphere Application Server profile that hosts the cluster member.
10. If you selected the deployment manager for the Tivoli Identity Manager installation, select from the list the WebSphere Application Server profile name of the network deployment manager in which Tivoli Identity Manager is to be installed, and click Next.
11. If you selected the deployment manager for the Tivoli Identity Manager installation, caution windows open to prompt you to confirm that the directory server version is at the correct level. Confirm that the version is correct and click Next.
12. In the data window that requests the cluster name, enter the names of both the Tivoli Identity Manager application cluster and the messaging cluster you created. Then, click Next.
13. A window opens to prompt you to verify the host name of the computer. Accept the displayed value unless the computer has multiple host names, and either the deployment manager or the WebSphere Application Server is installed under a host name other than the displayed value. Verify the WebSphere Application Server data and click Next.
14. If WebSphere Application Server administrative security is on, specify the administrator user ID and password, and click Next.
15. In the Database Type window, select one of the following database types, and then click Next:
• DB2 Database
• Oracle Database
If the Oracle database is selected, another window prompts you for the location and name of the Oracle JDBC driver. Provide the location and name, and click Next. For more information, see “Installing the Oracle JDBC driver” on page 21.
• Microsoft SQL Server (only listed for Windows operating systems)
If Microsoft SQL Server is selected, another window prompts you for the location and name of the JDBC driver. Provide the location and name, and click Next. For more information, see “Installing the SQL Server JDBC driver” on page 25.
16. If you are installing Tivoli Identity Manager on a cluster member, the Directory Server Information window opens. On cluster members, complete the window containing LDAP fields. This window does not appear during Tivoli Identity Manager installation on the computer that has the deployment manager. Enter organization data in the fields in the window. For every cluster member, the information must be identical and must match the LDAP specification that was entered during Tivoli Identity Manager installation on the deployment manager. Click Next.
17. A Keystore Password window requires you to specify the keystore password. The keystore password entered here is used to unlock the Tivoli Identity Manager keystore file, which stores the encryption key used to encrypt Tivoli Identity Manager sensitive data. When you have entered the password, click Next.
Tivoli Identity Manager creates the keystore file itim_keystore.jceks at the deployment manager node under the WAS_NDM_PROFILE\config\cells\cell_name\itim directory. This file then propagates to all cluster member nodes in the WAS_PROFILE_HOME\config\cells\cell_name\itim directory. The installer verifies the keystore password by attempting to open the keystore when installing Tivoli Identity Manager at the cluster member node (except when the deployment manager node and cluster member node are on the same computer). If the password is not correct, or the keystore file is not present, an error message occurs. If the keystore file is not present, copy the file from the deployment manager node to the cluster member node, and click Next again.
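Because itim_keystore.jceks holds the key that protects all Tivoli Identity Manager sensitive data, a cluster member must carry exactly the file the deployment manager created, not a stale or hand-edited copy. The following POSIX shell script is an added example for this page, not IBM's code and not part of the installer. It compares the two copies by digest, explains the result in the terms the step above uses, and, when a JDK keytool is on the PATH, performs the same open-the-keystore check the installer performs. The file paths are assumptions that follow the pattern the guide gives (WAS_NDM_PROFILE\config\cells\cell_name\itim on the deployment manager, WAS_PROFILE_HOME\config\cells\cell_name\itim on each member); the function names and return codes are chosen here.

```shell
#!/bin/sh
# Added example, not IBM's code: check that the itim_keystore.jceks on a cluster
# member is byte-for-byte the file the deployment manager created, and, when a
# JDK keytool is available, that the keystore password opens it.
# Paths, function names and return codes are assumptions made for this example.

# sha_of FILE: print a digest using whichever checksum tool is available.
sha_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        cksum "$1" | awk '{ print $1 }'
    fi
}

# compare_keystore DM_FILE MEMBER_FILE
#   0 = member copy present and identical to the deployment manager copy
#   1 = member copy missing (copy it from the deployment manager, then click Next again)
#   2 = member copy differs (stale or edited; replace it with the deployment manager copy)
#   3 = deployment manager copy missing (installation on the deployment manager did not complete)
compare_keystore() {
    dm=$1
    member=$2
    [ -f "$dm" ] || return 3
    [ -f "$member" ] || return 1
    [ "$(sha_of "$dm")" = "$(sha_of "$member")" ] || return 2
    return 0
}

# explain CODE: print the meaning of a compare_keystore return code.
explain() {
    case $1 in
        0) echo "keystore matches the deployment manager copy" ;;
        1) echo "keystore missing on cluster member: copy it from the deployment manager" ;;
        2) echo "keystore on cluster member differs from the deployment manager copy" ;;
        3) echo "keystore missing on the deployment manager" ;;
        *) echo "unknown result $1" ;;
    esac
}

# keystore_opens FILE PASSWORD: succeed when keytool can list the JCEKS keystore
# with PASSWORD (the check the installer performs); return 2 when keytool is absent.
# For interactive use prefer keytool's -storepass:env form so the password does
# not appear in process listings.
keystore_opens() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -storetype JCEKS -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Stand-alone use: sh keystore_check.sh --run DM_KEYSTORE MEMBER_KEYSTORE
if [ "${1:-}" = "--run" ]; then
    compare_keystore "$2" "$3"
    rc=$?
    explain "$rc"
    exit "$rc"
fi
```

Run it on the cluster member with the deployment manager's copy made available (for example over scp to a temporary location) before clicking Next again; a non-zero result tells you which of the two corrective actions in the step above applies.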
18. A window appears to choose whether to install agentless adapters on IBM Tivoli Directory Integrator.
The Tivoli Identity Manager installation program installs these POSIX adapters for the following managed resources:
• AIX
• HP-UX
• LDAP
• Linux
• Solaris
Installation programs for the agentless adapters that are installed by the Tivoli Identity Manager installation program are located in the ITIM_HOME\config\adapters directory. You can reinstall adapters later if needed. For more
Select an option, and click Next.
Note: If IBM Tivoli Directory Integrator is installed remotely, select Do Not Install Agentless Adapters.
19. In the Location of IBM Tivoli Directory Integrator window, enter or confirm the correct directory value, click Choose, and click Next.
20. In the Tivoli Common Directory window, accept the default directory for the Tivoli Common Directory that the Tivoli Identity Manager installation program defines, or choose a new one. For more information about directory paths, see “Definitions for HOME and other directory variables” on page xii. Then, click Next. Ensure that the directory has at least 25 MB of free space.
The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.
21. In the Pre-install Summary window, review the components to be installed, the required free disk space, and the Tivoli Identity Manager installation directory. If everything is acceptable, click Install.
Note: After you click Install, if you click Cancel to cancel the installation, you get a message indicating that Tivoli Identity Manager is not installed. However, files are not automatically cleaned up by this action. This condition might result in a partial installation. Clean up any partial installation manually before running Install again.
22.
Responding to major installation actions
The Tivoli Identity Manager installation program opens a series of progress windows for additional, major installation actions. Some windows require your input. The installation program installs and configures the Tivoli Identity Manager application on the WebSphere Application Server, sets up the Tivoli Identity Manager database on the database server, and sets up the LDAP schema and a configuration of data on the directory server.
The major installation actions include these steps:
1. Copying Tivoli Identity Manager files to the target computer.
The installation program copies Tivoli Identity Manager files to the ITIM_HOME directory.
2. If installation is on the deployment manager, the next step is gathering database data and configuring the database.
In this step, the Tivoli Identity Manager installation program sets up the Tivoli Identity Manager database and configures the JDBC driver provider in the WebSphere Application Server. For more information, see “Configuring the Tivoli Identity Manager database” on page 75.
If an error occurs, examine the error and provide a corrective action. There is more information in the ITIM_HOME\install_logs\dbConfig.stdout log file. You might need to refer to documentation that the database product or the WebSphere product provides.
Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
a. Save the current log data by renaming the ITIM_HOME\install_logs\dbConfig.stdout log file.
b. Make sure that the Tivoli Identity Manager messaging engine is not running. Log in to the WebSphere administrative console, and complete these steps:
1) Click Service Integration > Buses.
2) Click itim_bus, if it exists.
3) In the Topology section, click Messaging engines.
For a single-server installation, you see an engine named nodename.servername-itim_bus.
For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. The additional messaging engine is used for the Tivoli Identity Manager messaging cluster.
4) Select one or more messaging engines and click Stop.
c. When the correction is complete, type this command to configure the Tivoli Identity Manager database:
• Windows: ITIM_HOME\bin\DBConfig.exe
• UNIX/Linux: ITIM_HOME/bin/DBConfig
New log data is recorded in the ITIM_HOME\install_logs\dbConfig.stdout log file.
Note: The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set up, running the DBConfig command first drops all the existing Tivoli Identity Manager tables.
3. If installation is on the deployment manager, the next step is gathering directory server data and configuring the directory server.
In this step, the Tivoli Identity Manager installation program sets up the LDAP schema and defines default settings for Tivoli Identity Manager. For more information, see “Configuring the directory server” on page 76.
If an error occurs, record the error message. The message might describe a problem in setting up the LDAP schema or creating a configuration of data on the directory server.
Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\ldapConfig.stdout log file. You might also need to refer to documentation that the directory server product provides.
b. Save the current log data by renaming the ITIM_HOME\install_logs\ldapConfig.stdout log file.
c. When the correction is complete, use these commands to configure the directory server:
• Windows operating systems: ITIM_HOME\bin\ldapConfig.exe
• UNIX or Linux operating systems: ITIM_HOME/bin/ldapConfig
New log data is recorded in the ITIM_HOME\install_logs\ldapConfig.stdout log file.
Note: Running the ldapConfig command restores the default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the itim manager user ID, the value is overwritten. Do not run the ldapConfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager Server installation process.
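Both re-run procedures above (DBConfig in step 2 and ldapConfig in step 3) share the same shape: save the previous stdout log by renaming it, then run the configurator, with the warning that DBConfig drops existing Tivoli Identity Manager tables and ldapConfig overwrites changed attributes such as the itim manager password. The following POSIX shell wrapper is an added example for this page, not IBM's code and not shipped with the product. It rotates the log to a timestamped name so the evidence of the first failure survives, and refuses to start the configurator without an explicit acknowledgement string (a value chosen here for the example). It reads ITIM_HOME from the environment and uses the binary and log names the guide lists; stopping the messaging engine before DBConfig remains a console step that the wrapper does not perform.

```shell
#!/bin/sh
# Added example, not IBM's code: guarded re-run of DBConfig or ldapConfig after
# a failed installation step. It rotates the previous stdout log (the guide
# says to rename it) and requires an explicit acknowledgement because DBConfig
# drops existing ITIM tables and ldapConfig resets ITIM defaults.
# ITIM_HOME comes from the environment; the acknowledgement string, function
# names and return codes are assumptions made for this example.

# rotate_log FILE: rename FILE to FILE.<UTC timestamp> and print the new name.
# Succeeds when FILE does not exist (nothing to rotate is not an error).
rotate_log() {
    log=$1
    [ -f "$log" ] || return 0
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    rotated="$log.$stamp"
    n=0
    # Do not clobber an earlier rotation made within the same second.
    while [ -e "$rotated" ]; do
        n=$((n + 1))
        rotated="$log.$stamp.$n"
    done
    mv "$log" "$rotated" && printf '%s\n' "$rotated"
}

# rerun_config TOOL ACK: TOOL is "db" or "ldap". ACK must be the literal
# "I-UNDERSTAND-DATA-WILL-BE-RESET" before anything runs.
# Returns 64 on bad usage, 65 if ITIM_HOME is unset, 66 without the
# acknowledgement, otherwise the configurator's own exit status.
rerun_config() {
    tool=$1
    ack=${2:-}
    case $tool in
        db)   bin=DBConfig;   log=dbConfig.stdout ;;
        ldap) bin=ldapConfig; log=ldapConfig.stdout ;;
        *)    echo "usage: rerun_config db|ldap ACK" >&2; return 64 ;;
    esac
    [ -n "${ITIM_HOME:-}" ] || { echo "ITIM_HOME is not set" >&2; return 65; }
    if [ "$ack" != "I-UNDERSTAND-DATA-WILL-BE-RESET" ]; then
        echo "refusing: $bin resets existing Tivoli Identity Manager data; pass the acknowledgement" >&2
        return 66
    fi
    rotate_log "$ITIM_HOME/install_logs/$log"
    "$ITIM_HOME/bin/$bin"
}

# Stand-alone use: ITIM_HOME=/opt/IBM/itim sh rerun_config.sh --run db I-UNDERSTAND-DATA-WILL-BE-RESET
if [ "${1:-}" = "--run" ]; then
    shift
    rerun_config "$@"
fi
```

On Windows the same two steps apply with DBConfig.exe and ldapConfig.exe; the wrapper is written for the UNIX/Linux paths the guide gives.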
4. If installation is on the deployment manager or on a cluster member, the Tivoli Identity Manager installation program copies a set of Tivoli Identity Manager property files to the ITIM_HOME directory. During this step, you can use the GUI to change some of the Tivoli Identity Manager properties.
If the installation is on a cluster member, ensure that the directory and database connection information that you enter on the Directory tab and the Database tab match the information that you entered on these tabs when you configured the deployment manager. The default database user ID is itimuser. The user ID password is the password that is used for the user ID itimuser during the deployment manager setup. The user ID and password used for the cluster member must be the same as the user ID and password used on the deployment manager. Tivoli Identity Manager does not function properly if
The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. This step takes several minutes to complete.
If an error occurs, record the error message. The message might describe a problem in configuring the WebSphere environment settings that the Tivoli Identity Manager Server requires.
Continue the Tivoli Identity Manager installation program. When the installation completes, complete these steps:
a. Examine the errors and provide a corrective action. There is more information in the ITIM_HOME\install_logs\runConfigFirstTime.stdout log file. You might also need to refer to documentation that the WebSphere product provides.
b. When the correction is complete, enter one of the following commands.
To update commonly used Tivoli Identity Manager properties, run the following command:
• Windows: ITIM_HOME\bin\runConfig.exe
• UNIX/Linux: ITIM_HOME/bin/runConfig
The runConfig utility also accepts an install parameter. Use runConfig with the install parameter when a problem is reported for runConfig during the Tivoli Identity Manager installation. Note that system configuration requires several minutes to complete if the install option is used.
• Windows: ITIM_HOME\bin\runConfig.exe install
• UNIX/Linux: ITIM_HOME/bin/runConfig install
New log data is recorded in the ITIM_HOME\install_logs\runConfig.stdout log file.
5. Deploying Tivoli Identity Manager onto the deployment manager.
The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the deployment manager.
The Tivoli Identity Manager installation program also configures the WebSphere environment settings that the Tivoli Identity Manager Server requires. The deployment takes several minutes to complete.
When the deployment completes, the Tivoli Identity Manager files are in the WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear directory.
If the deployment fails, an error message provides the location of the setupEnrole.stdout log file. Examine the errors in the setupEnrole.stdout log file. Then, complete these tasks:
• If the log data indicates failure to create a SOAP connection to the deployment manager, or some type of deployment manager scripting error, complete these steps:
a. Exit the Tivoli Identity Manager installation program.
b. Resolve the problem that prevents connection to the WebSphere Application Server or a problem described as a scripting error. For more information, refer to the WebSphere documentation.
c. Manually delete all files in the ITIM_HOME directory.
d. Run the Tivoli Identity Manager installation program again.
• If the log data indicates that the failure is due to a timeout, continue the Tivoli Identity Manager installation program. When installation finishes, complete these steps:
a. If the WAS_NDM_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear directory was created, delete the directory on the computer that has the deployment manager.
b. Run one of the following commands to deploy the Tivoli Identity Manager Server onto the deployment manager:
– If WebSphere administrative security and application security are on, run this command:
ITIM_HOME\bin\setupEnrole install user:user_id password:pwd ejbuser:ejb_user_id
The value of server_name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.
– If WebSphere administrative security and application security are off, enter this command:
ITIM_HOME\bin\setupEnrole install
6. Restart the cluster. For more information, see “Starting clusters.”
7. Verify that the Tivoli Identity Manager Server is working correctly. For more information, see “Verifying that the Tivoli Identity Manager Server is operational” on page 70.
Starting clusters
When installation completes and configuration and security modification is done, restart all node agents where cluster members are running, then start your clusters.
On the WebSphere administrative console, complete these steps:
1. Start both the Tivoli Identity Manager application cluster and the Tivoli Identity Manager messaging cluster.
a. Click Servers > Clusters.
b. Select the Tivoli Identity Manager clusters.
c. Click Start. The Tivoli Identity Manager application starts when the clusters start.
Use the WebSphere administrative console to verify that all required cluster members are started. Complete these steps:
1. Click Applications > Enterprise Applications. Examine the status of the Tivoli Identity Manager application.
2. Click Servers > Application Servers. Examine the status of the cluster members.
3. Additionally, examine the log files for other problems. For more information,
If the status of the Tivoli Identity Manager application indicates a partial start, complete these steps:
1. Locate the computer that has the cluster member that fails to start.
2. Examine the following log files on the computer where the cluster member resides to determine whether the Tivoli Identity Manager server has started successfully:
• WAS_PROFILE_HOME\logs\server_name\SystemOut.log
• TIVOLI_COMMON_DIRECTORY\CTGIM\logs\trace.log
3. Correct the problem. Then, use the WebSphere administrative console to start the cluster member.
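A partial start means one member's SystemOut.log has to be read to decide whether that server came up and what it logged on the way. The following POSIX shell script is an added example for this page, not IBM's code: it looks for the WebSphere startup message WSVR0001I ("open for e-business"), which is a real WebSphere message ID, and lists the error-level message IDs (those ending in E) that appear in the log. The sample log lines it writes are constructed for the example and are not output from any real system; the function names and the three verdict strings are assumptions made here.

```shell
#!/bin/sh
# Added example, not IBM's code: decide from a cluster member's SystemOut.log
# whether the application server reached "open for e-business" and which
# error-level messages it logged. WSVR0001I is the real WebSphere startup
# message; the sample log lines below are constructed for this example.

# server_started LOG: succeed when LOG contains the WSVR0001I startup message.
server_started() {
    grep -q 'WSVR0001I: Server .* open for e-business' "$1"
}

# error_messages LOG: print the IDs of messages WebSphere logged at error
# level (a message ID ending in E, such as EXMP0002E), one per line, deduplicated.
error_messages() {
    grep -o '[A-Z][A-Z0-9]\{3,9\}[0-9]\{4\}E' "$1" | sort -u
}

# assess LOG: print "started", "started-with-errors" or "not-started";
# succeed in the first two cases and fail in the last.
assess() {
    log=$1
    if server_started "$log"; then
        if [ -n "$(error_messages "$log")" ]; then
            echo started-with-errors
        else
            echo started
        fi
        return 0
    fi
    echo not-started
    return 1
}

# write_sample_logs DIR: constructed sample logs in SystemOut.log layout
# (timestamp, thread id, component, level, message). Used stand-alone and by the test.
write_sample_logs() {
    cat > "$1/good.log" <<'EOF'
[1/1/09 10:00:00:000 UTC] 00000001 SampleComp    I   EXMP0001I: constructed informational line
[1/1/09 10:00:05:000 UTC] 00000001 WsServerImpl  A   WSVR0001I: Server tim_member1 open for e-business
EOF
    cat > "$1/partial.log" <<'EOF'
[1/1/09 10:00:00:000 UTC] 00000001 SampleComp    I   EXMP0001I: constructed informational line
[1/1/09 10:00:03:000 UTC] 00000001 SampleComp    E   EXMP0002E: constructed error during startup
[1/1/09 10:00:05:000 UTC] 00000001 WsServerImpl  A   WSVR0001I: Server tim_member1 open for e-business
EOF
    cat > "$1/bad.log" <<'EOF'
[1/1/09 10:00:00:000 UTC] 00000001 SampleComp    I   EXMP0001I: constructed informational line
[1/1/09 10:00:03:000 UTC] 00000001 SampleComp    E   EXMP0002E: constructed error, server never opened
EOF
}

# Stand-alone use: sh check_member_start.sh --run WAS_PROFILE_HOME/logs/<server_name>/SystemOut.log
if [ "${1:-}" = "--run" ]; then
    assess "$2"
    error_messages "$2"
fi
```

A "not-started" verdict on a member is the case the procedure above addresses; "started-with-errors" is worth a look at the listed IDs even when the console shows the member as running.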
Verifying that the Tivoli Identity Manager Server is operational
To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:
1. Start both clusters. For more information, see “Starting clusters” on page 69.
2. Log on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, in a browser window, enter this URL: http://hostname:port/itim/console/
The value of hostname is the fully qualified name or IP address of the computer that hosts the WebSphere Application Server cluster member and the Tivoli Identity Manager Server application. The value of port is the port number of the WebSphere virtual host. The default port number is 9080. If you have multiple instances of the WebSphere Application Server on the same computer, the port number might be a different value, such as 9081. The port number can be omitted if an HTTP server is used as the front-end proxy. For more information, see “Determining the port number of the default host” on page
The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli Identity Manager administrator user ID (itim manager) and password (immediately after installation, the value is secret).
3. After a first, successful logon, the logon window immediately prompts you to change the administrator password. Ensure that your password change is successful. After you change the password, you are ready to create your organization object and a user that is called an ITIM User.
Optional post-installation tasks
Optionally installing a language pack
After installing Tivoli Identity Manager, you can install a language pack that provides support for languages other than English.
To install the language pack, complete these steps:
1. Before you run the Tivoli Identity Manager language pack setup program, ensure that the version of the Java Runtime Environment that Tivoli Identity Manager requires is accessible from the command line. For more information, refer to the Tivoli Identity Manager Information Center.
For example, you can use the version of Java that comes with WebSphere Application Server. Enter this command:
WAS_HOME\java\bin\java -fullversion
You should receive a response similar to the following:
java full version "1.5.0 IBM Windows 32 build pwi32devifx-20061107 (iFix 111765 SR3 + 111700)"
2. Download the language pack installer jar file.
3. Use command line mode to install the language pack using the itimlp_setup.jar file. For example, enter this language pack command at a command prompt:
WAS_HOME\java\bin\java -jar itimlp_setup.jar
For Linux, ensure that you use the version of Java installed with WebSphere Application Server, located in WAS_HOME/java/bin, to install the language pack.
The Tivoli Identity Manager language pack setup program starts. To complete the language pack installation, follow the instructions that appear in the setup program windows.
4. Restart the WebSphere Application Server to make these changes effective, by completing these steps:
a. Stop the WebSphere Application Server:
Windows, run the following command:
– WAS_HOME\bin\stopServer.bat server_name
UNIX/Linux, run the following command:
– WAS_HOME/bin/stopServer.sh server_name
The value of server_name is the name of the WebSphere Application Server. For example, server1.
b. Start the WebSphere Application Server:
Windows, run the following command:
– WAS_PROFILE_HOME\bin\startServer.bat server_name
UNIX/Linux, run the following command:
– WAS_PROFILE_HOME/bin/startServer.sh server_name
The value of server_name is the name of the WebSphere Application Server. For example, server1.
After the language pack has been successfully installed, you can change the language displayed in the Tivoli Identity Manager interface by changing the language preference for your browser. Make language preference changes before logging in to Tivoli Identity Manager.
For Internet Explorer, complete the following steps:
1. Select Tools > Internet Options.
2. On the General tab, click Languages.
3. Click Add, select languages to add, and click OK.
4. Select a language and set the language priority using the buttons to move the priority up or down.
5. Click OK.
6. Click OK again to save your changes.
For Mozilla Firefox 2.0, complete the following steps:
1. Select Tools > Options.
2. On the Advanced tab, under the Languages section, click Choose.
3. Select a language and click Add.
4. Select a language and set the language priority using the buttons to move the priority up or down.
5. Click OK to save your changes.
To uninstall the language pack from the system, change to the ITIM_HOME\timlp directory, and then enter this language pack command at a command prompt: java -jar timlp_uninstall.jar
Optionally installing adapter profiles
You can choose to install and import any adapter profiles that you did not install during the Tivoli Identity Manager installation process.
Note: If you have upgraded from Tivoli Identity Manager version 5.0 to version 5.1 and are using a service instance that was created using a Tivoli Identity Manager 5.0 profile, you must upgrade to the 5.1 adapter before you create groups on the service. The adapters for Tivoli Identity Manager 5.0 do not support group management.
For more information about the role of adapters, see “Tivoli Identity Manager adapters” on page 3.
To install and import adapter profiles, complete these steps:
1. Open and extract the compressed adapter file.
2. Place the JAR file that contains the adapter profile in a temporary directory on the computer that is running Tivoli Identity Manager.
3. As administrator, open the Tivoli Identity Manager user interface.
4. Click Configure System > Manage Service Types.
5. On the Manage Service Types window, click Import.
6. In the Service Definition File field, click Browse. Then, locate the JAR file that contains the adapter profile.
7. When the Service Definition File field contains the adapter profile file name, click OK.
8. On the Success page, click Close.
9. After installing Tivoli Identity Manager and installing the Tivoli Identity Manager language pack, if the default language is not English and the adapter labels are displayed in English, complete these steps:
a. Click Configure System > Manage Service Types.
b. Click Import on the Service Type table.
c. Click Browse next to the Service Definition File field.
d. Locate the timx_agents.jar file under the ITIM_HOME\timlp directory and click OK.
e. Click Close on the Success page.
Changing cluster configurations after Tivoli Identity Manager is installed
This section describes expanding or reducing the members in a cluster for performance reasons after Tivoli Identity Manager is installed.
Expanding a cluster using a new computer
To add a new cluster member to an existing Tivoli Identity Manager cluster, complete these steps to add a computer with a WebSphere Application Server that was not previously in the WebSphere cell.
1. Create a profile on a new computer and federate the new node into the cell. There are two ways to complete this step:
• Create a custom profile
Create a custom profile on the new computer and federate the profile into the deployment manager cell.
• Create a base profile
Create a base profile on the new computer and then run the addNode command to federate the new node into the cell. For more information, see “Manually federate a WebSphere Application Server node member” on page
2. Create a Tivoli Identity Manager cluster member on the new node. Repeat this procedure to create cluster members on both the application cluster and the messaging engine cluster. On the WebSphere administrative console, complete these steps:
a. Click Servers > Cluster.
b. On the next window, click the Tivoli Identity Manager cluster name.
c. Click Cluster Members, then click New.
d. Select the node name that is the node that you added to the cell. Enter the node name. Then, click Next.
e. Verify the summary window, then click Finish.
f. Save the changes.
3. Run the Tivoli Identity Manager installation program on the new computer, choosing cluster member installation.
4. Run the following command on the deployment manager node to set the policy for the association of the messaging engine and the cluster member:
• Windows operating systems: ITIM_HOME\bin\runConfig.exe install
• UNIX or Linux operating systems: ITIM_HOME/bin/runConfig install
5. Start the new cluster member. Click Servers > Clusters and select the cluster. In the cluster, click Cluster Members. Select the new member and click Start.
Removing cluster members
To remove cluster members, complete these steps:
1. Run the Tivoli Identity Manager uninstallation program on the computer that has the cluster member that you intend to remove. For more information, see Chapter 11, “Uninstalling Tivoli Identity Manager,” on page 125.
2. On the WebSphere administrative console, delete the cluster members from both Tivoli Identity Manager clusters.
Chapter 7. Configuring the Tivoli Identity Manager Server
Configuring the Tivoli Identity Manager Server has these steps: v
“Configuring the Tivoli Identity Manager database”
v
“Configuring the directory server” on page 76
v
“Configuring commonly used system properties” on page 77
v
“Modifying system properties during normal operation” on page 84
Optionally, you can configure security after installing Tivoli Identity Manager. For more information about configuring security post-install for Tivoli Identity
Manager, see Appendix B, “Configuring security for Tivoli Identity Manager,” on page 133.
Configuring the Tivoli Identity Manager database
The Tivoli Identity Manager installation program automatically uses the DBConfig database configuration tool during a single-server installation, or during a cluster installation on the deployment manager, to set up the database to work with Tivoli Identity Manager. For more information about initial installation and configuration for a database, see Chapter 2, “Installing and configuring a database,” on page 9.
Completing the database configuration windows
A database configuration window opens to allow you to configure the database property file and to set up tables in the Tivoli Identity Manager database. The fields that appear in the window might vary, depending on which database you use. For more information about database fields, see “Recording user data” on page 10.
In the database configuration window, follow these steps:
1. Complete the Identity Manager Database Information fields. The data is required to configure and connect to the Tivoli Identity Manager database. You can configure these fields:
v Host Name: Specify the name of the database host.
v Port Number: Specify the port number of the database instance.
v Database Name: For DB2 or Microsoft SQL databases, specify the database name. For Oracle database:
a. Click the radio button adjacent to SID or Service Name.
b. Specify the Oracle system identifier (SID) or service name depending on the radio button you selected.
v Admin ID: Specify the administrator ID for the database host. Ensure that the administrator ID has the rights to create tablespace and stop and start the database.
v Admin Password: Specify the password for the administrator ID.
2. Click Test to ensure that the connection to the database is active. When the database test is successful, the Tivoli Identity Manager User Password field becomes active and the Test button changes to Continue. The User ID field displays the default value itimuser, although you can change this user ID. Before you continue, ensure that the user ID itimuser exists.
3. Enter the correct password for the existing database user ID that is named itimuser, and then click Continue. The database configuration requires several minutes to complete.
Manually starting the DBConfig database configuration tool
The DBConfig command creates the database table definitions that Tivoli Identity Manager requires. Run this command only if the command failed to configure the database during installation. If the Tivoli Identity Manager database tables have been previously set up, running the DBConfig command first drops all of the previously existing Tivoli Identity Manager tables. If you run this command after installation, ensure that the messaging engines under the service integration bus (itim_bus) have been stopped from the WebSphere Application Server administrative console before running DBConfig.
Running the database configuration tool writes data to the ITIM_HOME\install_logs\dbConfig.stdout log file. If you want to save the original file, back up the file before running the command. The database configuration requires several minutes to complete.
To manually start the database configuration tool (DBConfig), complete these tasks:
1. Back up the ITIM_HOME\install_logs\dbConfig.stdout file.
2. Run the following command:
v Windows: ITIM_HOME\bin\DBConfig.exe
v UNIX/Linux: ITIM_HOME/bin/DBConfig
Note: You must run the runConfig command after running DBConfig to ensure that database changes are updated. If DBConfig has never run after an install completes, you must run the following commands to update changes:
v Windows operating systems: ITIM_HOME\bin\runConfig.exe install
v UNIX or Linux operating systems: ITIM_HOME/bin/runConfig install
Configuring the directory server
The Tivoli Identity Manager installation program automatically uses the ldapConfig database configuration tool during a single-server installation, or during a cluster installation on the deployment manager, to set up the directory server to work with Tivoli Identity Manager. For more information about initial
Running the ldapConfig command will restore default values that Tivoli Identity Manager uses. If you have changed the value of any of these Tivoli Identity Manager attributes, such as the password of the itim manager user ID, the value is overwritten. Do not run the ldapConfig command a second time, unless the LDAP configuration fails during the Tivoli Identity Manager Server installation process.
Completing the directory server configuration windows
To configure the LDAP data repository with Tivoli Identity Manager values, complete these steps:
1. Enter the values for the LDAP Server Information fields (Principal DN, Password, Host Name, Port) to set up the connection to the directory server. For example, the value of the Host Name field is the fully qualified host name of the computer on which the directory server is running.
2. Click Test to ensure that the connection to the directory server can be established. When the test for a connection to the directory server is successful, the fields in the Identity Manager Directory Information section become active.
3. Enter the values for the Identity Manager Directory Information fields. You can configure these fields:
v Number of hash buckets: Specify the number of hash buckets.
v Name of Your Organization: Specify the name of your organization. For example, My Organization.
v Default Org Short Name: Specify the short name of your organization. For example, myorg.
v Identity Manager DN Location: Specify the Tivoli Identity Manager suffix. For example, dc=com.
When you are finished, click Continue.
Manually running the ldapConfig configuration tool
To avoid the loss of existing directory server data, you must not manually run this tool unless a directory server configuration problem occurs during installation.
Running the configuration tool writes data to the ITIM_HOME\install_logs\ldapConfig.stdout log file. If you want to save the original file, back up the file before running the command. The directory server configuration requires several minutes to complete.
To manually start the ldapConfig configuration tool, complete these steps:
1. Back up the ITIM_HOME\install_logs\ldapConfig.stdout file.
2. Run the following command: ITIM_HOME\bin\ldapConfig
Configuring commonly used system properties
The Tivoli Identity Manager installation program automatically runs the runConfig system configuration tool to edit commonly used system properties for the Tivoli Identity Manager Server and also to configure WebSphere Application Server settings for the Tivoli Identity Manager application. The Tivoli Identity Manager installation program runs the system configuration tool for both a single-server and cluster configuration, which includes the deployment manager and the cluster members.
The system configuration tool provides these windows:
v General tab
v Directory tab
v Database tab
v Logging tab
v Mail tab
v UI tab
v Security tab
You can run the system configuration tool manually. For more information, see “Manually starting the system configuration tool” on page 82. For alternative ways
Related topics:
Single-server installation: “Responding to major installation actions” on page 55
Cluster installation: “Responding to major installation actions” on page 66
General tab
Click the General tab. The General tab of the system configuration tool configures the general information about the Tivoli Identity Manager Server.
The following field values on the General tab are prefilled by the installation program:
v Scheduling information
– Heart Beat (seconds): The Scheduling Information field displays information about how frequently a scheduling thread queries the scheduled message stores for events to process (Heart Beat). You might want to consider performance issues before you enable a more frequent beat. Only system administrators can modify the Heart Beat, which is measured in seconds.
– Recycle Bin Age Limit (days): When you delete Tivoli Identity Manager objects (such as organization units, persons, or accounts), the objects are not immediately removed from the system. Instead, they are moved to a recycle bin container. Emptying the recycle bin is a separate deletion process that involves running cleanup scripts. The recycle bin is disabled by default but can be enabled by editing the enRole.properties file in the ITIM_HOME\data directory.
For example, to avoid assigning an old user ID to a new user, the assignment process might check the recycle bin to determine if an old user ID exists. You might set the value of the recycle bin interval to an interval that determines the length of time to retain old user IDs.
The Recycle Bin Age Limit field specifies the number of days that an object remains in the recycle bin of the system before it becomes available for deletion by cleanup scripts. The cleanup scripts can only remove those objects that are older than the age limit setting. For example, if the age limit setting is 62 days (the default value), only objects that have been in the recycle bin for more than 62 days can be deleted by cleanup scripts.
You can use the following scripts to either manually remove or to schedule the periodic cleanup of recycle bin entries with expired age limits:
- Windows: ITIM_HOME\bin\win\ldapClean.cmd
To schedule periodic cleanup, register the preceding command script with the Windows scheduler.
- UNIX: ITIM_HOME/bin/unix/ldapClean.sh
To schedule periodic cleanup, create a UNIX cron job such as the following example: ITIM_HOME/bin/unix/schedule_garbage.cron
Related topics:
See “Configuring commonly used system properties” on page 77.
Directory tab
Click the Directory tab. The Directory tab of the system configuration tool displays directory connection information and LDAP connection pool information. The tab also has a Test button to test the connection to the directory server. If you update any field on this tab, click Test to ensure that the connection works.
The information is pre-filled for the deployment manager, but not for a WebSphere Application Server. If necessary, modify the following information for the directory server:
v Principal DN and password that the Tivoli Identity Manager Server uses to log on to the directory server
v Host name or IP address for the directory server. For IPv6, literal addresses need to be enclosed in brackets. For example, [abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd] where abcd is a hexadecimal number from 0000-FFFF.
v Port number for the directory server
v The LDAP connection pool information defines a pool of LDAP connections accessible by the Tivoli Identity Manager Server. After a connection is established and data is stored in the LDAP directory server, changing the host name or the port number might have detrimental effects.
– In the Maximum Pool Size field, specify the maximum number of connections that the LDAP Connection Pool can have at any time.
– In the Initial Pool Size field, specify the initial number of connections to be created for the LDAP Connection Pool.
– In the Increment Count field, specify the number of connections to be added to the LDAP Connection Pool every time a connection is requested after all connections are in use.
Related topics:
See “Configuring commonly used system properties” on page 77.
Database tab
Click the Database tab. The Database tab displays general database information and database pool information. The tab also has a Test button to test the connection to the database. If you update any field on this tab, click Test to ensure that the connection works. Changing the configuration after the system is set up can have detrimental effects.
Depending on the type of connection that is used, one of several windows is displayed when configuring database properties. The window in this example displays the Database tab when Tivoli Identity Manager does not use an Oracle Client to connect to the Oracle database.
If this installation is on a cluster member, the information must match the database specification previously made for the deployment manager.
v In the JDBC URL field, specify the URL value with type 4 JDBC Driver URL format. For IPv6, literal addresses need to be enclosed in brackets. For example, jdbc:db2://[abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd]:50002/itimdb where abcd is a hexadecimal number from 0000-FFFF.
v In the Database User and the User Password fields, specify the database account and password that Tivoli Identity Manager uses to log on to the database. The default user ID is itimuser, which is created by the Tivoli Identity Manager database configuration program (DBConfig). The account must have a valid user password.
v The database pool information determines the number of JDBC connections. For more information about supported JDBC drivers, see “Database server products” on page 1.
– In the Initial Capacity field, specify the initial number of JDBC connections.
– In the Maximum Capacity field, specify the maximum number of JDBC connections that the Tivoli Identity Manager Server can open to the database at any one time.
Related topics:
See “Configuring commonly used system properties” on page 77.
Logging tab
Click the Logging tab. The Logging tab of the system configuration tool enables you to set the level of tracing. Choose one of these values:
MIN: Writes less information to the log file. Use this setting for best performance.
MID: Writes an increased amount of information to the log file.
MAX: Writes the maximum amount of information to the log file. The increased amount of logging activity might affect performance. This setting is approximately the equivalent of VERBOSE.
Related topics:
See “Configuring commonly used system properties” on page 77.
Mail tab
Click the Mail tab. The Mail tab of the system configuration tool displays mail notification and gateway parameters:
v In the Tivoli Identity Manager Base URL field, specify the login Universal Resource Locator (URL) for the Tivoli Identity Manager Server. This address is the first part of a URL that is sent to the recipient of mail messages at runtime. The URL also points to the login page of the Tivoli Identity Manager administrative console. The value is the URL of the proxy server (for example, the IBM HTTP Server). Specify the host name (or IP address) and port in the base URL. Ensure that the value matches the published login URL to your Tivoli Identity Manager system.
– Single-server configuration base URL is the address of the Web server (for example, the IBM HTTP Server) which by default uses port 80.
– Cluster configuration base URL is the address of the Web server which load-balances to all application server instances in the cluster (not the base URL of a specific application server instance).
For IPv6, literal addresses need to be enclosed in brackets. For example, http://[abcd:abcd:abcd:abcd:abcd:abcd:abcd:abcd]:80 where abcd is a hexadecimal number from 0000-FFFF.
v In the Mail From field, specify the Tivoli Identity Manager system administrator e-mail address for your site. All e-mail is delivered from the From parameter. You must change this address, otherwise you send spam to the e-mail address listed.
v In the Mail Server Name field, specify the SMTP mail host that sends mail notification. SMTP mail servers are supported. The SMTP host is the mail gateway. For example, enter a host name such as swiftcreek.mycity.ibm.com.
Related topics:
See “Configuring commonly used system properties” on page 77.
UI tab
Click the UI tab. The UI tab of the system configuration tool displays information to customize the Tivoli Identity Manager Server GUI.
v In the Customer Logo field, specify the path and file name of the logo graphic.
v In the Customer Logo Link field, specify an optional URL link activated by clicking the logo image. System administrators can specify these two variables to replace the IBM logo with their company logo throughout the Tivoli Identity Manager system. The default IBM logo file is the ibm_banner.gif file, which is located in the WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear\itim_console.war\html\images directory. In a cluster configuration, this default logo can be found on the node member workstation and not on the Deployment Manager workstation.
v In the List Page Size field, specify how many items that require a search in the directory are displayed on lists throughout the user interface. If the total number of items exceeds the set List Page Size, the list is spread over multiple pages. For example, the value controls the size of the names list that appears when you browse the My Organization > Manage People tab in the Tivoli Identity Manager GUI.
Related topics:
See “Configuring commonly used system properties” on page 77.
Security tab
Click the Security tab. The Security tab of the system configuration tool displays information to manage database, LDAP, and application server user IDs and passwords that are stored in Tivoli Identity Manager properties files. The tab displays the encryption settings and application server user management preferences in Tivoli Identity Manager.
By default, passwords in the Tivoli Identity Manager property files are encrypted.
v In the Encryption box, check the box to encrypt the passwords used for database and directory server connections and the password of the EJB user that is used for EJB authentication. The encryption flags are set to true. Clear the box to decrypt the passwords and set the flags to false. The flags are represented by the following properties in the enRole.properties file:
enrole.password.database.encrypted
enrole.password.ldap.encrypted
enrole.password.appServer.encrypted
v In the System User and System User Password fields, specify the system user and the system user password. The fields are pre-filled if WebSphere administrative security and application security are on, and an administrator user ID and password have been entered. The fields are blank if WebSphere administrative security and application security are not on.
v In the EJB User and EJB User Password fields, specify the EJB user and the EJB user password. The fields initially take the values of the System User and Password fields.
If you define your own EJB user during installation to be different from the System User, you might need to modify the EJB User and EJB User Password fields. If you change the value of the EJB user ID or the EJB password on this system configuration Security window and run runConfig as a stand-alone command, additional manual steps are required after Tivoli Identity Manager installation to map the security role to the Tivoli Identity Manager user in order
Note: The EJB user password is restricted to 12 characters.
Related topics:
See “Configuring commonly used system properties” on page 77.
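As an added example (not part of the IBM guide or of Tivoli Identity Manager), the following Python script reads an enRole.properties file and reports the state of the three encryption flags named above, so an administrator can confirm after running runConfig, or after a manual edit of the file, that no connection password has been left in clear text. The three property names are the ones the guide lists; the file excerpt embedded in the script is constructed.

```python
"""Audit the password-encryption flags that the Security tab of runConfig
maintains in ITIM_HOME\\data\\enRole.properties.

Added example, not part of the IBM guide or of Tivoli Identity Manager.
The three property names are the ones the guide lists; the file content
below is a constructed excerpt, not a shipped enRole.properties file.
"""
import sys

# Flags the Security tab sets to true (encrypted) or false (clear text).
ENCRYPTION_FLAGS = (
    "enrole.password.database.encrypted",
    "enrole.password.ldap.encrypted",
    "enrole.password.appServer.encrypted",
)

# Constructed excerpt: one flag true, one false, one missing entirely.
SAMPLE_ENROLE_PROPERTIES = """\
# constructed excerpt of enRole.properties (not the shipped file)
enrole.password.database.encrypted = true
enrole.password.ldap.encrypted=false
! the appServer flag is deliberately absent to show the 'missing' case
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' as the
    key/value separator, and backslash line continuations. Escaped
    separators inside keys are not handled (assumed not needed for the
    flags checked here)."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        line, pending = pending + line, ""
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""              # key without a value
    return props


def audit_encryption_flags(text: str) -> dict:
    """Map each flag to 'true', 'false' or 'missing' (case-insensitive)."""
    props = parse_properties(text)
    return {flag: props.get(flag, "missing").lower() for flag in ENCRYPTION_FLAGS}


def clear_text_passwords(text: str) -> list:
    """Flags whose password is not encrypted: set to false, or not set at all.
    A missing flag is reported as well, because runConfig normally writes it."""
    return [flag for flag, state in audit_encryption_flags(text).items()
            if state != "true"]


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ENROLE_PROPERTIES
    for flag, state in audit_encryption_flags(text).items():
        print(f"{flag:45s} {state}")
    findings = clear_text_passwords(text)
    print("clear-text passwords:", ", ".join(findings) if findings else "none")
```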
Manually starting the system configuration tool
To update commonly-used Tivoli Identity Manager properties, run the following command:
v Windows: ITIM_HOME\bin\runConfig.exe
v UNIX/Linux: ITIM_HOME/bin/runConfig
The runConfig utility also accepts an install parameter. Use runConfig with the install parameter when there is a problem reported for runConfig during the Tivoli Identity Manager installation. Note that system configuration requires several minutes to complete if the install option is used.
v Windows: ITIM_HOME\bin\runConfig.exe install
v UNIX/Linux: ITIM_HOME/bin/runConfig install
Running the system configuration tool writes log data to the ITIM_HOME\install_logs\runConfig.stdout log file.
Manually installing agentless adapters and adapter profiles
Agentless adapter profiles are installed automatically by the Tivoli Identity Manager installation program during a new installation. The adapter is installed depending on whether the IBM Tivoli Directory Integrator is installed on the same server as Tivoli Identity Manager. You can verify that they installed correctly by looking for the POSIX adapters listed under Configure System > Service Types in the administrative console user interface. However, if either the adapters or profiles failed to install, you can install them manually.
The following tasks are for agentless adapter installation only. For information about installing agent-based adapters and adapter profiles, see the Installing section of the Tivoli Identity Manager Information Center.
Installing agentless adapters
Tivoli Identity Manager Version 5.1 supports both Tivoli Directory Integrator Version 6.1.1 and 7.1. You can install agentless adapters for Tivoli Directory Integrator interactively or silently.
To install agentless adapters interactively on Windows, for example, run the following command to install the adapters:
WAS_HOME\java\bin\java.exe -cp PosixAdapterInstall_v.jar run
where v is the Tivoli Directory Integrator version. For example, use 70 for version 7.0 or 611 for version 6.1.1.
To install agentless adapters silently, complete these steps:
1. Update the ITIM_HOME\config\adapters\response.txt file, replacing every occurrence of %1 with the value of ITDI_HOME.
2. Run the following command to install the adapters:
cd ITIM_HOME\config\adapters
"WAS_HOME\java\bin\java.exe" -cp PosixAdapterInstall_v.jar run -silent -options response.txt
Installing agentless adapter profiles
It is recommended that you download the latest POSIX adapters from the adapter download site.
To install agentless adapter profiles, run the following commands:
v For Windows operating systems:
cd ITIM_HOME\config\adapters
"ITIM_HOME/bin/unix/config_remote_services.sh" -profile LdapProfile -jar LdapProfile.jar
"ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixSolarisProfile -jar PosixSolarisProfile.jar
"ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixLinuxProfile -jar PosixLinuxProfile.jar
"ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixHpuxProfile -jar PosixHpuxProfile.jar
"ITIM_HOME/bin/unix/config_remote_services.sh" -profile PosixAixProfile -jar PosixAixProfile.jar
v For UNIX operating systems:
-bash-3.00# ./config_remote_services.sh -profile LdapProfile -jar /opt/IBM/itim/config/adapters/LdapProfile.jar
-bash-3.00# ./config_remote_services.sh -profile PosixSolarisProfile -jar /opt/IBM/itim/config/adapters/PosixSolarisProfile.jar
-bash-3.00# ./config_remote_services.sh -profile PosixLinuxProfile -jar /opt/IBM/itim/config/adapters/PosixLinuxProfile.jar
-bash-3.00# ./config_remote_services.sh -profile PosixHpuxProfile -jar /opt/IBM/itim/config/adapters/PosixHpuxProfile.jar
-bash-3.00# ./config_remote_services.sh -profile PosixAixProfile -jar /opt/IBM/itim/config/adapters/PosixAixProfile.jar
Note: You can also install them by selecting Configure System > Manage Service Types > Import from the administrative console user interface.
Related topics:
“Installing agentless adapters” on page 40
Modifying system properties during normal operation
You configure the Tivoli Identity Manager Server by managing system properties. For example, a system property determines how the server responds to the correct completion of a challenge question. System properties can be modified at any time.
You might need to restart the Tivoli Identity Manager Server when changes are made to certain system properties such as the server startup modules, which are not recognized unless you restart the server. Restart the Tivoli Identity Manager Server after modifying any property using the system configuration tool. Changes to other system properties can be recognized within 30 seconds. Logging properties can be changed without restarting the server and changes take effect within 5 minutes.
To modify system properties, use these choices:
v Use the system configuration tool, runConfig. For more information, see “Modifying system properties with the system configuration tool” on page 85.
v Change manually. For more information, see “Modifying system properties manually” on page 85.
v Use the Tivoli Identity Manager Server GUI. For more information, see “Modifying system properties with the Tivoli Identity Manager GUI” on page
Modifying system properties with the system configuration tool
After installation, use the system configuration tool (runConfig) for the following tasks:
v Changing the password of the database user.
v Specifying password encryption and updating Tivoli Identity Manager EJB user IDs and passwords.
Modifying system properties manually
Alternatively, you can manually modify system properties by editing the appropriate property file. System and supplemental property files are located on the Tivoli Identity Manager Server in the ITIM_HOME\data directory. These files contain all the system and supplemental properties used by the server. For more information about system properties located in the enRole.properties file, refer to the IBM Tivoli Identity Manager Information Center.
Modifying system properties with the Tivoli Identity Manager GUI
You can also modify certain system properties from within the Configuration section of the main menu navigation bar in the Tivoli Identity Manager Server GUI.
From the Set Systems Security tab, you can modify the following properties:
v Enable/disable password editing
v Password expiration period (number of days): This property is only for the Tivoli Identity Manager Server account. The user has to change the password before this period is reached. Whenever a new password is set for the Tivoli Identity Manager Server account, the password expiration period is affected from that time. You can disable password expiration by setting this value to zero.
v Password retrieval expiration period (number of hours): After the new account is created, the user receives an e-mail with the URL link that provides the password. The user has to get the password before this password retrieval period expires.
v Maximum number of invalid logon attempts: Sets the maximum number of invalid logon attempts. If exceeded, the account is suspended. The default setting is "0" (unlimited logon attempts).
From the Configure Forgotten Password Settings tab, you can modify the following properties:
v Lost password question behavior
Chapter 8. Performing a silent installation and configuration of Tivoli Identity Manager
Tivoli Identity Manager can be run in a silent mode, which reads response files that contain input values to configure the directory server, database server, WebSphere Application Server, and Tivoli Identity Manager. Silent installation is supported in both single-server and cluster environments, and for clean installation and upgrade. Example response files are provided on the base DVD in the response_files directory.
The installation program reads input from two response files, installvariables.properties and configResponse.properties. The installvariables.properties file has the installer-related input values such as the installation directory, database type, directory server type, and so on. The configResponse.properties file has the properties required for the database configuration, LDAP configuration, and system configuration programs, with a different prefix for each configuration program:
Database configuration: dbConfigResponse.propertyName=value
LDAP configuration: ldapConfigResponse.propertyName=value
System configuration: sysConfigResponse.propertyFileName.propertyName=value
Different file names are used for an upgrade scenario. The following sets of response files are needed for clean installation and for upgrade, depending on the application server type:
v Clean installation:
– For single-server or deployment manager: installvariables.properties, configResponse.properties
– For cluster members: installvariables.properties, configResponseCM.properties
v Upgrade:
– For single-server or deployment manager: installvariablesUpgrade.properties, configResponseUpgrade.properties
– For cluster members: installvariablesUpgrade.properties, configResponseCMUpgrade.properties
Notes:
1. You can use a different file name for the installation response file (for example, installvariablesUpgrade.properties) because it can be passed to the installer with the "-f" flag, but the name of the configuration response file must always be configResponse.properties.
2. For the system configuration program, the configResponse.properties or configResponseUpgrade.properties template only contains the minimum set of required system properties (with prefix "sysConfigResponse"). You can add additional system properties to the file if necessary. Use the convention sysConfigResponse.propertyFileName.propertyName=value. For example, for an IBM Tivoli Directory Server configuration whose authorization ID is cn=root:
sysConfigResponse.enRoleLDAPConnection.java.naming.provider.url=ldap://hostname:389
sysConfigResponse.enRoleLDAPConnection.java.naming.security.principal=cn=root
sysConfigResponse.enRoleLDAPConnection.java.naming.security.credentials=xxxxxx
The system configuration program running in silent mode sets the values of the listed properties in the enRoleLDAPConnection.properties file.
3. The silent installer reads the values from the configResponse.properties file and configures the Tivoli Identity Manager components. If a specific component configuration fails, the utilities and the associated lax file can be found in ITIM_HOME\bin. Each component of the install can run silently by modifying the IS_SILENT=<true/false> property in the .lax file of the component.
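The prefix convention above, worked through in code as an added example that is not part of the IBM guide or its silent installer: the script splits a configResponse.properties file into the entries meant for the database, LDAP and system configuration programs, derives the target .properties file for each sysConfigResponse entry the way the guide's enRoleLDAPConnection example implies, and lists which entries carry a secret so the response file can be protected or deleted once the silent install is done. The enRoleLDAPConnection lines are the guide's own; the other keys are constructed placeholders, and the "password"/"credentials" name test is an assumption of the example.

```python
"""Route the entries of a silent-install configResponse.properties to the
configuration program each one feeds, using the prefix convention from the
guide: dbConfigResponse.<name>, ldapConfigResponse.<name> and
sysConfigResponse.<propertyFileName>.<propertyName>.

Added example, not part of the IBM guide or its silent installer. The
enRoleLDAPConnection lines repeat the guide's own example; the remaining
keys are constructed placeholders, not real response-file keys.
"""

DB_PREFIX = "dbConfigResponse."
LDAP_PREFIX = "ldapConfigResponse."
SYS_PREFIX = "sysConfigResponse."

# Constructed excerpt of configResponse.properties.
SAMPLE_CONFIG_RESPONSE = """\
# constructed excerpt of configResponse.properties
dbConfigResponse.examplePropertyName=exampleValue
ldapConfigResponse.examplePropertyName=exampleValue
sysConfigResponse.enRoleLDAPConnection.java.naming.provider.url=ldap://hostname:389
sysConfigResponse.enRoleLDAPConnection.java.naming.security.principal=cn=root
sysConfigResponse.enRoleLDAPConnection.java.naming.security.credentials=xxxxxx
sysConfigResponse.enRole.examplePropertyName=exampleValue
sysConfigResponse.noDotAfterPrefix=oops
unknownPrefix.examplePropertyName=exampleValue
"""


def route_config_response(text: str) -> dict:
    """Group response entries by the program that consumes them.
    sysConfigResponse entries are further grouped by the target
    <propertyFileName>.properties file, as the guide's example
    (enRoleLDAPConnection.properties) shows. Entries that match none of the
    three prefixes, or a sysConfigResponse key with no file/property pair,
    land in 'unrouted' so they can be reviewed before the install."""
    routed = {"dbConfig": {}, "ldapConfig": {}, "sysConfig": {}, "unrouted": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Response files use key=value; split on the first '=' only so a
        # value such as cn=root keeps its own '='.
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            routed["unrouted"][key] = ""
        elif key.startswith(DB_PREFIX):
            routed["dbConfig"][key[len(DB_PREFIX):]] = value
        elif key.startswith(LDAP_PREFIX):
            routed["ldapConfig"][key[len(LDAP_PREFIX):]] = value
        elif key.startswith(SYS_PREFIX):
            file_name, dot, prop = key[len(SYS_PREFIX):].partition(".")
            if dot and file_name and prop:
                target = file_name + ".properties"
                routed["sysConfig"].setdefault(target, {})[prop] = value
            else:
                routed["unrouted"][key] = value  # no <propertyFileName>.<propertyName>
        else:
            routed["unrouted"][key] = value
    return routed


def secret_entries(routed: dict) -> list:
    """(target, property) pairs whose name suggests a secret. The name test
    is an assumption of this example, seeded by the guide's
    java.naming.security.credentials entry."""
    markers = ("password", "credentials")
    found = []
    for target, props in routed["sysConfig"].items():
        for prop in props:
            if any(m in prop.lower() for m in markers):
                found.append((target, prop))
    for program in ("dbConfig", "ldapConfig"):
        for prop in routed[program]:
            if any(m in prop.lower() for m in markers):
                found.append((program, prop))
    return found


if __name__ == "__main__":
    result = route_config_response(SAMPLE_CONFIG_RESPONSE)
    for program, entries in result.items():
        print(program, "->", entries)
    print("entries carrying secrets:", secret_entries(result))
```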
Before you begin
Before you run the silent install, install and configure any necessary middleware, such as a directory server, database server, directory integrator, and application server. Ensure that all these components are working correctly and that you have entered the correct data; any errors in setting up the system can result in the failure of silent installation.
Performing a silent installation in a single-server environment
To perform a silent installation in a single-server environment, complete these tasks:
v Clean installation:
1. Copy the response files installvariables.properties and configResponse.properties to a directory on the target computer.
2. Update the response files with the correct values.
3. Run "instplatform -i silent -f installvariables.properties" if the installer and the response files are in the same directory, where instplatform is the installer program for your system platform:
– Windows: instwin.exe
– AIX: instaix.bin
– Linux: instlinux.bin
– Linux for System p: instplinux.bin
– Linux for System z: instzlinux.bin
– Solaris: instsol.bin
Note: If the installer and the response files are in different directories or on different drives, you must use the relative or absolute path for the installvariables.properties file and the absolute path for the configResponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariables.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.
v
Upgrade:
1.
Copy the response files installvariablesUpgrade.properties
and configResponseUpgrade.properties
to a directory on the target computer.
88
IBM Tivoli Identity Manager Server: Installation and Configuration Guide
2. Rename the configResponseUpgrade.properties file to configResponse.properties.
3. Update the response files with the correct values.
4. Run "inst<platform> -i silent -f installvariablesUpgrade.properties" if the installer and the response files are in the same directory. The names of the installer programs for each system platform are:
– Windows: instwin.exe
– AIX: instaix.bin
– Linux: instlinux.bin
– Linux for System p: instplinux.bin
– Linux for System z: instzlinux.bin
– Solaris: instsol.bin
Note:
If the installer and the response files are in different directories or on different drives, you must use the relative or absolute path for the installvariablesUpgrade.properties file and the absolute path for the configResponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.
Silent installation might take some time to complete. To check on the installation progress, examine the itim_install_activity.log file in the ITIM_HOME\install_logs directory.
Verify the installation and troubleshoot to resolve any problems that occurred.
Performing a silent installation in a cluster environment
To perform a silent installation in a cluster environment, complete these tasks:
• Clean installation:
– On the deployment manager:
1. Copy the response files installvariables.properties and configResponse.properties to a directory on the target computer.
2. Update the response files with the correct values.
3. Run "inst<platform> -i silent -f installvariables.properties" if the installer and the response files are in the same directory. The names of the installer programs for each system platform are:
- Windows: instwin.exe
- AIX: instaix.bin
- Linux: instlinux.bin
- Linux for System p: instplinux.bin
- Linux for System z: instzlinux.bin
- Solaris: instsol.bin
Chapter 8. Performing a silent installation and configuration of Tivoli Identity Manager
89
Note:
If the installer and the response files are in different directories or on different drives, you must use the relative or absolute path for the installvariables.properties file and the absolute path for the configResponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariables.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.
– On the cluster members:
1. Copy the response files installvariables.properties and configResponseCM.properties to a directory on the target computer.
2. Rename the configResponseCM.properties file to configResponse.properties.
3. Update the response files with the correct values.
4. Run "inst<platform> -i silent -f installvariables.properties" if the installer and the response files are in the same directory. The names of the installer programs for each system platform are:
- Windows: instwin.exe
- AIX: instaix.bin
- Linux: instlinux.bin
- Linux for System p: instplinux.bin
- Linux for System z: instzlinux.bin
- Solaris: instsol.bin
Note:
If the installer and the response files are in different directories or on different drives, you must use the relative or absolute path for the installvariables.properties file and the absolute path for the configResponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariables.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.
• Upgrade:
– On the deployment manager:
1. Copy the response files installvariablesUpgrade.properties and configResponseUpgrade.properties to a directory on the target computer.
2. Rename the configResponseUpgrade.properties file to configResponse.properties.
3. Update the response files with the correct values.
4. Run "inst<platform> -i silent -f installvariablesUpgrade.properties" if the installer and the response files are in the same directory. The names of the installer programs for each system platform are:
- Windows: instwin.exe
- AIX: instaix.bin
- Linux: instlinux.bin
- Linux for System p: instplinux.bin
- Linux for System z: instzlinux.bin
- Solaris: instsol.bin
Note:
If the installer and the response files are in different directories or on different drives, you must use the relative or absolute path for the installvariablesUpgrade.properties file and the absolute path for the configResponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.
– On the cluster members:
1. Copy the response files installvariablesUpgrade.properties and configResponseCMUpgrade.properties to a directory on the target computer.
2. Rename the configResponseCMUpgrade.properties file to configResponse.properties.
3. Update the response files with the correct values.
4. Run "inst<platform> -i silent -f installvariablesUpgrade.properties" if the installer and the response files are in the same directory. The names of the installer programs for each system platform are:
- Windows: instwin.exe
- AIX: instaix.bin
- Linux: instlinux.bin
- Linux for System p: instplinux.bin
- Linux for System z: instzlinux.bin
- Solaris: instsol.bin
Note:
If the installer and the response files are in different directories or on different drives, you must use the relative or absolute path for the installvariablesUpgrade.properties file and the absolute path for the configResponse.properties file. For example, if the response files are in the C:\temp directory on a Windows machine, use this command:
instwin.exe -i silent -f C:\temp\installvariablesUpgrade.properties -DITIM_CFG_RESP_FILE_DIR=C:\temp
UNIX machines use a different installer command, such as instaix.bin for AIX, and a different path.
Silent installation might take some time to complete. To check on the installation progress, examine the itim_install_activity.log file in the ITIM_HOME\install_logs directory.
Verify the installation and troubleshoot to resolve any problems that occurred.
Configuring the database silently
If the database configuration failed during the silent installation, correct the database information in the response file. Then follow these steps to configure the database silently.
To configure the database using a response file:
1. Copy the configResponse.properties file to a directory on the target computer.
2. Update the configResponse.properties file with the correct database information.
3. Edit the ITIM_HOME/bin/DBConfig.lax file to set the values of these two properties:
IS_SILENT=true
RESPONSE_FILE=full path to the configResponse.properties file
4. Invoke the database configuration program: ITIM_HOME/bin/DBConfig
The database configuration might take a few minutes to complete. To monitor the configuration progress, view the dbConfig.stdout file in the ITIM_HOME/install_logs directory.
Configuring the directory server silently
If the directory server configuration failed during the silent installation, correct the incorrect data parameters in the response file. Then follow these steps to configure the directory server silently.
To configure the directory server using a response file:
1. Copy the configResponse.properties file to a directory on the target computer.
2. Update the configResponse.properties file with the correct directory server information.
3. Edit the ITIM_HOME/bin/ldapConfig.lax file to set the values of these two properties:
IS_SILENT=true
RESPONSE_FILE=full path to the configResponse.properties file
4. Invoke the LDAP configuration program: ITIM_HOME/bin/ldapConfig
The directory server configuration might take a few minutes to complete. To monitor the configuration progress, view the ldapConfig.stdout file in the ITIM_HOME/install_logs directory.
Configuring the system silently in a single-server environment
If the system configuration failed during the silent installation, correct the incorrect data parameters in the response file. Then follow these steps to configure the system silently.
To configure the system using a response file:
1. Copy the configResponse.properties file to a directory on the target computer.
2. Update the configResponse.properties file with the correct information.
3. Edit the ITIM_HOME/bin/runConfig.lax file to set the values of these two properties:
IS_SILENT=true
RESPONSE_FILE=full path to the configResponse.properties file
4. Start the WebSphere Application Server.
5. Invoke the system configuration program: ITIM_HOME/bin/runConfig -install
The system configuration might take a few minutes to complete. To monitor the configuration progress, view the runConfig.stdout file in the ITIM_HOME/install_logs directory.
Configuring the system silently in a cluster environment
If the system configuration failed during the silent installation, correct the incorrect data parameters in the response file. Then follow these steps to configure the system silently.
To configure the system using a response file:
1. On the deployment manager, copy the configResponse.properties file to a directory on the target computer.
2. On the cluster member system, copy the configResponseCM.properties file to a directory on the target computer and rename it to configResponse.properties.
3. Update the configResponse.properties file with the correct information.
4. Edit the ITIM_HOME/bin/runConfig.lax file to set the values of these two properties:
IS_SILENT=true
RESPONSE_FILE=full path to the configResponse.properties file
5. Start the WebSphere deployment manager and all the node agents.
6. Invoke the system configuration program: ITIM_HOME/bin/runConfig -install
The system configuration might take a few minutes to complete. To monitor the configuration progress, view the runConfig.stdout file in the ITIM_HOME/install_logs directory.
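The silent database, directory server and system configuration procedures above all edit a .lax launcher file in the same way. The following shell functions are an added example, not code shipped with Tivoli Identity Manager: they make that edit on a UNIX or Linux system, enforce the full-path requirement for RESPONSE_FILE, and restrict the response file's permissions on the assumption that it carries the database and directory server passwords the configuration tools read. The file names are the guide's; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not IBM's code): prepare an ITIM .lax launcher file
# (DBConfig.lax, ldapConfig.lax or runConfig.lax) for a silent run.
# Assumptions: UNIX/Linux, POSIX sh with awk, grep and sed; ITIM_HOME laid
# out as in the guide.

# set_lax_property FILE KEY VALUE
# Replace an existing "KEY=..." line in FILE, or append the line if KEY is
# absent. The result is written to a temporary file and moved into place, so
# a failed edit never leaves a half-written launcher file behind.
set_lax_property() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    # Escape the characters that are special in a sed replacement ('\', '&')
    # and the '|' used below as the delimiter.
    esc=$(printf '%s\n' "$value" | sed 's/[\\&|]/\\&/g')
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$esc|" "$file" > "$tmp" || return 1
    else
        # awk '1' re-emits every line with a newline, so an appended
        # property never runs into an unterminated last line.
        { awk '1' "$file" && printf '%s=%s\n' "$key" "$value"; } > "$tmp" || return 1
    fi
    mv "$tmp" "$file"
}

# prepare_silent_lax LAX_FILE RESPONSE_FILE
# Sets IS_SILENT=true and RESPONSE_FILE=<full path>, as step 3 of each
# procedure requires, after checking that the response file is readable and
# that the path is absolute (a relative path would be resolved against
# whatever directory the tool happens to start in).
prepare_silent_lax() {
    lax=$1; response=$2
    case $response in
        /*) ;;
        *)  echo "RESPONSE_FILE must be an absolute path: $response" >&2; return 1 ;;
    esac
    [ -r "$response" ] || { echo "response file not readable: $response" >&2; return 1; }
    [ -w "$lax" ] || { echo "launcher file not writable: $lax" >&2; return 1; }
    set_lax_property "$lax" IS_SILENT true &&
    set_lax_property "$lax" RESPONSE_FILE "$response"
}

# restrict_response_file RESPONSE_FILE
# configResponse.properties holds the database and directory server
# credentials the tools need, so it should be readable by its owner only.
restrict_response_file() {
    chmod 600 "$1"
}

# check_silent_lax LAX_FILE
# Succeeds only when both properties are present with usable values; run it
# before launching ITIM_HOME/bin/DBConfig, ldapConfig or runConfig -install.
check_silent_lax() {
    grep -q '^IS_SILENT=true$' "$1" && grep -q '^RESPONSE_FILE=/' "$1"
}

# response_file_of LAX_FILE: prints the configured RESPONSE_FILE value.
response_file_of() {
    sed -n 's/^RESPONSE_FILE=//p' "$1" | head -n 1
}
```

Typical use is prepare_silent_lax "$ITIM_HOME/bin/DBConfig.lax" /opt/itim/resp/configResponse.properties followed by check_silent_lax on the same file, then the configuration tool.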
Chapter 8. Performing a silent installation and configuration of Tivoli Identity Manager
93
94
IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Chapter 9. Verifying and troubleshooting the installation
This section describes how to correct problems with the Tivoli Identity Manager installation. It also explains how to verify that the Tivoli Identity Manager Server and its prerequisite processes are running correctly.
You can test whether the database, the directory server, and other programs that the Tivoli Identity Manager Server uses are correctly configured and are in full communication with each other.
Correcting problems with starting the installation
If you cannot start the Tivoli Identity Manager installation program, check these requirements:
• Is there enough real memory available to run the installation program? For more information, refer to the IBM Tivoli Identity Manager Information Center.
• Are the correct operating system levels, patches, and space requirements provided for the hardware and software prerequisites? For more information, refer to the IBM Tivoli Identity Manager Information Center.
• Does the installation program have the correct file permissions to run? Administrative privileges are required.
• Is your firewall preventing processes that are active during installation from accessing external resources? For example, if you have a firewall that prevents ldapsearch from connecting to the directory server, the Tivoli Identity Manager installation fails.
• If the installation is on a UNIX or Linux system, do you have the correct permissions and display variables set? A common mistake is to log in to the desktop, omit disabling access control, and then telnet or SSH to a remote host on which you intend to install the Tivoli Identity Manager Server. To correct this problem, complete these tasks:
1. Run this command at the command shell of your desktop to disable access control for the X Server: xhost +
2. After you telnet or SSH to the remote host, run this command to set the DISPLAY environment variable: export DISPLAY=hostname:0.0
The value of hostname is the host name or IP address of your local desktop computer.
Tivoli Identity Manager configuration errors
Check the Tivoli Identity Manager activity summary log file (itim_install_activity.log). If a non-fatal error is reported and it involves DBConfig, ldapConfig, or system configuration, you can use the stand-alone Tivoli Identity Manager configuration utilities to recover. For more information about these utilities, see Chapter 7, “Configuring the Tivoli Identity Manager Server,” on page
© Copyright IBM Corp. 2009
95
Verifying the installation
This section describes verifying whether the database, the directory server, and other programs that the Tivoli Identity Manager Server uses are correctly configured and are in full communication with the Tivoli Identity Manager Server.
Ensuring that the WebSphere Application Server is running
The WebSphere Application Server on which the Tivoli Identity Manager application is deployed needs to be running.
To determine whether the WebSphere Application Server is running, enter this command:
• Windows operating systems: WAS_PROFILE_HOME\bin\serverStatus.bat -all
• UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/serverStatus.sh -all
If you do not find the process running, run this command to start the server:
• Windows operating systems: WAS_PROFILE_HOME\bin\startServer.bat server_name
• UNIX or Linux operating systems: WAS_PROFILE_HOME/bin/startServer.sh server_name
The value of server_name is the name of the WebSphere Application Server, for example, server1.
Additionally, examine the log files in the logs directory for entries that indicate the status of server1. For example, examine the log files in the WAS_PROFILE_HOME\logs\server1 directory.
Verifying that the Tivoli Identity Manager Server is running
To verify that the Tivoli Identity Manager Server and related processes are running, complete these steps:
1. Ensure that the WebSphere Application Server is running. Start the WebSphere administrative console. In a browser, enter this Web address: http://hostname:port/ibm/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
2. On the WebSphere administrative console, click Applications > Enterprise Applications and verify that the Tivoli Identity Manager Server is running. If the Tivoli Identity Manager Server is not running, select the application, and then click Start.
If the Tivoli Identity Manager Server does not start, examine the following log files:
• WAS_PROFILE_HOME\logs\server_name\SystemOut.log
The value of profile_name is the name of the WebSphere Application Server profile running Tivoli Identity Manager. The value of server_name is typically server1 for single-server environments.
• TIVOLI_COMMON_DIRECTORY\CTGIM\logs\trace.log
In this directory, also examine the msg.log file. Installing Tivoli Identity Manager Server defines the value of TIVOLI_COMMON_DIRECTORY.
3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded HTTP transport. For example, in a browser window, enter this Web address: http://hostname:port/itim/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number of the WebSphere virtual host. The default port number is 9080. The port number can be omitted if an HTTP server is used as the front-end proxy.
The browser displays the Tivoli Identity Manager login window. To log in to Tivoli Identity Manager, enter the Tivoli Identity Manager Server administrator user ID (itim manager) and password (immediately after installation, the value is secret).
4. After a first, successful login, the login window immediately prompts you to change the administrator password. Ensure that your password change is successful.
Note:
It is recommended that you create a backup administrator user ID with the same access rights as the "itim manager" user ID.
5. If continued attempts to log on to Tivoli Identity Manager fail, determine whether the SystemOut.log file contains errors about referencing Tivoli Identity Manager properties files. Ensure that the ITIM_HOME\data directory contains the properties files. Additionally, ensure that the WebSphere Application Server also references the ITIM_HOME\data directory. Complete these steps:
a. On the WebSphere administrative console, click Servers > Application Servers.
b. Select a server such as server1 and, under Server Infrastructure > Java and Process Management, click Process Definition.
c. In the Process Definition, click Java Virtual Machine.
d. Ensure that the Classpath field specifies the {ITIM_HOME}\data directory.
6. If continued attempts fail, examine the status of the Tivoli Identity Manager middleware:
• “Testing the database connection” on page 98
• “Ensuring that the directory server is operational” on page 101
Checking the Tivoli Identity Manager bus and messaging engine
Before starting the Tivoli Identity Manager Server, use the WebSphere administrative console to check the status of the bus and messaging engine.
To check the bus and messaging engine, complete these steps:
1. Start the WebSphere administrative console: http://hostname:port/ibm/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
2. Click Service Integration > Buses.
3. If the bus has been set up, you see itim_bus. Click itim_bus.
4. In the Topology section, click Messaging engines.
For a single-server installation, you see an engine named nodename.servername-itim_bus, and the status of the engine is started.
For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. The additional messaging engine is used for the Tivoli Identity Manager messaging cluster. All these engines need to be started.
If a messaging engine is not started, click the messaging engine name, and under the Additional Properties section, click Message store to see the data source JNDI name. From this JNDI name, you can link to the Tivoli Identity Manager data source defined under the Resources section and test the data source connection. If the data source connection test fails, see “Testing the database connection” for more information about how to resolve the issue. If the connection test succeeds, examine the WAS_PROFILE_HOME\logs\server_name\SystemOut.log file to determine the reason that the messaging engine cannot be started.
Verifying that the database is running correctly
Testing the database connection
Before starting the Tivoli Identity Manager Server, use the WebSphere administrative console to test the database connection. Complete these steps:
1. Start the WebSphere administrative console: http://hostname:port/ibm/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
2. Click Resources > JDBC > Data Sources.
3. Select ITIM Data Source.
4. Click Test Connection. A message appears that indicates the test result.
Repeat these steps for the ITIM Bus DataSource and, for clusters, additionally test the ITIM BUS Shared DataSource.
If any connections do not work, complete these steps:
1. The CLASSPATH definition of the JDBC provider is set up during the Tivoli Identity Manager installation. Verify that the CLASSPATH value is correct. Complete these steps:
a. Start the WebSphere administrative console: http://hostname:port/ibm/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
b. Click Resources > JDBC > JDBC Providers > ITIM XA DB2 JDBC Provider.
c. Examine the properties to verify that the CLASSPATH value is correct. For example, for DB2 its value is like these values:
$ITIM_DB_JDBC_DRIVER_PATH\db2jcc.jar
$ITIM_DB_JDBC_DRIVER_PATH\db2jcc_license_cisuz.jar
$ITIM_DB_JDBC_DRIVER_PATH\db2jcc_license_cu.jar
To determine the value of $ITIM_DB_JDBC_DRIVER_PATH, click Environment > WebSphere Variables. Scroll through the list to locate the variable and confirm that it is correct.
2. Verify that the DB2 user ID and password are correct. Complete these steps:
a. Start the WebSphere administrative console: http://hostname:port/ibm/console
The value of hostname is the fully qualified host name or the IP address of the computer on which the WebSphere Application Server is running. The value of port is the port number for the WebSphere administrative HTTP transport. The default value is 9060.
b. Click Resources > JDBC > Data Sources > ITIM Data Source.
c. Examine these fields to verify the correct values:
• Component-managed Authentication Alias: the value is itim-init.
• Container-managed Authentication Alias: the value is itim-init.
d. Under the Related Items category, click JAAS - J2C authentication data. Examine the Alias list to ensure that an itim-init entry exists.
1) Click itim-init.
2) Verify that the value of the user ID field is identical to the Tivoli Identity Manager Database User specified in the ITIM_HOME\data\enRole.properties file, for example, itimuser. Do not change this value.
3) Note the password field. If you use this field to reset the password, ensure that the password value that you enter is identical to the value defined in the ITIM_HOME\data\enRoleDatabase.properties file.
3. Ensure that other database settings are correct by checking the status of the DB2 service listening port (typically 50000, 50002, or 60000) with a utility such as netstat. The system etc directory contains a file called services, which contains the actual port number being used. For more information, see “Determining the correct service listening port and service name” on page 17.
4. If DB2 is not listening on the port and you are using IPv6 and UNIX/Linux to connect to DB2, you might need to modify your /etc/hosts file. Complete these steps:
a. On the machine running IPv6, append these two lines to your /etc/hosts file:
IPv4_address hostname
IPv6_address hostname
For example, if the hostname is myhost, the IPv6_address is 0000:ffff:ffff:0000:20e:cff:fe50:39c8 and the IPv4_address is 192.168.4.4, then you need to append these two lines to the /etc/hosts file.
b. Log in as the DB2 instance owner and restart the DB2 server by issuing the following commands:
db2stop
db2start
c. Ensure that DB2 is running on the IPv6 address by issuing the following command: netstat -an | grep db2port
For example, if DB2 is running on port 50000, then you see the following line in the output:
tcp 0 0 :::50000 :::* LISTEN
Troubleshooting SQL Server 2005 issues
When the itim manager account logs in for the first time, the user is typically prompted to change the password. This prompt might not work in the case of SQL Server 2005. To resolve this issue, complete these steps:
1. After installing Tivoli Identity Manager, log in to the SQL Server 2005 host computer.
2. Launch the Microsoft SQL Server Management Studio.
3. Expand the SQL server in the object explorer.
4. Expand Databases and move to the master database.
5. Expand Security > Schemas.
6. Right-click DBO and click Properties.
7. Click Permissions, click Add, and browse to add the required users.
8. Grant all permissions to these required users and click OK.
9. Restart the server, disconnect, and reconnect with user sa in mixed authentication mode.
Database configuration is too restrictive for MS SQL Server
If Tivoli Identity Manager is configured with MSSQL Server 2005 as the Tivoli Identity Manager database, you might receive the following message in the trace.log file. The error might occur the first time you access the Tivoli Identity Manager server after you perform the DBConfig operation:
javax.transaction.xa.XAException: java.sql.SQLException: Failed to create the XA control connection.
Error: EXECUTE permission denied on object 'xp_sqljdbc_xa_init', database 'master', schema 'dbo'..
To resolve this issue, complete the following steps:
Note:
In this task, itimuser is the database user configured for the ITIM database, and itimdb is the name of the database configured for Tivoli Identity Manager.
1. Stop the application server.
2. Launch the Microsoft SQL Server Management Studio.
3. Expand the SQL server in the object explorer.
4. Expand Databases and delete itimdb.
5. Delete the itimuser schema from the master database:
a. Expand Databases > System Databases > master > Security > Schemas.
b. Delete itimuser.
6. Delete the itimuser, ITIML000, ITIML001, and so forth logins from Security > Logins.
7. Create the database. See Chapter 2, “Installing and configuring a database,” on page
8. Perform dbConfig.
9. Start the application server.
Note:
If the name of the database or database user is changed, perform runConfig and restart the application server.
Verifying that the directory server is properly running
Ensuring that the directory server is operational
This section describes the steps to ensure that the installed directory server for Tivoli Identity Manager is running.
To determine whether the IBM Tivoli Directory Server is running, complete these steps:
• On Windows systems, click Start > Programs > Administrative Tools > Services. Locate the directory server entry, such as IBM Tivoli Directory Server Instance V6.2 - ldapdb2. Ensure that the directory server service is started. If the service has not started, select it, and then select Action > Start from the main menu of the Services window.
• On UNIX/Linux systems, ensure that the ibmslapd process is running. Enter this command: ps -ef | grep ibmslapd
The ps (process) command lists processes. The grep command selects the lines that contain a string. The parameters in this example include:
-e Select all processes.
-f Display a full listing.
If the IBM Tivoli Directory Server is running, a process ID (PID) number is returned. Note that the grep command also matches its own process line, so look for the ibmslapd server line rather than the grep line. If a PID number for the server is not returned, the server must be restarted. First, stop the server: ibmslapd -I <instancename> -k
Restart the server: ibmslapd -I <instancename>
• If the IBM Tivoli Directory Server is running, you must ensure that the IBM Tivoli Directory Server is not in configuration-only mode. Enter this command: ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode
If the IBM Tivoli Directory Server is not in configuration mode, the value of the ibm-slapdisconfigurationmode attribute is FALSE. The ldapsearch command opens a connection to an LDAP server, binds, and performs a search. The -s parameter specifies the scope of the search: base, one, or sub, which searches the base object, one level, or the subtree. The -b parameter uses searchbase as the starting point for the search, instead of the default.
If problems continue, examine the ibmslapd.log file for messages that indicate whether the directory server is completely or partially started. The location of the log file depends on the IBM Tivoli Directory Server version:
Windows: ITDS_INSTANCE_HOME\logs\ibmslapd.log. For example, the file is in the C:\idsslapd-ldapdb2\logs directory.
UNIX/Linux: ITDS_INSTANCE_HOME/etc/ibmslapd.log. On Linux, for example, the file is in the /home/ldapdb2/idsslapd-ldapdb2/etc/logs directory.
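The DB2 listening-port check in “Testing the database connection” and the ldapsearch configuration-mode check above both come down to reading command output correctly. The following shell functions are an added example, not part of the guide: they parse the two output forms the text describes (the IPv6 ':::50000' LISTEN line, and the ibm-slapdisconfigurationmode attribute) so that the checks can be scripted, and treat a missing attribute as a distinct failure rather than as a healthy server. The wrapper functions that run netstat and ldapsearch are the example's own and assume a Linux host with those tools installed.

```shell
#!/bin/sh
# Added example (not IBM's code): scriptable versions of two checks from the
# verification steps in this chapter. Assumptions: Linux-style "netstat -an"
# output, ldapsearch output in either "attr=value" or "attr: value" form,
# POSIX sh with awk.

# port_is_listening PORT   (reads "netstat -an" output on stdin)
# Succeeds when a TCP socket is in LISTEN state on PORT, whether bound to an
# IPv4 address (0.0.0.0:50000) or to IPv6 (:::50000). Only the last
# colon-separated field of the local address is compared, so the IPv6 form
# with its run of colons is handled exactly like the IPv4 form.
port_is_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# ldap_in_config_mode   (reads on stdin the output of
#   ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode)
# Returns 0 when the server reports TRUE (configuration-only mode, which
# Tivoli Identity Manager cannot use), 1 when it reports FALSE (normal
# operation), and 2 when the attribute is absent, so an empty or failed
# search is never mistaken for a healthy directory server.
ldap_in_config_mode() {
    value=$(awk '{
        line = $0; sub(/\r$/, "", line)
        if (match(tolower(line), /^ibm-slapdisconfigurationmode[ \t]*[:=][ \t]*/)) {
            v = substr(line, RLENGTH + 1); sub(/[ \t]+$/, "", v)
            print toupper(v); exit
        }
    }')
    case $value in
        TRUE)  return 0 ;;
        FALSE) return 1 ;;
        *)     return 2 ;;
    esac
}

# Wrappers that run the real commands (the example's own; not exercised offline).
db2_listening() {           # usage: db2_listening 50000
    netstat -an | port_is_listening "$1"
}
directory_server_usable() { # succeeds only when ITDS answers and is not in configuration mode
    out=$(ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode 2>/dev/null) || return 2
    printf '%s\n' "$out" | ldap_in_config_mode
    [ $? -eq 1 ]
}
```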
Checking the Web browser operation
This section describes potential problems associated with the Web browser.
Ensuring that the browser registers the Java plug-in
Tivoli Identity Manager uses applets that require the Java plug-in, which is provided by the Java 2 Runtime Environment, Standard Edition (JRE). The Java plug-in provides a connection between browsers and the Java platform, and enables applets to run within a browser. For more information about the version of the Java plug-in that Tivoli Identity Manager supports, refer to the Tivoli Identity Manager Information Center.
If the Java plug-in is not installed on your system, or is not at a supported level, the browser prompts you to install the plug-in. For more information about these steps, refer to the Tivoli Identity Manager Information Center.
Microsoft Internet Explorer: Enabling active scripting
For Microsoft Internet Explorer, ensure that the Active Scripting item is enabled in the Scripting section of the Internet Options. Complete these steps:
1. Click Tools > Internet Options on the main menu.
2. On the Security tab, click the Internet icon, and then click the Custom Level button.
3. In the Scripting, Active Scripting area, select Enable.
4. Click OK.
5. In the Internet Options window, click OK.
Using a supported browser
You might not be able to log on to Tivoli Identity Manager for various reasons. For example, you could be using an unsupported Web browser. For a list of supported browsers, refer to the Tivoli Identity Manager Information Center.
Avoiding two Web browser sessions on the same computer
Do not start two separate browser sessions from the same client computer. The two sessions are regarded as one session ID, which causes problems with data.
Troubleshooting Tivoli Identity Manager within WebSphere Application Server
The Tivoli Identity Manager application runs within the WebSphere Application Server as an enterprise application. The Tivoli Identity Manager installation program uses the WebSphere command-line interface (wsadmin) to deploy the Tivoli Identity Manager application onto the WebSphere Application Server. Deploying the Tivoli Identity Manager application also performs certain configuration steps on the WebSphere Application Server.
When the deployment completes, the Tivoli Identity Manager files are in these directories:
• WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
• WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
If the deployment fails, check the installation log files under ITIM_HOME\install_logs\, starting with itim_install_activity.log, and examine the setupEnrole.stdout log file.
Correcting connection scripting errors
If the log data indicates a failure to establish a SOAP connection to the WebSphere Application Server configuration manager, or some type of WebSphere Application Server scripting error, complete these steps:
1. Resolve the problem that prevents the connection to the WebSphere Application Server or the problem described as a scripting error. For more information, refer to the WebSphere documentation.
2. Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:
• If WebSphere administrative security and application security are on, run this command (on one line):
ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id password:pwd ejbuser:ejb_user_id
The value of name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.
• If WebSphere administrative security and application security are off, enter this command:
ITIM_HOME\bin\setupEnrole.exe install server:name
Correcting timeout errors
If the log data indicates that the failure is due to a timeout error, continue the Tivoli Identity Manager installation process.
If the Tivoli Identity Manager installation program has completed, delete the following directories if they exist:
• WAS_PROFILE_HOME\installedApps\cellname\ITIM.ear
• WAS_PROFILE_HOME\config\cells\cellname\applications\ITIM.ear
Run one of the following commands to deploy the Tivoli Identity Manager Server onto the WebSphere Application Server:
• If WebSphere administrative security and application security is on, run this command:
  – Windows operating systems:
    ITIM_HOME\bin\setupEnrole.exe install server:name user:user_id password:pwd ejbuser:ejb_user_id
  – UNIX or Linux operating systems:
    ITIM_HOME/bin/setupEnrole.sh install server:name user:user_id password:pwd ejbuser:ejb_user_id
  The value of name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadmin. The value of ejb_user_id is the Tivoli Identity Manager EJB user ID, which uses the WebSphere Application Server administrator user ID by default.
• If WebSphere administrative security and application security is off, enter this command:
  – Windows operating systems:
    ITIM_HOME\bin\setupEnrole.exe install server:name
  – UNIX or Linux operating systems:
    ITIM_HOME/bin/setupEnrole.sh install server:name
Chapter 9. Verifying and troubleshooting the installation
103
Determining the port number of the default host
If you have multiple instances of WebSphere Application Server running on the same computer, the port number might be a different value. To determine the port number of the default host, complete these steps:
1. Log in to the WebSphere Application Server administrative interface.
2. Click Server > Application servers.
3. Click the server which hosts the Tivoli Identity Manager application cluster member.
4. Under the Communications section, click the Ports link.
5. Find the port number listed next to the WC_defaulthost port name. This port number is the one used to connect to Tivoli Identity Manager.
Log files
When the system configuration is complete, you can find the log files in Table 5 in the directories specified.
Table 5. Installation log file names and directories

File names                    Description and location
log.txt                       Installation log file for WebSphere Application Server.
                              Located in the system temp directory.
itim_install.stdout           Standard out and error log files for Tivoli Identity Manager.
itim_install.stderr           Located in the system root directory.
dbConfig.stdout               Located in the ITIM_HOME\install_logs directory.
ldapConfig.stdout
itim_installer_debug.txt
runConfigFirstTime.stdout
runConfig.stdout
setupEnrole.stdout
StartStopWas.stdout
itim_install_activity.log
trace.log                     Located in the TIVOLI_COMMON_DIRECTORY\CTGIM\logs\ directory.
msg.log                       The Tivoli Common Directory is the central location for all
                              serviceability-related files, such as log files and first-failure
                              capture data.
cfg_itim_mw.log               The middleware configuration utility log file.
                              Located in the System %TEMP% directory.
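The recovery procedures above ("Correcting connection scripting errors" and "Correcting timeout errors") and the log locations in Table 5 can be driven from one script. The following is an added example written for this page, not a script that ships with Tivoli Identity Manager: it reads itim_install_activity.log and setupEnrole.stdout from ITIM_HOME/install_logs, classifies the failure by keyword, removes the two stale ITIM.ear directories for the timeout case, and builds the matching setupEnrole.sh command line. The keyword patterns (SOAP, timeout, WASX/scripting), the function names and the sample log fragments are assumptions constructed for the example; check the real log text on your system before relying on them.

```shell
#!/bin/sh
# Added example, not part of Tivoli Identity Manager: triage a failed ITIM.ear
# deployment from the install logs and rebuild the setupEnrole.sh command.
# The keyword patterns below are assumptions; confirm them against your own logs.

# Constructed sample log fragments, used only to demonstrate the classifier.
SAMPLE_SOAP_LOG='Error creating SOAP connection to host dmgr.example.test port 8879
Unable to reach the WebSphere Application Server configuration manager'
SAMPLE_TIMEOUT_LOG='Deploying ITIM.ear to server1
Timed out waiting for the application installation to complete'

# Print one of soap | timeout | scripting | unknown for the given log files.
# Missing files are skipped; no text at all means there is nothing to classify.
classify_install_log() {
    text=$(cat "$@" 2>/dev/null || true)
    if [ -z "$text" ]; then
        echo unknown
    elif printf '%s\n' "$text" | grep -qi 'SOAP'; then
        echo soap          # cannot reach the configuration manager: fix connectivity first
    elif printf '%s\n' "$text" | grep -qiE 'timeout|timed out'; then
        echo timeout       # deployment ran too long: remove stale EAR directories, redeploy
    elif printf '%s\n' "$text" | grep -qiE 'WASX|scripting'; then
        echo scripting     # wsadmin scripting error (assumed WASX* message ids): fix it first
    else
        echo unknown
    fi
}

# The two directories a failed deployment can leave behind (paths from the guide).
stale_itim_ear_dirs() {   # $1 = WAS_PROFILE_HOME, $2 = cellname
    printf '%s\n' "$1/installedApps/$2/ITIM.ear" \
                  "$1/config/cells/$2/applications/ITIM.ear"
}

remove_stale_itim_ear_dirs() {   # $1 = WAS_PROFILE_HOME, $2 = cellname
    stale_itim_ear_dirs "$1" "$2" | while IFS= read -r d; do
        if [ -d "$d" ]; then
            rm -rf "$d" && echo "removed $d"
        fi
    done
}

# Build the redeploy command line. With security_on=yes the guide's user, password
# and ejbuser arguments are added; ejbuser defaults to the administrator user ID.
build_setupenrole_cmd() {   # ITIM_HOME server_name security_on [user_id pwd ejb_user_id]
    cmd="$1/bin/setupEnrole.sh install server:$2"
    if [ "$3" = yes ]; then
        cmd="$cmd user:$4 password:$5 ejbuser:${6:-$4}"
    fi
    printf '%s\n' "$cmd"
}

# Whole procedure: ITIM_HOME WAS_PROFILE_HOME cellname server_name security_on [user pwd ejbuser]
redeploy_itim() {
    logs="$1/install_logs"
    kind=$(classify_install_log "$logs/itim_install_activity.log" "$logs/setupEnrole.stdout")
    case $kind in
        soap|scripting)
            echo "$kind error: fix the WebSphere connection or scripting problem (see $logs), then rerun" >&2
            return 1 ;;
        timeout)
            remove_stale_itim_ear_dirs "$2" "$3" ;;
    esac
    cmd=$(build_setupenrole_cmd "$1" "$4" "$5" "${6:-}" "${7:-}" "${8:-}")
    echo "running: ${cmd%%password:*}"   # echo the command without the password
    sh -c "$cmd"
}

# Only act when called with the full argument list; sourcing just defines the functions.
if [ "$#" -ge 5 ]; then
    redeploy_itim "$@"
fi
```

The administrator password is an argument of setupEnrole, so while the command runs it is visible in the process list to other local users, and it lands in shell history if typed interactively. Run the redeploy from a script file with restricted permissions rather than at an interactive prompt, and review what the install_logs files record afterwards, since setupEnrole.stdout may echo the arguments it was given.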
Chapter 10. Upgrading to Tivoli Identity Manager Version 5.1
The Tivoli Identity Manager installation program upgrades a computer that has one of the following versions of Tivoli Identity Manager:
• Tivoli Identity Manager Version 4.6
• Tivoli Identity Manager Version 5.0
• Tivoli Identity Manager Version 5.1 with WebSphere Application Server 6.1
Some manual steps are required to preserve or recustomize settings. This section describes upgrading both single-server and cluster configurations. For more information about prerequisite software that this release supports, refer to the Tivoli Identity Manager Information Center.
Description of the upgrade process
The upgrade process has these major tasks:
1. Migrate your operating system to a level that this release of Tivoli Identity Manager supports, and ensure that the system has the required fix pack or patches. For more information about operating system requirements, see the IBM Tivoli Identity Manager Information Center Release Information.
   Note: If you are upgrading from Linux SUSE 9 to SUSE 10, make sure to back up your existing /etc/services file before the upgrade and copy the file back to the /etc directory after the upgrade.
2. Migrate your database to the supported version, and ensure that you can perform database commands.
3. Migrate your directory server to the supported version, and ensure that you can perform directory server commands.
4. If you are using IBM Tivoli Directory Integrator, migrate it to the supported version.
5. If you are upgrading from Tivoli Identity Manager Version 4.6, install WebSphere Application Server in a separate directory. Running the WebSphere Application Server upgrade utilities (WASPreUpgrade and WASPostUpgrade) is not recommended. To perform the installation, perform the following tasks:
   • Single-server: Install WebSphere Application Server and any necessary fix packs for a stand-alone node.
   • Cluster: Install WebSphere Application Server and any necessary fix packs on the deployment manager node and each cluster member node, then federate the nodes to the cell and create a cluster.
   If you do not want to disable the old version of WebSphere Application Server upon installing WebSphere Application Server, make sure to choose the option to allow coexistence with WebSphere Application Server Version 5.1. The WebSphere Application Server detects any port conflicts with the older version.
   documentation at this Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp
   If you are upgrading from Tivoli Identity Manager Version 5.0, apply any necessary fix packs to WebSphere Application Server.
6. If you are upgrading from Tivoli Identity Manager Version 4.6, stop the old version of WebSphere Application Server where Tivoli Identity Manager is running:
   • Single-server: Stop WebSphere Application Server Version 5.1.
   • Cluster: Stop WebSphere Application Server Version 5.1 on all nodes in the cell where Tivoli Identity Manager is running and stop the WebSphere Application Server deployment manager.
7. Upgrade the Tivoli Identity Manager Server using the Tivoli Identity Manager Version 5.1 installation program.
   The Tivoli Identity Manager installation program upgrades the database schema and data, the directory server schema and data, the WebSphere Application Server configuration for Tivoli Identity Manager, the Tivoli Identity Manager property files, and other Tivoli Identity Manager files. During the upgrade process, the ITIM_HOME\data directory is backed up to the ITIM_HOME\data\backup directory for later recovery if necessary.
   If you are using IBM Tivoli Directory Integrator, you need to upgrade the adapters separately. See the IBM Tivoli Identity Manager Information Center Adapter document for detailed instructions.
   Note: To perform the upgrade, you must select the current ITIM_HOME directory as the Tivoli Identity Manager Version 5.1 installation location.
   After making an upgrade, you can validate the current Tivoli Identity Manager version by examining the copyright notice in the header of the Messages.properties file in the ITIM_HOME\data directory.
Processes and settings that the upgrade process preserves
The upgrade process preserves running workflow processes pending for approval or other related actions such as password changes. If you are upgrading from Tivoli Identity Manager 4.6, for these workflow processes to continue to run after upgrade, you need to ensure that no messages are in the Java Message Service
The upgrade process preserves the following settings:
• Certificate-authority (CA) certificates. Tivoli Identity Manager demonstration certificates are updated.
• Tivoli Identity Manager properties defined in the following files:
  – enRole.properties
  – enRoleAuthentication.properties
  – enRoleDatabase.properties
  – enRoleLDAPConnection.properties
  – enRoleMail.properties
  – enRoleLogging.properties
  – enroleAuditing.properties
  – enroleworkflow.properties
  – ui.properties
  – CustomLabels.properties
  – CustomLabels_en.properties
  – adhocreporting.properties
  – crystal.properties
  – SelfServiceScreenText.properties
  – SelfServiceScreenText_en.properties
  – SelfServiceHelp.properties
  – SelfServiceUI.properties
  – SelfServiceHomePage.properties
  – scriptframework.properties
• The following workflow system files in the data\workflow_systemprocess directory:
  – notifytemplate.html
    Note: The notification template has been modified since Tivoli Identity Manager Version 5.0. To use the new template, rename notifytemplate.html.5.0 back to notifytemplate.html. For more
  – addserviceselectionpolicy.xml
• Any default notification templates stored in LDAP if they were modified in Tivoli Identity Manager Version 4.6 or 5.0. If you are upgrading from Tivoli Identity Manager 4.6 and none of the default notification templates were modified in Version 4.6, the upgrade process replaces all of them with the new templates. For more information about manual migration of notification templates, see “Migrating notification templates” on page 118.
Processes and settings that are not preserved, or require manual upgrade
The upgrade process does not preserve the following workflow processes, which you must stop or allow to complete before you upgrade Tivoli Identity Manager:
• Policy Add/Modify/Remove
• Dynamic Role Add/Modify/Remove
• Reconciliations
• Identity feeds
All other customized data and settings are lost after the upgrade process. For more information, see “Preserving customized data manually” on page 117. These user customizations are not preserved:
• Java security (for Tivoli Identity Manager 4.6 on WebSphere Application Server 5.1)
  If you are upgrading from Tivoli Identity Manager 4.6, you need to manually apply the changes that you made for the previous IBM Development Kit for Java to the new IBM Development Kit for Java bundled with the WebSphere Application Server.
• Custom logos used in a Welcome page and XLS style sheets. If you modified the welcome page, you must reimplement the Styles.css file.
• EJB user ID and password (for Tivoli Identity Manager 4.6 on WebSphere Application Server 5.1)
  During upgrade the user enters the WebSphere Application Server administrator user ID and password. If you are running Tivoli Identity Manager 4.6 on WebSphere Application Server 5.1, the user ID and password might be the same as or different from this new entry. The default Tivoli Identity Manager EJB user ID and password on the Security tab of the system configuration GUI is set as the same as the WebSphere Application Server 6.1 administrative user ID and password. Change the EJB user ID and password if the user ID and password are different from the WebSphere Application Server administrative user ID and password.
• Any customized WebSphere Application Server configurations. Examples include the ITIM_CLIENT role mapping, which must be remapped, and the shared library used by Tivoli Identity Manager through a WebSphere Application Server shared library definition.
• Crystal configuration
  Back up all existing Crystal configuration scripts before performing the upgrade so the same scripts can be referenced later. For more information about Crystal configuration, see “Configuring Crystal” on page 123.
Additionally, manually upgrade the following components:
• Tivoli Identity Manager jar files that the Tivoli Identity Manager client applications use.
  Tivoli Identity Manager client applications must replace their current itim_api.jar, api_ejb.jar, itim_server_api.jar and jlog.jar files with those files from Tivoli Identity Manager Version 5.1.
  For any Tivoli Identity Manager client application that has a duplicate copy of Tivoli Identity Manager properties files on the client side, take these steps:
  1. Rename the duplicate property files on the client application to preserve any manual changes that you might have made.
  2. Copy the property files from the Tivoli Identity Manager Server to the duplicate copy on the client application.
  3. If you manually changed the duplicate property files earlier, manually apply the changes again.
• The HR Feed services forms in Tivoli Identity Manager 5.1 add a new check box for evaluating Separation Of Duty policies. To enable this feature, use Configure System -> Design Form to include the new attribute erevaluatesod in the HR feed service definition form. The erevaluatesod attribute is of the type boolean and needs to be included as a check box on the form.
• Tivoli Identity Manager Version 5.1 has introduced new default access control items; however, the upgrade process does not change the access control items for the existing organizations. You need to manually upgrade them. For more details, see “Manually upgrading the access control items” on page 123.
Before you begin
Before upgrading Tivoli Identity Manager, complete these steps:
1. Reduce system activity before starting the upgrade process.
   It is recommended that you avoid starting policy enforcements or reconciliation requests before upgrading Tivoli Identity Manager. Do not delete entries directly from the SCHEDULED_MESSAGES table in the Tivoli Identity Manager database.
2. Complete or stop the following workflow processes, which are not preserved during upgrade:
   • Policy Add/Modify/Remove
   • Dynamic Role Add/Modify/Remove
   • Reconciliations
   • Identity feeds
3. Make sure that no new workflow requests are submitted before the upgrade process by shutting down API clients and turning off web access to the Tivoli Identity Manager application. If you are upgrading from Tivoli Identity Manager 4.6, for running workflow processes to continue to run after upgrade,
   how to check the JMS queues.
4. Migrate the database server to the supported version. Then, back up the Tivoli Identity Manager database, and ensure that the database server is running.
   • DB2 Database
     For information about upgrading DB2 Database, refer to this Web site: http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp
     Note: Upon upgrade of DB2 Database, the port number might change. Verify the port number that you are using. For more information, see “Determining the correct service listening port and service name” on page 17.
   • Oracle
     For information about upgrading Oracle, refer to this Web site: http://www.oracle-base.com/articles/11g/UpgradingTo11g.php
   • SQL Server 2005
     For information about upgrading SQL Server 2005, refer to this Web site: http://www.microsoft.com/sql/solutions/upgrade/default.mspx
     For information about configuring SQL Server 2005, see “Configuring SQL
5. Migrate the directory server to the supported version. Then, back up the Tivoli Identity Manager schema and data, and ensure that the directory server is running. For Tivoli Identity Manager Version 4.6 or 5.0 recovery purposes, export the Tivoli Identity Manager LDAP directory to an LDIF file. If you are running the IBM Tivoli Directory Server, configure the IBM Tivoli Directory
   Note: Migration is not necessary if you are using IBM Tivoli Directory Server Version 6.1 or 6.2 or Sun Enterprise Directory Server 6.3, which are supported directory servers.
6. Complete these steps for the WebSphere Application Server installation and configuration:
   • Single-server: Install any necessary fix packs. If you are upgrading from Tivoli Identity Manager 4.6, install the WebSphere Application Server and any necessary fix packs for a stand-alone node.
   • Cluster: Install any necessary fix packs. If you are upgrading from Tivoli Identity Manager 4.6, install the WebSphere Application Server and any necessary fix packs on the deployment manager node and each cluster member node, then federate the nodes to the cell and create clusters for the Tivoli Identity Manager application and the messaging engine.
7. On a single-server configuration, and on each cluster member in a cluster configuration, complete these steps:
   a. Back up the itim directory.
   b. If you are upgrading from Tivoli Identity Manager 4.6, access the OLD_WAS_HOME\installedApps\cellname\enRole.ear directory and store any customized files in a temporary holding area.
   c. If you are upgrading from Tivoli Identity Manager 5.0, access the WAS_HOME\installedApps\cellname\ITIM.ear directory and store any customized files in a temporary holding area.
8. Ensure that the appropriate servers are running in the WebSphere environment. Complete this step:
   • Single-server configuration: Start WebSphere Application Server with the latest fix packs that you installed (refer to the Tivoli Identity Manager Information Center for the most current fix pack and possible APARs).
   • Cluster configuration: Using the WebSphere administrative console, ensure that the deployment manager and all the nodes are federated and the node agents are running and that the latest fix packs have been installed (refer to the Tivoli Identity Manager Information Center for the most current fix pack and possible APARs).
9. If you are upgrading from Tivoli Identity Manager 4.6, stop and remove the Tivoli Identity Manager application enRole using the WebSphere administrative console for 5.1.
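Step 7 above asks you to back up the itim directory and set aside customized files from the deployed EAR, and the earlier sections of this chapter list which properties files the upgrade preserves and which customizations are lost. The following is an added example written for this page, not a utility shipped with Tivoli Identity Manager: it copies ITIM_HOME and the deployed ITIM.ear directory into a holding area, records a checksum manifest of ITIM_HOME, and after the upgrade compares a fresh manifest against it so that changed, added or removed files (including customizations the upgrade did not keep) stand out. It also prints the copyright header of data/Messages.properties, which the chapter names as the way to confirm the installed version. The holding-area layout, the manifest format, the function names and the use of sha256sum with cksum as a fallback are choices made for this example; the property files in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of Tivoli Identity Manager: snapshot the files the
# upgrade touches, then diff the snapshot against the post-upgrade tree.

# Properties files the guide lists as preserved by the upgrade (in ITIM_HOME/data).
PRESERVED_PROPERTY_FILES='enRole.properties enRoleAuthentication.properties
enRoleDatabase.properties enRoleLDAPConnection.properties enRoleMail.properties
enRoleLogging.properties enroleAuditing.properties enroleworkflow.properties
ui.properties CustomLabels.properties CustomLabels_en.properties adhocreporting.properties
crystal.properties SelfServiceScreenText.properties SelfServiceScreenText_en.properties
SelfServiceHelp.properties SelfServiceUI.properties SelfServiceHomePage.properties
scriptframework.properties'

# Digest of one file: SHA-256 where available, otherwise the POSIX cksum CRC
# (enough to detect drift, not to resist deliberate tampering).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# Write "digest path" for every file under $1 into manifest $2 (paths relative to $1).
# Assumes file names without spaces or newlines.
snapshot_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$(file_digest "$f")" "$f"
      done ) > "$2"
}

# Compare two manifests; prints sorted "added|changed|missing <path>" lines.
compare_manifest() {   # $1 = manifest before, $2 = manifest after
    awk 'NR == FNR { before[substr($0, index($0, " ") + 1)] = $1; next }
         { after[substr($0, index($0, " ") + 1)] = $1 }
         END {
             for (p in before) {
                 if (!(p in after)) print "missing " p
                 else if (before[p] != after[p]) print "changed " p
             }
             for (p in after) if (!(p in before)) print "added " p
         }' "$1" "$2" | LC_ALL=C sort
}

# List which of the guide's preserved properties files exist in ITIM_HOME/data.
list_preserved_property_files() {   # $1 = ITIM_HOME
    for f in $PRESERVED_PROPERTY_FILES; do
        [ -f "$1/data/$f" ] && echo "$1/data/$f"
    done
    return 0
}

# Copy the pre-upgrade state into a holding area and record its manifest.
# Properties files can hold connection settings and credentials, so the holding
# area is created owner-only.
backup_customizations() {   # ITIM_HOME WAS_PROFILE_HOME cellname holding_dir
    mkdir -p "$4" && chmod 700 "$4"
    cp -Rp "$1" "$4/itim"
    ear="$2/installedApps/$3/ITIM.ear"
    if [ -d "$ear" ]; then cp -Rp "$ear" "$4/ITIM.ear"; fi
    snapshot_manifest "$1" "$4/itim.before.manifest"
}

# After the upgrade: compare the live ITIM_HOME with the pre-upgrade manifest.
report_upgrade_changes() {   # ITIM_HOME holding_dir
    snapshot_manifest "$1" "$2/itim.after.manifest"
    compare_manifest "$2/itim.before.manifest" "$2/itim.after.manifest"
}

# The guide's version check: the comment header of data/Messages.properties.
tim_version_header() {   # $1 = ITIM_HOME
    sed -n '/^#/p; /^[^#]/q' "$1/data/Messages.properties"
}
```

Run backup_customizations before starting the installer and report_upgrade_changes after it finishes; every "changed" or "missing" line under data/ is a candidate for the manual re-application described in "Preserving customized data manually". Because the installer itself writes ITIM_HOME/data/backup, those files show up as "added" and can be ignored.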
Upgrading from Tivoli Identity Manager Version 4.6 or 5.0 to Version 5.1 or Version 5.1 on WebSphere Application Server 6.1 to WebSphere Application Server 7.0
These tasks can be used to upgrade a single-server configuration or a cluster configuration.
Note: In Tivoli Identity Manager version 4.6 and earlier, the eralias attribute was the default basis for the global adoption policy. After version 5.0 the global adoption policy is based on the UID attribute. If you are upgrading to Tivoli Identity Manager version 5.1 from version 4.6 or earlier, you need to preserve the existing adoption policy.
Upgrading a single-server configuration
The upgrade process performs these tasks in a single-server configuration:
1. Backs up files in the ITIM_HOME\data directory.
2. Replaces the files in the ITIM_HOME directory.
3. Checks the WebSphere Application Server Version status and tries to start the WebSphere Application Server if it is not running. Refer to the Tivoli Identity Manager Information Center for the most current fix pack and possible APARs.
4. Starts the system configuration tool (runConfig) to prompt the user to examine current system configuration values.
5. Updates several Tivoli Identity Manager properties files. For more information, see “Processes and settings that the upgrade process preserves” on page 106.
6. Configures WebSphere Application Server for Tivoli Identity Manager Version 5.1.
7. Upgrades the Tivoli Identity Manager database schema and data.
8. Upgrades the Tivoli Identity Manager directory server schema and data.
9. Deploys the Tivoli Identity Manager application (ITIM.ear) to WebSphere Application Server.
10. Stops and starts WebSphere Application Server as well as the Tivoli Identity Manager application.
To upgrade a single-server configuration, complete these steps:
1. To run the installation program, complete these steps:
   • Windows:
     a. Click Start > Run.
     b. Enter the drive and path where the installation program is located and then enter the following command: instwin.exe
        The Welcome window opens.
   • UNIX/Linux:
     a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
     b. Enter the following command for the Tivoli Identity Manager installation program:
        – AIX: instaix.bin
        – Linux: instlinux.bin
        – pLinux: instplinux.bin
        – zLinux: instzlinux.bin
        – Solaris: instsol.bin
        The installation program starts and displays the Welcome window.
     If you are running the installation program on a UNIX/Linux system that does not have at least 150MB of free space in the /tmp directory, set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
     – Bourne shell (sh), ksh, bash, and zsh:
       $ IATEMPDIR=temp_dir
       $ export IATEMPDIR
     – C shell (csh) and tcsh:
       $ setenv IATEMPDIR temp_dir
     where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
2. Select the appropriate language and click OK.
3. Click Next to advance past the copyright and legal text.
4. In the License Agreement window, read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next.
5. In the Choose Install Directory window, you must select the existing Tivoli Identity Manager home directory that you want to upgrade. Accept the existing directory, or click Choose and select the correct directory. Then, click Next.
6. In the Upgrade IBM Tivoli Identity Manager window, click Continue to Next to start the upgrade.
7. Read the caution windows to ensure that the prerequisite applications meet the requirements that Tivoli Identity Manager supports. Then, click Next.
8. In the WebSphere Application Server installation directory window, specify the location of WebSphere Application Server. There can be multiple instances of the WebSphere Application Server on the computer. Click Next.
9. In the next window, choose the WebSphere Application Server base profile where the Tivoli Identity Manager application is to be deployed. Click Next.
10. If WebSphere Application Server administrative security is on, a WebSphere Application Server user ID and password window is presented. Enter the user ID and password and click Next.
11. In the Java home window, note the directory to which Tivoli Identity Manager Version 5.1 now points. You might need to manually migrate any files that reference the previous directory to reference the current directory. Click OK.
12. If you use Oracle database or Microsoft SQL Server, a Where is the JDBC Driver? window is presented. Specify the JDBC driver location and name. Click Next. For more information, see “Installing the Oracle JDBC driver” on page 21 and “Installing the SQL Server JDBC driver” on page 25.
    Note: If you are upgrading from Tivoli Identity Manager 5.1 on WebSphere Application Server 6.1.1 to Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0, the JDBC driver setup panel is not displayed. Additional manual steps are needed for the Oracle database.
    a. After deploying Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0 Fix Pack 5, remove the ojdbc.jar file from ITIM_HOME/lib and replace it with ojdbc6.jar. Then, rename ojdbc6.jar to ojdbc.jar. This is necessary because WebSphere Application Server 7.0 uses JDK 1.6.
    b. Clear the service integration bus. See “Clearing the service integration bus” on page 116.
13. In the Tivoli Common Directory window, accept the default directory for the Tivoli Common Directory or specify a different directory. The Tivoli Identity Manager installation program creates the CTGIM subdirectory to store serviceability-related files for Tivoli Identity Manager. Ensure that the directory has at least 25 MB of free space. Click Next.
14. In the Pre-install Summary window, click Install.
15. The installation program launches the system configuration tool runConfig to enable you to change configuration settings, if necessary. In the System Configuration Tool window, examine the values of all parameters, which are preserved from the previous version of Tivoli Identity Manager.
    On the Database tab, verify that the JDBC URL has the correct format for a type 4 JDBC driver URL, and click Test to test the database connection.
    Change the EJB user ID and password on the Security tab if the user ID and password are different from the WebSphere Application Server administrative user ID and password.
    Verify the values and click OK. The system configuration requires several minutes to complete.
    For more information about runConfig, see “Configuring commonly used system properties” on page 77.
16. The installer invokes the database upgrade program to upgrade the database schema and data. You are prompted to provide the database administrative user ID and password to create or upgrade the database schema required for the messaging engine. If the administrative user ID does not have the proper privileges to create the database schema, an error message is displayed during the upgrade. Run the ITIM_HOME\bin\DBUpgrade program after the upgrade completes and enter the correct database administrative ID. This program ensures that the database schema and tables for the messaging engine are created.
17. The installer invokes the LDAP upgrade program to upgrade the LDAP schema and data silently.
    Note: For Sun Enterprise Directory Server 6.3, if the upgrade adds new indexes, you must index your data again after the upgrade to Tivoli Identity Manager Version 5.1 has completed.
18. After the installation has completed, you might have to manually update any customizations which were not preserved during the upgrade process. For more information, see “Preserving customized data manually” on page 117.
Upgrading a cluster configuration
The upgrade process performs these tasks in a cluster configuration:
1. Backs up files in the ITIM_HOME\data directory.
2. Replaces the files in the ITIM_HOME directory.
3. On the computer that has the deployment manager, does these tasks:
   a. Deploys the Tivoli Identity Manager application to WebSphere Application Server.
   b. Starts the system configuration tool (runConfig), which prompts the user to examine current system configuration values, updates several Tivoli Identity Manager properties files, and configures WebSphere Application Server for
   c. Upgrades the Tivoli Identity Manager database schema and data.
   d. Upgrades the Tivoli Identity Manager directory server schema and data.
4. On each computer that has a Tivoli Identity Manager cluster member, starts the system configuration tool (runConfig), which prompts the user to examine current system configuration values, updates several Tivoli Identity Manager properties files, and configures WebSphere Application Server for Tivoli
To upgrade a cluster configuration on the deployment manager, and on each cluster member computer, complete these steps:
1. To run the installation program, complete these steps:
   • Windows:
     a. Click Start > Run.
     b. Enter the drive and path where the installation program is located and then enter the following command: instwin.exe
        The Welcome window opens.
   • UNIX/Linux:
     a. Open a command shell prompt window, and navigate to the directory where the installation program is located.
     b. Enter the following command for the Tivoli Identity Manager installation program:
        – AIX: instaix.bin
        – Linux: instlinux.bin
        – pLinux: instplinux.bin
        – zLinux: instzlinux.bin
        – Solaris: instsol.bin
        The installation program starts and displays the Welcome window.
     If you are running the installation program on a UNIX/Linux system that does not have at least 150MB of free space in the /tmp directory, set the IATEMPDIR environment variable to a directory on a disk partition with enough free disk space. To set the variable, enter one of the following commands at the command line prompt before running the installation program again:
     – Bourne shell (sh), ksh, bash, and zsh:
       $ IATEMPDIR=temp_dir
       $ export IATEMPDIR
     – C shell (csh) and tcsh:
       $ setenv IATEMPDIR temp_dir
     where temp_dir is the path to the directory, for example /your/free/directory, where free disk space is available.
2. Select the appropriate language and click OK.
3. Click Next to advance past the copyright and legal text.
4. In the License Agreement window, read the license agreement and decide whether to accept its terms. If you do, select Accept and click Next.
5. In the Choose Install Directory window, you must select the existing Tivoli Identity Manager home directory that you want to upgrade. Accept the existing directory, or click Choose and select the correct directory. Then, click Next.
6. In the Upgrade IBM Tivoli Identity Manager? window, click Continue to Next to start the upgrade.
7. Read the caution windows to ensure that the prerequisite applications meet Tivoli Identity Manager requirements. Then, click Next.
8. If the Tivoli Identity Manager cluster member is installed on the computer, specify the WebSphere Application Server installation directory, and click Next. Then select the WebSphere Application Server profile name and click Next.
9. If the deployment manager is installed on the computer, specify the deployment manager installation directory, and click Next. Then select the WebSphere Deployment Manager profile name and click Next.
10. If WebSphere Application Server administrative security is on, a WebSphere Application Server user ID and password window is presented. Enter the user ID and password and click Next.
11. In the Java home window, note the directory to which Tivoli Identity Manager Version 5.1 now points. You might need to manually migrate any files that reference the previous directory so that they reference the current directory. Click OK.
12. If you use Oracle Database or Microsoft SQL Server, a Where is the JDBC Driver? window is presented. Specify the JDBC driver location and name. Click Next. For more information, see “Installing the Oracle JDBC driver” on page 21 and “Installing the SQL Server JDBC driver” on page 25.
Note: If you are upgrading from Tivoli Identity Manager 5.1 on WebSphere Application Server 6.1.1 to Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0, the JDBC driver setup panel is not displayed. Additional manual steps are needed for the Oracle database:
a. After deploying Tivoli Identity Manager 5.1 on WebSphere Application Server 7.0 Fix Pack 5, remove the ojdbc.jar file from ITIM_HOME/lib and replace it with ojdbc6.jar. Then, rename ojdbc6.jar to ojdbc.jar. This is necessary because WebSphere Application Server 7.0 uses JDK 1.6.
b. Clear the service integration bus. See “Clearing the service integration bus” on page 116.
13. In the Tivoli Common Directory window, accept the default directory for the Tivoli Common Directory or specify a different directory. The Tivoli Identity Manager installation program creates the CTGIM subdirectory to store serviceability-related files for Tivoli Identity Manager. Ensure that the directory has at least 25 MB of free space.
14. In the Pre-install Summary window, read the summary. Then, click Install.
15. The installation program launches the system configuration tool runConfig so that you can change configuration settings, if necessary. In the System Configuration Tool window, examine the values of all parameters, which are preserved from the previous version of Tivoli Identity Manager.
On the Database tab, verify that the JDBC URL has the correct format for a type 4 JDBC driver URL, and click Test to test the database connection.
On the Security tab, change the EJB user ID and password if they are different from the WebSphere Application Server administrative user ID and password.
Verify the values and click OK. The system configuration requires several minutes to complete.
For more information about runConfig, see “Configuring commonly used system properties” on page 77.
16. On the deployment manager, the installer invokes the database upgrade program to upgrade the database schema and data. You are prompted to provide the database administrative user ID and password to create or upgrade the database schema required for the messaging engine. If the administrative user ID does not have the privileges needed to create the database schema, an error message is displayed during the upgrade. In that case, run the ITIM_HOME\bin\DBUpgrade program after the upgrade completes and enter the correct database administrative ID. This program ensures that the database schema and tables for the messaging engine are created.
17. On the deployment manager, the installer invokes the LDAP upgrade program to upgrade the LDAP schema and data silently.
Chapter 10. Upgrading to Tivoli Identity Manager Version 5.1
115
Note: For Sun Enterprise Directory Server 6.3, if the upgrade adds new indexes, you must index your data again after the upgrade to Tivoli Identity Manager Version 5.1 has completed.
18. After the installation has completed, you might have to manually update any customizations that were not preserved during the upgrade process. For more information, see “Preserving customized data manually” on page 117.
Clearing the service integration bus
This task is necessary if you are upgrading Tivoli Identity Manager version 5.1 from WebSphere Application Server 6.1 to WebSphere Application Server 7.0 and are using an Oracle database.
Note: Java Message Service (JMS) queues must be empty before performing this task; otherwise critical data might be lost. For more information, see “Determining that the WebSphere MQ message queue is empty.”
On the target Tivoli Identity Manager Version 5.1 Oracle server:
1. Start the Oracle database.
2. Issue the following commands for each of the service integration bus (SIB) schemas in your environment:
delete from schema_name.SIB000
delete from schema_name.SIB001
delete from schema_name.SIB002
delete from schema_name.SIBCLASMAP
delete from schema_name.SIBKEYS
delete from schema_name.SIBLISTING
delete from schema_name.SIBXACTS
delete from schema_name.SIBOWNER
delete from schema_name.SIBOWNERO
where the SIB schema, schema_name, is:
Table 6. Service integration bus schema names
Tivoli Identity Manager environment   Schema name
Single-server                         ITIML000
Clustered                             ITIML000, ITIML001, ITIML002, ITIML003, and ITIMS000
Note: The SIBOWNERO table might not exist in all Tivoli Identity Manager environments. If it does not exist and the delete statement fails, you can ignore the failure message.
Determining that the WebSphere MQ message queue is empty
To determine whether the number of messages in the workflow queues is zero, and the queues are therefore empty, run the WAS_MQ_HOME\bin\runmqsc.exe utility and use the display command to show the status of the following queues:
• WQ_itim_ms, the mail services queue
• WQ_itim_rs, the remote services queue
• WQ_itim_wf, the workflow queue
• WQ_itim_adhocSync, the custom report services queue
• WQ_itim_rs_pending, the remote services pending queue
• WQ_itim_ps, the remote services queue
• WQ_itim_policy, the policy queue
• WQ_itim_policy_simulation, the policy simulation queue
• WQ_itim_import_export, the import/export queue
For example, in a single-server environment, assume that WebSphere MQ is deployed on the node named "A" and the server is named "server1". Enter this command:
runmqsc WAS_A_server1
In a clustered environment, enter this command:
runmqsc WAS_A_jmsserver
The following command displays the status of the Tivoli Identity Manager mail services queue, WQ_itim_ms; repeat it for each queue in the list above:
display qlocal('WQ_itim_ms') curdepth maxdepth
Ensure that all message queues are empty. In the resulting display, the CURDEPTH attribute shows the number of messages in the queue. For example:
AMQ8409: Display Queue details.
QUEUE(WQ_itim_ms) MAXDEPTH(640000)
CURDEPTH(0)
If all queue depths (CURDEPTH) are zero, no messages need processing; continue with the Tivoli Identity Manager upgrade. Do not restart WebSphere Application Server 5.1. If any current queue depth is greater than zero, messages are still being processed. Wait and check the queue depths again.
To return to the pre-upgrade steps, see “Before you begin” on page 108.
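The queue-depth check above and the SIB clean-up in “Clearing the service integration bus” are the gate that protects in-flight workflow data, so it is worth applying them mechanically rather than by eye. The following Python is an added example and is not part of this guide or the product: runmqsc_commands() produces the MQSC input for all nine queues listed above, parse_queue_depths() and queues_are_empty() evaluate the runmqsc output (a queue that never appears in the output is reported as a problem rather than assumed empty), and sib_cleanup_script() builds a SQL*Plus script from the schema names in Table 6 that tolerates a missing SIBOWNERO table, as the note permits, but aborts and rolls back on any other error. The sample runmqsc output is constructed; the WHENEVER SQLERROR handling and the explicit COMMIT are the example's own choices, not instructions from the guide.

```python
"""Pre-upgrade gate for clearing the service integration bus.

Added example (not IBM code): confirm every Tivoli Identity Manager JMS
queue is empty from runmqsc output, then build the SQL*Plus script that
empties the SIB tables named in the guide.
"""
import re

# Queue names and SIB table names as listed in the guide.
ITIM_QUEUES = [
    "WQ_itim_ms", "WQ_itim_rs", "WQ_itim_wf", "WQ_itim_adhocSync",
    "WQ_itim_rs_pending", "WQ_itim_ps", "WQ_itim_policy",
    "WQ_itim_policy_simulation", "WQ_itim_import_export",
]
SIB_TABLES = ["SIB000", "SIB001", "SIB002", "SIBCLASMAP", "SIBKEYS",
              "SIBLISTING", "SIBXACTS", "SIBOWNER", "SIBOWNERO"]
# Schema names from Table 6.
SIB_SCHEMAS = {
    "single-server": ["ITIML000"],
    "clustered": ["ITIML000", "ITIML001", "ITIML002", "ITIML003", "ITIMS000"],
}


def runmqsc_commands(queues=ITIM_QUEUES):
    """MQSC input for runmqsc: one display command per queue, then end.
    Save it to a file and redirect it into runmqsc <queue manager>."""
    lines = [f"display qlocal('{q}') curdepth maxdepth" for q in queues]
    return "\n".join(lines) + "\nend\n"


_QUEUE_RE = re.compile(r"QUEUE\(([^)]+)\)")
_DEPTH_RE = re.compile(r"CURDEPTH\((\d+)\)")


def parse_queue_depths(output):
    """Map queue name -> CURDEPTH from runmqsc output. runmqsc prints the
    QUEUE(...) and CURDEPTH(...) attributes of one display command on one
    or more lines, so the most recent QUEUE seen owns the next CURDEPTH."""
    depths, current = {}, None
    for line in output.splitlines():
        q = _QUEUE_RE.search(line)
        if q:
            current = q.group(1).strip()
        d = _DEPTH_RE.search(line)
        if d and current is not None:
            depths[current] = int(d.group(1))
    return depths


def queues_are_empty(output, queues=ITIM_QUEUES):
    """Return (ok, problems). ok is True only if every expected queue was
    reported with CURDEPTH(0). A queue that never appears in the output
    (mistyped name, wrong queue manager, AMQ8147 'not found') is listed as
    a problem: absence of evidence is not an empty queue."""
    depths = parse_queue_depths(output)
    problems = {}
    for q in queues:
        if q not in depths:
            problems[q] = "not reported"
        elif depths[q] > 0:
            problems[q] = f"{depths[q]} messages pending"
    return not problems, problems


def sib_cleanup_script(environment):
    """SQL*Plus script that empties the SIB tables of every schema for the
    environment. Any failed DELETE aborts the script and rolls back, except
    the DELETE on SIBOWNERO, which the guide says may not exist."""
    lines = ["WHENEVER SQLERROR EXIT SQL.SQLCODE ROLLBACK"]
    for schema in SIB_SCHEMAS[environment]:
        for table in SIB_TABLES:
            if table == "SIBOWNERO":
                lines.append("WHENEVER SQLERROR CONTINUE")
            lines.append(f"DELETE FROM {schema}.{table};")
            if table == "SIBOWNERO":
                lines.append("WHENEVER SQLERROR EXIT SQL.SQLCODE ROLLBACK")
    lines += ["COMMIT;", "EXIT"]
    return "\n".join(lines) + "\n"


# Constructed runmqsc output: the mail services queue is empty, the
# workflow queue still holds three messages, the other queues are absent.
SAMPLE_OUTPUT = """\
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_ms)                       TYPE(QLOCAL)
   CURDEPTH(0)                             MAXDEPTH(640000)
AMQ8409: Display Queue details.
   QUEUE(WQ_itim_wf)                       TYPE(QLOCAL)
   CURDEPTH(3)                             MAXDEPTH(640000)
"""

if __name__ == "__main__":
    import sys
    # Pass the saved runmqsc output as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    ok, problems = queues_are_empty(text)
    for name, why in sorted(problems.items()):
        print(f"{name}: {why}")
    print("safe to clear the SIB" if ok else "do NOT clear the SIB yet")
    sys.exit(0 if ok else 1)
```

Run it against the saved output of runmqsc; it exits non-zero until all nine queues report CURDEPTH(0). Only then generate the clean-up script with sib_cleanup_script("single-server") or sib_cleanup_script("clustered") and run it in SQL*Plus as a user with DELETE privilege on the SIB schemas.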
Preserving customized data manually
To preserve customized data that is not preserved by the upgrade process, complete these manual steps, if applicable.
Manually applying Java security
Manually apply the changes that you made for the previous IBM Development Kit for Java to the new IBM Development Kit for Java. For more information about
Customizing logos and style sheets
If you need to insert customized logos and style sheets in the WAS_HOME\cellname\ITIM.ear directory, restore these files from a backup location.
Preserving WebSphere Application Server customizations
You can preserve WebSphere customizations, such as specific JAR files, by using the settings for a WebSphere Application Server shared library. For a shared library, you need to define the name of the shared library to the newly deployed Tivoli Identity Manager Version 5.1. For example, Tivoli Identity Manager Version 4.6 or 5.0 might load a shared library with a name such as user_shared_library.
Complete these tasks on the WebSphere administrative console to associate the previously defined shared library with Tivoli Identity Manager Version 5.1:
1. Click Applications > Enterprise Applications > ITIM.
2. Click Shared library references.
3. Select the shared library, and click OK and Apply to apply the changes.
4. Save the configuration.
5. Restart the WebSphere Application Server to allow the changes to take effect.
You might need to preserve other WebSphere customizations.
Migrating notification templates
If you updated the default templates in the Tivoli Identity Manager 4.6 or 5.0 environment, the Tivoli Identity Manager upgrade program does not overwrite (upgrade) any notification templates. To migrate old notification templates to match those in Tivoli Identity Manager Version 5.1, you must manually update both the XML Text Template Language (XTTL) content and the style.
The following table lists the templates and their locations in the Tivoli Identity Manager configuration file "tenant.tmpl". Use this list as a reference for the updated default notification template content.
Table 7. Templates contained in tenant.tmpl
Template name                                  Template DN
Todo Item Reminder Notification                cn=Reminder,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Compliance Alert Notification          cn=Compliance,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default New Account Notification               cn=NewAccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default New Password Account Notification      cn=NewPassword,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Change Account Notification            cn=ChangeAccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Restore Account Notification           cn=RestoreAccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Suspended Account Notification         cn=SuspendedAccount,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Deprovision Account Notification       cn=Deprovision,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Activity Timeout Notification          cn=ActivityTimeout,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Process Timeout Notification           cn=ProcessTimeout,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default Process Completion Notification        cn=ProcessCompletion,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default ManualActivity Notification            cn=ManualActivityApproval,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default ManualActivityRFI Notification         cn=ManualActivityRFI,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Default ManualActivityWorkOrder Notification   cn=ManualActivityWorkOrder,erglobalid=<%config.workflow%>,ou=config,ou=itim,<%tenant.dn%>
Updating XML Text Template Language (XTTL) contents
The new XTTL contents needed for the default workflow notification templates in Tivoli Identity Manager Version 5.1 include:
• The following XTTL contents are needed for the default workflow notification templates if you are upgrading from Tivoli Identity Manager version 4.6 or 5.0:
Todo Item Reminder Notification
Remove:
<RE key="escalation_note"/> <escalationTime/>
Add:
<RE><KEY><JS>
var currentDate = new Date();
var currentTime = currentDate.getTime();
if (currentTime < reminderCtx.getEscalationDate().getTime())
{ return "workitem_due_note";
} else
{ return "workitem_overdue_note";
}
</JS></KEY>
<PARM><escalationTime/></PARM>
</RE>
• The following XTTL contents are needed for the default workflow notification templates if you are upgrading from Tivoli Identity Manager version 4.6. They are not required if you are upgrading from Tivoli Identity Manager version 5.0:
Default Compliance Alert Notification
Add:
<ITIMURL/>
Default New Account Notification
Add:
<ITIMURL/>
<JS>if (EmailContext.hasNewAccess()) {
'<RE key="accountNewAccess"/>:
<JS>EmailContext.getAccountNewAccessAsString();
</JS>\n';
}</JS>
Default New Password Account Notification
Add:
<ITIMURL/>
Default Change Account Notification
Add:
<ITIMURL/>
<JS>if (EmailContext.hasNewAccess()) {
'<RE key="accountNewAccess"/>:
<JS>EmailContext.getAccountNewAccessAsString();
</JS>\n';
}</JS>
Default Restore Account Notification
Add:
<ITIMURL/>
Default Suspended Account Notification
Add:
<ITIMURL/>
Default Deprovision Account Notification
Add:
<ITIMURL/>
<JS>if (EmailContext.hasRemovedAccess()) {
'<RE key="accountRemovedAccess"/>:
<JS>EmailContext.getAccountRemovedAccessAsString();
</JS>\n';
}</JS>
Default Activity Timeout Notification
– Add:
<ITIMURL/>
<JS>if (EmailContext.hasRemovedAccess()) {
'<RE key="accountRemovedAccess"/>:
<JS>EmailContext.getAccountRemovedAccessAsString();
</JS>\n';
}</JS>
– Remove the following:
<RE key="description"/>:
<RE><KEY><JS>activity.description;</JS></KEY>
</RE>
– Modify the following:
<RE key="state"/>: <RE>
<KEY><JS>process.STATE_PREFIX+activity.state;</JS>
</KEY>
</RE>
<RE key="detail"/>:
<JS>Enrole.localize(process.resultDetail, "$LOCALE");
</JS>
Default Process Timeout Notification
– Add:
<ITIMURL/>
– Modify the following:
<RE key="detail"/>:
<JS>Enrole.localize(process.resultDetail, "$LOCALE");
</JS>
Default Process Completion Notification
– Add:
<ITIMURL/>
– Modify the following:
<RE key="detail"/>:
<JS>Enrole.localize(process.resultDetail, "$LOCALE");
</JS>
Default ManualActivityApproval Notification
– Add:
<ITIMURL/>
<JS>if (process.subjectAccess!=null) if
(process.subjectAccess.length>0) {
'<RE key="accessName"/>:
<JS>process.subjectAccess;</JS>\n';
}</JS>
– Modify the following:
<JS>if (process.parentId == '0') { '<tr valign="middle"><td class="text-description" bgcolor="EBEDF3"><RE key="requestedBy"/>:</td><td width="773" class="text-description" bgcolor="white"><JS>process.requestorName;</JS></td></tr>';
}</JS>
Default ManualActivityRFI Notification
Add:
<ITIMURL/>
<JS>if (process.subjectAccess!=null) if
(process.subjectAccess.length>0) {
'<RE key="accessName"/>:
<JS>process.subjectAccess;</JS>\n';
}</JS>
Default ManualActivityWorkOrder Notification
No changes required.
For upgrades from Tivoli Identity Manager version 4.6, the following six new templates are added. For upgrades from Tivoli Identity Manager version 5.0, these templates are modified by the installation utility:
• Decline Mark notification
• Decline Marked notification
• Decline Deletes Access notification
• Decline Deleted Access notification
• Decline Marks Access notification
• Decline Marked Access notification
To modify the contents of default workflow notification templates, log in to the Tivoli Identity Manager Version 5.1 GUI administrative console with administrative permission and complete these steps:
1. Go to Configure System > Workflow Notification Properties.
2. Select the template to modify.
3. On the Notification Template page, modify the appropriate section of the notification template.
Updating notification template style
For upgrades from Tivoli Identity Manager version 4.6, the style of e-mail notifications (XHTML templates) has changed.
To design an XHTML template, use the following cascading style sheet (CSS) file and images:
• Imperative style sheet: BASE_URL/console/css/imperative.css
• Images
– Tivoli logo: BASE_URL/console/html/images/left-tiv-1.gif
– IBM banner: BASE_URL/console/html/images/ibm_banner.gif
– Background image: BASE_URL/console/html/images/mid-part-1.gif
– Template body: BASE_URL/console/html/images/portfolio_background.gif
Note: The value of BASE_URL is http://servername:port/itim
The following colors are used to format the background:
• Title bar: #a8a8a8
• Tables containing values: gray and EBEDF3
• Copyright table: #a8a8a8
To apply a style sheet, link the style sheet in the following way:
<link type="text/css" title="Styles" rel="stylesheet" href="BASE_URL/console/css/imperative.css" />
The text-description class of the above CSS is used to format the text in the e-mail notification. For example, to format the title, use the following code:
<!-- Title Bar -->
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr bgcolor="#a8a8a8">
<td height="20" width="8"></td>
<!-- ITIM Notification Label -->
<td height="20" class="text-description" width="979" valign="middle">
$TITLE
</td>
<td height="20" width="5"></td>
</tr>
</tbody>
</table>
To modify the contents of default workflow notification templates, log in to the Tivoli Identity Manager Version 5.1 GUI administrative console with administrative permission and complete these steps:
1. Go to Configure System > Workflow Notification Properties.
2. Select the template to modify.
3. On the Notification Template page, modify the appropriate section of the notification template.
Manually upgrading the access control items
The upgrade process does not affect the access control items for the existing organizations. The process does not add the new default access control items, nor does it modify or delete the existing access control items. However, it does add the new default user groups, if they do not exist. New organizations created after the upgrade have all the default access control items and user groups.
Tivoli Identity Manager introduced the customizable persona-based console for managing organizations in version 5.0. For an upgraded Tivoli Identity Manager version 5.1 to use the new features, you must manually create the access control items for the targeted persona. For example, for an auditor to run all the ready-to-use reports and view all the reporting data, you need all the access control items for the Auditor principal listed in the Tivoli Identity Manager Version 5.1 Information Center topic "Default access control items" (Administering > Security administration).
For more details on how to create an access control item, refer to the Tivoli Identity Manager Version 5.1 Information Center topic "Access control item management" (Administering > Security administration).
Configuring Crystal
Perform these steps to configure Crystal following an upgrade to Tivoli Identity Manager Version 5.1:
• WebSphere Application Server single-server:
1. Ensure that correct values are present in the ITIM_HOME\data\crystal.properties file.
2. Edit and run the following script:
– Windows: importCrystalJars_WAS.bat
– UNIX/Linux: importCrystalJars_WAS.sh
3. Edit and run the following script:
– Windows: CrystalTestWAS.bat
– UNIX/Linux: CrystalTestWAS.sh
4. Edit and run the following script:
– Windows: buildCrystalWebArchive_WAS.bat
– UNIX/Linux: buildCrystalWebArchive_WAS.sh
5. Edit and run the following script:
– Windows: CrystalUpgradeWAS.bat
– UNIX/Linux: CrystalUpgradeWAS.sh
• WebSphere Application Server cluster configuration:
– On the federated nodes, perform these steps:
1. Ensure that correct values are present in the ITIM_HOME\data\crystal.properties file.
2. Edit and run the following script:
- Windows: importCrystalJars_WAS.bat
- UNIX/Linux: importCrystalJars_WAS.sh
– On the network deployment manager, perform these steps:
1. Ensure that correct values are present in the ITIM_HOME\data\crystal.properties file.
2. Edit and run the following script:
- Windows: importCrystalJars_WAS.bat
- UNIX/Linux: importCrystalJars_WAS.sh
3. Edit and run the following script:
- Windows: CrystalTestWAS.bat
- UNIX/Linux: CrystalTestWAS.sh
4. Edit and run the following script:
- Windows: buildCrystalWebArchive_WAS.bat
- UNIX/Linux: buildCrystalWebArchive_WAS.sh
5. Edit and run the following script:
- Windows: CrystalUpgradeWAS.bat
- UNIX/Linux: CrystalUpgradeWAS.sh
For more information about Crystal configuration, refer to the Tivoli Identity Manager Information Center.
Chapter 11. Uninstalling Tivoli Identity Manager
Uninstalling Tivoli Identity Manager consists of using the Tivoli Identity Manager uninstallation program, which performs the following tasks:
• Removes all files in the ITIM_HOME directory that the Tivoli Identity Manager installation program created, including certificates in the ITIM_HOME\cert directory and the itimKeystore.jceks keystore file in the ITIM_HOME\config\keystore directory.
• Clears all configuration settings that were created for the Tivoli Identity Manager Server on the WebSphere Application Server.
• Removes the Tivoli Identity Manager Server that was deployed on these computers:
– Single-server configuration: Computer that has the WebSphere Application Server.
– Cluster configuration: Computer that has the deployment manager.
In a cluster configuration, uninstalling the Tivoli Identity Manager Server from the deployment manager removes the availability of the Tivoli Identity Manager Server to the cluster. The deployed Tivoli Identity Manager application files are automatically removed from Tivoli Identity Manager cluster members.
Reboot the Windows operating system after uninstallation to clean up any residual Tivoli Identity Manager files that could not be removed during the uninstallation process.
What is not removed
Uninstalling the Tivoli Identity Manager Server does not modify existing database tables or the directory server schema and data. The Tivoli Identity Manager log files are not removed.
For more information about manually removing the database tables, directory server schema, and log files, see “Manually removing components” on page 126.
Before you begin
Before you uninstall the Tivoli Identity Manager Server, complete these tasks:
• Single-server configuration
– Back up any certificates in the ITIM_HOME\cert directory and the itimKeystore.jceks keystore file in the ITIM_HOME\config\keystore directory. Store the backup with the same access restrictions as the originals.
– Ensure that the WebSphere Application Server is running.
• Cluster configuration
– Back up any certificates in the ITIM_HOME\cert directory and the itimKeystore.jceks keystore file in the ITIM_HOME\config\keystore directory. Store the backup with the same access restrictions as the originals.
– If you are uninstalling the Tivoli Identity Manager Server from a cluster configuration, ensure that the node agents and the deployment manager are running.
© Copyright IBM Corp. 2009
125
Steps to uninstall Tivoli Identity Manager
You can uninstall Tivoli Identity Manager from UNIX, Linux, or Windows operating systems by using the Tivoli Identity Manager uninstallation program directly, or from Windows operating systems by using Add/Remove Programs from the Windows Control Panel. If you are planning to reinstall Tivoli Identity Manager, use the Tivoli Identity Manager uninstallation program directly.
To uninstall Tivoli Identity Manager, complete these steps:
1. Uninstall the Tivoli Identity Manager Server using this command:
ITIM_HOME\itimUninstallerData\Uninstall_ITIM
• Single-server configuration: Run the command on the computer on which the Tivoli Identity Manager Server is installed.
• Cluster configuration: Run the command on each cluster member first, and then run the command on the computer on which the deployment manager is installed.
2. Complete the uninstallation wizard panels and confirm that you want to uninstall the Tivoli Identity Manager Server.
3. Reboot the Windows system after uninstallation to clean up any residual Tivoli Identity Manager files that could not be removed during uninstallation.
Verifying that the Tivoli Identity Manager Server is uninstalled
To verify that the Tivoli Identity Manager Server has been uninstalled and removed as an application from the WebSphere Application Server, complete these steps:
1. Examine the ITIM_HOME directory and remove any residual Tivoli Identity Manager directories, configuration files, and log files.
2. Launch the WebSphere administrative console and log in.
3. From the navigation tree, navigate to the target node, and click the Applications > Enterprise Applications link. A list is displayed of the enterprise applications that are installed on the application server.
If you see an application named ITIM listed, the uninstallation process was unable to automatically remove the Tivoli Identity Manager Server from the WebSphere Application Server. You can remove the application manually. For
Manually removing components
This section describes manually removing or stopping components that are not removed by the uninstallation process.
Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server
To uninstall the Tivoli Identity Manager Server in a single-server or a cluster configuration, complete these tasks:
1. On the WebSphere administrative console, take these steps:
a. Select Applications > Enterprise Applications.
b. Select the ITIM application.
c. Click Stop.
d. When the ITIM application stops, select the ITIM application again.
e. Click Uninstall.
2. Manually ensure that the ITIM.ear directory is removed. Take these steps:
a. Open the applications directory:
• Single-server and each cluster member: WAS_PROFILE_HOME\config\cells\cellname\applications
Notes:
1) Cluster members do not have the application directory if the .ear file is already removed.
2) The .ear file also needs to be removed from the WAS_PROFILE_HOME\config\cells\cellname\installedApps\ITIM.ear directory.
• Deployment manager: WAS_NDM_PROFILE_HOME\config\cells\cellname\applications
b. If the ITIM.ear directory exists, remove the directory.
Stopping and removing the Tivoli Identity Manager messaging engine
To stop and remove the Tivoli Identity Manager Server messaging engine in a single-server or a cluster configuration, complete these tasks on the WebSphere administrative console:
1. Select Service Integration > Buses.
2. Click itim_bus.
3. In the Topology section, click Messaging engines.
For a single-server installation, you see an engine named nodename.servername-itim_bus.
For a cluster installation, you see n+1 messaging engines, where n is the number of Tivoli Identity Manager cluster members. The additional messaging engine is used for the Tivoli Identity Manager messaging cluster.
4. Select one or more messaging engines and click Stop.
5. Remove the itim_bus configuration from the WebSphere administrative console.
6. In the Tivoli Identity Manager database, drop the tables and schema used by the messaging engines. Refer to the documentation for your database system for the appropriate commands. The file ITIM_HOME/config/rdbms/dbtype/drop_itim_sib.ddl provides an example.
Removing other Tivoli Identity Manager configuration settings from the WebSphere Application Server
To manually remove other Tivoli Identity Manager configuration settings from the WebSphere Application Server, complete the following tasks on the WebSphere administrative console:
• Remove the JDBC providers and data sources.
• Remove the JMS queue connection factories, queues, and activation specifications.
• Remove the object cache instances.
• Remove the security settings.
• Remove the core group policies (cluster configurations only).
• Remove the shared libraries.
• Remove the JVM classpath.
• Remove the WebSphere variables.
Removing the JDBC providers and data sources
To manually remove the JDBC provider and data source configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Resources > JDBC > JDBC Providers.
2. Choose All scopes as the scope level.
3. Select the JDBC provider names starting with "ITIM XA" or "ITIM non-XA".
4. Click Delete. The JDBC providers and the associated data sources are both removed.
5. Click Save to save the configuration.
Removing the JMS queue connection factories, queues, and activation specifications
To manually remove the JMS queue connection factory, queue, and activation specification configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Resources > JMS > Queue connection factories.
2. Choose All scopes as the scope level.
3. Select ITIM Queue Connection Factory and ITIM Shared Queue Connection Factory.
4. Click Delete.
5. Click Save to save the configuration.
6. Click Resources > JMS > Queues.
7. Choose All scopes as the scope level.
8. Select all the queue names starting with "itim".
9. Click Delete.
10. Click Save to save the configuration.
11. Click Resources > JMS > Activation specifications.
12. Choose All scopes as the scope level.
13. Select all the specification names starting with "itim".
14. Click Delete.
15. Click Save to save the configuration.
Removing object cache instances
To manually remove the object cache instance configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Resources > Cache instances.
2. Choose All scopes as the scope level.
3. Select LdapCache and SecondaryLdapCache.
4. Click Delete.
5. Click Save to save the configuration.
Removing security settings
To manually remove the security configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Security > Secure administration... > Java Authentication and Authorizations > J2C authentication data.
2. Select itim_init and itim_jms.
3. Click Delete.
4. Click Save to save the configuration.
5. Click Security > Secure administration... > Java Authentication and Authorizations > Application logins.
6. Select ITIM and serviceLoginContext.
7. Click Delete.
8. Click Save to save the configuration.
Removing core group policies (cluster environments only)
To manually remove the core group policy configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Servers > Core group settings.
2. Click DefaultCoreGroup.
3. Click Policies.
4. Select all the policy names starting with "itim_bus".
5. Click Delete.
6. Click Save to save the configuration.
Removing shared libraries
To manually remove the shared library configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Environment > Shared Libraries.
2. Choose All scopes as the scope level.
3. Select ITIM_LIB.
4. Click Delete.
5. Click Save to save the configuration.
Removing the JVM classpath
To manually remove the JVM classpath configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Servers > Application servers > servername > Java and Process Management > Process definition > Java Virtual Machine.
2. Remove {ITIM_HOME}/data from the classpath field.
3. Click Save to save the configuration.
Note: In a cluster configuration, repeat the steps for each member server of the application cluster.
Removing WebSphere variables
To manually remove the WebSphere variable configuration settings from the WebSphere Application Server, complete the following steps on the WebSphere administrative console:
1. Click Environment > WebSphere Variables.
2. Choose All scopes as the scope level.
3. Select all variables with the name "ITIM_HOME" or "ITIM_DB_JDBC_DRIVER_PATH".
4. Click Delete.
5. Click Save to save the configuration.
Manually removing other files or directories
To clean up any residual Tivoli Identity Manager files that were not removed during uninstallation, complete these steps:
1. Restart the operating system after uninstallation.
2. Examine the ITIM_HOME directory and remove any residual Tivoli Identity Manager directories, configuration files, log, .dll, .so, .a, and .jar files.
3. Restart the operating system.
Reinstalling Tivoli Identity Manager
For a cleaner installation, clean up the database and the LDAP server before running the Tivoli Identity Manager installation program again. Ensure that the Tivoli Identity Manager messaging engine is not running, and reboot the Windows computer after uninstallation and before attempting to reinstall.
Ensuring that Tivoli Identity Manager objects are removed from the Sun Enterprise Directory Server
Before you reinstall Tivoli Identity Manager, ensure that any previous Tivoli Identity Manager schema objects, object classes, and other attributes are removed from the Sun Enterprise Directory Server. Complete these steps:
1. Start the Sun Enterprise Directory Server administration console.
2. On the Configuration tab, remove the Tivoli Identity Manager suffix.
3. On the Directory tab, complete these steps:
a. Remove the Tivoli Identity Manager domain.
b. Click Config > Plugins. Then, open the properties for the referential integrity postoperation entry and delete all attributes that begin with the characters er.
4. Stop the directory server.
5. Open the ldapServerInstance\config\schema\99user.ldif file. Then, remove all Tivoli Identity Manager object classes and attribute types that begin with the characters er.
6. Start the directory server.
Appendix A. Mapping Tivoli Identity Manager application modules to IBM HTTP Server
Use the WebSphere administrative console to map Tivoli Identity Manager applications to the IBM HTTP Web server.
1. Log in to the WebSphere administrative console on the WebSphere Application Server Network Deployment Manager for the Tivoli Identity Manager cluster using the WebSphere Application Server administrator credentials.
2. Click Applications > Application Types > WebSphere enterprise applications in the task menu.
3. Click ITIM in the Enterprise Applications list.
4. Click Manage Modules.
5. Select the ITIM Application Cluster name (not the JMS cluster name) and select the check boxes for these modules:
- PasswordSynch
- ITIM_Console
- EnRole
- ITIM_Self_Service
- ITIM_Self_Service_Help
- ITIM_Console_Help
- ITIM_Message_Help
- EHS3.01
- PasswordReset
6. Click Apply (next to the Clusters and servers field).
7. Click OK.
8. Click Save configuration in the message box.
© Copyright IBM Corp. 2009
131
Appendix B. Configuring security for Tivoli Identity Manager
This section describes how to configure security for Tivoli Identity Manager and middleware components. For more security information, see the Additional Security section of the IBM Tivoli Identity Manager Information Center.
Configuring security for the directory server
To have secure socket layer (SSL) communication between an LDAP server and Tivoli Identity Manager, the LDAP server must be configured to use SSL for secure communications. If you are using IBM Tivoli Directory Server or Sun Enterprise Directory Server to store Tivoli Identity Manager information, you must set the server to use SSL, and then configure the SSL certificates that you want to use.
This task is performed after installing Tivoli Identity Manager, and cannot be performed before a new installation. If you want to configure LDAP only through an SSL connection, skip the LDAP configuration during the installation, and run ldapConfig after the installation has completed.
Configuring SSL for IBM Tivoli Directory Server
To have secure socket layer (SSL) communication between the IBM Tivoli Directory Server and Tivoli Identity Manager, IBM Tivoli Directory Server must be configured to listen on a port with a certificate defined. The certificate authority must be in the signer certificate database on the SSL client.
Use GSKit to create the key database file and certificates. Make sure to extract the server certificate (the one created for the LDAP server) for client use. The certificate must be copied to the machine where Tivoli Identity Manager is running. The location of the server certificate is required to set up a trusted certificate for Tivoli Identity Manager in a later task.
For more information about enabling SSL on LDAP for IBM Tivoli Directory Server, see the documentation available at the following Web site: http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.IBMDS.doc/admin_gd16.htm
Configuring SSL for Sun Enterprise Directory Server
For detailed information about setting up SSL on Sun Enterprise Directory Server, see the documentation available at the following Web site: http://docs.sun.com/app/docs/prod/s1dirsrv
Configuring the SSL client to trust the LDAP server certificate
The Tivoli Identity Manager Server operates as a Java application (not as an embedded part of WebSphere Application Server) and uses Java secure socket extension (JSSE) to implement SSL support. Consequently, SSL certificates and CA certificates are retrieved from a standard format Java truststore or keystore. The truststore and keystore use the same file formats that the Java virtual machine and WebSphere Application Server use for other certificate configuration. You can use standard Java tools to maintain the truststore and keystore, including the IBM Key Management tool and the Java keytool command-line utility.
To successfully configure the SSL connection between the Tivoli Identity Manager Server and the LDAP Server, you must import the self-signed certificate (or CA certificate) created for the LDAP Server into the truststore that is used by JSSE (the IBM JSSE, which is part of WebSphere Application Server). Additionally, you must first configure Tivoli Identity Manager to use SSL (configuring it to use the ldaps protocol instead of the ldap protocol) when communicating with the LDAP Server.
Installing the self-signed certificate in the JSSE truststore
For this task, the default truststore that is present in the JRE of the WebSphere Application Server is used. Also, the iKeyman utility is used to configure the certificates. To install the self-signed certificate for the LDAP Server in the JSSE truststore, complete these steps:
1. Start the ikeyman utility (ikeyman.bat or ikeyman.sh) located in the WAS_HOME\bin directory.
2. From the Key Database File menu, select New.
3. In the File Name field, type cacerts. Cacerts is the default name for the JRE certificates file.
4. In the Location field, type WAS_HOME\java\jre\lib\security\.
5. In the Password Prompt window, type the password for the keystore in the Password and Confirm Password fields. The default password is changeit. Click OK.
The next task is to add the certificate you created for the LDAP server into this certificate store. Complete these steps:
1. In the main window, in the Key database content area, select Signer Certificates from the drop-down list, and click Add.
2. From the Data Type drop-down list, select Binary DER data.
3. In the Certificate file name field, browse and locate the server certificate file that was created for the LDAP server. Verify that the appropriate directory is displayed in the Location field. Click OK.
4. In the prompt that is displayed, type a label for this certificate. For example, type LDAPCA. Click OK.
The certificate is added for the LDAP Server. You can now close the ikeyman utility.
Configuring Tivoli Identity Manager to use SSL when communicating with the LDAP server
To configure Tivoli Identity Manager to use SSL when communicating with the LDAP server, complete these steps:
1. Edit the enRoleLDAPConnection.properties file in the ITIM_HOME\data directory, and make the following changes:
a. Set the port value on the java.naming.provider.url property to the SSL port number configured on the directory server (LDAP). For example:
java.naming.provider.url=ldaps://localhost:636
b. Set the value of the java.naming.security.protocol property to ssl. This setting indicates to the Tivoli Identity Manager Server to use SSL to communicate with LDAP. Alternately, you can change the protocol in java.naming.provider.url from ldap to ldaps. For example:
java.naming.security.protocol=ssl
2. Save the changes.
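As an added example (not part of the product or of this guide), the following Python script reads the two properties from step 1 out of enRoleLDAPConnection.properties text and reports whether the resulting connection actually uses SSL and which settings are inconsistent with each other; the sample file contents and host names are constructed.

```python
"""Check enRoleLDAPConnection.properties for a consistent SSL configuration.

Added example, not part of Tivoli Identity Manager. It parses the two properties
the guide changes (java.naming.provider.url and java.naming.security.protocol)
and reports whether the server will use SSL, plus the inconsistencies a reviewer
should catch: an ldap:// URL paired with protocol=ssl, the plaintext port 389
paired with SSL, or neither setting present.
"""
from urllib.parse import urlsplit

# Constructed sample contents of ITIM_HOME/data/enRoleLDAPConnection.properties
# (not copied from a real installation).
SAMPLE_SECURE = """\
# LDAP connection settings
java.naming.provider.url=ldaps://localhost:636
java.naming.security.protocol=ssl
java.naming.security.principal=cn=root
"""

SAMPLE_MIXED = """\
java.naming.provider.url=ldap://ldap.example.test:389
java.naming.security.protocol=ssl
"""

SAMPLE_PLAIN = """\
java.naming.provider.url=ldap://ldap.example.test:389
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates the key from the value.
        candidates = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not candidates:
            props[line] = ""
            continue
        sep = min(candidates)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_ldap_ssl(text: str) -> dict:
    """Return {'ssl': bool, 'host': str, 'port': int, 'findings': [str]}."""
    props = parse_properties(text)
    url = props.get("java.naming.provider.url", "")
    protocol = props.get("java.naming.security.protocol", "").lower()
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        findings.append("java.naming.provider.url is missing or not an ldap/ldaps URL")
        return {"ssl": False, "host": "", "port": 0, "findings": findings}
    # Either an ldaps:// URL or protocol=ssl makes JNDI negotiate SSL; the guide
    # says either setting is sufficient.
    ssl = scheme == "ldaps" or protocol == "ssl"
    port = parts.port or (636 if ssl else 389)
    if not ssl:
        findings.append("connection is plaintext: use ldaps:// or java.naming.security.protocol=ssl")
    if scheme == "ldap" and protocol == "ssl":
        findings.append("ldap:// URL with protocol=ssl: prefer ldaps:// so the scheme and port match")
    if ssl and port == 389:
        findings.append("port 389 is the default non-SSL LDAP port; set the SSL port (typically 636)")
    return {"ssl": ssl, "host": parts.hostname or "", "port": port, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("secure", SAMPLE_SECURE), ("mixed", SAMPLE_MIXED), ("plain", SAMPLE_PLAIN)):
        verdict = check_ldap_ssl(sample)
        print(f"{name}: ssl={verdict['ssl']} {verdict['host']}:{verdict['port']}")
        for finding in verdict["findings"]:
            print("  -", finding)
```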
Defining the truststore and password as a custom property on the JVM
Tivoli Identity Manager Server does not use the WebSphere Application Server SSL Configuration Repositories settings in the WebSphere Administrative Console Security | SSL tab. Instead, you must configure the SSL settings using the following menus to specify the javax properties. Complete these steps:
1. Select Servers > Application Servers > server_name > Process Definition > Java Virtual Machine > Custom Properties > New.
2. Define the names of the javax properties that you have changed using the ikeyman key management tool. In "Installing the self-signed certificate in the JSSE truststore" on page 134, you installed certificates into the truststore of the JVM used by WebSphere Application Server. Alternately, you can create your own certificate store location, for which you have to define some additional properties.
The following table provides information about the javax properties you need to define.
Table 8. JSSE SSL truststore properties
Property name | Description | Default value
javax.net.ssl.trustStore | File path of the truststore file. You can use the truststore to install CA certificates and client certificates. If you do not use javax.net.ssl.keyStore to specify a client certificate, you must use this truststore. | jre_install_dir\lib\security\cacerts. Example: C:\Program Files\WebSphere\AppServer\java\jre\lib\security\cacerts
javax.net.ssl.trustStorePassword | Password that protects the truststore. | changeit
javax.net.ssl.trustStoreType | Key database type. This property is required for the truststore. The value is specified when creating a self-signed certificate. | None.
javax.net.ssl.keyStore | File path of the keystore file. The keystore contains the certificate that is used by the Tivoli Identity Manager Server. The certificate must be present either in the keystore or the truststore if the application operating as an SSL server (for example, an agent-based adapter) is set to require client authentication. If this property is not defined, the truststore must contain the certificate when client authentication is required. | None. The truststore file path is searched by default.
javax.net.ssl.keyStorePassword | Password that protects the keystore. | changeit
Running ldapConfig and runConfig with SSL
Note: If LDAP is configured to use SSL only, the ldapConfig utility does not work during a new Tivoli Identity Manager installation. You will have to skip ldapConfig during installation and run it after performing the following steps, after the Tivoli Identity Manager installation has completed:
1. Verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
2. Edit ITIM_HOME\bin\ldapConfig.lax and ITIM_HOME\bin\runConfig.lax and add the following property. Note that the property is one line:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password -Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:WAS_HOME\lib:WAS_HOME\lib\ext
Note: Skip this step if the CA certificate (which is required to verify the authenticity of the authority that has issued an LDAP server certificate) is installed in the truststore of the JVM that is used by ldapConfig/runConfig.
Running fix pack installation or upgrading from previous versions with SSL configured between Tivoli Identity Manager and LDAP
If LDAP is configured to use SSL only with Tivoli Identity Manager, the following steps need to be performed to run the ldapUpgrade utility successfully during a fix pack installation.
1. Verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
2. Edit ITIM_HOME\bin\ldapUpgrade.lax and ITIM_HOME\bin\runConfig.lax and add the following property. Note that the property is one line:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password -Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:WAS_HOME\lib:WAS_HOME\lib\ext
For example, on a Windows system:
lax.nl.java.option.additional=-Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\ext;C:\Progra~1\IBM\WebSphere\AppServer\plugins;C:\Progra~1\IBM\WebSphere\AppServer\lib;C:\Progra~1\IBM\WebSphere\AppServer\lib\ext
You can test if this property is set correctly by copying the property into ITIM_HOME\bin\ldapConfig.lax. Click Test on the ldapConfig screen. If the test returns a success message, the property is set correctly.
Note: Do not click Continue on the ldapConfig screen. Click Cancel to exit.
Running the utilities that access the LDAP server with SSL
When SSL is configured, you must perform these steps to successfully run the following utilities present in the ITIM_HOME\bin\platform directory:
- addindex
- addintegrity
- config_remote_services
- createLinks
- ldapClean
- remove_service_profiles
- loadDSMLSchema
- serviceability
1. Verify that enRoleLDAPConnection.properties has java.naming.security.protocol set to ssl.
2. Open the utility file (for example, addindex.sh or addindex.cmd) with a text editor.
3. Add the following properties as Java runtime properties (the following property is one line):
-Djavax.net.ssl.trustStoreType=type_of_truststore -Djavax.net.ssl.trustStore=truststore_location -Djavax.net.ssl.trustStorePassword=truststore_password -Djava.ext.dirs=WAS_HOME\java\jre\lib\ext:WAS_HOME\plugins:WAS_HOME\lib:WAS_HOME\lib\ext
For example, ldapClean.sh modified for SSL would look like this example:
$JAVA -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=/opt/ibm/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djava.ext.dirs=/opt/IBM/WebSphere61/AppServer/java/jre/lib/ext:/opt/IBM/WebSphere61/AppServer/plugins:/opt/IBM/WebSphere61/AppServer/lib:/opt/IBM/WebSphere61/AppServer/lib/ext -cp $CLASSPATH com.ibm.itim.systemConfig.LdapSweeper
4. Save the changes to the utility file.
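The same one-line option string is needed for the .lax files in the two preceding sections and for the utility scripts in this one. As an added example that is not part of the product, the following Python helper builds it with the list separator the guide's examples use on each platform (':' on UNIX, ';' on Windows), rejects values that would break the one-line requirement, and splices it into a constructed stand-in for the ldapClean.sh launch line.

```python
"""Build the one-line JSSE truststore option string that the guide adds to the
.lax files (lax.nl.java.option.additional=...) and to the utility scripts in
ITIM_HOME/bin/platform. Added example; not part of Tivoli Identity Manager.

Assumptions (labelled): only the four -D properties the guide lists are set;
java.ext.dirs is built from the four WAS_HOME subdirectories the guide shows,
joined with ':' on UNIX and ';' on Windows as in the guide's examples.
"""


def java_ext_dirs(was_home: str, windows: bool) -> str:
    """java.ext.dirs as in the guide: java/jre/lib/ext, plugins, lib and lib/ext under WAS_HOME."""
    list_sep, path_sep = (";", "\\") if windows else (":", "/")
    subdirs = (("java", "jre", "lib", "ext"), ("plugins",), ("lib",), ("lib", "ext"))
    return list_sep.join(path_sep.join((was_home,) + parts) for parts in subdirs)


def jsse_options(truststore: str, password: str, store_type: str,
                 was_home: str, windows: bool) -> str:
    """The -D options on one line, in the order the guide lists them."""
    for value, name in ((truststore, "truststore"), (password, "password"),
                        (store_type, "store type"), (was_home, "WAS_HOME")):
        if not value or "\n" in value or "\r" in value:
            raise ValueError(f"{name} must be a non-empty single-line value")
        if " " in value:
            # The guide's Windows example uses the short form C:\Progra~1 instead of
            # "C:\Program Files": a space would split the option on the command line.
            raise ValueError(f"{name} contains a space; use a path without spaces")
    return (f"-Djavax.net.ssl.trustStoreType={store_type} "
            f"-Djavax.net.ssl.trustStore={truststore} "
            f"-Djavax.net.ssl.trustStorePassword={password} "
            f"-Djava.ext.dirs={java_ext_dirs(was_home, windows)}")


def lax_property(truststore, password, store_type, was_home, windows) -> str:
    """The line to add to ldapConfig.lax, runConfig.lax or ldapUpgrade.lax."""
    return "lax.nl.java.option.additional=" + jsse_options(
        truststore, password, store_type, was_home, windows)


def add_to_script(script_text: str, options: str, java_var: str = "$JAVA") -> str:
    """Insert the options right after the JVM launcher in a utility script such as
    ldapClean.sh, keeping the rest of the command line (-cp, main class) intact.
    Refuses to run twice on the same script so the options are not duplicated."""
    out, changed = [], False
    for line in script_text.splitlines():
        if line.startswith(java_var + " ") and "javax.net.ssl.trustStore" not in line:
            line = java_var + " " + options + line[len(java_var):]
            changed = True
        out.append(line)
    if not changed:
        raise ValueError("no JVM launch line found, or it already sets the truststore")
    return "\n".join(out) + "\n"


# Constructed stand-in for the launch line of ldapClean.sh (not the real script).
SAMPLE_SCRIPT = "#!/bin/sh\n$JAVA -cp $CLASSPATH com.ibm.itim.systemConfig.LdapSweeper\n"

if __name__ == "__main__":
    unix_opts = jsse_options("/opt/ibm/cacerts", "changeit", "jks",
                             "/opt/IBM/WebSphere61/AppServer", windows=False)
    print(add_to_script(SAMPLE_SCRIPT, unix_opts))
    print(lax_property(r"C:\Progra~1\IBM\WebSphere\AppServer\java\jre\lib\security\cacerts",
                       "changeit", "jks", r"C:\Progra~1\IBM\WebSphere\AppServer", windows=True))
```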
Configuring security for WebSphere Application Server
If you chose to enable administrative security and application security on the WebSphere Application Server, additional security configuration might be required. Each of the following security tasks applies to both single and multi-node deployments. You can perform these additional security tasks:
- Map the itimadmin administrative user to the ITIM_SYSTEM role to further limit access.
- If the System User or EJB User are modified outside of Tivoli Identity Manager, run the runConfig command to update the Tivoli Identity Manager configuration.
- If you also enabled Java 2 security, modify the library.policy file and verify that the was.policy file exists.
- Modify the token expiration to prevent accidental timeouts in a cluster configuration.
- Enable FIPS compliance for WebSphere Application Server.
Mapping an administrative user to a role
You can map an administrative user to a Tivoli Identity Manager role. The installer typically performs this mapping during the installation process. However, this task is required if you change the Tivoli Identity Manager EJB user ID after you install Tivoli Identity Manager. Complete these steps:
1. On the WebSphere administrative console, click Applications > Enterprise Applications.
2. Click ITIM.
3. In Detail Properties, scroll down and click Security role to user/group mapping.
4. Select the check box for ITIM_SYSTEM.
5. Click Lookup users.
6. Click Search.
7. Select the EJB User (for example, wasadmin) from the list.
8. Click OK.
9. To prevent unauthorized access, clear the Everyone? or All Authenticated? check boxes.
10. Save the configuration changes.
Updating the system user and the EJB user
If you changed the System User or the EJB User fields, you must update the Tivoli Identity Manager configuration with these new values. Complete these steps:
1. Start the system configuration tool. To do so, enter the following command:
- Windows: ITIM_HOME\bin\runConfig
- UNIX: ITIM_HOME/bin/runConfig.sh
2. Select the Security tab.
3. Update the System User field and its password with the wasadmin user ID that you created in the local OS registry.
4. Update the EJB User field and its password with the itimadmin user ID that you created in the local operating system registry.
5. Click OK.
Enabling Java 2 security by creating and modifying policy files
If you want to turn on Java 2 security, create the library.policy file and modify the was.policy file to add permissions to access any necessary resources.
Enabling Java 2 security for the Tivoli Identity Manager application also causes Java 2 security to be enforced on all applications that are running on the WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity Manager application, you should also appropriately configure all other applications running on the WebSphere Application Server to support Java 2 security.
Note: Ensure that you are using the IBM Java 2 Platform Standard Edition Development Kit 1.5 Service Release 6 or later. Service Release 6 is needed if you intend to enable Java 2 security. You can download the service release and follow the instructions to apply the fix at the following WebSphere Application Server fix pack Web site: http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017492
Creating the library.policy file to enable Java 2 security
Create the library.policy file to add permissions to access any necessary resources. To grant all permissions, complete these steps:
1. Create and edit the library.policy file in the following directory location:
WAS_PROFILE_HOME/config/cell/cellname/nodes/nodename
2. Enter the following statement in the library.policy file:
grant {
  permission java.security.AllPermission;
}
Note: This sample policy file provides blanket access to the Tivoli Identity Manager shared library but does not provide any extra security. Set the policy file according to your security requirements by configuring this file correctly.
Ensuring that the was.policy file exists
The Tivoli Identity Manager installation program automatically creates a sample was.policy policy file with all the permissions that the Tivoli Identity Manager application needs to run with Java 2 security enabled.
Ensure that the was.policy file exists. If the file does not exist, create the file in the following directory on the node:
WAS_PROFILE_HOME/config/cells/cellname/applications/ITIM.ear/deployments/application_name/META-INF
The file contents are like these lines:
grant codeBase "file:${application}" {
  permission java.security.AllPermission;
};
Note: This sample policy file provides blanket access to Tivoli Identity Manager but does not provide any extra security. Set the policy file according to your security requirements by configuring this file correctly.
Running Java 2 security on single-node deployments
To run the Java 2 security component after installing and setting up Tivoli Identity Manager in a single-node deployment, use the WebSphere administrative console to restart Tivoli Identity Manager and log in when prompted. Complete these steps:
1. Click Applications > Enterprise Applications.
2. Select the check box for ITIM and click Stop. Wait for the Tivoli Identity Manager application to stop, then click Start.
Running Java 2 security on multi-node deployments
To run the Java 2 security component after installing and setting up Tivoli Identity Manager on multi-node deployments, synchronize the nodes in the cell.
Synchronizing the nodes in the cell
Synchronize the deployment manager configuration with the nodes in the cell. Restart the Tivoli Identity Manager cluster. Restart Tivoli Identity Manager with these steps:
1. Click Server > Clusters.
2. Select the check box next to the cluster name.
3. Click Stop. Wait for the cluster to stop, and then click Start.
Increasing the timeout interval
Ensure that the token expiration value is large enough to prevent accidental timeouts in a cluster configuration.
Security uses a Lightweight Third Party Authentication (LTPA) token that expires after an interval of system inactivity. The default is 120 minutes, which might not be large enough to use with Tivoli Identity Manager. On some systems, the actual timeout interval might be shorter than the value that is specified. A timeout might prevent you from logging on. When a timeout occurs, you must recycle the deployment manager, the cluster, and all node agents.
Complete these steps:
1. Start the WebSphere administrative console.
2. Click Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration > Authentication expiration.
3. Set the token expiration interval to a value that exceeds the longest anticipated interval of system inactivity at your site.
Enabling FIPS compliance for WebSphere Application Server
Federal Information Processing Standards (FIPS) are guidelines that set best practices for software and hardware computer security products. Products that support FIPS standards can be set into a mode where the product only uses FIPS approved algorithms and methods. Security toolkits typically support both FIPS approved and non-FIPS approved functions. In FIPS mode, the product is incapable of using any non-FIPS approved methods.
To enable FIPS compliance for WebSphere Application Server, complete these steps:
1. Add these IBM cryptographic providers as entries in the java.security cryptographic provider list, as shown in this example:
security.provider.1=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
The java.security file is located at WAS_HOME\java\jre\lib\security. This step ensures that Java uses these cryptographic providers for all cryptographic functions.
Note: The order in which you specify the security providers is important. The security providers are processed in numeric order. The first security provider that supports the encryption method being requested is used. On Solaris systems, the first provider must always be sun.security.provider.Sun.
2. Enable FIPS in WebSphere Application Server. To enable FIPS for WebSphere Application Server, complete these steps:
a. On the WebSphere administrative console, click Security > SSL certificate and key management.
b. Select the check box next to Use the United States Federal Information Processing Standard (FIPS) algorithms.
c. Click Apply.
d. Save the configuration changes.
3. To set the environment variable to restrict the IBMJSSE2 provider to FIPS-compliant algorithms, complete these steps:
a. On the WebSphere administrative console, click Servers > Application servers and click a server, such as server1.
b. In the Server Infrastructure field, click the link for Java and Process Management > Process Definition.
c. In the Additional Properties field, click the link for Java Virtual Machine.
d. In the Generic JVM Arguments field, set the environment variable by adding the following statement:
-Dcom.ibm.jsse2.JSSEFIPS=true
For more information about enabling FIPS in WebSphere Application Server 6.1, see the documentation available at the following Web site: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/tsec_fips.html
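As an added example that is not part of WebSphere or of the product, the following Python check reads the security.provider.N entries of a java.security file, verifies the ordering rules given in step 1 (the two FIPS providers first, contiguous numbering because providers are tried in numeric order, and sun.security.provider.Sun first on Solaris), and rewrites the list so the required providers lead; the sample excerpts and the com.example provider names are constructed.

```python
"""Audit and repair the security.provider.N list in java.security for the FIPS
ordering described in step 1. Added example; not part of WebSphere or of
Tivoli Identity Manager.

Checks: the two IBM FIPS providers named in the guide come first (after
sun.security.provider.Sun on Solaris), the numbering is contiguous from 1
because providers are tried in numeric order, and no index is defined twice.
The sample excerpts and the com.example provider names are constructed.
"""
import re

FIPS_PROVIDERS = ("com.ibm.crypto.fips.provider.IBMJSSE2",
                  "com.ibm.crypto.fips.provider.IBMJCEFIPS")
SOLARIS_FIRST = "sun.security.provider.Sun"
_PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")

GOOD = """\
# constructed java.security excerpt: FIPS providers already first
security.provider.1=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.3=com.example.provider.ExampleJSSE
security.provider.4=com.example.provider.ExampleJCE
"""

BAD_ORDER = """\
# constructed java.security excerpt: FIPS providers listed last
security.provider.1=com.example.provider.ExampleJSSE
security.provider.2=com.example.provider.ExampleJCE
security.provider.3=com.ibm.crypto.fips.provider.IBMJSSE2
security.provider.4=com.ibm.crypto.fips.provider.IBMJCEFIPS
"""


def provider_list(text):
    """Return [(index, class_name)] sorted by index."""
    seen = {}
    for line in text.splitlines():
        m = _PROVIDER_RE.match(line)
        if m:
            idx = int(m.group(1))
            if idx in seen:
                raise ValueError(f"security.provider.{idx} is defined twice")
            seen[idx] = m.group(2)
    return sorted(seen.items())


def expected_lead(solaris):
    """The providers that must occupy the first positions, in order."""
    return ([SOLARIS_FIRST] if solaris else []) + list(FIPS_PROVIDERS)


def check_fips_order(text, solaris=False):
    """Return a list of findings; an empty list means the ordering is correct."""
    providers = provider_list(text)
    if not providers:
        return ["no security.provider.N entries found"]
    findings = []
    indices = [i for i, _ in providers]
    if indices != list(range(1, len(indices) + 1)):
        findings.append(f"provider numbering is not contiguous from 1: {indices}")
    classes = [c for _, c in providers]
    lead = expected_lead(solaris)
    if classes[:len(lead)] != lead:
        findings.append("expected the first providers to be " + ", ".join(lead)
                        + f" but found {classes[:len(lead)]}")
    for p in FIPS_PROVIDERS:
        if p not in classes:
            findings.append(f"{p} is not listed at all")
    return findings


def fips_first(text, solaris=False):
    """Rewrite the provider list so the required providers lead, keep the remaining
    providers in their existing relative order, and renumber from 1. The new block
    replaces the original provider lines in place; other lines are untouched."""
    lead = expected_lead(solaris)
    rest = [c for _, c in provider_list(text) if c not in lead]
    block = [f"security.provider.{n}={c}" for n, c in enumerate(lead + rest, 1)]
    out, inserted = [], False
    for line in text.splitlines():
        if _PROVIDER_RE.match(line):
            if not inserted:
                out.extend(block)
                inserted = True
            continue
        out.append(line)
    if not inserted:
        out.extend(block)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_fips_order(BAD_ORDER):
        print("finding:", finding)
    print(fips_first(BAD_ORDER))
```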
Running the cipher migration tool
A cipher migration utility, changeCipher, is provided to change cipher keys and transition from non-compliant FIPS algorithms to FIPS-compliant algorithms and keys. Using the new cipher key, the migration utility re-encrypts all data in the property files and in LDAP. The utility is found in the following location:
- Windows: ITIM_HOME\bin\win\changeCipher.cmd
- UNIX/Linux: ITIM_HOME/bin/unix/changeCipher.sh
Run the utility once on a single server or at the deployment manager to migrate the data in the LDAP repository and in the property files. Also run the utility on each managed node (in a clustered environment) to migrate the property files on that node.
The following example shows the supported usage and command-line parameters for the changeCipher command:
changeCipher {changekey | resume} {keystore_name} {keystore_password} [-algorithm AES] [-keysize 128 | 192 | 256] [-skiperrors]
For example, to migrate cipher settings from PBEWithMD5AndDES to AES, run the following command:
changeCipher changekey itimKeystore2.jceks sunshine
This command performs the following tasks:
- Generates a 128-bit AES key and writes it to the specified keystore
- Migrates encrypted data in the LDAP repository to the new cipher
Note: The new encrypted data is longer in length. If the attribute length in LDAP is too small, you get an Object Class violation and the script ends.
- Migrates the encrypted data in the property files to the new cipher
- Sets the new cipher settings in enrole.properties
While running, the tool creates and maintains a file which contains its current state information. This file is written to ITIM_HOME\temp\CipherMigrator.properties.
If an error occurs during migration (for instance, if the LDAP server goes down), correct the problem and invoke the tool with the resume parameter. This parameter tells the utility to pick up from where it left off before the error occurred.
The optional -skiperrors parameter tells the tool to continue running even if it encounters data that cannot be decrypted with the old cipher. If specified, undecipherable LDAP data does not cause the tool to fail.
Back up all LDAP data before running the tool. There are a number of things that can go wrong when migrating LDAP data. For example, if the keystore file is accidentally deleted before the LDAP migration is completed, some of the encrypted LDAP data becomes inaccessible. Backing up LDAP data along with the current keystore ensures you can return to a safe state.
Before running the tool, stop the Tivoli Identity Manager Server and ensure that there are no pending transactions in the database, because encrypted data in the database is not migrated.
For each LDAP object it finds, the cipher migration utility decrypts the attribute using the old cipher and re-encrypts the attribute using the new cipher. No changes are made to attributes that are hashed.
By default, the Java Cryptography Extension (JCE) is shipped with restricted or limited strength ciphers. To use 192-bit and 256-bit Advanced Encryption Standard (AES) encryption algorithms, you must apply unlimited jurisdiction policy files. For more information, see the following Web site: http://www.ibm.com/developerworks/java/jdk/security/index.html
Appendix C. Installation images and fix packs
This section itemizes the installation images, and provides information on product fix packs.
Installation images
Refer to the Tivoli Identity Manager Quick Start Guide for the download location of the installation images that Tivoli Identity Manager provides. For more information about all supported platforms and their prerequisite applications, refer to the Tivoli Identity Manager Information Center.
Setting the SOAP timeout interval before installing fix packs
To avoid timeout exception errors during fix pack installation, before every fix pack installation set the SOAP timeout interval to at least 15 minutes (900 seconds). Complete these steps:
1. Edit the soap.client.props file located in the WAS_HOME\profiles\profile_name\properties directory.
2. Set the com.ibm.SOAP.requestTimeout property to 900. For example:
com.ibm.SOAP.requestTimeout=900
3. Save the changes to the file.
Obtaining fix packs
A fix pack file for Tivoli Identity Manager has a name like the following example:
5.1.0-TIV-TIM-FP000n.pak
where n is an integer such as 1.
Tivoli Identity Manager fixes and information about fix pack installation are available at this Web site: http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
Appendix D. Worksheets
Before you begin to install and configure Tivoli Identity Manager, you can fill out these worksheets to identify the configuration parameters needed to complete the Tivoli Identity Manager installation.
The value of path varies for these operating systems. For Windows, the default path is drive:\Program Files. For UNIX/Linux, the default path is /opt.
Table 9. Tivoli Identity Manager typical database configuration parameters
Field name | Description | Default or example value | Your value
Host name | Name of the computer that hosts the database. | |
Port number | Database service listening port. | Examples: 50000, 50002, or 60000 |
Database name | Name of the Tivoli Identity Manager database. | Example: itimdb |
Admin ID | Database administrator user ID. | Example: db2admin. Note: If you do not use the middleware configuration utility, this value is dasusr1 by default on UNIX systems. |
Admin password | Password for the database administrator user ID. | |
Database user ID | The account that Tivoli Identity Manager uses to log in to the database. | Example: itimuser |
Database password | The password for the itimuser user ID. | |
Table 10. Tivoli Identity Manager typical directory server configuration parameters
Field name | Description | Default or example value | Your value
Principal DN | The user ID that represents the principal distinguished name. | Example: cn=root |
Password | The password of the user ID that represents the principal distinguished name. | |
Host name | The host name of the directory server. | |
Port | Directory server listening port. | Example: 389 |
Number of hash buckets | The number of hash buckets. | 1 |
Name of your organization | The name of the organization. | Example: My Organization |
Default org short name | The short name of the organization. | Example: myorg |
Identity Manager DN location | The Tivoli Identity Manager suffix. | Example: dc=com |
Table 11. Tivoli Identity Manager typical pre-installation configuration parameters
Field name | Description | Default or example value | Your value
ITIM_HOME | The installation directory for the Tivoli Identity Manager Server. | Windows: path\IBM\itim; UNIX/Linux: path/IBM/itim |
WAS_HOME | The installation directory for WebSphere Application Server. | Windows: path\IBM\WebSphere\AppServer; UNIX/Linux: path/IBM/WebSphere/AppServer |
WebSphere Application Server profile name | The name of the WebSphere Application Server profile. | Single-server: AppSrv01; Deployment manager: Dmgr01; Cluster member: Custom01 |
WebSphere Application Server server name | The name of the WebSphere Application Server server. | Example: server1 |
Computer host name | The host name of the computer. | |
WebSphere Application Server administrator user ID | User name that is used to administer WebSphere Application Server. Used to restart secure WebSphere Application Servers. This field is optional. | Example: wsadmin |
WebSphere Application Server administrator password | Password that is used with the WebSphere user name. This field is optional. | |
Keystore password | Used to unlock the Tivoli Identity Manager keystore file which stores the encryption key used to encrypt Tivoli Identity Manager sensitive data. | |
ITDI_HOME | The directory that contains the IBM Tivoli Directory Integrator Server code. Also, where adapters are installed. This field is optional depending on whether you are using IBM Tivoli Directory Integrator. | Windows: path\IBM\TDI\V6.1.1 or path\IBM\TDI\V7.0; UNIX/Linux: path/IBM/TDI/V6.1.1 or path/IBM/TDI/V7.0 |
TIVOLI_COMMON_DIRECTORY | The central location for all serviceability-related files, such as logs and first-failure capture data. | Windows: path\IBM\tivoli\common; UNIX/Linux: path/IBM/tivoli/common |
Table 12. Tivoli Identity Manager typical system configuration parameters

Field name: Heart beat (seconds)
Description: Defines how frequently a scheduling thread queries the scheduled message stores for events to process.
Default or example value: 30
Your value:

Field name: Recycle bin age limit (days)
Description: Specifies the number of days that an object remains in the recycle bin of the system before it becomes available for deletion by cleanup scripts.
Default or example value: 62
Your value:

Field name: Maximum pool size
Description: Specifies the maximum number of connections that the LDAP Connection Pool can have at any time.
Default or example value: 100
Your value:

Field name: Initial pool size
Description: Specifies the initial number of connections to be created for the LDAP Connection Pool.
Default or example value: 50
Your value:

Field name: Increment count
Description: Specifies the number of connections to be added to the LDAP Connection Pool every time a connection is requested after all connections are in use.
Default or example value: 3
Your value:

Field name: Database pool initial capacity
Description: Specifies the initial number of JDBC connections.
Default or example value: 5
Your value:
Appendix D. Worksheets
147
Table 12. Tivoli Identity Manager typical system configuration parameters (continued)

Field name: Database pool maximum capacity
Description: Specifies the maximum number of JDBC connections that the Tivoli Identity Manager Server can open to the database at any one time.
Default or example value: 50
Your value:

Field name: Logging trace level
Description: Specifies the amount of information written to the log file.
Default or example value: MIN
Your value:

Field name: Identity Manager Base Server URL
Description: Specifies the published login Universal Resource Locator (URL) for the Tivoli Identity Manager Server. This is the first part of a URL that is sent to the recipient of mail messages at run time.
Default or example value: Examples: http://hostname:9080/itim/console
Your value:

Field name: Mail from
Description: Specifies the Tivoli Identity Manager system administrator e-mail address for your site.
Default or example value: Example: [email protected]
Your value:

Field name: Mail server name
Description: Specifies the SMTP mail host that sends mail notification and functions as the mail gateway.
Default or example value: Example: smtp.mysite.com
Your value:

Field name: Customer logo
Description: Specifies the path and file name of the logo graphic.
Default or example value: ibm_banner.gif
Your value:

Field name: Customer logo link
Description: Specifies an optional URL link activated by clicking the logo image.
Default or example value: www.ibm.com
Your value:

Field name: List page size
Description: Specifies how many items that require a search in the directory are displayed on lists throughout the user interface.
Default or example value: 50
Your value:

Field name: Encryption
Description: Option to encrypt the passwords used for database and directory server connections and the password of the EJB user that is used for EJB authentication.
Default or example value: True (On)
Your value:

Field name: System user
Description: Specifies the system user and the system user password.
Default or example value:
Your value:

Field name: System user password
Description: Specifies the system user password.
Default or example value:
Your value:

Field name: EJB user
Description: Specifies the EJB user ID.
Default or example value:
Your value:

Field name: EJB user password
Description: Specifies the EJB user password.
Note: The EJB user password is restricted to 12 characters.
Default or example value:
Your value:
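The LDAP Connection Pool growth rule that the Maximum pool size, Initial pool size and Increment count rows describe, worked through as an added example (not IBM code): the model uses the Table 12 defaults and the 12-character EJB password limit; the burst of concurrent requests is an assumed input, not a value from the guide.

```python
"""Model of the LDAP Connection Pool sizing rule from Table 12.

Added example, not IBM code. The pool starts at `initial` connections,
grows by `increment` each time a connection is requested while every
existing connection is in use, and never exceeds `maximum`.
"""
from dataclasses import dataclass, field


@dataclass
class PoolModel:
    initial: int = 50       # Initial pool size (Table 12 default)
    increment: int = 3      # Increment count (Table 12 default)
    maximum: int = 100      # Maximum pool size (Table 12 default)
    size: int = field(init=False)
    in_use: int = field(init=False, default=0)
    growth_steps: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        # Worksheet sanity check: the pool cannot start above its ceiling.
        if not (0 < self.initial <= self.maximum) or self.increment <= 0:
            raise ValueError("need 0 < initial <= maximum and increment > 0")
        self.size = self.initial

    def acquire(self) -> bool:
        """Take one connection; False means the pool is saturated."""
        if self.in_use < self.size:
            self.in_use += 1
            return True
        if self.size >= self.maximum:
            return False            # all `maximum` connections are busy
        # All connections in use: grow by `increment`, capped at `maximum`.
        self.size = min(self.size + self.increment, self.maximum)
        self.growth_steps += 1
        self.in_use += 1
        return True

    def release(self) -> None:
        """Return one connection to the pool."""
        if self.in_use > 0:
            self.in_use -= 1


def steps_to_maximum(initial: int, increment: int, maximum: int) -> int:
    """Growth steps needed before the pool reaches `maximum` (ceiling division)."""
    if increment <= 0 or initial > maximum:
        raise ValueError("increment must be positive and initial <= maximum")
    return -(-(maximum - initial) // increment)


def simulate_burst(concurrent: int, **params: int) -> dict:
    """Hold `concurrent` connections at once (assumed load) and report the outcome."""
    pool = PoolModel(**params)
    served = sum(pool.acquire() for _ in range(concurrent))
    return {"served": served, "refused": concurrent - served,
            "pool_size": pool.size, "growth_steps": pool.growth_steps}


def ejb_password_ok(password: str) -> bool:
    """Table 12 note: the EJB user password is restricted to 12 characters."""
    return 0 < len(password) <= 12


if __name__ == "__main__":
    # With the defaults the pool needs 17 growth steps to reach 100;
    # a burst of 120 simultaneous requests leaves 20 unserved.
    print(steps_to_maximum(50, 3, 100))
    print(simulate_burst(120, initial=50, increment=3, maximum=100))
```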
Appendix E. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
© Copyright IBM Corp. 2009
151
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at http://www.ibm.com/legal/copytrade.shtml.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, IBM logo, AIX, DB2, Domino, Lotus, SecureWay, Tivoli, Tivoli logo, Universal Database, WebSphere.
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
Glossary
A
access.
(1) The ability to read, update, delete, or otherwise use a resource. Access to protected resources is usually controlled by system software. (2) The ability to use data that is stored and protected on a computer system.
access control.
In computer security, the process of ensuring that users can access only those resources of a computer system for which they are authorized.
access control list.
In computer security, a list that is associated with a resource that identifies all the principals that can access the resource and the permissions for those principals. See also permission and principal.
access control item (ACI).
Data that (a) identifies the permissions of principals and (b) is assigned to a resource.
account.
An entity that contains a set of parameters that define the application-specific attributes of a principal, which include the identity, user profile, and credentials.
ACI target.
The resource for which you define the access control items. For example, an ACI target can be a service.
activity.
In a workflow, the smallest unit of work.
When a request requires approval, information, or additional actions, the workflow for that request generates the appropriate activities that are presented in the appropriate users’ to-do lists. See also workflow.
adapter.
(1) A set of software components that communicate with an integration broker and with applications or technologies in order to perform tasks, such as executing application logic or exchanging data.
(2) A transparent, intermediary software component that allows different software components with different interfaces to work together.
administrative domain.
A logical collection of resources that is used to separate responsibilities and manage permissions. See also permission.
adopt.
To assign an orphan account to the appropriate owner. See also orphan account.
adoption rules.
The set of rules that determine which orphan accounts belong to which owners. See also
agent.
A process that manages target resources on behalf of a system such that the system can respond to requests.
aggregate message.
A collection of notification messages that are combined into a single e-mail, along with optional user defined text.
alias.
In identity management, an identity for a user, which might match the user ID. The alias can be used during reconciliation to determine who owns the account. A person can have several aliases, for example, GSmith, GWSmith, and SmithG.
application server.
A server program in a distributed network that provides the execution environment for an application program.
application user administrator.
A type of person who uses Tivoli Identity Manager to set up and administer (a) the services that are managed by Tivoli Identity Manager or (b) the Tivoli Identity Manager users of those services.
approval.
A type of workflow activity that allows someone to approve or reject a request. See also
audit trail.
A chronological record of events or transactions. You can use audit trails for examining or reconstructing a sequence of events or transactions, managing security, and for recovering lost transactions.
authentication.
The process of verifying that an entity is the entity that it claims to be, often by verifying a user ID and password combination. Authentication does not identify the permissions that a person has in the system. See also authorization.
authorization.
The process of granting a user, system, or process either complete or restricted access to an object, resource, or function. See also authentication.
authorization owner.
A user who can manage access control items (ACIs) for a resource.
C
certificate.
In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority. See also certificate authority.
Certificate Authority (CA).
An organization that issues certificates. The CA authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates that belong to users who are no longer authorized to use them.
challenge-response authentication.
An authentication method that requires users to respond to a prompt by providing information to verify their identity when they log in to the system. For example, when users forget their password, they are prompted (challenged) with a question to which they must provide an answer (response) in order to either receive a new password or receive a hint for specifying the correct password.
comma separated values (CSV) file.
See CSV file.
Common Criteria.
A standardized method, which is used by international governments, the United States federal government, and other organizations, for expressing security requirements in order to assess the security and assurance of technology products.
connector.
A plug-in that is used to access and update data sources. A connector accesses the data and separates out the details of data manipulations and relationships. See also adapter.
credentials.
Authentication information that is associated with a principal. See also authentication and
CSV file.
A common type of file that contains data that is separated by commas.
D
DAML.
See Directory Access Markup Language.
data model.
A description of the organization of data in a manner that reflects the information structure of an enterprise.
data warehouse.
(1) A subject-oriented collection of data that is used to support strategic decision making.
(2) A central repository for all or significant parts of the data that an organization’s business systems collect.
delegate (noun).
The user who is designated to approve requests or provide information for requests for another user.
delegate (verb).
(1) To assign all or a subset of administrator privileges to a user, such that the user can perform all or a subset of administrator activities for a specific set of users. (2) To designate a user to approve requests or provide information for requests for another user.
delegate administration.
The ability to apply all or a subset of administrator privileges to another user (the delegate administrator), such that the user can perform all or a subset of administrator activities for a specific set of the users.
delegate administrator.
The user who has all or a subset of administrator privileges over a specific set of users.
deprovision.
To remove a service or component. For example, to deprovision an account means to delete an account from a resource. See also provision.
digital certificate.
An electronic document that is used to identify an individual, server, company, or some other entity, and to associate a public key with the entity. A digital certificate is issued by a certification authority and is digitally signed by that authority. See
Directory Access Markup Language (DAML).
An XML specification that extends the functions of Directory Services Markup Language (DSML) 1.0 in order to represent directory operations. In Tivoli Identity Manager, DAML is mainly used for server to agent communications. See also Directory Services
directory server.
A server that can add, delete, change, or search directory information on behalf of a client.
Directory Services Markup Language v1.0 (DSMLv1).
An XML implementation that describes the structure of data in a directory and the state of the directory. DSML can be used to locate data into a directory. DSMLv1 is an open standard defined by OASIS. See also Directory Services Markup Language v2.0.
Directory Services Markup Language v2.0 (DSMLv2).
An XML implementation that describes the operations that a directory can perform (such as how to create, modify, and delete data) as well as the results of those operations. Whereas DSMLv1 can be used to describe the structure of data in a directory, DSMLv2 can be used to communicate with other products about that data. DSMLv2 is an open standard defined by OASIS. See also Directory Services Markup Language v1.0.
distinguished name (DN and dn).
The name that uniquely identifies an entry in a directory. A distinguished name is made up of name-component pairs. For example: cn=John Doe,o=My Organization,c=US
domain administrator.
The owner of an administrative domain. See also administrative domain.
dynamic content tags.
A set of XML tags (based on the XML Text Template Language (XTTL) schema) that enables the administrator to provide customized information in a message, notification, or report. See also XML Text Template Language.
dynamic organizational role.
An organizational role that is assigned to a person by using an LDAP filter. When a user is added to the system and the LDAP filter parameters are met, the user is automatically added to the dynamic organizational role. See also
E
entitlement.
In security management, a data structure, service, or list of attributes that contains externalized security policy information.
entitlement workflow.
A workflow that defines the business logic that is used when provisioning a policy. For example, an entitlement workflow is used to define approvals for managing accounts. See also workflow.
entity.
An object about which you want to store information or manage. For example, a person and an account are both entities.
entity type.
Categories of managed objects. See also
escalation.
The process that defines what happens and who acts when an activity was not completed in the specified amount of time.
escalation limit.
The amount of time, for example, hours or days, that a participant has to respond to a request, before an escalation occurs. See also escalation.
event.
The encapsulated data that is sent as a result of an occurrence, or situation, in the system.
F
failover.
An automatic operation that switches to a redundant or standby system in the event of a software, hardware, or network interruption.
FESI.
See Free EcmaScript Interpreter.
FESI extension.
A Java extension that can be used to enhance JavaScript code and then be embedded within a FESI script.
Free EcmaScript Interpreter (FESI).
An implementation of the EcmaScript scripting language, which is an ISO standard scripting language that is similar to the JavaScript scripting language.
G
group.
A collection of Tivoli Identity Manager users.
H
help desk assistant.
A person who uses Tivoli Identity Manager to assist users and managers with managing their accounts and passwords.
I
identity.
The subset of profile data that uniquely represents a person or entity and that is stored in one or more repositories.
identity feed.
The automated process of creating one or more identities from one or more common sources of identity data.
identity policy.
The policy that defines the user ID to be used when creating an account for a user.
IIOP (Internet Inter-ORB Protocol).
A protocol used for communication between Common Object Request Broker Architecture (CORBA) object request brokers
ITIM group.
A list of Tivoli Identity Manager accounts. Membership within an ITIM group determines the access to data within Tivoli Identity Manager.
ITIM user.
A user who has a Tivoli Identity Manager account.
J
Java Database Connectivity.
See JDBC.
JDBC (Java Database Connectivity).
An industry standard for database-independent connectivity between the Java platform and a wide range of databases. The JDBC interface provides a call-level API for SQL-based and XQuery-based database access.
join directive.
The set of rules that define how to handle attributes when two or more provisioning policies are applied. Two or more policies might have overlapping scope, so the join directive specifies what actions to take when this overlap occurs.
L
LDAP (Lightweight Directory Access Protocol).
An open protocol that uses TCP/IP to provide access to directories that support an X.500 model and that does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). For example, LDAP can be used to locate people, organizations, and other resources in an Internet or intranet directory.
LDAP Data Interchange Format.
See LDIF.
LDAP directory.
A type of repository that stores information on people, organizations, and other resources and that is accessed using the LDAP protocol.
The entries in the repository are organized into a hierarchical structure, and in some cases the hierarchical structure reflects the structure or geography of an organization.
LDAP filter.
A search filter that narrows the results from an LDAP search.
LDIF (LDAP Data Interchange Format).
A file format that is used to describe directory information as well as changes that need to be applied to a directory, such that directory information can be exchanged between directory servers that are using LDAP.
life cycle.
Passage or transformation through different stages over time. For example markets, brands and offerings have life cycles.
life cycle rules.
A set of rules in a policy that determine which operations to use when automatically handling commonly occurring events, such as suspending an account that has been inactive for a period of time.
Lightweight Directory Access Protocol.
See LDAP.
location.
An entity that is a subdivision of an organization, usually based on geographical area.
M
mail.
A type of workflow activity that sends a notification to one or more users about a request.
managed resource.
An entity that exists in the runtime environment of an IT system and that can be managed.
manager.
A type of person who uses Tivoli Identity Manager to manage their own accounts and passwords or the accounts and passwords of those people that they supervise.
manual service.
A type of service that requires manual intervention by the service owner to complete the provisioning request.
N
namespace.
(1) The set of unique names that a service recognizes. (2) Space reserved by a file system to contain the names of its objects.
nested group.
A group that is contained within another group. See also group.
notification.
A message that is sent to users or systems that indicates that a change was made that might be of interest to the receiver.
O
object class.
(1) The specific type of object, or subcategory of classes, that an access control item can protect. For example, if the protection category is account, then the object class can be the type of account, such as an LDAP user account. See also protection category. (2) An entity that defines the schema for a service or an account.
operation.
A specific action (such as add, multiply, or shift) that the computer performs when requested.
operational workflow.
A workflow that defines the lifecycle process for accounts, persons, and other
organization.
A hierarchical arrangement of organizational units, such that each user is included once and only once. See also organizational unit.
organization tree.
A hierarchical structure of an organization that provides a logical place to create, access, and store organizational information.
organizational container.
An organization, organizational unit, location, business partner unit, or administration domain.
organizational role.
In identity management, a list of account owners that is used to determine which entitlements are provisioned to them. See also dynamic organizational role and static organizational role.
organizational unit.
A type of organizational container that represents a department or similar grouping of people.
orphan account.
On a managed resource, an account whose owner cannot be automatically determined by the provisioning system.
P
participant.
In identity management, an individual, a role, a group, or a JavaScript script that has the authority to respond to a request that is part of a
password.
In computer and network security, a specific string of characters that is used by a program, computer operator, or user to access the system and the information stored within it.
password retrieval.
In identity management, the method of retrieving a new or changed password by accessing a designated Web site and specifying a shared secret. See also shared secret.
password strength rules.
The set of rules that a password must conform to, such as the length of the password and the type of characters that are allowed (or not allowed) in the password.
password policy.
A policy that defines the password strength rules. A password strength policy is applied whenever a password is set or modified. See also password strength rules.
password synchronization.
The process of coordinating passwords across services and systems such that only a single password is needed to access those multiple services and systems.
permission.
Authorization to perform activities, such as reading and writing local files, creating network connections, and loading native code.
person.
An individual in the system that has a person record in one or more corporate directories.
personal profile.
The data that describes a user within the system, such as the user name, password, contact information, and so on.
plug-in.
A software module that adds function to an existing program or application.
policy.
A set of considerations that influence the behavior of a managed resource or a user.
post office.
A component that collects notifications from the appropriate workflow activities and distributes those notifications to the appropriate workflow participants.
principal.
(1) A person or group that has been granted permissions. (2) An entity that can communicate securely with another entity.
privilege.
profile.
Data that describes the characteristics of a user, group, resource, program, device, or remote location.
protection category.
The category of classes that an access control item can protect. For example, accounts or persons. See also object class.
provision.
(1) In identity management, to set up and maintain the access of a user to a system. (2) In identity management, to create an account on a managed resource.
provisioning.
In identity management, the process of providing, deploying, and tracking a service or component.
provisioning policy.
A policy that defines the access to various managed resources, such as applications or operating systems. Access is granted to all users, users with a specific role, or users who are not members of a specific role.
R
recertification.
The process of validating and possibly updating your credentials with a system, usually after a specified time interval.
recertification policy.
A policy that defines the life cycle rule for automatically validating accounts and users in the provisioning system after a certain period of time. See also life cycle rules.
reconciliation.
The process of synchronizing data in a central data repository with data on a managed resource.
registration.
The process of accessing a system and requesting an account on that system.
registry.
A repository that contains access and configuration information for users, systems, and software.
relationship.
A defined association between two or more data entities, which is used when defining a Free EcmaScript Interpreter (FESI) extension or when customizing the graphical user interface.
relevant data.
The data that is used to complete a workflow activity in a workflow operation at runtime.
repository.
A persistent storage area for data and other application resources. Common types of repositories are databases, directories, and file systems.
request.
The item that initiates a workflow and instigates the various activities of a workflow. See also
request for information (RFI).
A workflow activity that requests additional information from the specified participant. See also workflow.
resource.
A hardware, software, or data entity. See
restore.
To activate an account that was suspended.
rights.
rule.
A set of conditional statements that enable computer systems to identify relationships and execute automated responses accordingly.
S
schema.
The fields and rules in a repository that comprise a profile. See also profile.
scope.
In identity management, the set of entities that a policy or an access control item (ACI) can affect.
Secure Sockets Layer (SSL).
A security protocol that provides communication privacy. With SSL, client/server applications can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.
security.
The protection of data, system operations, and devices from accidental or intentional ruin, damage, or exposure.
security administrator.
A type of person who sets up and administers Tivoli Identity Manager for users, managers, help desk assistants, and application user administrators.
self-registration.
service.
A representation of a managed resource, application, database, or system.
service owner.
An individual who uses Tivoli Identity Manager to set up and administer the accounts on the services that are managed by Tivoli Identity Manager.
service selection policy.
A policy that determines which service to use in a provisioning policy. See also
service type.
A category of related services that share the same schemas. See also service.
shared secret.
An encrypted value that is used to retrieve the initial password of a user. This value is defined when the personal information for the user is initially loaded into the system.
single sign-on (SSO).
The ability of a user to log on once and access multiple applications without having to log on to each application separately.
static organizational role.
An organizational role that is manually assigned to a person. See also organizational role.
supervisor.
A role that identifies the person who supervises another set of users and who is often responsible for approving or rejecting requests that are made by those users.
suspend.
To deactivate an account so that the account owner cannot access the service.
system administrator.
An individual who is responsible for the configuration, administration, and maintenance of Tivoli Identity Manager.
T
tenant.
In a hosted service environment, a virtual enterprise instance of an application. Each tenant can share directory servers or relational databases while remaining completely separate service instances.
to-do list.
A collection of outstanding activities. See
topic.
The subject of a notification message, which allows messages to be grouped together based on the same task.
transition.
A connection between two workflow
U
universally unique identifier (UUID).
The 128-bit numerical identifier that is used to ensure that two entities do not have the same identifier. The identifier is unique for all space and time.
user.
(1) Any individual, organization, process, device, program, protocol, or system that uses the services of a computing system. (2) The individual who uses Tivoli Identity Manager to manage their accounts and passwords.
V
view.
A collection of various graphical user interfaces for a product that represent the set of tasks that a particular type of user is allowed to perform.
Administrators can customize views to contain different collections of graphical user interfaces.
W
workflow.
The sequence of activities performed in accordance with the business processes of an enterprise.
work order.
A workflow activity that requires a participant to perform an activity outside of the scope of the system. See also workflow.
X
XML Text Template Language (XTTL).
An XML schema that provides a means for representing dynamic content within a message, notification, or report. The XML tags are also called dynamic content tags. See also
160
IBM Tivoli Identity Manager Server: Installation and Configuration Guide
Index
Special characters
.profile file
IDI_HOME
IBM Tivoli Directory Integrator Server installation directory xiii
Numerics
50000, default DB2 listening port number 17
50002, default DB2 listening port number 17
60000, default DB2 listening port number 17
A
accessibility
account
adapter
agent-less or agent-based 4 definition 4 location 4
addserviceselectionpolicy.xml, workflow process file 107
administrative system management interface tool
system management tool
user
administrative security and application security
admintool, administrative tool (Solaris) 16
app_ctl_heap_sz example, update database 17, 36 applheapsz example, update database 17, 36
application server, WebSphere Application Server 3
audience, who should read this book vii
authentication alias, itim-init 99
authority
installing Tivoli Identity Manager Server 51, 61 logon user ID in Administrator Group 51, 61
root
B
backup
books
browser
active scripting 102 two session problems 102 using supported 102
C
CA certificate
certificate
CA, preserved during upgrade 106 demonstration, upgraded 106
identical directory requirement, cluster member 61
CLASSPATH
Classpath field, specifying data directory 97
cleanup
cron job 79 recycle bin age limit 79
client database
upgrading duplicate properties files 108
cluster configuration
WebSphere Application Server 5 definition 5
expanding
installation
sequence 62 sequential requirement 62
Tivoli Identity Manager Server 60
member
certificate files 61 certificate recognition 61
deployment manager installation deploys Tivoli Identity
identical database specification 80
identical directory requirement 61
identical LDAP specification 65
installation sequence after deployment manager 62
prerequisites
database 61 deployment manager 61 directory server 61
WebSphere Application Server base 61
cluster
(continued)
Tivoli Identity Manager installation
command db2
force application all 17, 36 update 17, 36
db2start 17, 36 db2stop 17, 36
line, Linux systems xiv line, Windows systems xiv
versionInfo.bat 43, 44 versionInfo.sh 44
configuration
DB2
Sun Enterprise Directory Server 36
Tivoli Identity Manager
WebSphere Application Server
configuration file
configuring SSL
IBM Tivoli Directory Server 133
Sun Enterprise Directory Server 133
conflict
connection
Maximum Pool Size 79 pool, LDAP 79
conventions home directory
HOME directory
conventions
(continued)
HOME directory
(continued)
typeface xi used in this document xi
variables, directory notation xiv
CTGIM, Tivoli Common Directory 55, 66
customer logo
CustomLabels_en.properties 106
D
data directory
specified by Classpath field 97
organizational, on directory server 2, 27
user account, on directory server 2, 27
database
itim_dbname
authentication alias, itim-init 99
client
configuration
connection
DB2
select during installation 54, 64
enRoleDatabase.properties file 99
installation 9 installation, configuration 9 installing 9
JDBC connections 80 login delay 80
name
Oracle
.profile file 21 environment variables 21
database
(continued)
Oracle
(continued)
JVM feature required by Tivoli Identity Manager 20
select during installation 54, 64
schema preserved during upgrade 106
select during installation 54, 64
session persistence
Oracle environment variables 21
SQL server, select during installation 54, 64
database creation
DB_HOME
DB2 installation directory xii definition xii
DB_INSTANCE_HOME
DB2 installation directory xii definition xii
db2
force application all, command 17, 36
DB2
client
command
db2 force application all 17, 36
db2start 17, 36 db2stop 17, 36 update 17, 36
configuration
service listening port number 17
db2admin, instance name on UNIX and Linux 10 db2admin, user ID on UNIX and Linux 10 deployment 10
First Steps 11 home directory for Windows 11 home directory on UNIX and Linux 11
instance name
instance, db2admin on UNIX and Linux 10
relation to Tivoli Identity Manager 10
user ID, db2admin on UNIX and Linux 10
wizard, verifying installation 11
db2 command
DB2 runtime client
DB2 Server
db2admin, instance user ID for UNIX and Linux 10 db2admin, user ID for UNIX and Linux 10
db2fs, command 12 db2level, command 12 db2ls, command 12
db2set
db2start, command 17, 36 db2stop, command 17, 36
dc=com
default
ibm_banner.gif 81 logo image file 81
demonstration certificate upgraded 106
deployment
IBM Tivoli Directory Integrator 39
IBM Tivoli Directory Server 27
WebSphere Web Server plug-in 42, 44
deployment manager
propagating Tivoli Identity Manager Server 62
running before installing Tivoli Identity Manager
directory
identical requirement, on cluster members 61
installation
IBM Tivoli Directory Integrator Server xiii
IBM Tivoli Directory Server xii
WebSphere Application Server base product xiii, xiv
names, operating system notation xiv
directory integrator
directory server
directory server
(continued)
ibmslapd process 101 ibmslapd.log file 101
disabilities, using documentation xi
DN
top entry in a locally held directory hierarchy 29
documents
Tivoli Identity Manager library vii
domain
Dynamic Role Add/Modify/Remove, workflow process 107
E
address for the Tivoli Identity Manager Server 81 mail gateway 81 system administrator address 81
EJB user
length limit 82 manual steps 82
embedded HTTP transport, WebSphere
encryption
enRole.properties
configuring Tivoli Identity Manager Server 78
enRoleDatabase.properties file 99
environment variable
Oracle 21 processes, Oracle 21 setting with .profile file 21
F
First Steps
verifying WebSphere installation 43, 44, 46
fix pack
IBM Tivoli Directory Integrator 39
IBM Tivoli Directory Server 28
G
garbage cleanup
recycle bin age limit 79 schedule_garbage.cron 79
H
home directories
host name
HTTP
embedded HTTP transport, WebSphere 70
I
IBM HTTP Server
installing 48 separate computer recommended 48
IBM Tivoli Directory Integrator
deployment 39 fix pack 39 install, configure 39
IBM Tivoli Directory Server
LDAP suffix 29 referential integrity file 29 setting up 29
ibmslapd
process running 101 ibmslapd.log file 101
identical directory, cluster members 61
identity feed, lost if running during upgrade 107
image
Increment Count
Initial Pool Size
instaix.bin, installation program 52, 62, 111, 114
installation
directory
IBM Tivoli Directory Integrator Server xiii
IBM Tivoli Directory Server xii
WebSphere Application Server base product xiii, xiv
instzlinux.bin 53, 63, 111, 114
sequence
Sun Enterprise Directory Server 36
Tivoli Identity Manager Server
verifying
Tivoli Identity Manager Server 59, 70, 96
WebSphere installation 43, 44, 46
WebSphere Application Server 41
WebSphere Web Server plug-in 42, 44, 48
instance name
instwin.exe, installation program 52, 62, 111, 113
instzlinux.bin, installation program 53, 63, 111, 114
Internet Explorer, active scripting 102
ITDI_HOME
ITDS_HOME
IBM Tivoli Directory Server installation directory xii
ITIM_HOME
definition xiii directory xiii
itim_wf queue 116 itim_wf_pending queue 116
itim-init, authentication alias 99
itimadmin
itimdb database
setting initial values, SQL Server 2005 25
itimuser
password identical in enRoleDatabase.properties file 99
user
create 16 on DB2 server 16 privileges, no special 16
J
api_ejb.jar 108 itim_api.jar 108 itim_server_api.jar 108
jlog.jar 108 manual upgrade 108
Java 2 security
customization, upgrading manually 117
Java Runtime Environment
language pack 71 required level 71
java_pool_size parameter, Oracle 21
JDBC connection
K
kernel
L
language
pack
default not English 71 installing 71 jar file name 71
LDAP
connection increment 79 connection pool 79
LDAP
(continued)
initial connections 79 maximum connections 79
suffix
IBM Tivoli Directory Server 29
initializing with data 32 verifying configuration 32
libdelref
success message 34, 35 testing configuration 34, 35
list page size, as search control 82
listener
logging
install 104 itim_installer_debug.txt 104 ldapConfig.stdout 104 log.txt 104
MIN 80 performance settings 80
runConfigTmp.stdout 104 setupEnrole.stdout 104
logo
customized lost during upgrade 107
customized, upgrading manually 117
logon
logs
installation 104 msg.log 104 trace.log 104
M
manuals
message
msg.log
in Tivoli Common Directory 104
verifying Tivoli Identity Manager Server 97
multi-node security
node synchronization 139 timeout interval 139
N
name
node
synchronization, multi-node deployment 139
notifytemplate.html, workflow process file 107
O
objectclass
online publications
operating system
Oracle
environment variables 21 init.ora file 21
JVM feature required by Tivoli Identity Manager 20
processes parameter 21 session persistence 21 shared_pool_size parameter 21
organization
P
password
editing 85 expiration period 85
itimuser user, password identical in enRoleDatabase.properties file 99
lost 85 retrieval expiration period 85
pdf format, for screen-reader software xi
performance
permissions
libdelref file 33 referential integrity file 33
planning
plug-in
default installation directory 33 file permissions 33
WebSphere Web Server plug-in 42, 44
Policy Add/Modify/Remove, workflow process 107
pool
port
in services file 17 service listening 17
prerequisite cluster
database 61 deployment manager 61 directory server 61
WebSphere Application Server base 61
single-server
database 52 directory server 52
IBM Tivoli Directory Integrator 52
WebSphere Application Server 52
Principal DN
privilege
problem determination browser
avoiding two sessions 102 using supported 102
database
database connection
directory server
ibmslapd.log 101 process ID (PID) 101
embedded HTTP transport, WebSphere
installation
DBConfig 56, 67 directory server configuration 57, 67
file permissions 95 hardware, software prerequisites 95
log files 58, 68, 95 permissions and display variables 95 real memory 95
WebSphere Application Server 56
SQL Server 2005
Tivoli Identity Manager
embedded HTTP transport, WebSphere 70
ITIM_HOME\data directory 97 msg.log file 97
problem determination
(continued)
Tivoli Identity Manager
(continued)
SystemOut.log file 96 trace.log file 96
WebSphere Application Server
server1 96 serverStatus command 96
process file, workflow
process, workflow
Dynamic Role Add/Modify/Remove, lost if running during upgrade 107
Policy Add/Modify/Remove, lost if running during upgrade 107
processes parameter, Oracle 21
properties
configuring with Tivoli Identity Manager GUI 85
enRoleDatabase.properties file 99
file
SystemOut.log file, indicating error 97
properties file
client, upgrading duplicate files 108
file
adhocreporting.properties 106 crystal.properties 106
CustomLabels_en.properties 106
scriptframework.properties 107
SelfServiceHelp.properties 107
SelfServiceHomePage.properties 107
SelfServiceScreenText_en.properties 107
SelfServiceScreenText.properties 107
ui.properties 106 preserved during upgrade 106
upgrade, preserved
adhocreporting.properties 106 crystal.properties 106
CustomLabels_en.properties 106
properties file
(continued)
upgrade, preserved
(continued)
scriptframework.properties 107
SelfServiceHelp.properties 107
SelfServiceHomePage.properties 107
SelfServiceScreenText_en.properties 107
SelfServiceScreenText.properties 107
provisioning
publications
Tivoli Identity Manager library vii
Q
queue
itim_wf 116 itim_wf_pending 116 runmqsc.exe utility 116 workflow, determining status 116
R
reconciliation, lost if running during upgrade 107
referential integrity file
IBM Tivoli Directory Server 29
loading success message 34, 35
regular-cluster configuration
remote
requirement
root
logon user ID, to install Tivoli Identity Manager
using system management tool 16
runConfig
change password, itimuser user 85
command 77 configuring Tivoli Identity Manager Server 77
EJB user 85 password encryption 85 system properties 85
runmqsc.exe utility, for queue status 116
running process
running process
(continued)
using runConfig (System Configuration) 85
WebSphere Application Server 96
runtime
client
environment, WebSphere Application Server 3
S
scheduling
ldapClean 79 periodic cleanup 79
script
scriptframework.properties 107
security
EJB user 137 map administrative user to role 137
multi-node deployment
node synchronization 139 timeout interval 139
SelfServiceHelp.properties 107
SelfServiceHomePage.properties 107
SelfServiceScreenText_en.properties 107
SelfServiceScreenText.properties 107
sequence
installation, single-server 52
requirement, cluster installation 62
service pack, SQL Server 2005 24
serviceability-related files, Tivoli Common Directory 55, 66
session
persistence
Oracle environment variables 21
settings
DB2
preserved, upgrading Tivoli Identity Manager 106
WebSphere Application Server 41 settings for WebSphere Application Server 41
shared_pool_size parameter, Oracle 21
single-server configuration
WebSphere Application Server 4 definition 4
installation
single-server
(continued)
installation
(continued)
Tivoli Identity Manager Server 51
prerequisites
IBM Tivoli Directory Integrator 52
WebSphere Application Server 52
Solaris
source
SQL Server 2005
configuring 25 creating database 25
status
queues 116 runmqsc.exe utility, for queues 116
WebSphere Application Server 96
storage space
single-server configuration 51
Sun Enterprise Directory Server
system administrator e-mail address 81
system configuration tool
System Management Interface Tool (SMIT, AIX) 16
system properties
interval to recognize changes 84 logging 84
password
editing 85 expiration period 85 lost 85 retrieval expiration period 85
restart Tivoli Identity Manager Server 84
System user
SystemOut.log
errors and properties files 97
verifying Tivoli Identity Manager Server 96
T
tab
tab
(continued)
TCP/IP
testing
WebSphere Application Server 96
text, alternative for document images xi
thread
timeout interval, multi-node security 139
Tivoli Common Directory
serviceability-related files 55, 66
Tivoli Identity Manager Server configuration
installation, configuration 51
installing
uninstalling
additional products 125 database tables 125 directory server schema 125
Tivoli software information center x
TIVOLI_COMMON_DIRECTORY
trace.log
in Tivoli Common Directory 104
verifying Tivoli Identity Manager Server 96
tracing
MIN 80 performance settings 80
type
U
uninstalling
Tivoli Identity Manager
additional products 125 database tables 125 directory server schema 125
utility for Tivoli Identity Manager 73
upgrading
customization
Java 2 security, manually 117 logos, manually 117
duplicate properties files on client side 108
Dynamic Role Add/Modify/Remove lost if running 107 identity feed lost if running 107
jar files for client, manually 108
Policy Add/Modify/Remove lost if running 107 reconciliation lost if running 107
steps
single-server configuration 111
tasks
single-server configuration 110
Tivoli Identity Manager version 4.6 to 5.1
CA certificates preserved 106 data directory 106 database schema 106
demonstration certificate upgraded 106
directory server 105 operating system requirements 105
property files 106 settings preserved 106 stopping WebSphere Application Server 106
WebSphere Application Server configuration 106
WebSphere Application Server installation 105
workflow files 107 workflow_systemprocess directory 107
Tivoli Identity Manager version 5.0 to 5.1
CA certificates preserved 106 data directory 106 database schema 106
demonstration certificate upgraded 106
directory server 105 operating system requirements 105
property files 106 settings preserved 106
WebSphere Application Server configuration 106
WebSphere Application Server installation 105
workflow files 107 workflow_systemprocess directory 107
user
account data, on directory server 27
itimuser
on DB2 server 16 privileges, no special 16
user
(continued)
password, verifying for database 99
user password
identical in enRoleDatabase.properties file 99
V
verifying database
installation
Tivoli Identity Manager Server 59, 70, 96
WebSphere Application Server 96
versionInfo.bat, command 43, 44 versionInfo.sh, command 44
W
WAS_HOME
WebSphere Application Server base installation directory xiii
WAS_NDM_PROFILE_HOME
WebSphere Application Server base installation directory xiv
WAS_PROFILE_HOME
WebSphere Application Server base installation directory xiii
was.policy file, permissions 138
wasadmin
Web address
WebSphere administrative console 43, 45, 46, 47
Web user interface (Tivoli Identity Manager) 85
WebSphere administrative console
WebSphere Application Server administrative security and application security
configuration
installation 41 installation, configuration 41 installing 41
WebSphere installation
custom installation recommended 42, 44
IBM HTTP Server installation 42, 44
WebSphere Web Server plug-in installation 42, 44
WebSphere Web Server plug-in
WebSphere Web Server plug-in
(continued)
installing 48 separate computer recommended 48
wizard
First Steps, WebSphere installation 43, 44, 46
Tivoli Identity Manager installation
workflow process file, preserved during upgrade
addserviceselectionpolicy.xml 107 notifytemplate.html 107
workflow process, lost if running during upgrade
Dynamic Role Add/Modify/Remove 107
worksheet
Program Number: 5724-C34
Printed in USA
SC27-2410-01