
Tivoli® Identity Manager

Server Installation and Configuration Guide for WebSphere Environments

Version 4.6

SC32-1750-01

Note: Before using this information and the product it supports, read the information in Appendix F, “Notices,” on page 145.

First Edition (June 2005)

This edition applies to version 4.6 of Tivoli Identity Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

This edition merges and replaces SC32-1148-02 and SC32-1147-03.

This product includes Adaptx, a free XSLT Processor. (C) 1998-2002 Keith Visco and Contributors.

© Copyright International Business Machines Corporation 2003, 2006. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface
  Who should read this book
  Publications and related information
  Tivoli Identity Manager library
  Prerequisite product publications
  Related publications
  Accessing publications online
  Accessibility
  Support information
  Conventions used in this book
  Typeface conventions
  Operating system differences
  Definitions for HOME and other directory variables
  Special terms

Chapter 1. Overview of the Tivoli Identity Manager Environment
  Tivoli Identity Manager components
  Adapters overview
  WebSphere Application Server products
  Database server products
  Directory server products
  HTTP server and WebSphere Web Server plug-in
  Configuration options
  Single-server configurations
  Cluster configuration
  Overview of the installation
  Planning activities for deployments at large sites

Chapter 2. Installing and configuring a database
  Before you install the database product
  Installing and configuring IBM DB2 Universal Database
  Recording user data and ensuring that installation succeeds
  Installing the required fix packs
  Configuring the DB2 server
  Configuring the DB2 JDBC driver
  Determining the correct service listening port and service name
  Tuning performance
  Installing and configuring the Oracle database
  Before you create a database
  Creating the Tivoli Identity Manager database
  Starting the Oracle product and the listener service
  Installing and configuring SQL Server 2000 on the Windows operating system
  Preparing to install SQL Server 2000
  Installing SQL Server 2000
  Configuring SQL Server 2000

Chapter 3. Installing and configuring a directory server
  Before you install the directory server product
  Installing and configuring IBM Tivoli Directory Server
  Installing IBM Tivoli Directory Server
  Installing the required fix packs
  Setting up the IBM Tivoli Directory Server
  Avoiding port conflicts
  Installing and configuring Sun ONE Directory Server
  Installing the Sun ONE Directory Server
  Configuring the Sun ONE Directory Server

Chapter 4. Installing and configuring WebSphere Application Server
  Before you install the WebSphere Application Server
  Meeting installation requirements
  Solaris: Setting additional kernel parameters for WebSphere embedded messaging
  AIX: Validating port 9090 is available for the WebSphere Application Server administrative host
  UNIX: Creating groups and users before installing WebSphere embedded messaging
  Installing the WebSphere Application Server base product, IBM HTTP Server, and WebSphere Web Server plug-in
  Installing the IBM HTTP Server
  Creating a cluster configuration
  Installing the deployment manager
  Installing the WebSphere Application Server base product on each node
  Adding nodes to a cell
  Verifying that the deployment manager, node agents, and JMS servers are running
  Creating a cluster
  Resolving port conflicts
  Optionally configuring security for Tivoli Identity Manager
  Configuring security manually for single-node deployments before installing Tivoli Identity Manager
  Configuring security manually for multi-node deployments before installing Tivoli Identity Manager
  Disabling security
  Moving the HTTP server out of the cell for additional security

Chapter 5. Installing Tivoli Identity Manager in a single-server configuration
  Before you begin
  Overview of the installation program in a single-server configuration
  Starting the installation wizard
  Completing the installation wizard pages
  Responding to major installation actions
  Verifying that the Tivoli Identity Manager Server is operational
  UNIX: Sourcing the DB2 Universal Database profile
  Optionally installing a language pack
  Preparing to install adapters

Chapter 6. Installing Tivoli Identity Manager in a cluster configuration
  Before you begin
  Overview of the installation program in a cluster configuration
  Starting the installation wizard
  Completing the installation wizard pages
  Responding to major installation actions
  Starting a cluster
  Verifying that the Tivoli Identity Manager Server is operational
  UNIX: Sourcing the DB2 Universal Database profile
  Optionally installing a language pack
  Changing cluster configurations after Tivoli Identity Manager is installed
  Expanding a cluster using a new computer
  Removing cluster members
  Generating the WebSphere Web Server plug-in configuration file
  Preparing to install adapters

Chapter 7. Configuring the Tivoli Identity Manager Server
  Configuring the Tivoli Identity Manager database
  Completing the database configuration windows
  Manually starting the DBConfig database configuration tool
  Configuring the directory server
  Completing the directory server configuration windows
  Manually running the ldapConfig configuration tool
  Configuring commonly used system properties
  Manually starting the system configuration tool
  General tab
  Directory tab
  Database tab
  Logging tab
  Mail tab
  UI tab
  Security tab
  Optionally configuring security after installing Tivoli Identity Manager
  Mapping an administrative user to a role
  Ensuring that the was.policy file exists
  Updating the system user and the EJB user
  Running Java 2 security on single-node deployments
  Running Java 2 security on multi-node deployments
  Modifying system properties during normal operation
  Modifying system properties with the system configuration tool
  Modifying system properties manually
  Modifying system properties with the Tivoli Identity Manager GUI

Chapter 8. Troubleshooting and verifying the installation
  Correcting problems starting the installation
  Verifying the installation
  Testing the database connection
  Ensuring that the directory server is running
  Ensuring that the HTTP server is running
  Ensuring that WebSphere embedded messaging is running
  Ensuring that the WebSphere Application Server is running
  Checking the Web browser operation
  Troubleshooting the Tivoli Identity Manager startup
  Logs and directories

Chapter 9. Uninstalling the Tivoli Identity Manager Server
  What is not removed
  Before you begin
  Steps to uninstall the Tivoli Identity Manager Server
  Verifying that the Tivoli Identity Manager Server is uninstalled
  Manually removing components
  Manually removing the Tivoli Identity Manager Server from the WebSphere Application Server
  Manually removing other files or directories
  Ensuring that Tivoli Identity Manager objects are removed from the Sun ONE Directory Server

Appendix A. Installation images and fix packs
  Installation images
  Verifying the fix pack level
  Obtaining fix packs

Appendix B. Worksheets
  Tivoli Identity Manager information for the database
  Tivoli Identity Manager information for the directory server
  Tivoli Identity Manager information
  WebSphere Application Server: single-server installation
  WebSphere Application Server: cluster installation

Appendix C. Upgrading from Tivoli Identity Manager Version 4.5.1 to Version 4.6
  Processes and settings that the upgrade process preserves
  Processes and settings that are not preserved, or require manual upgrade
  Before you begin
  Upgrading a single-server configuration
  Upgrading a cluster configuration
  Post-migration tasks
  Preserving customized data manually
  Upgrading Crystal Reports
  Correcting upgrade problems

Appendix D. Steps that the installation program takes to configure the WebSphere environment
  Before you begin
  Configuring resources for the Tivoli Identity Manager Server
  Setting environment properties
  Setting transaction service properties
  Creating J2C authentication data entries
  Creating the JDBC driver and the WebSphere Application Server data source
  Creating Tivoli Identity Manager JMS objects at the cell level
  Creating Tivoli Identity Manager JMS objects at the server level
  Creating message listener ports
  Configuring the internal JMS server
  Updating the JVM classpath
  Overriding client encoding
  Deploying and configuring the Tivoli Identity Manager J2EE application
  Deploying Tivoli Identity Manager on the WebSphere Application Server
  Configuring application classloader settings
  Regenerating the WebSphere Web Server plug-in
  Configuring the JAAS login module
  Configuring the JAAS login module for JNDI feed

Appendix E. Support information
  Searching knowledge bases
  Search the information center on your local system or network
  Search the Internet
  Obtaining fixes
  Contacting IBM Software Support
  Determine the business impact of your problem
  Describe your problem and gather background information
  Submit your problem to IBM Software Support

Appendix F. Notices
  Trademarks

Glossary

Index

Preface

This guide for the IBM® Tivoli® Identity Manager Server describes how to install and configure the Tivoli Identity Manager Server in a WebSphere® environment.

Who should read this book

This book is intended for system and security administrators who install, maintain, or administer software on their computer systems. Readers are expected to understand system and security administration concepts. Additionally, the reader must understand administration concepts for the following types of products:

• Database server
• Directory server
• Application server
• Messaging support
• IBM HTTP Server

Publications and related information

Read the descriptions of the Tivoli Identity Manager library. To determine which additional publications you might find helpful, read the “Prerequisite product publications” on page ix and the “Related publications” on page x. After you determine the publications you need, refer to the instructions in “Accessing publications online” on page xi.

Tivoli Identity Manager library

The publications in the Tivoli Identity Manager technical documentation library are organized into the following categories:

• Release information
• Planning for installation, configuration, and customization
• Online user assistance
• Server installation and configuration
• Problem determination
• Technical supplements
• Adapter installation and configuration

Release Information:

• IBM Tivoli Identity Manager Release Notes
  Provides software and hardware requirements for Tivoli Identity Manager, and additional fix, patch, and other support information.
• IBM Tivoli Identity Manager Documentation Read This First Card
  Lists the Tivoli Identity Manager publications.

Planning for installation, configuration, and customization:

IBM Tivoli Identity Manager Planning for Deployment Guide describes the components, functions, and capabilities of the product, explains how the product can impact the infrastructure of an organization, recommends guidelines for managing the implementation of the product, and recommends strategies for integrating identity management capabilities into a production environment.

Online user assistance:

Provides online help topics and an information center for all Tivoli Identity Manager administrative tasks. The information center includes information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide and the IBM Tivoli Identity Manager Policy and Organization Administration Guide.

Server installation and configuration:

IBM Tivoli Identity Manager Server Installation and Configuration Guide for WebSphere Environments provides installation and configuration information for Tivoli Identity Manager.

Configuration information that was previously provided in the IBM Tivoli Identity Manager Configuration Guide is now included in either the installation guide or in the IBM Tivoli Identity Manager Information Center.

Problem determination:

IBM Tivoli Identity Manager Problem Determination Guide provides problem determination, logging, and message information for the Tivoli Identity Manager product.

Technical supplements:

The following technical supplements are provided by developers or by other groups who are interested in this product:

• IBM Tivoli Identity Manager Performance Tuning Guide
  Provides information needed to tune Tivoli Identity Manager Server for a production environment. It is available on the Web at:
  http://publib.boulder.ibm.com/tividd/td/tdprodlist.html
  Click the I character in the A-Z product list, and then, click the IBM Tivoli Identity Manager link. Browse the information center for the Technical Supplements section.
• Redbooks and white papers are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html
  Browse to the Self Help section, in the Learn category, and click the Redbooks link.
• Technotes are available on the Web at:
  http://www.redbooks.ibm.com/redbooks.nsf/tips/
• Field guides are available on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html
• For an extended list of other Tivoli Identity Manager resources, search the following IBM developerWorks Web site:
  http://www.ibm.com/developerworks/

Adapter installation and configuration:

The Tivoli Identity Manager Server technical documentation library includes documentation for the adapter components of a Tivoli Identity Manager implementation. Locate adapter documentation on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list, and then, click the IBM Tivoli Identity Manager link.

Locate Tivoli Identity Manager adapters on the Web at:

http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home

Skills and training:

Education solutions for Tivoli Identity Manager cover these topics:

• Planning
• Basic and Advanced Administration
• Installation and Configuration
• Workflows

You also have the option of requesting custom training that is tailored to your needs. For more information, road maps, and schedules, access this IBM Tivoli Education Web site:

http://www.ibm.com/software/tivoli/education

You can also e-mail these education delivery addresses:

• Americas: [email protected]
• Asia Pacific: [email protected]
• Europe, the Middle East, and Africa (EMEA): [email protected]

Additional skills and technical training information might be available at these Web sites:

• IBM Professional Certification
  http://www.ibm.com/certify/
  Search on “identity manager” to locate available classes and certification offerings.
• Virtual Skills Center for Tivoli Software on the Web at:
  http://www.cgselearning.com/tivoliskills/
• Tivoli Technical Exchange on the Web at:
  http://www.ibm.com/software/sysmgmt/products/support/supp_tech_exch.html

Prerequisite product publications

To use the information in this book effectively, you must have knowledge of the products that are prerequisites for Tivoli Identity Manager Server. Publications are available from the following locations:

• Operating systems
  – IBM AIX®
    http://www16.boulder.ibm.com/pseries/en_US/infocenter/base/aix52.htm
  – Sun Solaris
    http://docs.sun.com/db?q=solaris+9
  – Red Hat Linux™
    http://www.redhat.com/docs/
  – Microsoft® Windows Server™ 2003
    http://www.microsoft.com/windowsserver2003/proddoc/default.mspx
• Database servers
  – IBM DB2 Universal Database™
    - Support: http://www.ibm.com/software/data/db2/udb/support.html
    - Information center: http://publib.boulder.ibm.com/infocenter/db2help/index.jsp
    - Documentation: http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
    - DB2® product family: http://www.ibm.com/software/data/db2
    - Fix packs: http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
    - System requirements: http://www.ibm.com/software/data/db2/udb/sysreqs.html
  – Oracle
    http://www.oracle.com/technology/documentation/index.html
    http://otn.oracle.com/tech/index.html
    http://otn.oracle.com/tech/linux/index.html
  – Microsoft SQL Server 2000
    http://www.msdn.com/library/
    http://www.microsoft.com/sql/
• Directory server applications
  – IBM Tivoli Directory Server
    Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm
    Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml
  – Sun ONE Directory Server
    http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52
• IBM WebSphere® Application Server
  Additional information is available in the product directory or Web sites.
  http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp
  http://www.redbooks.ibm.com/
• WebSphere embedded messaging
  http://www.ibm.com/software/integration/wmq/
• IBM HTTP Server
  http://www.ibm.com/software/webservers/httpservers/library.html

Related publications

Information that is related to Tivoli Identity Manager Server is available in the following publications:

• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/literature/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available from the Glossary link of the Tivoli Software Library Web page at:
  http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

Accessing publications online

IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli software information center Web site. Access the Tivoli software information center at the following Web address:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z list, and then click the IBM Tivoli Identity Manager link to access the product library.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File → Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Accessibility

The product documentation includes the following features to aid accessibility:

• Documentation is available in convertible PDF format to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

• Searching knowledge bases: You can search across a large collection of known problems and workarounds, Technotes, and other information.
• Obtaining fixes: You can locate the latest fixes that are already available for your product.
• Contacting IBM Software Support: If you still cannot solve your problem, and you need to work with someone from IBM, you can use a variety of ways to contact IBM Software Support.

For more information about these ways to resolve problems, see Appendix E, “Support information,” on page 141.

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

This guide uses the following typeface conventions:

Bold
  • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
  • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
  • Keywords and parameters in text

Italic
  • Words defined in text
  • Emphasis of words (words as words)
  • New terms in text (except in a definition list)
  • Variables and values you must provide

Monospace
  • Examples and code examples
  • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
  • Message text and prompts addressed to the user
  • Text that the user must type
  • Values for arguments or command options

Changed text
  Changed text is indicated by a vertical line (|) in the margin.

Operating system differences

This guide uses the UNIX® convention for specifying environment variables and for directory notation.

When using the Windows® command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. The names of environment variables are not always the same in Windows and UNIX. For example, %TEMP% in the Windows operating system is equivalent to $tmp in a UNIX operating system.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.

Definitions for HOME and other directory variables

The following table contains the default definitions that are used in this guide to represent the HOME directory level for various product installation paths. You can customize the installation directory and HOME directory for your specific implementation. If this is the case, you need to make the appropriate substitution for the definition of each variable represented in this table.

The value of path varies for these operating systems:

• Windows: drive:\Program Files
• AIX: /usr
• Other UNIX: /opt

Path Variable: DB_INSTANCE_HOME
Default Definition:
  Windows: path\IBM\SQLLIB
  UNIX:
    • AIX, Linux: /home/dbinstancename
    • Solaris: /export/home/dbinstancename
Description: The directory that contains the database for Tivoli Identity Manager.

Path Variable: LDAP_HOME
Default Definition:
  • For IBM Tivoli Directory Server Version 5.2
    Windows: path\IBM\LDAP
    UNIX:
      – AIX, Linux: path/ldap
      – Solaris: path/IBMldaps
  • For IBM Tivoli Directory Server Version 6.0
    Windows: path\IBM\LDAP\V6.0
    UNIX:
      – AIX, Solaris: path/IBM/ldap/V6.0
      – Linux: opt/ibm/ldap/V6.0
  • For Sun ONE Directory Server
    Windows: path\Sun\MPS
    UNIX: /var/Sun/mps
Description: The directory that contains the directory server code.

Path Variable: IDS_instance_HOME
Default Definition:
  For IBM Tivoli Directory Server Version 6.0
  Windows: drive\ibmslapd-instance_owner_name
    The value of drive might be C:\ on Windows systems. An example of instance_owner_name might be ldapdb2. For example, the log file might be C:\idsslapd-ldapdb2\logs\ibmslapd.log.
  UNIX: INSTANCE_HOME/idsslapd-instance_name
    On Linux and AIX systems, the default home directory is the /home/instance_owner_name directory. On Solaris systems, for example, the directory is the /export/home/ldapdb2/idsslapd-ldapdb2 directory.
Description: The directory that contains the IBM Tivoli Directory Server Version 6.0 instance.

Path Variable: HTTP_HOME
Default Definition:
  Windows: path\IBMHttpServer
  UNIX: path/IBMHttpServer
Description: The directory that contains the IBM HTTP Server code.

Path Variable: ITIM_HOME
Default Definition:
  Windows: path\IBM\itim
  UNIX: path/IBM/itim
Description: The base directory that contains the Tivoli Identity Manager code, configuration, and documentation.

Path Variable: WAS_HOME
Default Definition:
  Windows: path\WebSphere\AppServer
  UNIX: path/WebSphere/AppServer
Description: The WebSphere Application Server home directory

Path Variable: WAS_MQ_HOME
Default Definition:
  Windows: path\ibm\WebSphere MQ
  UNIX: path/mqm
Description: The directory that contains the WebSphere MQ code.

Path Variable: WAS_NDM_HOME
Default Definition:
  Windows: path\WebSphere\DeploymentManager
  UNIX: path/WebSphere/DeploymentManager
Description: The home directory on the deployment manager

Path Variable: Tivoli_Common_Directory
Default Definition:
  Windows: path\ibm\tivoli\common\CTGIM
  UNIX: path/ibm/tivoli/common/CTGIM
Description: The central location for all serviceability-related files, such as logs and first-failure data capture

Special terms

The following special term is used in this information:

UNIX and Linux

The term UNIX means both UNIX and Linux systems. A Linux-specific

label is used only when required for clarity.


Chapter 1. Overview of the Tivoli Identity Manager Environment

This section provides a brief, high-level description of Tivoli Identity Manager

components and prerequisite products, including an overview of basic

configurations that you must consider before installing Tivoli Identity Manager.

This publication includes instructions for the supported UNIX, Linux, and

Windows operating systems. Not all of this information may be appropriate for

your choice of operating system or combination of products. To determine the

supported combinations of prerequisite products, release levels, and fix pack

specifications, refer to the IBM Tivoli Identity Manager Release Notes, which takes

precedence over this document.

This book focuses on the tasks that you must complete in order to configure and

use Tivoli Identity Manager, such as creating a database or an LDAP suffix. This

book provides links to the more extensive, prerequisite information that you must

obtain and the steps that you must complete to install middleware, before you can

install Tivoli Identity Manager.

Tivoli Identity Manager components

Tivoli Identity Manager provides life cycle management of user accounts on

remote resources, using adapters to provide communication. The Tivoli Identity

Manager product:

• Provides user accounts to authorized users on one or more resources to which Tivoli Identity Manager adapters are connected
• Runs in a WebSphere Application Server environment, either in a single-server or clustered configuration
• Stores historical and pending data in a database server
• Stores user account and organizational data in an LDAP directory server
• Provides administration from a client interface in a Web browser that communicates through an HTTP server, such as IBM HTTP Server, and a WebSphere Web Server plug-in

A basic configuration is similar to Figure 1 on page 2.


Adapters overview

The Tivoli Identity Manager Server and its adapters enable you to provision

identities to a set of heterogeneous resources, which may be operating systems,

data stores, or other applications. Adapters were called agents in previous Tivoli

Identity Manager releases.

An adapter is a program that provides an interface between a managed resource

and the Tivoli Identity Manager Server. Adapters function as trusted virtual

administrators on the target platform for account management. For example,

adapters perform such tasks as creating accounts, suspending accounts, and

modifying account attributes.

A Tivoli Identity Manager adapter can be either agent-based or agentless:

Agent-based adapter

Deploys its adapter code onto the managed resource with which it is

designed to communicate.

Agentless adapter

Deploys only on the server, separate from the managed resource with

which it is designed to communicate.

WebSphere Application Server products

The WebSphere Application Server is the primary component of the WebSphere environment. The WebSphere Application Server runs a Java™ virtual machine, providing the runtime environment for the enterprise application code. The application server provides containers that specialize in enabling the execution of specific Java application components.

Figure 1. Tivoli Identity Manager components (diagram labels: Client (browser); IBM HTTP Server, WebSphere Web Server plug-in; WebSphere Application Server, Tivoli Identity Manager Server, JDBC driver; Tivoli Identity Manager database; LDAP data store; Managed resource, Tivoli Identity Manager adapter)

The Tivoli Identity Manager application runs on a single-server configuration with the WebSphere Application Server base product. The Tivoli Identity Manager application also runs in a larger cluster configuration that is composed of one or more WebSphere Application Servers and a deployment manager that manages a cluster.

Additional server processes run in a WebSphere Application Server environment,

such as the Java Message Service (JMS, sometimes called the jmsserver process or

the JMS server) that provides the WebSphere embedded messaging. The JMS server

enables the Tivoli Identity Manager application to exchange information with other

applications by sending and receiving data as messages.

For additional information about the WebSphere Application Server products, refer

to additional documentation cited in “Prerequisite product publications” on page

ix.

Database server products

Tivoli Identity Manager stores transactional and historical data in a database

server. For example, the Tivoli Identity Manager provisioning processes use a

relational database to maintain their current state as well as their history.

Computers that communicate with the database require a Java Database

Connectivity driver (JDBC driver). A JDBC driver is used to connect a Java-based

application to a database. For example, a JDBC driver enables a Tivoli Identity

Manager Server on a local computer or on another computer to communicate with

the data source. Tivoli Identity Manager supports JDBC driver types that connect

to corresponding databases.

The supported JDBC drivers include:

DB2 Universal Database

DB2 UDB supports a Type 2 JDBC driver. Several DB2 products include

this driver. Installing the DB2 UDB server automatically installs the JDBC

driver. To enable Tivoli Identity Manager to access a remote DB2 UDB

server, install this DB2 runtime client, which also includes the JDBC driver.

Oracle database

The Oracle database supports a Type 4 (Oracle thin) JDBC driver. No JDBC

driver configuration is required when the Oracle database is on a remote

computer. The Tivoli Identity Manager installation program requires the

location of this JDBC driver.

Before you install the Tivoli Identity Manager Server, obtain this JDBC

driver (ojdbc14.jar) from your Oracle Database Server installation in the

ORACLE_HOME/ora92/jdbc/lib/ directory. Alternatively, you can

download the driver from this Web site:

http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html

Microsoft SQL Server 2000 database

The SQL Server 2000 database supports a Type 4 JDBC driver. No JDBC

driver configuration is required when the SQL Server 2000 database is on a


remote computer. The Tivoli Identity Manager package includes this driver

and the installation program installs the driver automatically.

For more information on supported database server products, refer to the IBM

Tivoli Identity Manager Release Notes.

Directory server products

Tivoli Identity Manager stores the current state of the managed identities in an

LDAP directory, including user account and organizational data.

For more information on supported directory server products, refer to the IBM

Tivoli Identity Manager Release Notes.

HTTP server and WebSphere Web Server plug-in

An HTTP server, such as IBM HTTP Server, and a WebSphere Web Server plug-in

enable access to the Tivoli Identity Manager Server. The WebSphere Web Server

plug-in is a component that is installed onto an HTTP server. The WebSphere Web

Server plug-in handles the assignment of tasks to specific cluster members, taking

incoming requests and transporting them to the appropriate Web resource. The

plug-in allows the Web server to communicate requests for dynamic content, such

as servlets, to the WebSphere Application Server.

Configuration options

Before you install the Tivoli Identity Manager application, you must determine

how to configure WebSphere Application Server, either in a single-server or a

cluster configuration.

Single-server configurations

A single-server configuration includes the WebSphere Application Server base

product and other required applications on one computer. You must ensure that

the computer has the required memory, speed, and available disk space to meet

the workload.

A single-server configuration requires the following components and products:

• WebSphere Application Server base product, which includes the WebSphere embedded messaging server and client
• Tivoli Identity Manager Server
• An HTTP server
• The WebSphere Web Server plug-in
• A directory server
• A database server
• A JDBC driver

Figure 2. Single-server configuration on one computer (diagram labels: WebSphere Application Server, Tivoli Identity Manager Server; IBM HTTP Server, WebSphere Web Server plug-in; LDAP data store; Tivoli Identity Manager database; JDBC driver)

Optionally, you can install the WebSphere Application Server base product and the

Tivoli Identity Manager Server on one computer and install all other required

applications on one or more additional computers, in a configuration similar to

Figure 3.

In this configuration, the computer that has the Tivoli Identity Manager Server requires the following components and products:

• WebSphere Application Server base product, which includes the WebSphere embedded messaging server and client
• A JDBC driver

The following components and products run on additional computers:

• A database server
• A directory server
• An HTTP server
• A WebSphere Web Server plug-in

For tuning recommendations that place applications on separate computers, refer

to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.

For more information on a single-server configuration, see Chapter 5, “Installing

Tivoli Identity Manager in a single-server configuration,” on page 47.

Cluster configuration

A cluster configuration contains WebSphere Application Server nodes, which are

logical groups of one or more application servers on a computer. Nodes reside

within an administrative domain called a cell, which the deployment manager

manages. A node agent manages all managed processes on the node by

communicating with the deployment manager to coordinate and synchronize the

configuration. The deployment manager is the administrative process that provides

a centralized management view and control for all elements in the cell, including

the management of clusters.

Figure 3. Single-server configuration on multiple computers (diagram labels: IBM HTTP Server, WebSphere Web Server plug-in; WebSphere Application Server, Tivoli Identity Manager Server, JDBC driver; Tivoli Identity Manager database; LDAP data store)

The Tivoli Identity Manager application assumes that these common features describe every cluster member:

• The operating system is the same. For example, all Tivoli Identity Manager cluster members run on the IBM AIX operating system. To avoid problems with secure communication and certificate configuration, do not use more than one operating system type within a Tivoli Identity Manager cluster.
• The ITIM_HOME directory is identical. For example, the ITIM_HOME directory on every cluster member that runs on the IBM AIX operating system is /usr/IBM/itim.

The Tivoli Identity Manager application does not support a vertical cluster

configuration, which has more than one cluster member within a WebSphere

Application Server node.

In a configuration such as Figure 4 on page 7, each computer shape represents one

WebSphere node on one computer. The configuration specifies the deployment

manager on one computer. The remaining applications are configured on

additional computers.

WebSphere Application Server also permits you to install both the WebSphere

Application Server base product and the deployment manager on the same

computer. You must ensure that the computer has the required memory, speed,

and available space to meet the additional load.

The following describes the cluster configuration in Figure 4 on page 7:

• On the computer where you want to have the deployment manager, install the following components and products:
  – The deployment manager
  – The Tivoli Identity Manager Server
  – A JDBC driver
• A cluster member is an instance of a WebSphere Application Server in a cluster. On each cluster member, install the following components and products:
  – WebSphere Application Server base product, which includes the WebSphere embedded messaging server and client
  – Tivoli Identity Manager Server
  – A JDBC driver
• On one or more additional computers that are not in the cluster, install the following components and products:
  – A database server
  – A directory server
  – An HTTP server and the WebSphere Web Server plug-in

This is an example configuration only. An alternative topology might configure

these components on computers that are all inside the cluster.


For more information on configuring clusters, see “Creating a cluster

configuration” on page 36.

Overview of the installation

The installation has an extended sequence of activities that are illustrated in

Figure 5 on page 8.

Figure 4. Cluster configuration on multiple computers (diagram labels: Tivoli Identity Manager cell; Tivoli Identity Manager cluster; WebSphere Application Server base, Tivoli Identity Manager Server, JDBC driver; WebSphere Application Server Network Deployment, JDBC driver; IBM HTTP Server, WebSphere Web Server plug-in; Tivoli Identity Manager database; LDAP data store)

The process varies depending on whether installation is for a single-server or cluster configuration.

Figure 5. Major steps in installation (flowchart: 1. Configuration known? If no, specify configuration. 2. Operating system ready? If no, update operating system. 3. Database ready? If no, install and configure the database for Tivoli Identity Manager. 4. Directory server ready? If no, install and configure the directory server. 5. WebSphere Application Server ready? If no, install and configure WebSphere Application Server. 6. Install Tivoli Identity Manager Server. 7. Configure database, LDAP, WebSphere Application Server. 8. Test Tivoli Identity Manager Server.)

The major steps to install, configure, and test Tivoli Identity Manager are:

1. Determining the Tivoli Identity Manager Server topology. The information in this chapter describes the major configuration choices.

2. Ensuring that the operating system is at the level that Tivoli Identity Manager

requires. For more information on software and hardware requirements, refer to

the IBM Tivoli Identity Manager Release Notes.

3. Ensuring that the database server is installed and preconfigured. See Chapter 2,

“Installing and configuring a database,” on page 11 for steps to prepare the

database.

4. Ensuring that the directory server is installed and preconfigured. See Chapter 3,

“Installing and configuring a directory server,” on page 25 for steps to prepare

the directory server.

5. Determining that the WebSphere Application Server is ready. See Chapter 4,

“Installing and configuring WebSphere Application Server,” on page 33 for

steps to prepare the WebSphere Application Server in a single-server or cluster

configuration.

6. Installing the Tivoli Identity Manager application on one of these configurations:
   • Single-server. For more information, see Chapter 5, “Installing Tivoli Identity Manager in a single-server configuration,” on page 47.
   • Cluster. For more information, see Chapter 6, “Installing Tivoli Identity Manager in a cluster configuration,” on page 61.

For steps to upgrade an existing installation of Tivoli Identity Manager, see

Appendix C, “Upgrading from Tivoli Identity Manager Version 4.5.1 to Version

4.6,” on page 115.

7. Configuring the database, the directory server, and the WebSphere Application

Server for the Tivoli Identity Manager Server. For more information, see

Chapter 7, “Configuring the Tivoli Identity Manager Server,” on page 77.

8. Resolving problems that happened during installation and startup. For more

information, see Chapter 8, “Troubleshooting and verifying the installation,” on

page 93.

Planning activities for deployments at large sites

In large organizations, there are additional tasks that require planning before you

deploy Tivoli Identity Manager. For more information, refer to the IBM Tivoli

Identity Manager Planning for Deployment Guide.

To prevent initial deployment problems, consider providing a variation of the

following planning activities that are appropriate for your site, in advance of

installing Tivoli Identity Manager and also subsequent cumulative fixes:

• Establish a working practice that provides comprehensive and relevant Tivoli Identity Manager information to all of the specialists who install middleware. For example, have the team meet regularly to enumerate their problems and share their solutions.
• To ensure coordination, designate one person as a focal point for concerns that flow between your site and IBM customer support specialists.
• If possible, reduce the number of specialists who install and configure the applications. If specialists cannot be reduced in number, encourage communication flow between specialists:
  – Provide a comprehensive library or list of FTP or Web sites for prerequisite installation and configuration information.
  – Ensure that the specialist installing Tivoli Identity Manager has root or Administrator authority for the prerequisite middleware.
  – Ensure that all elements of the system or solution have sufficient privileges to provide accounts.
  – Support a centralized problem and solution database that identifies troubleshooting actions and assigns action owners.
  – Maintain a common library of scripts that automate start up.
  – Create a change control database that coordinates all customization activities.
  – Determine a working practice in which specialists provide a record of critical values in the worksheets similar to the ones that this publication provides. Ensure that all specialists have access to and use a common worksheet that centralizes the information.
    For example, each installation chapter in this manual provides a checklist of prerequisites that must be installed, configured, and running before you begin installation. Additionally, Appendix B, “Worksheets,” on page 111 provides a centralized collection point for critical values such as user IDs, passwords, and security settings. The IBM Tivoli Identity Manager Release Notes specifies prerequisite levels and fix packs or patches.


Chapter 2. Installing and configuring a database

The Tivoli Identity Manager application stores transactional and historical data,

including schedules, access control item definitions (ACIs), and audit data in a

database. This chapter focuses on configuring a Tivoli Identity Manager database

prior to Tivoli Identity Manager installation. The supported releases and required

fix packs for the supported databases are described in the IBM Tivoli Identity

Manager Release Notes.

The information in this chapter is not a substitute for the more extensive,

prerequisite documentation that is provided by the database product. For more

information that you are assumed to know, refer to these sources:

• IBM DB2 Universal Database
  http://www.ibm.com/software/data/db2/udb/support.html
  http://publib.boulder.ibm.com/infocenter/db2help/index.jsp (Information center)
  http://www.ibm.com/software/data/db2
  http://www.ibm.com/software/data/db2/udb/support/downloadv8.html
  http://www.ibm.com/software/data/db2/udb/sysreqs.html (Operating system prerequisites)
  http://www.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/v8pubs.d2w/en_main
• Oracle
  http://www.oracle.com/technology/documentation/index.html
  http://otn.oracle.com/tech/index.html
  http://otn.oracle.com/tech/linux/index.html
• Microsoft SQL Server 2000
  http://www.msdn.com/library/
  http://www.microsoft.com/sql/

Before you install the database product

Before you install the database product, complete these steps:

• Read the installation information that the database product provides.
• Ensure that your installation meets the product hardware and software requirements.
• Ensure that all required operating system patches are in place.
• Ensure that kernel settings are correct for some operating systems, such as the Solaris operating system. Each database application specifies its own requirements, such as additional operating system values. Before installing the application, refer to its documentation for these additional settings. For example, these Web sites describe kernel settings that DB2 UDB requires:
  – AIX: None required.
  – Linux: http://publib.boulder.ibm.com/infocenter/db2help/topic/com.ibm.db2.udb.doc/start/t0008238.htm
  – Solaris: http://publib.boulder.ibm.com/infocenter/db2help/topic/com.ibm.db2.udb.doc/start/t0006476.htm

Installing and configuring IBM DB2 Universal Database

This section describes installing and configuring IBM DB2 Universal Database (DB2

UDB). The configuration steps in this section create a new database for later use by

the Tivoli Identity Manager Server installation program, which populates the

database with data objects.

You can install DB2 UDB on the same computer with Tivoli Identity Manager or

on a separate computer. If you install DB2 UDB on a separate computer, you must

install a DB2 runtime client on the computer on which you install Tivoli Identity

Manager. For more information, see “Configuring the DB2 JDBC driver” on page

16.

Tivoli Identity Manager requires DB2 UDB to run with a required level of the DB2

fix pack. For more information on installing DB2 UDB and any fix packs, refer to

the IBM Tivoli Identity Manager Release Notes and also to documentation that the

database product provides. For example, access these Web sites:

http://www.ibm.com/software/data/db2/udb/support.html

http://www.ibm.com/software/data/db2/udb/support/downloadv8.html

Recording user data and ensuring that installation succeeds

The DB2 UDB installation requires that you specify some system data, such as the

DB2 administrator user ID and password. The installation wizard provides both

status reports and an initial verification activity.

Recording user names and passwords on UNIX systems

Installing DB2 UDB creates the default DB2 instance. Table 1 shows the default

values that are created. Record this information, which is required to configure the

DB2 UDB database that Tivoli Identity Manager uses. For an example of the

database tab that requires this information, see Figure 17 on page 83. For

worksheets that describe database fields required for the Tivoli Identity Manager

configuration, such as the database name, see “Tivoli Identity Manager information

for the database” on page 111.

Table 1. Field values on UNIX systems

Fields on UNIX systems          Value
DB2 instance name (user ID)     db2inst1
DB2 instance password           A user-defined value
DB2 instance home directory     UNIX: /home/db2inst1
                                Solaris: /export/home/db2inst1

Recording user names and passwords on Windows systems

Installing DB2 UDB creates the default DB2 instance. Table 2 on page 13 shows the

default values that are created.


Table 2. Field values on Windows systems

Fields on Windows systems       Value
DB2 instance name               DB2
Administrative user ID          db2admin
Password                        A user-defined value

Verifying the installation

The installation wizard provides a status report when the installation is complete.

Additionally, run the DB2 First Steps operation to verify the installation is

successful. To start the operation, complete these steps:

• Windows: Click Start –> Programs –> IBM DB2 –> Set-up Tools –> First Steps.
• UNIX: Enter this command:
  – AIX: /usr/opt/db2_08_01/db2fs
  – Other UNIX: /opt/IBM/db2/V8.1/db2fs

Installing the required fix packs

If your version of DB2 UDB requires a fix pack, obtain and install the fixes that are

available at these DB2 UDB support Web sites:

http://www.ibm.com/software/data/db2/udb/support.html

http://www.ibm.com/software/data/db2/udb/support/downloadv8.html

Verify that the correct fix pack is installed on both the database server and the

database client computers.

• On Windows, enter the db2level command:

  db2level

• On UNIX systems, log on as the DB2 instance owner and enter the db2level command:

  su - DB2_instance_ID
  db2level

  The value of DB2_instance_ID is the DB2 instance owner such as db2inst1.

For more information on these steps, refer to the IBM Tivoli Identity Manager Release

Notes and also to documentation that the DB2 UDB fix pack provides.

Configuring the DB2 server

Configure the DB2 server before you install the Tivoli Identity Manager Server. The

DB2 UDB settings described in this chapter are initial settings that might require

runtime adjustment. For more information, refer to the IBM Tivoli Identity Manager

Performance Tuning Guide technical supplement.

Configuring the DB2 server requires the following steps:

1. “Creating a user on Windows and UNIX systems” on page 14 or “Creating a

user on a Linux system” on page 14


2. “Creating the Tivoli Identity Manager database”

3. “Ensuring that TCP/IP communication is specified” on page 15

4. “AIX only: Setting EXTSHM for DB2 UDB connections” on page 15

Creating a user on Windows and UNIX systems

Create an operating system user named enrole on the computer on which the DB2

server is installed. The Tivoli Identity Manager Server uses the user ID enrole to

access the database. No special privileges are required for this user. Ensure that a

password change is not required at the next logon and that the password never

expires.

To create a user, follow these steps:

1. As root or as Administrator, start the system management tool for your operating system.
   • AIX: SMIT or SMITTY
   • Solaris: admintool
   • Windows: Click Start –> Administrative Tools –> Computer Management –> Local Users and Groups –> Users.

2. Add a new user enrole and set the user’s password.

3. Exit the system management tool.

4. Test the user access. Ensure that you can log on with the user ID enrole

without encountering a password reset.

5. Proceed to the next step, “Creating the Tivoli Identity Manager database.”

Creating a user on a Linux system

You can use the console command interface or the GUI utility to create a user on

Linux. To create a user by using the console command interface on a Linux (Red

Hat) operating system, enter the following command:

adduser -d /home/enrole -p password enrole

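The -d switch specifies the home directory. The -p switch sets the password; adduser stores the value exactly as given in the password field and expects it to be already encrypted, as returned by crypt(3). The entry enrole specifies the user ID that is created.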

Proceed to the next step, “Creating the Tivoli Identity Manager database.”
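A check for the requirement stated above that the enrole account must not force a password change at the next logon and must have a password that never expires, as an added example that is not part of the IBM guide. It audits one shadow(5) entry and also flags a password field that is not a crypt(3) hash, which is what a plain-text value passed to -p leaves behind; the function name, finding labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM guide): audit one shadow(5) entry for the
# enrole database account.
#
# shadow(5) fields:
#   name:password:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample entries; the hashes are placeholders, not real hashes.
SAMPLE_OK='enrole:$6$constructedsalt$constructedhash:19000:0:99999:7:::'
SAMPLE_FORCED='enrole:$6$constructedsalt$constructedhash:0:0:99999:7:::'
SAMPLE_AGING='enrole:$6$constructedsalt$constructedhash:19000:0:90:7:::'
SAMPLE_PLAIN='enrole:password:0:0:90:7::20000:'

# check_shadow_entry ENTRY
# Prints "ok" or a comma-separated list of findings. Always returns 0 so the
# caller decides how to react to the printed result.
check_shadow_entry() {
    printf '%s\n' "$1" | awk -F: '
    NF < 8 { print "malformed-entry"; exit }
    {
        n = 0
        hash = $2; lastchg = $3; max = $5; expire = $8

        # Password field: empty, locked, or not in the $id$salt$hash form.
        # A plain-text value stored verbatim lands in the last case, and so
        # do legacy DES hashes, which have no $id$ prefix.
        if (hash == "")                         f[++n] = "empty-password"
        else if (hash ~ /^[!*]/)                f[++n] = "locked"
        else if (hash !~ /^\$[0-9a-zA-Z]+\$/)   f[++n] = "not-a-modular-crypt-hash"

        # lastchg of 0 forces a password change at the next logon.
        if (lastchg == "0")                     f[++n] = "change-required-at-next-logon"

        # An empty max, or the conventional 99999, means no password aging.
        if (max != "" && max + 0 >= 0 && max + 0 < 99999)
                                                f[++n] = "password-expires"

        # A non-empty expire field sets an account expiry date.
        if (expire != "")                       f[++n] = "account-expires"

        if (n == 0) { print "ok"; exit }
        out = f[1]
        for (i = 2; i <= n; i++) out = out "," f[i]
        print out
    }'
}

# Run the check over the constructed samples.
for entry in "$SAMPLE_OK" "$SAMPLE_FORCED" "$SAMPLE_AGING" "$SAMPLE_PLAIN"; do
    printf '%s -> %s\n' "$entry" "$(check_shadow_entry "$entry")"
done
```

On a live Linux host, run it as root against the real entry with check_shadow_entry "$(getent shadow enrole)".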

Creating the Tivoli Identity Manager database

You can specify any name for the Tivoli Identity Manager database, such as

itimdb. To create the Tivoli Identity Manager database, follow these steps:

1. Open a DB2 UDB command window.
   • UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2 command window.
   • Windows: Click Start –> Run, and enter db2cmd. When the DB2 command window opens, enter db2.

2. In the DB2 command window, enter these commands to create the database:

   create db itim_dbname using codeset UTF-8 territory US
   update db cfg for itim_dbname using applheapsz 2048
   update db cfg for itim_dbname using app_ctl_heap_sz 1024

   The value of itim_dbname is a name such as itimdb. For more information, refer to the IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.

3. Stop and start the DB2 server to reset the configuration.


After you have created the Tivoli Identity Manager database and reset the

configuration, stop and start the DB2 server to allow the changes to take effect.

Enter the following commands:

db2stop

db2start

If entering db2stop fails and the database remains active, enter db2 force

application all to inactivate the database. Enter db2stop again.

Ensuring that TCP/IP communication is specified

Installing DB2 UDB specifies TCP/IP communication by default. To confirm that

TCP/IP communication is specified on the DB2 server and also on the DB2 client,

follow these steps:

1. Enter the following command:

db2set -all DB2COMM

2. If a tcpip entry is not in the list that was returned, enter the following

command, including tcpip and any other values that were returned in the list

that the command provided:

db2set DB2COMM=tcpip,values_from_db2set_command

For example, if the db2set -all DB2COMM command returned values such as

npipe and ipxspx in the list, specify these values again when you enter the

db2set command the second time:

db2set DB2COMM=tcpip,npipe,ipxspx

If the operating system is AIX, proceed to the next step, “AIX only: Setting

EXTSHM for DB2 UDB connections.” Otherwise, proceed to “Configuring the DB2

JDBC driver” on page 16.

AIX only: Setting EXTSHM for DB2 UDB connections

If the DB2 server is on the AIX operating system, ensure that you set the EXTSHM

environment variable to ON. This action increases the number of shared memory

segments to which a single process can be attached.

Tivoli Identity Manager processes might not be able to connect with DB2 UDB if

DB2 UDB runs out of shared memory segments on the AIX operating system. The

Tivoli Identity Manager log file contains the following error message:

[IBM][CLI Driver]SQL1224N A database agent could not be started to

service a request, or was terminated as a result of a database system

shutdown or a force command. SQLSTATE=55032

The EXTSHM environment variable must be exported both in the shell where the

client application is started and also in the shell where the database is started. A

client application can be the WebSphere Application Server, the node agent, or the

deployment manager.

To export the EXTSHM environment variable, complete these steps:

1. On the shell where the WebSphere Application Server is started, set the

environment variable EXTSHM by entering the following statement:

export EXTSHM=ON

Also add this statement to the etc/profile file of the root user from which the

WebSphere Application Server is started.

2. On the shell where the database is started, such as a shell of db2inst1, enter the

following commands to configure the EXTSHM environment variable:

export EXTSHM=ON

db2set DB2ENVLIST=EXTSHM

3. To ensure that the environment variable is always set, also add the following

line to the DB_INSTANCE_HOME/SQLLIB/userprofile file:

export EXTSHM=ON

Configuring the DB2 JDBC driver

In a single-server configuration, the DB2 server might be on a remote computer on

which Tivoli Identity Manager Server is not installed. Alternatively, the DB2 server

might be on the local computer, on which you install Tivoli Identity Manager

Server. If the DB2 server is on a remote computer, you must install and configure

the DB2 runtime client. You should also install the required fix pack.

In a cluster configuration, assuming that the DB2 server is on a remote computer,

you must install and configure the DB2 runtime client and apply the required fix

pack on these computers:

v The computer that has the deployment manager.

v Each cluster member on which you expect to install Tivoli Identity Manager

Server.

Installing and configuring the DB2 runtime client

Complete these steps to install and configure the DB2 runtime client:

1. Install and configure the DB2 runtime client and the required fix pack.

2. Catalog the database. The catalog operation creates a database alias on the local

DB2 client for the actual database on the DB2 server. An application running on

the same system as the database client uses the database alias defined in the

catalog to access the database.

Complete the following steps:

a. Open a DB2 UDB command window.

v UNIX: Log on as the DB2 instance owner and enter db2 to open a DB2

command window.

v Windows: Click Start –> Run, and enter db2cmd. When the DB2

command window opens, enter db2.

b. In the command window, enter this command on one line to define the

communication protocol and the local node alias:

catalog tcpip node local_db2node_alias remote db2server_hostname

server service-name|portnumber

The parameters and variables include:

node local_db2node_alias

A local alias for the node to be cataloged. This is an arbitrary name

on the user’s workstation that is used to identify the node.

remote db2server_hostname

The host name or IP address of the node on which the target

database resides.

server service-name|portnumber

The service name or the port number of the DB2 server instance.

The default value of the DB2 UDB port number is 50000. For more

information, see “Determining the correct service listening port and

service name” on page 18.

Use TCP/IP as the communication protocol. Do not use other protocols

such as named pipes or NetBIOS.

c. Enter the following command on one line to define the local database alias:

catalog database database_name as local_database_alias

at node local_db2node_alias

The parameters and variables include:

database database_name

The name of the database on a remote computer. The value of

database_name is the value of itim_dbname, such as itimdb that was

specified when the database was created on the DB2 server.

local_database_alias

An arbitrary local alias for the remote database.

node local_db2node_alias

A local alias for the node. This is the local node alias that is set in

the previous step 2b on page 16.

d. To test that the cataloging command was successful, enter the following

command:

connect to itim_dbname user db_admin_name using db2_admin_pwd

The value of itim_dbname is a name such as itimdb. The value of

db_admin_name is db2inst1 on UNIX systems, and db2admin on Windows

systems.

If the connection is successful, information is returned that identifies a local

database alias, such as itimdb. If the connection fails, complete these steps:

1) Ensure that the connect command uses the correct values for the user ID

and password.

2) Ensure that the connect command uses the correct value for the database

name.

3) Ensure that the TCP/IP communication protocol is defined in

DB2COMM. For more information, see “Ensuring that TCP/IP

communication is specified” on page 15.

4) Ensure that the correct database service name and listening port are

used, and that the listening port is active. For more information, see

“Determining the correct service listening port and service name” on

page 18.

Enabling encrypted data transmission between the DB2 server

and client

To require encrypted data for incoming connections at the database server, set the

srvcon_auth database manager configuration parameter to DATA_ENCRYPT. For

example, type this command at a DB2 command window on the DB2 server:

update database manager configuration using srvcon_auth data_encrypt

Additionally, to enable the DB2 client to send encrypted data to the DB2 server,

type this command on one line at a DB2 command window on the DB2 client:

catalog database database_name as local_database_alias at node local_db2node_alias

authentication data_encrypt

For more information about these parameters, see “Installing and configuring the

DB2 runtime client” on page 16.
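The two commands above have to agree: the server setting and the client catalog entry are configured separately, so it is easy to change one and forget the other. The following check is an added example, not part of the IBM guide. It assumes the output of `db2 get dbm cfg` (server) and `db2 list database directory` (client) has been captured as text; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM guide. Sample text is constructed and the
# output layouts are assumptions; adjust the patterns to your DB2 level.

# Constructed excerpt of `db2 get dbm cfg` output on the DB2 server.
SAMPLE_DBM_CFG=' Database manager authentication        (AUTHENTICATION) = SERVER
 Server Connection Authentication          (SRVCON_AUTH) = DATA_ENCRYPT
'

# Constructed excerpt of `db2 list database directory` output on the client.
SAMPLE_DB_DIRECTORY='Database 1 entry:
 Database alias                       = ITIMDB
 Database name                        = ITIMDB
 Node name                            = DB2NODE
 Directory entry type                 = Remote
 Authentication                       = DATA_ENCRYPT

Database 2 entry:
 Database alias                       = LEGACY
 Database name                        = LEGACY
 Node name                            = DB2NODE
 Directory entry type                 = Remote
'

# effective_server_auth: read dbm cfg text on stdin and print the
# authentication type applied to incoming connections. When srvcon_auth is
# NOT_SPECIFIED, DB2 falls back to the authentication parameter.
effective_server_auth() {
    awk -F'= *' '
        /\(SRVCON_AUTH\)/    { srv = toupper($2) }
        /\(AUTHENTICATION\)/ { auth = toupper($2) }
        END {
            gsub(/[ \t\r]/, "", srv); gsub(/[ \t\r]/, "", auth)
            if (srv == "" || srv == "NOT_SPECIFIED") srv = auth
            if (srv == "") srv = "UNKNOWN"
            print srv
        }'
}

# client_alias_auth ALIAS: read database directory text on stdin and print
# the Authentication value cataloged for ALIAS (NOT_SPECIFIED if absent).
client_alias_auth() {
    awk -F'= *' -v want="$1" '
        BEGIN { want = toupper(want) }
        /Database alias/ { cur = toupper($2); gsub(/[ \t\r]/, "", cur) }
        /Authentication/ && cur == want {
            a = toupper($2); gsub(/[ \t\r]/, "", a)
        }
        END { if (a == "") a = "NOT_SPECIFIED"; print a }'
}

# encryption_verdict SERVER_AUTH CLIENT_AUTH: name the side that still
# needs the command shown in the guide.
encryption_verdict() {
    case "$1/$2" in
        DATA_ENCRYPT/DATA_ENCRYPT) echo "ok" ;;
        DATA_ENCRYPT/*)            echo "client-not-cataloged-with-data_encrypt" ;;
        */DATA_ENCRYPT)            echo "server-srvcon_auth-not-data_encrypt" ;;
        *)                         echo "neither-side-configured" ;;
    esac
}

# Demonstration on the constructed samples.
srv=$(printf '%s' "$SAMPLE_DBM_CFG" | effective_server_auth)
for alias in itimdb legacy; do
    cli=$(printf '%s' "$SAMPLE_DB_DIRECTORY" | client_alias_auth "$alias")
    echo "$alias: server=$srv client=$cli -> $(encryption_verdict "$srv" "$cli")"
done
```

On a live system, pipe the real command output into the two parsing functions instead of the sample variables.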

JDBC drivers for a WebSphere Application Server on 64-bit

operating systems

Although the WebSphere Application Server at Version 5.1 can run on 64-bit

operating systems, the WebSphere Application Server requires a DB2 JDBC driver

that is a 32-bit DB2 runtime client to connect to the DB2 database.

If you install the 64-bit DB2 server on a 64-bit operating system on which the

Tivoli Identity Manager Server and the WebSphere Application Server will also be

installed, you should not install the 64-bit DB2 runtime client. You should complete

these steps when you install the DB2 server:

1. Choose the Custom option.

2. Exclude the 64-bit runtime client.

3. After the server is installed, install the DB2 JDBC driver that is a 32-bit DB2

runtime client.

If the 64-bit runtime client is already installed, do one of the following:

v Remove the 64-bit runtime client and then install the DB2 JDBC driver that is a

32-bit DB2 runtime client.

v Alternatively, create a 32-bit DB2 instance and catalog a connection to the 64-bit

instance that is either local or remote. Then, use the Tivoli Identity Manager

installation program to point the JDBC provider in the WebSphere Application

Server to the 32-bit instance.

To create the 32-bit DB2 instance, enter the following command:

– Command line:

- Windows: \sqllib\bin\db2icrt

- UNIX: DB_INSTANCE_HOME/instance/db2icrt -w WordWidth instancename

The value of the -w WordWidth parameter specifies the bit level that is

used, such as 32-bit. The value of instancename is a DB2 instance such as

db2inst2. For example, type this command:

db2icrt -w 32 db2inst2

– Graphical user interface: DB_INSTANCE_HOME/instance/db2isetup

Determining the correct service listening port and service

name

Creating the DB2 UDB instance creates the service listening port number and the

database service name. The default service listening port number is 50000. The

service name has this default value:

v Windows: db2c_DB2

v UNIX: db2cdb2inst1

When you catalog the local DB2 node alias, which is step 2b on page 16, you must

define either the service listening port number or the default service name.

To determine whether the correct service name or service listening port is defined,

complete these steps:

1. Locate the statement that is similar to the following example, which specifies

the current port number in the services file on the computer on which the DB2

server resides:

v Windows

– DB2 UDB Version 8.1: db2c_DB2 50000/tcp

– DB2 UDB Version 8.2: db2cdb2: 50000/tcp

v UNIX

– DB2 UDB Version 8.1: db2inst1: 50000/tcp

– DB2 UDB Version 8.2: db2c_db2: 50000/tcp

The services file has the following path:

v Windows: %SYSTEMROOT%\system32\drivers\etc\services

v UNIX: /etc/services

2. If the services file does not contain the DB2 instance service name and port

number, complete these steps:

a. Edit the appropriate services file for your operating system and add a DB2

service name and number:

v Windows: db2c_DB2 50000/tcp

v UNIX: db2inst1: 50000/tcp

The default value of the DB2 UDB port number is 50000.

b. Configure DB2 UDB to use the service name. Use the following command:

db2 update dbm cfg using svcename service_name|port_number

Provide the value of either service_name or port_number. The value of

service_name matches the new service name that you created in step 2a.

c. Stop and start the DB2 service to enable the port number to take effect. Use

the following commands:

db2stop

db2start

d. Verify the service names and ports are successfully updated by checking

that DB2 UDB is now listening on the new port. Enter this command:

netstat -an

In the listing, you should see the port that you specified, such as 50000, is

open for listening. For more information, refer to documentation that the

DB2 UDB product provides. Use these parameters:

-a Show both listening and non-listening sockets.

-n Show numerical addresses rather than symbolic host, port or user

names.
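The checks in this procedure and in “Ensuring that TCP/IP communication is specified” can be scripted so that they run the same way on every node. The following is an added example, not part of the IBM guide: the function names are hypothetical and the services and netstat text is constructed. It builds the DB2COMM value without dropping protocols that are already registered, resolves a service name to its port, and confirms that the port is in the LISTEN state.

```shell
#!/bin/sh
# Added example, not part of the IBM guide. All sample text below is
# constructed; real output layouts can differ by platform and DB2 level.

SAMPLE_SERVICES='# constructed sample services file
ssh             22/tcp
db2c_DB2        50000/tcp    # DB2 connection service
'

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22       0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:50000    0.0.0.0:*      LISTEN
tcp        0      0 10.0.0.5:50000   10.0.0.9:41522 ESTABLISHED
'

# db2comm_with_tcpip CURRENT
# Print the value for `db2set DB2COMM=...`: tcpip first, then every protocol
# already registered, without duplicates (comparison is case-insensitive).
db2comm_with_tcpip() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        BEGIN { out = "tcpip"; seen["tcpip"] = 1 }
        {
            p = tolower($0); gsub(/[ \t\r]/, "", p)
            if (p != "" && !(p in seen)) { seen[p] = 1; out = out "," p }
        }
        END { print out }'
}

# service_port NAME   (reads a services file on stdin)
# Print the TCP port assigned to NAME. A trailing colon on the name is
# tolerated because the guide's sample entries show one. Returns 1 and
# prints nothing if NAME is not defined.
service_port() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {
            name = $1; sub(/:$/, "", name)
            split($2, pp, "/")
            if (name == want && pp[2] == "tcp") { print pp[1]; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# resolve_svcename VALUE   (reads a services file on stdin)
# svcename may hold a port number or a service name; print the port.
resolve_svcename() {
    case "$1" in
        ''|*[!0-9]*) service_port "$1" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# port_is_listening PORT   (reads `netstat -an` output on stdin)
# Succeeds if a socket in LISTEN state is bound to PORT. Accepts both
# "addr:port" and "addr.port" forms of the local address.
port_is_listening() {
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("[.:]" port "$")) { hit = 1; exit }
        }
        END { exit (hit ? 0 : 1) }'
}

# Demonstration on the constructed samples.
port=$(printf '%s' "$SAMPLE_SERVICES" | resolve_svcename db2c_DB2) || port=""
if [ -n "$port" ] && printf '%s' "$SAMPLE_NETSTAT" | port_is_listening "$port"; then
    echo "db2c_DB2 -> $port/tcp is listening"
else
    echo "db2c_DB2 is not defined or its port is not listening"
fi
echo "db2set DB2COMM=$(db2comm_with_tcpip 'npipe,ipxspx')"
```

Matching on the LISTEN state keeps an established client connection to the same port from being mistaken for an active listener.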

Tuning performance

Performance issues can occur after you initially configure DB2 UDB. For example,

loading a large number of users can encounter performance issues. You may see

this message:

Not enough storage available for processing the sql statements.

To provide additional storage space, change the DB2 UDB application heap size to

a larger value. For recommendations and examples of setting DB2 UDB heap sizes

and other performance-sensitive parameters, refer to the IBM Tivoli Identity

Manager Performance Tuning Guide technical supplement.

Installing and configuring the Oracle database

This section describes installing and configuring the Oracle database for Tivoli

Identity Manager.

In all cases, refer to the installation and migration guides that the Oracle

Corporation provides for complete information. For more information, refer to

these Web sites:

http://otn.oracle.com/documentation/index.html

http://otn.oracle.com/tech/index.html

http://otn.oracle.com/tech/linux/index.html

Before you create a database

This section describes steps to complete before you create an Oracle database for

Tivoli Identity Manager. Complete these steps:

v “Installing the Oracle database server”

v “Configuring the init.ora file”

v “Setting environment variables” on page 21

v “Backing up an existing database” on page 21

v “Installing the JDBC driver” on page 21

Installing the Oracle database server

You might install the Oracle database server on the same computer or on a

computer that is separate from Tivoli Identity Manager. For more information on

installing the Oracle database server, refer to documentation available at this Web

site:

http://otn.oracle.com/tech/index.html

Note: If you manually create the Oracle database for Tivoli Identity Manager, you

must manually install the JVM feature, or any transactions from Tivoli

Identity Manager will subsequently fail. Using the Oracle Database

Configuration Assistant wizard installs the JVM feature by default.

Configuring the init.ora file

You must configure the init.ora file for the Tivoli Identity Manager database.

Complete these steps:

1. Copy the init.ora file.

v Windows

a. Under the ORACLE_HOME\admin\ directory, create a directory named

db_name\pfile. The value of db_name might be itimdb.

b. Copy the sample init.ora file from the

ORACLE_HOME\ora92\dbs\sample\pfile\ directory to the

ORACLE_HOME\admin\db_name\pfile directory.

c. Rename the new init.ora file to a value of initdb_name.ora.

v UNIX

Copy the ORACLE_HOME/dbs/init.ora file to a new

ORACLE_HOME/dbs/initdb_name.ora file.

2. Based on your environment requirements, tune the value of the following

parameters in the initdb_name.ora file:

compatible=9.2.0.0

db_name=itimdb

processes=150

java_pool_size=32M

shared_pool_size=50M

Additionally, define three control files for the Tivoli Identity Manager database.

This example statement defines the control files:

control_files=("/u01/app/oracle/oradata/db_name/control01.ctl",

"/u01/app/oracle/oradata/db_name/control02.ctl",

"/u01/app/oracle/oradata/db_name/control03.ctl")

3. Manually create all the directories defined in the initdb_name.ora file.

Setting environment variables

Set the environment variables for Oracle by editing the .profile file. Required

environment variables include ORACLE_SID, ORACLE_HOME, the library path,

and the system path.

Source the profile on UNIX operating systems, which updates the environment

variables in the current session, to ensure that Tivoli Identity Manager can

communicate with the database. To source the profile, enter the following

command:

# . /.profile

For more information, refer to the Oracle Web site.

Backing up an existing database

Perform a full backup of any existing database, and review the preliminary steps

that the documentation from the Oracle Corporation provides for upgrading an

Oracle database, before you begin to install the Oracle product or upgrade an

existing database. For Web sites that provide this information, see “Installing the

Oracle database server” on page 20.

Installing the JDBC driver

Copy the Oracle JDBC driver from the Oracle server directory into a directory on

the computer on which Tivoli Identity Manager will later be installed. The Tivoli

Identity Manager installation program prompts for the directory containing the

JDBC driver. In a cluster configuration, the JDBC driver is required on the

computer that has the deployment manager and also on each Tivoli Identity

Manager cluster member computer. At Oracle database Version 9i, the Oracle JDBC

driver (the ojdbc14.jar file) is located in the ORACLE_HOME/ora92/jdbc/lib/

directory.

Creating the Tivoli Identity Manager database

Skip this step if you use the Oracle Database Configuration Assistant wizard,

which creates the Tivoli Identity Manager database.

Manually create a Tivoli Identity Manager database using these steps:

1. Create and start the database instance using these steps:

v Windows

a. Create the instance with this command on one line:

# oradim -new -sid db_name -pfile ORACLE_HOME\admin\db_name\pfile\

initdb_name.ora

The value of the -sid parameter specifies the database instance name. For

example, the value of db_name might be itimdb. The value of the -pfile

parameter specifies the file that you previously configured in

“Configuring the init.ora file” on page 20.

b. Start the database instance with these commands:

# sqlplus "/ as sysdba"

SQL> startup nomount pfile=ORACLE_HOME\admin\db_name\pfile\initdb_name.ora

c. Verify that the Windows service OracleServicedb_name is started.

v UNIX

Start the database instance with these commands:

# sqlplus "/ as sysdba"

SQL> startup nomount pfile=ORACLE_HOME/dbs/initdb_name.ora

2. Use an SQL script similar to the following example to create your database.

Change the values in the script to match any requirements at your site. In this

example, the value of the db_name is an instance name such as itimdb.

-- Create database
CREATE DATABASE db_name
    CONTROLFILE REUSE
    LOGFILE '/u01/oracle/db_name/redo01.log' SIZE 1M REUSE,
            '/u01/oracle/db_name/redo02.log' SIZE 1M REUSE,
            '/u01/oracle/db_name/redo03.log' SIZE 1M REUSE,
            '/u01/oracle/db_name/redo04.log' SIZE 1M REUSE
    DATAFILE '/u01/oracle/db_name/system01.dbf' SIZE 10M REUSE
        AUTOEXTEND ON
        NEXT 10M MAXSIZE 200M
    CHARACTER SET UTF8;

-- Create a temporary rollback segment in the system tablespace
CREATE ROLLBACK SEGMENT rb_temp STORAGE (INITIAL 100K NEXT 250K);

-- Bring the temporary rollback segment online before proceeding
ALTER ROLLBACK SEGMENT rb_temp ONLINE;

-- Create additional tablespaces ...
-- RBS: For rollback segments
-- USERs: Create user sets this as the default tablespace
-- TEMP: Create user sets this as the temporary tablespace
CREATE TABLESPACE rbs
    DATAFILE '/u01/oracle/db_name/db_name.dbf' SIZE 5M REUSE AUTOEXTEND ON
    NEXT 5M MAXSIZE 150M;

CREATE TABLESPACE users
    DATAFILE '/u01/oracle/db_name/users01.dbf' SIZE 3M REUSE AUTOEXTEND ON
    NEXT 5M MAXSIZE 150M;

CREATE TABLESPACE temp
    DATAFILE '/u01/oracle/db_name/temp01.dbf' SIZE 2M REUSE AUTOEXTEND ON
    NEXT 5M MAXSIZE 150M;

-- Create rollback segments.
CREATE ROLLBACK SEGMENT rb1 STORAGE(INITIAL 50K NEXT 250K)
    tablespace rbs;
CREATE ROLLBACK SEGMENT rb2 STORAGE(INITIAL 50K NEXT 250K)
    tablespace rbs;
CREATE ROLLBACK SEGMENT rb3 STORAGE(INITIAL 50K NEXT 250K)
    tablespace rbs;
CREATE ROLLBACK SEGMENT rb4 STORAGE(INITIAL 50K NEXT 250K)
    tablespace rbs;

-- Bring new rollback segments online and drop the temporary system one
ALTER ROLLBACK SEGMENT rb1 ONLINE;
ALTER ROLLBACK SEGMENT rb2 ONLINE;
ALTER ROLLBACK SEGMENT rb3 ONLINE;
ALTER ROLLBACK SEGMENT rb4 ONLINE;
ALTER ROLLBACK SEGMENT rb_temp OFFLINE;
DROP ROLLBACK SEGMENT rb_temp;

3. Install the JVM for the database. Use these commands:

# sqlplus "/ as sysdba"

SQL> @$ORACLE_HOME/rdbms/admin/catalog.sql

SQL> @$ORACLE_HOME/rdbms/admin/catproc.sql

SQL> @?/javavm/install/initjvm.sql

SQL> @?/xdk/admin/initxml.sql

SQL> @?/xdk/admin/xmlja.sql

SQL> @?/rdbms/admin/catjava.sql

SQL> connect system/manager

SQL> @$ORACLE_HOME/sqlplus/admin/pupbld.sql

The value of the manager parameter is the password for the system user

account.

Starting the Oracle product and the listener service

To start the Oracle database, complete these steps:

v Windows

Use the Services menu to start the Oracle database service called

OracleServicedb_name.

v UNIX

Enter these commands:

# su - oracle

# sqlplus "/ as sysdba"

SQL> startup

To start the Oracle listener service, complete these steps:

v Windows

Use the Services menu to start the Oracle TNS listener named

OracleOraHome92TNSListener. If the Oracle listener service is idle, start the

listener.

v UNIX

# su - oracle

# lsnrctl start

To ensure that Oracle processes are started, enter this command:

ps -ef | grep ora

The ps (process) command searches for processes. The grep command selects the

processes that contain a string. The parameters in this example include:

-e Select all processes.

-f Display a full listing.

To ensure that the listener is running, enter this command:

# lsnrctl status

Installing and configuring SQL Server 2000 on the Windows operating

system

This section describes installing and configuring SQL Server 2000 on the Windows

operating system. Complete these steps:

v “Preparing to install SQL Server 2000”

v “Installing SQL Server 2000”

v “Configuring SQL Server 2000” on page 24

Preparing to install SQL Server 2000

Complete the following procedures prior to installing SQL Server 2000 on a

Windows system:

1. Obtain the latest SQL Server 2000 service pack.

2. Log in to the Windows system with an Administrator account before launching

the SQL Server 2000 installation.

Installing SQL Server 2000

You might install SQL Server 2000 on the same computer or on a computer that is

separate from Tivoli Identity Manager. After installing SQL Server 2000, install the

latest SQL Server 2000 service pack. For more information on installing SQL Server

2000, refer to documentation available at these Web sites:

http://www.msdn.com/library/

http://www.microsoft.com/sql/

Configuring SQL Server 2000

You must complete several post-installation tasks to configure SQL Server 2000 for

Tivoli Identity Manager:

1. Launch the MS SQL Server Enterprise Manager.

2. Navigate the tree, clicking the Databases node.

3. Click Tools and use the menu to open SQL server configuration properties.

4. On the SQL server configuration properties window, click the Security tab.

Ensure that SQL Server and Windows authentication (mixed-mode

authentication) is enabled.

5. Create a new database using a name such as itimdb.

6. For both data files and also for the transaction log, enter the following values

for the database that you create:

v Initial file size: 20 MB

v Automatically grow the file.

v Allow unrestricted file growth.

Chapter 3. Installing and configuring a directory server

Tivoli Identity Manager stores user account and organizational data (but not data

for schedules, ACI definitions, and audit data) in a directory server. This chapter

focuses on configuring the directory server for use by Tivoli Identity Manager. The

supported combinations of directory servers and required fix packs are described

in the IBM Tivoli Identity Manager Release Notes.

The information in this chapter is not a substitute for the more extensive,

prerequisite documentation that is provided by the directory server product itself.

For more information that you are assumed to know, refer to these sources:

v IBM Tivoli Directory Server

– Hardware and software requirements, and documentation

Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm

Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml

– Fixes

http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html

v Sun ONE Directory Server

– Usage and maintenance

http://www.sun.com/software/products/directory_srvr_ee/index.html

http://www.sun.com/download/index.jsp

– Documentation

http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

Before you install the directory server product

Before you install the directory server product, complete these steps:

v Read the installation guide that the directory server product provides.

v Ensure that your installation meets the directory server hardware and software

requirements.

Installing and configuring IBM Tivoli Directory Server

This section describes installing and configuring the IBM Tivoli Directory Server.

Installing IBM Tivoli Directory Server

You can install the IBM Tivoli Directory Server on the same computer with Tivoli

Identity Manager or on a separate computer.

The IBM Tivoli Directory Server uses DB2 Universal Database as a data store. If

DB2 UDB is not already installed, installing the IBM Tivoli Directory Server can

also install an instance of DB2 UDB on the same computer.

On the same computer, if you install IBM Tivoli Directory Server and the DB2

server that the Tivoli Identity Manager Server uses, you should install the DB2

server before you install the IBM Tivoli Directory Server. For information on

installing the directory server, refer to documentation that the directory server

product provides. For example, access this Web site:

http://www.ibm.com/software/sysmgmt/products/support/IBMDirectoryServer.html

Installing the required fix packs

If your version of the IBM Tivoli Directory Server requires a fix pack, obtain and

install the fixes. For more information, refer to these support Web sites:

Version 5.2: http://publib.boulder.ibm.com/tividd/td/IBMDS/IDSapinst52/en_US/HTML/ldapinst.htm

Version 6.0: http://publib.boulder.ibm.com/infocenter/tiv2help/index.jsp?toc=/com.ibm.IBMDS.doc/toc.xml

Verify that the correct fix pack is installed on the IBM Tivoli Directory Server.

Open a fix pack file such as PF520-operatingsystem-0x.txt. For example:

v Windows: FP520W-01.txt

v Solaris: FP520OS-01.txt

Search for a text description similar to IBM Directory Release: aus52ldap Build:

041206a. The file is in this directory:

v Windows

LDAP_HOME\bin

v AIX and Linux

usr/ldap/bin

v Solaris

opt/IBMldapc/bin

For more information on these steps, refer to the IBM Tivoli Identity Manager Release

Notes and also to the documentation that the IBM Tivoli Directory Server fix pack

provides.

Setting up the IBM Tivoli Directory Server

Setting up the IBM Tivoli Directory Server requires creating the LDAP suffix for

your organization before you install the Tivoli Identity Manager Server. Setting up

the IBM Tivoli Directory Server also requires configuring the Tivoli Identity

Manager referential integrity file. An LDAP suffix, also known as a naming

context, is a distinguished name (DN) that identifies the top entry in a locally-held

directory hierarchy.

Creating the LDAP suffix object

Create the LDAP suffix for Tivoli Identity Manager using the command line

interface as follows:

1. Identify the directory server process or service, stop the directory server, create

the suffix, and restart the directory server.

a. Identify the directory server process or service.

v UNIX: grep for the process ID ibmslapd.

v Windows: Click Start –> Administrative Tools –> Services. Scroll the list

of services to locate the IBM Tivoli Directory Server.

b. Check the status of the directory server process or service. For example,

type:

ibmdirctl -D adminDN -w adminPW -h hostname -p port status

The value of adminDN (required) binds to the LDAP directory. The adminDN

parameter is a string-represented distinguished name. The value of

adminPW (required) is the administrator password. The value of hostname

(optional) and port (optional) are the host name and port of the computer

on which the directory server and the administration daemon are running.

c. If the server is running, stop the server.

v UNIX: End the ibmslapd process using the ibmdirctl command that the

administration daemon control program provides. For example, type:

ibmdirctl -D adminDN -w adminPW -h hostname -p port stop

The value of adminDN (required) binds to the LDAP directory. The

adminDN parameter is a string-represented distinguished name. The value

of adminPW (required) is the administrator password. The value of

hostname (optional) and port (optional) are the host name and port of the

computer on which the directory server and the administration daemon

are running.

v Windows:

1) Click Start –> Administrative Tools –> Services.

2) Right click the IBM Tivoli Directory Server item in the list of services

and click Stop.

Alternatively, use the ibmdirctl command that the administration

daemon control program provides. For example, type:

ibmdirctl -D adminDN -w adminPW -h hostname -p port stop

The value of adminDN (required) binds to the LDAP directory. The

adminDN parameter is a string-represented distinguished name. The

value of adminPW (required) is the administrator password. The value

of hostname (optional) and port (optional) are the host name and port

of the computer on which the directory server and the administration

daemon are running.

d. Create the suffix.

v For IBM Tivoli Directory Server Version 5.2, enter this command:

ldapcfg -s "itim_suffix"

The -s parameter specifies the suffix. The itim_suffix variable is a value

such as dc=com.

v For IBM Tivoli Directory Server Version 6.0, enter this command:

idscfgsuf -I instancename -s itim_suffix

The -I parameter specifies the directory server instance. For more

information on a value for instancename, see “Definitions for HOME and

other directory variables” on page xii.

e. Start the server.

v UNIX: Start the ibmslapd process using the ibmdirctl command that the

administration daemon control program provides. For example, type:

ibmdirctl -D adminDN -w adminPW -h hostname -p port start

The value of adminDN (required) binds to the LDAP directory. The

adminDN parameter is a string-represented distinguished name. The value

of adminPW (required) is the administrator password. The value of

hostname (optional) and port (optional) are the host name and port of the

computer on which the directory server and the administration daemon

are running.

v Windows:

1) Click Start –> Administrative Tools –> Services.

2) Right click the IBM Tivoli Directory Server item in the list of services

and click Start.

2. To add the LDAP suffix as a domain object, first create an LDAP Data

Interchange Format (LDIF) file, such as suffix.ldif, that has the following

statements. In this example, dc=com is the value that is specified for the Tivoli

Identity Manager suffix.

dn:dc=com
dc:com
objectclass:top
objectclass:domain
#one blank line must end this file, or the ldapadd command will not run

3. Use the ldapadd command to add the domain object. For example, complete

these steps:

a. Change to the LDAP_HOME/bin directory.

b. Enter the following command on one line:

ldapadd -h ldaphost -D ldap_admin -w ldap_admin_pwd -f full_pathsuffix.ldif

For example:

ldapadd -h localhost -D cn=root -w secret -f suffix.ldif

This example uses the following parameters:

-h Specifies an alternate host on which the LDAP server is running.

-D Uses the distinguished name to bind to the LDAP directory.

-w Uses the password for simple authentication.

-f Reads the entry modification from a file.

Verifying successful suffix object configuration

To verify the suffix object configuration in this example, enter this command:

ldapsearch -h localhost -b dc=com "(objectclass=domain)"

The options are:

-h Specifies an alternate host on which the LDAP server is running.

-b Specifies the search base of the initial search, instead of the default.

The output should confirm that you have configured permissions for dc=com and

initialized the suffix with data.

dc=com

objectclass=domain

objectclass=top

dc=com

Configuring the referential integrity plug-in on the IBM Tivoli

Directory Server

The referential integrity plug-in for the Tivoli Identity Manager application on the

IBM Tivoli Directory Server helps maintain consistency in references to objects that

are deleted from the directory. Use the following steps to configure the referential

integrity plug-in on the IBM Tivoli Directory Server:

1. Assuming that you stopped the IBM Tivoli Directory Server, copy the

referential integrity plug-in file from the Tivoli Identity Manager product CD to

the following directory in the default installation directory for IBM Tivoli

Directory Server:

v Windows:

– Version 5.2: LDAP_HOME\bin. For example, copy the file to the

C:\IBM\LDAP\bin directory.

– Version 6.0: LDAP_HOME\lib. For example, copy the file to the

C:\IBM\LDAP\lib directory.

v UNIX:

Version 5.2 and 6.0: LDAP_HOME/lib. For example, copy the file to the

usr/IBM/LDAP/lib directory.

On an AIX 64-bit system using a 64-bit DB2 instance, use the

LDAP_HOME/lib64 directory if the full library path name is not specified in

the ibmslapd.conf file.

The referential integrity plug-in file names are:

v AIX: libdelref.a

v Solaris: libdelref.so

v Windows: libdelref.dll

v Linux: libdelref.so

On UNIX systems, ensure that the file permission on the referential integrity

plug-in file is set to -r-xr-xr-x.

2. Copy the new Tivoli Identity Manager configuration file named timdelref.conf

from the ITIM_HOME/config/ldap/ibm directory on the version 4.6 Tivoli

Identity Manager Server or from the Tivoli Identity Manager product CD to the

etc directory on the IBM Tivoli Directory Server, replacing the previous

configuration file:

v Version 5.2: LDAP_HOME/etc

v Version 6.0: IDS_instance_HOME/etc

3. Edit the ibmslapd.conf configuration file for IBM Tivoli Directory Server. The

file location varies depending on the IBM Tivoli Directory Server version:

v UNIX:

– Version 5.2: LDAP_HOME/etc. For example, locate the file in the

usr/IBM/LDAP/etc directory.

– Version 6.0: IDS_instance_HOME/etc. For example, locate the file in the

/home/instance_owner_name/etc directory.

v Windows:

– Version 5.2: LDAP_HOME\etc. For example, locate the file in the

C:\IBM\LDAP\etc directory.

– Version 6.0: IDS_instance_HOME\etc. For example, locate the file in the

C:\idsslapd-ldapdb2\etc directory.

4. In the configuration file, specify the referential integrity file for Tivoli Identity

Manager:

a. Locate the following line:

ibm-slapdPlugin: database path_to_rdbmfilename rdbm_backend_init

The path_to_rdbmfilename variable is one of the following files:

v AIX: /lib/libback-rdbm.a

v UNIX other than AIX: /lib/libback-rdbm.so

v Windows: /lib/libback-rdbm.dll

The Windows path is specified with a forward slash.

b. Add the following line, all on one line, directly after the previous line:

v UNIX:

Version 5.2

ibm-slapdPlugin: preoperation LDAP_HOME/lib/lib_filename DeleteReferenceInit file=LDAP_HOME/etc/timdelref.conf dn=itim_suffix

Version 6.0

ibm-slapdPlugin: preoperation LDAP_HOME/lib/lib_filename DeleteReferenceInit file=IDS_instance_HOME/etc/timdelref.conf dn=itim_suffix

v Windows:

Version 5.2

ibm-slapdPlugin: preoperation "LDAP_HOME/bin/lib_filename" DeleteReferenceInit file="LDAP_HOME\etc\timdelref.conf" dn=itim_suffix

Version 6.0

ibm-slapdPlugin: preoperation "LDAP_HOME/lib/lib_filename" DeleteReferenceInit file="IDS_instance_HOME\etc\timdelref.conf" dn=itim_suffix

Notes:

1) The LDAP_HOME variable is the default installation directory for the

IBM Tivoli Directory Server. The lib_filename variable is the name of

the referential integrity plug-in filename, as identified in step 1 on

page 29.

2) The itim_suffix variable is a value such as dc=com.

3) On the Windows operating system, to specify the path to the

libdelref.dll and the timdelref.conf files, ensure that you enclose the

value of lib_filename in double quote marks. Additionally, specify the

path to the libdelref.dll file with a forward slash.

5. Save the changes that you made to the configuration file.

6. Start the IBM Tivoli Directory Server.

7. Determine whether the referential integrity plug-in is reconfigured and loaded

appropriately. Locate the IBM Tivoli Directory Server log file for the

configuration.

v UNIX:

– Version 5.2: LDAP_HOME/var/ibmslapd.log. On AIX, for example, the

file is in the usr/IBM/LDAP/var directory.

– Version 6.0: IDS_instance_HOME/etc/ibmslapd.log. On AIX, for example,

the file is in the usr/idsslapd-ldapdb2/etc directory.

v Windows:

– Version 5.2: LDAP_HOME\var\ibmslapd.log. For example, the file is in

the C:\IBM\LDAP\var directory.

– Version 6.0: IDS_instance_HOME\logs\ibmslapd.log. For example, the file

is in the C:\idsslapd-ldapdb2\logs directory.

You should see a message similar to the following information:

Plugin of type PREOPERATION is successfully loaded

from /usr/ldap/lib/libdelref.a

If you repeat this operation, more than one message occurs in the log file.

Examine the timestamp on the most recent message in the file. If the operation

does not succeed, ensure that the referential integrity plug-in file is in the target

directory.
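
The checks in steps 1, 4 and 7 can be scripted. The following is an added example, not part of the IBM guide: it confirms that the DeleteReferenceInit entry sits on one line directly after the database plug-in line, that the plug-in file has mode -r-xr-xr-x, and it returns the most recent load message from ibmslapd.log. The function names are hypothetical, and the log message is assumed to occupy a single line.

```shell
#!/bin/sh
# Added example (hypothetical function names); not part of the IBM guide.

# check_plugin_entry CONF
# Prints "ok" when the DeleteReferenceInit entry is the line directly after
# the rdbm database plug-in line and holds file= and dn= on that one line.
# Otherwise prints the reason and returns 1.
check_plugin_entry() {
    awk '
        /^ibm-slapdPlugin:[ \t]+database[ \t].*rdbm_backend_init/ {
            db = NR
            next
        }
        db && NR == db + 1 {
            seen = 1
            if ($0 !~ /^ibm-slapdPlugin:[ \t]+preoperation([ \t]|$)/)
                why = "line after the database plug-in is not a preoperation plug-in"
            else if ($0 !~ /[ \t]DeleteReferenceInit([ \t]|$)/)
                why = "entry is split: DeleteReferenceInit is not on the plug-in line"
            else if ($0 !~ /[ \t]file=[^ \t]/)
                why = "entry is split or incomplete: file= is not on the plug-in line"
            else if ($0 !~ /[ \t]dn=[^ \t]/)
                why = "entry is split or incomplete: dn= is not on the plug-in line"
        }
        END {
            if (!db)        why = "no rdbm database plug-in line found"
            else if (!seen) why = "nothing follows the database plug-in line"
            if (why != "") { print why; exit 1 }
            print "ok"
        }
    ' "$1"
}

# plugin_mode_ok FILE: succeeds only when FILE has the mode -r-xr-xr-x.
plugin_mode_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-r-xr-xr-x" ]
}

# last_plugin_load LOG LIBNAME: prints the most recent log line reporting a
# PREOPERATION plug-in loaded from LIBNAME; returns 1 when there is none.
last_plugin_load() {
    awk -v lib="$2" '
        /Plugin of type PREOPERATION is successfully loaded/ && index($0, lib) { hit = $0 }
        END { if (hit == "") exit 1; print hit }
    ' "$1"
}

# Usage: sh check_delref.sh IBMSLAPD_CONF PLUGIN_FILE IBMSLAPD_LOG
if [ "$#" -eq 3 ]; then
    check_plugin_entry "$1"
    if plugin_mode_ok "$2"; then echo "mode ok"; else echo "mode is not -r-xr-xr-x"; fi
    last_plugin_load "$3" "$(basename "$2")" || echo "no load message in log"
fi
```

A "split" result means the entry was pasted as several lines, which is how the entry appears when it wraps in print.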

Preventing connection problems with multiple LDAP sessions

Each instance of the Tivoli Identity Manager Server allocates a number of LDAP

sessions to form a connection pool at startup. The default minimum number of

sessions is 50. In a Tivoli Identity Manager cluster that has more than one cluster

member, starting the cluster can require more than 100 LDAP connections.

On the Windows operating system, the IBM Tivoli Directory Server supports a

default of 64 concurrent connections. Connection attempts beyond 64 connections

result in failed logons to the Tivoli Identity Manager Server and a “Directory

Server not available” error message similar to this example:

Connection pool exceeded: directory server not available

To prevent connection problems, define the value of SLAPD_OCHANDLERS to

increase the available connections. Complete these steps:

1. Locate the following stanza in the ibmslapd.conf file:

dn: cn=Front End, cn=Configuration

2. Add the following line to this stanza:

ibm-slapdsetenv: SLAPD_OCHANDLERS=number-of-threads

One thread supports 64 connections. If there are multiple instances of the Tivoli

Identity Manager Server, increase this value. If there are two instances of the

server, each requiring a minimum of 50 simultaneous LDAP connections,

specify a value of 2 or larger. For example, add this line to the stanza:

ibm-slapdsetenv: SLAPD_OCHANDLERS=4

3. Save the changes that you made to the configuration file.

4. Restart the IBM Tivoli Directory Server so that the changes take effect.
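
An added example, not part of the IBM guide, that audits this setting: it reads SLAPD_OCHANDLERS from the Front End stanza and compares the resulting capacity (64 connections per thread) with the pools that the Tivoli Identity Manager instances open at startup. The function names are hypothetical, and an unset value is assumed to mean one thread (the default of 64 connections).

```shell
#!/bin/sh
# Added example (hypothetical function names); not part of the IBM guide.

CONNS_PER_THREAD=64   # from the guide: one thread supports 64 connections
DEFAULT_POOL_MIN=50   # from the guide: default minimum LDAP sessions per server

# threads_needed INSTANCES [POOL_MIN]: smallest thread count whose capacity
# covers INSTANCES connection pools of POOL_MIN sessions each.
threads_needed() {
    echo $(( ($1 * ${2:-$DEFAULT_POOL_MIN} + $CONNS_PER_THREAD - 1) / $CONNS_PER_THREAD ))
}

# configured_threads CONF: prints the SLAPD_OCHANDLERS value set inside the
# "cn=Front End, cn=Configuration" stanza only. Prints 1 when the stanza does
# not set it (assumption: unset equals the default of 64 connections).
configured_threads() {
    awk '
        /^[ \t]*$/ { front = 0; next }          # a blank line ends the stanza
        /^dn:/ {
            dn = tolower($0); gsub(/[ \t]/, "", dn)
            front = (dn == "dn:cn=frontend,cn=configuration")
            next
        }
        front && /^ibm-slapdsetenv:[ \t]*SLAPD_OCHANDLERS=/ {
            sub(/^.*SLAPD_OCHANDLERS=/, ""); val = $0 + 0
        }
        END { print (val > 0 ? val : 1) }
    ' "$1"
}

# check_ochandlers CONF INSTANCES [POOL_MIN]
# Prints the verdict and returns 1 when the configured capacity is too small.
check_ochandlers() {
    have=$(configured_threads "$1")
    need=$(threads_needed "$2" "${3:-$DEFAULT_POOL_MIN}")
    if [ "$have" -ge "$need" ]; then
        echo "ok: $have thread(s) allow $(( $have * $CONNS_PER_THREAD )) connections"
    else
        echo "too low: $have thread(s) allow $(( $have * $CONNS_PER_THREAD )) connections, need SLAPD_OCHANDLERS=$need or larger"
        return 1
    fi
}

# Usage: sh check_ochandlers.sh IBMSLAPD_CONF INSTANCES [POOL_MIN]
if [ "$#" -ge 2 ]; then
    check_ochandlers "$@"
fi
```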

Avoiding port conflicts

IBM Tivoli Directory Server might install the WebSphere Application Server –

Express, which can cause potential port conflicts. If another WebSphere Application

Server is on the same computer, resolve any port conflicts with WebSphere

Application Server – Express before you run the other server. For more

information, see “Resolving port conflicts” on page 40.

Installing and configuring Sun ONE Directory Server

This section describes installing and configuring Sun ONE Directory Server.

Installing the Sun ONE Directory Server

For the instructions and more information on installing the Sun ONE Directory

Server, refer to documentation available at these Web sites:

http://www.sun.com/software/products/directory_srvr_ee/index.html

http://docs.sun.com/app/docs/coll/S1_DirectoryServer_52

http://www.sun.com/software/download/inter_ecom.html#dirserv

Configuring the Sun ONE Directory Server

To configure the Sun ONE Directory Server, complete these steps:

1. Start and log on to the Sun ONE Directory Server administrative console. For

example, to start the directory server, enter this command:

path/Sun/mps/startconsole

On AIX, for example, the value of path is usr.

2. Navigate to your directory server in the console tree and open the directory

server.

3. Select the Configuration tab and configure a new root suffix that can be any

value for the suffix that you define for Tivoli Identity Manager, such as dc=com.

For example, complete these steps:

a. On the Configuration tab, right click the Data folder.

b. In the New Suffix window, type dc=com.

c. Select the new item dc=com. Then, add an attribute such as o for

organization.

d. Click Save. Then, on the warning window, click Do nothing.

4. Give the new root suffix an object class of domain. In the Create New Root

Suffix window, complete these steps:

a. Select the Directory tab.

b. Right-click the name of the directory server in the directory server tree and

select the new root suffix such as dc=com that you created in step 3, located

under New Root Object.

c. In the New Object window, select domain and repeatedly click OK in

subsequent windows.

5. Restart the directory server.

6. Open the Performance folder and increase the memory cache available for the

Tivoli Identity Manager Server to a maximum cache size that is appropriate to

the physical memory for your hardware configuration. If the Sun ONE

Directory Server is installed on its own machine, set this value to 75% of the

available memory.

7. Select the database object in the Tivoli Identity Manager application node, and

change the memory available in the database settings to a value that is

appropriate to the physical memory for your hardware configuration. If the

Tivoli Identity Manager application is the only application using this directory,

set this value to 60% of the maximum cache size.

8. Save the settings.

9. Restart the directory server.

Note: Sun ONE Directory Server access control instructions (ACIs) might have

enabled anonymous read access. To provide more secure data, modify the

default ACIs to disable anonymous read access. For more information, refer

to the Sun ONE Directory Server documentation.
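
To find the ACIs that the note refers to, the following added example (not part of the IBM guide or the Sun ONE documentation) scans an LDIF export that includes the aci attribute and lists every ACI granting read, search, compare or all to the anonymous subject ldap:///anyone. The function name is hypothetical, and the match is a text heuristic on the ACI syntax, so review each reported ACI before changing it.

```shell
#!/bin/sh
# Added example (hypothetical function name); not part of the IBM guide.

# anonymous_read_acis: reads an LDIF export on stdin and prints
#   DN | acl "NAME"
# for each ACI that allows read, search, compare or all to ldap:///anyone.
# Returns 1 when no such ACI is found.
anonymous_read_acis() {
    awk '
        # Evaluate one complete (unfolded) LDIF line.
        function check(line,    low) {
            low = tolower(line)
            if (low ~ /^dn:/) {                 # remember the current entry
                dn = line
                sub(/^[^:]*:[ \t]*/, "", dn)
                return
            }
            if (low !~ /^aci:/) return
            if (low !~ /allow[ \t]*\([^)]*(read|search|compare|all)/) return
            if (low !~ /userdn[ \t]*=[ \t]*"[^"]*ldap:\/\/\/anyone/) return
            name = "(unnamed)"
            if (match(line, /acl[ \t]+"[^"]*"/))
                name = substr(line, RSTART, RLENGTH)
            print dn " | " name
            found = 1
        }
        # A line that starts with one space continues the previous line.
        /^ / { cur = cur substr($0, 2); next }
        { if (cur != "") check(cur); cur = $0 }
        END { if (cur != "") check(cur); exit (found ? 0 : 1) }
    '
}

# Usage: sh anon_acis.sh EXPORT.ldif
if [ "$#" -eq 1 ]; then
    anonymous_read_acis < "$1"
fi
```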

Chapter 4. Installing and configuring WebSphere Application

Server

This chapter describes generic steps to create a WebSphere Application Server

environment before you install the Tivoli Identity Manager Server in either

single-server or cluster configurations.

Before you install the WebSphere Application Server

Before installing the WebSphere Application Server, complete these tasks:

v “Meeting installation requirements”

v “Solaris: Setting additional kernel parameters for WebSphere embedded

messaging”

v “UNIX: Creating groups and users before installing WebSphere embedded

messaging” on page 34

Meeting installation requirements

To meet the installation requirements for the WebSphere Application Server,

complete these steps:

v Read the installation guide that the WebSphere Application Server provides.

v Ensure that your system meets the product hardware and software requirements.

v Ensure that all required operating system fix packs and cumulative fixes are in

place. For more information on tuning operating systems for the WebSphere

Application Server, refer to this Web site:

http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tprf_tuneopsys.html

For more information on installing the WebSphere Application Server, refer to the

following Web sites:

v Hardware and software requirements

http://www.ibm.com/software/webservers/appserv/doc/latest/prereq.html

http://www.ibm.com/software/webservers/appserv/doc/v51/prereqs/was_v511.htm

v Fixes

http://www.ibm.com/software/webservers/appserv/was/support/

v Documentation

http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp

http://www.redbooks.ibm.com/

Solaris: Setting additional kernel parameters for WebSphere

embedded messaging

Before installing the WebSphere Application Server on Solaris operating systems,

specify the additional kernel parameter values that the WebSphere Application

Server requires to support WebSphere embedded messaging. Installation fails if

these additional kernel parameter values are not specified.

Tivoli Identity Manager has prerequisites for WebSphere Application Server and

WebSphere embedded messaging that require additional kernel settings. On Solaris

9, for files and additional processes that ensure prerequisite checking, access these

Web sites:

http://publib.boulder.ibm.com/infocenter/ws51help/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/relnotes/relnotes_aes.html

To locate the list of kernel parameters for Solaris systems, take these steps in the

WebSphere Application Server information center that the Web site provides:

1. In the table of contents, click Installing -> Getting started -> Installing the

product -> Installing the base Application Server on Solaris platforms.

2. Scroll the target information section to the step that reads “Set kernel values to

support Application Server.”

AIX: Validating port 9090 is available for the WebSphere

Application Server administrative host

The WebSphere Application Server administrative host uses the default port 9090.

On AIX systems, the AIX wsmserver process might use port 9090 for Web-based

System Manager servers. To test whether the port is being used, enter this

command:

netstat -an | grep 9090

Use these parameters:

-a Show both listening and non-listening sockets.

-n Show numerical addresses rather than symbolic host, port or user names.

To make port 9090 available for the WebSphere Application Server administrative

host, specify a different port for the AIX wsmserver process. At a command line

prompt, type these commands:

cd /path/websm/bin

./wsmserver -disable

./wsmserver -enable -listenport availableportnumber

./wsmserver -start

The path parameter has a value such as usr. The value of the availableportnumber is

an available, unused port number.
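
Because grep 9090 also matches ports such as 19090 and established connections whose remote port is 9090, the following added example (not from the IBM guide) filters netstat -an output for sockets in LISTEN state bound to exactly the given ports. The function name is hypothetical; 8879 is the default SOAP port of the deployment manager named later in this guide.

```shell
#!/bin/sh
# Added example (hypothetical function name); not part of the IBM guide.

# listeners_on_ports PORT...
# Reads `netstat -an` output on stdin and prints "PORT LOCAL_ADDRESS" for each
# socket in LISTEN state whose local port is exactly one of the given ports.
# Returns 1 when none of the ports has a listener.
listeners_on_ports() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " ") }
        # Field 4 is the local address and the last field is the state in both
        # the AIX layout (*.9090) and the Linux layout (0.0.0.0:9090).
        $NF == "LISTEN" {
            for (i = 1; i <= n; i++)
                if ($4 ~ ("[.:]" want[i] "$")) {
                    print want[i], $4
                    found = 1
                }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Usage: sh port_check.sh 9090 8879
if [ "$#" -ge 1 ]; then
    netstat -an | listeners_on_ports "$@" || echo "no listener on: $*"
fi
```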

UNIX: Creating groups and users before installing WebSphere

embedded messaging

Before you install the WebSphere embedded messaging server and client that the

WebSphere Application Server provides, create the groups and users that the

WebSphere embedded messaging requires on UNIX operating systems. Complete

these steps:

1. Create the groups mqm and mqbrkrs, and create the mqm user. Add the mqm user to

the mqm group. Add root to both groups.

2. To make the changes effective, log off:

v UNIX: If you are running the Common Desktop Environment, you must log

off completely. Closing the open consoles is insufficient.

v Linux: Log out of the desktop session or shell process.

3. Log on again as root. For more information, refer to the installation

documentation that the WebSphere product provides.

Installing the WebSphere Application Server base product, IBM HTTP

Server, and WebSphere Web Server plug-in

The WebSphere installation program can also install the IBM HTTP Server and

WebSphere Web Server plug-in. You can install these features either with the

WebSphere Application Server or on a separate computer. Additional configuration

steps are required if you install the IBM HTTP Server and WebSphere Web Server

plug-in on a separate computer. For more information on installation, refer to the

following Web site:

http://www.ibm.com/software/webservers/appserv/infocenter.html

Run the WebSphere installation program to install the WebSphere Application

Server, IBM HTTP Server and WebSphere Web Server plug-in. In a cluster

configuration, do not install the IBM HTTP Server and the WebSphere Web Server

plug-in on each cluster member. Complete these steps:

1. Install the WebSphere Application Server from the root user on UNIX systems,

or from a user with administrator authority on the Windows operating

system.

2. Start the WebSphere Application Server base installation program and

complete the required steps.

3. Choose custom installation and do not select the WebSphere sample

applications.

4. Enter the values that the WebSphere installation program requires.

5. When installation is complete, the installation wizard displays a First Steps

window. Click Verify the Installation to verify that there are no installation

problems.

6. If the IBM HTTP Server and the WebSphere Application Server are installed

on the same computer, bring down the HTTP server before you apply fix

packs and cumulative fixes for the WebSphere Application Server. Stop the

WebSphere Application Server system and any related process. For example,

stop the JMS server.

7. After you apply the WebSphere Application Server Fix Pack, start the

WebSphere Application Server using the following command:

v Windows

WAS_HOME\bin\startServer.bat servername

For example, the value of servername is server1.

v UNIX

WAS_HOME/bin/startServer.sh servername

8. After you start the WebSphere Application Server, verify that the WebSphere

embedded messaging queue manager is also running. To verify the status,

enter this command:

dspmq

A message similar to the following message indicates that the queue manager

for server1 is running:

QMNAME(WAS_wasnodename_server1) STATUS(status_string)

The value of wasnodename is the node name that is defined when the

WebSphere Application Server is installed. The value of status_string might be

a string such as Running or Ended Immediately.

9. Use the following Web address to access the WebSphere administrative

console:

http://hostname:9090/admin

The value of hostname is either the fully qualified host name or the IP address

of the computer on which you installed the WebSphere Application Server

base product. The value 9090 is the default port number for the WebSphere

administrative HTTP transport. The port number may not be 9090 if there is

another instance of the WebSphere Application Server on the computer.

10. Ensure you have resolved any port problems, if you have more than one

version of WebSphere Application Server installed on the computer. For more

information, see “Resolving port conflicts” on page 40.

11. Examine the SystemOut.log and SystemErr.log files to ensure that there are no

other problems. For more information, see “Logs and directories” on page 102.

Installing the IBM HTTP Server

Although you can install the IBM HTTP Server and the WebSphere Web Server

plug-in on the same computer that has the deployment manager, you might want

to install the IBM HTTP Server and the WebSphere Web Server plug-in on a

separate computer for additional security. For more information, see “Moving the

HTTP server out of the cell for additional security” on page 45.

To install the IBM HTTP Server and the WebSphere Web Server plug-in, complete

these steps:

1. Start the WebSphere Application Server base installation program.

2. Navigate through the installation windows and any windows that check

prerequisites, accepting the default settings.

3. Choose the Custom installation option when that installation window is

displayed and then click Next.

4. On the features selection window, select only the following items and then click

Next:

v IBM HTTP Server

v Web Server plug-ins (for IBM HTTP Server)

5. Accept the default target directories, or modify the target and then click Next.

6. On the summary window, verify the options and click Install to install the

components.

7. Obtain and install the required fix pack and cumulative fixes for the WebSphere

Application Server base product. The fix pack also includes the fix for IBM

HTTP Server. For more information, refer to the IBM Tivoli Identity Manager

Release Notes.

If you install the IBM HTTP Server on a separate computer, there are additional

steps to set up the server for use with Tivoli Identity Manager on the WebSphere

Application Server. For more information, see “Moving the HTTP server out of the

cell for additional security” on page 45.

Creating a cluster configuration

The cluster installation and configuration program has the following sequence:

1. “Installing the deployment manager” on page 37

2. “Installing the WebSphere Application Server base product on each node” on

page 37

3. “Adding nodes to a cell” on page 38

4. “Verifying that the deployment manager, node agents, and JMS servers are

running” on page 38

5. “Creating a cluster” on page 39

Installing the deployment manager

To install the deployment manager, complete these steps:

1. Start the deployment manager installation program and complete the required

steps. Ensure that you do the following actions:

v If both the WebSphere Application Server base product and the deployment

manager are installed on the same computer, install the WebSphere

Application Server base product first. During the deployment manager

installation, select the option that allows the deployment manager to co-exist

with the WebSphere Application Server base product. The deployment

manager is assigned new port numbers to avoid a port conflict.

2. When installation is complete, the installation wizard displays a First Steps

window. Click Verify the Installation to verify that there are no installation

problems.

3. Stop the deployment manager before you apply a fix pack or cumulative fix.

4. Install the required fix pack or cumulative fixes. For more information, refer to

the IBM Tivoli Identity Manager Release Notes.

5. After you install the fix pack or cumulative fix, start the deployment manager:

a. Change to the deployment manager bin subdirectory.

b. Start the deployment manager using the following command:

v Windows

startManager.bat

v UNIX

startManager.sh

6. Use the following Web address to access the administrative console:

http://hostname:9090/admin

The value of hostname is the fully qualified host name or the IP address of the

computer on which you installed the deployment manager. The value 9090 is

the default port number for the WebSphere administrative HTTP transport. If

you have multiple instances of the WebSphere Application Server on the same

computer, the port number may be a different value, such as 9091. The port

number is the port number for the WebSphere virtual host (admin_host) that is

assigned during installation, allowing coexistence of more than one WebSphere

Application Server.

Installing the WebSphere Application Server base product on

each node

Install the WebSphere Application Server base product on each computer on which

the Tivoli Identity Manager Server runs as a Tivoli Identity Manager cluster

member.

Do not install the IBM HTTP Server and the WebSphere Web Server plug-in on

each cluster member.

To install the WebSphere Application Server base product, follow the steps in

“Installing the WebSphere Application Server base product, IBM HTTP Server, and

WebSphere Web Server plug-in” on page 35.

Adding nodes to a cell

You can add a node to a Tivoli Identity Manager cell by running the addNode.sh

script on each application server that you want to add as a node to the cluster.

Enter this statement on one line:

v Windows

"WAS_HOME\bin\addNode.bat" dmgr_host portnumber

v UNIX

WAS_HOME/bin/addNode.sh dmgr_host portnumber

The value of dmgr_host is the host name of the computer on which the deployment

manager is installed. The portnumber parameter specifies the Simple Object Access

Protocol (SOAP) port number that is assigned to the deployment manager. The

value can be omitted if the default port number 8879 is used.

A node agent is created and started after a node is successfully added to a cell. A

JMS server that is associated with the node is also created after a node is

successfully added to a cell.

Verifying that the deployment manager, node agents, and JMS

servers are running

You must ensure that the deployment manager, WebSphere Application Server

node agents, and JMS servers are running. If Tivoli Identity Manager will use DB2

Universal Database, and either the DB2 server or the DB2 runtime client is already

installed, you must source the DB2 UDB profile on each cluster member computer

on UNIX systems before the node agent is started. Sourcing the DB2 UDB profile

on UNIX systems ensures that Tivoli Identity Manager can communicate with the

database. For more information, see either “UNIX: Sourcing the DB2 Universal

Database profile” on page 57 for a single-server configuration or “UNIX: Sourcing

the DB2 Universal Database profile” on page 73 for a cluster configuration.

To ensure that the deployment manager and all WebSphere Application Server

node agents are running, complete these steps using either a command line

interface or the WebSphere administrative console:

v Command line interface

To determine the status of the node agent and the JMS server, run the following

command on the computer on which the WebSphere Application Server base

product is installed:

– Windows

WAS_HOME\bin\serverStatus.bat -all

– UNIX

WAS_HOME/bin/serverStatus.sh -all

The status of the node agent and JMS server is displayed. If the node agent is

not started, run the following command:

– Windows

"WAS_HOME\bin\startNode.bat"

– UNIX

WAS_HOME/bin/startNode.sh

If the JMS server is not started, run the following command on the computer on

which the node agent resides:

– Windows

"WAS_HOME\bin\startServer.bat" jmsserver

– UNIX

WAS_HOME/bin/startServer.sh jmsserver

To determine the status of the deployment manager, run this command on the

computer on which the deployment manager is installed:

– Windows

WAS_NDM_HOME\bin\serverStatus.bat -all

– UNIX

WAS_NDM_HOME/bin/serverStatus.sh -all

If the deployment manager is not started, run this command on the computer

that has the deployment manager:

– Windows

startManager.bat

– UNIX

startManager.sh

• Administrative console

If the deployment manager is running, you can log on to the WebSphere

administrative console to verify the status of the node agents and JMS servers.

Complete these steps:

1. To verify the status of the node agents, click System Administration –>

Node Agents. A window opens that displays the node agents and their

status. If a node agent is not running, start the node agent by entering this

command on the computer that has the idle node agent:

– Windows

"WAS_HOME\bin\startNode.bat"

– UNIX

WAS_HOME/bin/startNode.sh

2. To verify the status of the JMS servers, click Servers –> JMS Servers. A

window opens that displays the JMS servers and their status. If a JMS server

is not running, start the JMS server by selecting the server on the WebSphere

administrative console and clicking Start.

Creating a cluster

On the WebSphere administrative console of the deployment manager, complete

these steps to create a cluster:

1. Click Servers –> Clusters.

2. On the next window, click New.

3. Enter a name that you give to the cluster, select the appropriate server, and

click Next.

4. Complete the New Clustered Servers window, specifying a cluster member, and

click Apply. Repeat the specification for additional cluster members. When the

list is complete, click Next.

5. Examine the cluster member summary to ensure that the list of cluster

members is correct. Click Finish.

6. In the Messages window, click Save.

7. Select Synch changes with Nodes, and save the configuration to the master

repository.


Resolving port conflicts

The WebSphere Application Server uses a set of default ports for different

purposes. For example, the value 9090 is the default port number for the

WebSphere administrative HTTP transport. Several of the ports that are associated

with the Tivoli Identity Manager application are described in Table 3. If any default

port numbers are already in use prior to installing either the WebSphere

Application Server base product or the deployment manager, either release the port

or choose a different port number when you install the WebSphere Application

Server.

Table 3. Default port numbers

| Description | Port number | Used by | Alternate port number example |
|---|---|---|---|
| HTTP Transport | 9080 | WebSphere Application Server default host | 9081 |
| HTTP Transport | 9090 | WebSphere Application Server administrative host | 9091 |
| SOAP connector port | Deployment manager: 8879; WebSphere Application Server base: 8880 | WebSphere administrative component | Deployment manager: 8889; WebSphere Application Server base: 8881 |
| IBM HTTP Server | 80 | HTTP server | Value of 80 is required. |

To determine whether a port is available before starting the installation program,

enter this command:

netstat -an

The command uses these parameters:

-a Displays both listening and non-listening sockets.

-n Displays addresses and port numbers in numerical form.
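
The netstat check applied to the Table 3 defaults, as an added example that is not part of the original guide: a POSIX shell function that reads netstat -an output and prints which of the default ports already have a listener. The function names, the use of awk, and the sample netstat lines (constructed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM guide): find Table 3 default ports that
# already have a listener, from `netstat -an` output supplied on stdin.

# Default ports from Table 3: HTTP transports 9080 and 9090, SOAP connectors
# 8879 (deployment manager) and 8880 (base), and 80 for the IBM HTTP Server.
ITIM_DEFAULT_PORTS="9080 9090 8879 8880 80"

# ports_in_use PORT...
# Prints, in argument order, each PORT that appears as the local port of a
# socket in LISTEN (UNIX) or LISTENING (Windows) state.
ports_in_use() {
    awk -v want="$*" '
        BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
        # -a also lists non-listening sockets, so keep only listeners and
        # skip UNIX domain sockets, which have no port.
        /LISTEN/ && !/^unix/ {
            # The local address is the first field ending in ".port" or
            # ":port" (Linux and Windows use ":", AIX and Solaris use ".").
            for (i = 1; i <= NF; i++) {
                if ($i ~ /[.:][0-9]+$/) {
                    port = $i
                    sub(/^.*[.:]/, "", port)   # strip the address part
                    if (port in wanted) busy[port] = 1
                    break
                }
            }
        }
        END { for (i = 1; i <= n; i++) if (p[i] in busy) print p[i] }
    '
}

# Constructed sample output: 9090 and 80 are listening, 19080 must not be
# mistaken for 9080, and the ESTABLISHED line to a remote 9080 is ignored.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:19080           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:45112          10.0.0.9:9080           ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# On a real host: netstat -an | ports_in_use $ITIM_DEFAULT_PORTS
sample_netstat | ports_in_use $ITIM_DEFAULT_PORTS
```

Any port printed must be released, or a different port chosen during the WebSphere Application Server installation, as described above.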

Optionally configuring security for Tivoli Identity Manager

When enabled, WebSphere global security ensures that authenticated users have

the necessary permissions to access Tivoli Identity Manager JavaBeans™ (EJB™)

components. Configuring this security component involves configuring an

authentication mechanism, a user registry, and optionally, Java 2 security. The

manual steps differ, depending on whether the deployment is for one node or for

multiple nodes.

The Java 2 security policy that Tivoli Identity Manager provides grants Tivoli

Identity Manager all permissions on the system. Enabling Java 2 security can cause

a reduction in performance of the WebSphere Application Server. For more

information, refer to performance information that the WebSphere Application

Server product provides.


Enabling Java 2 security for the Tivoli Identity Manager application also causes

Java 2 security to be enforced on all applications that are running on the

WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity

Manager application, you should also appropriately configure all other applications

running on the WebSphere Application Server to support Java 2 security.

For more information on configuring secure sockets layer (SSL) authentication in

the Tivoli Identity Manager environment, refer to the IBM Tivoli Identity Manager

Information Center.

Configuring security manually for single-node deployments before installing Tivoli Identity Manager

To configure the security for single-node deployment, complete the following

manual steps before installing Tivoli Identity Manager:

1. Specify an administrative user with these steps:

a. Create or select an administrative user in the user registry of your operating

system. In subsequent examples, the user is called the System User or

wasadmin.

b. Create or select another administrative user in the user registry of your

operating system. In subsequent examples, the user is called the EJB user or

itimadmin. Define the EJB User ID prior to starting installation. This user ID

will be used when configuring security after Tivoli Identity Manager

installation. For more information, see “Optionally configuring security after

installing Tivoli Identity Manager” on page 87.

2. Specify the authentication mechanism and user registry with these steps:

a. Start the WebSphere Application Server, and log in at the console.

b. Click Security –> Global Security.

c. Select the following options:

• Active Authentication Mechanism: Select SWAM (Simple WebSphere Authentication Mechanism)

• Active User Registry: Select Local OS

d. Save the configuration changes.

3. Configure the local OS user registry with these steps:

a. Click Security –> User Registries–> Local OS.

b. Enter the System User user ID (wasadmin) and password.

c. Save the configuration changes.

4. Enable security with these steps:

a. Click Security –> Global Security.

b. Click Enabled. The action also selects Enforce Java 2 Security. For

performance reasons, you might consider disabling Java 2 security.

c. Save the configuration changes.

5. On a single-node deployment, restart the WebSphere Application Server. When

starting the administrative server, you might be required to specify the

WebSphere administrative user ID and password. For example:

• Windows

WAS_HOME\bin\stopServer server1 [-username wasadmin -password wasadminpwd]

WAS_HOME\bin\startServer server1

• UNIX

WAS_HOME/bin/stopServer.sh server1 [-username wasadmin -password wasadminpwd]

WAS_HOME/bin/startServer.sh server1


Configuring security manually for multi-node deployments before installing Tivoli Identity Manager

To configure security for multi-node deployment, complete the following steps

before installing Tivoli Identity Manager:

1. Set up LDAP for multi-node security with these steps:

a. First, using the management tool that the directory server provides, create

an organizational unit, for example ou=WasSecurity,dc=com. The value of

dc=com might be the suffix for your organization.

b. Next, create the wasadmin organizational Person object for the WebSphere

Application Server administrative user that is specified as the System User.

Use the management tool that the directory server provides, or use the

following examples:

• IBM Tivoli Directory Server

Create an ePerson. For example, create

(cn=wasadmin,ou=WasSecurity,dc=com). Set the following fields and

values:

– sn=wasadmin

– cn=wasadmin

– uid=wasadmin

– userPassword=wasadminpwd

You can also import the following LDIF file, updating the baseDN with a

value such as dc=com and userPassword variables for your environment.

For example, the file contains these statements:

dn:cn=wasadmin,ou=WasSecurity,baseDN

userPassword:userPassword

uid:wasadmin

objectclass:top

objectclass:person

objectclass:ePerson

sn:wasadmin

cn:wasadmin

• Sun ONE Directory Server

Create an inetOrgPerson. For example, create

(uid=wasadmin,ou=WasSecurity,dc=com). Set the following fields and

values:

– sn=wasadmin

– cn=wasadmin

– uid=wasadmin

– userPassword=wasadminpwd

– givenName=wasadminpwd

You can also import the following LDIF file, updating the baseDN with a

value such as dc=com and userPassword variables for your environment.

An example file contains these statements:

dn:uid=wasadmin,ou=WasSecurity,baseDN

userPassword:userPassword

uid: wasadmin

givenName: wasadmin

objectClass:inetorgperson

objectClass:organizationalPerson

objectClass:person

objectClass:top

sn:wasadmin

cn:wasadmin


c. Depending on the directory server, create the itimadmin organizational

Person object for the WebSphere Application Server administrative user that

is specified as the EJB user. For more information on setting up an

unprivileged itimadmin object in the context of security planning for Tivoli

Identity Manager, refer to the IBM Tivoli Identity Manager Planning for

Deployment Guide.

• IBM Tivoli Directory Server

Create an ePerson. For example, create

(cn=itimadmin,ou=WasSecurity,dc=com). Set the following fields and

values:

– sn=itimadmin

– cn=itimadmin

– uid=itimadmin

– userPassword=itimadminpwd

You can also import the following LDIF file, updating the baseDN with a

value such as dc=com and userPassword variables for your environment.

An example file contains these statements:

dn:cn=itimadmin,ou=WasSecurity,baseDN

userPassword:userPassword

uid:itimadmin

objectclass:top

objectclass:person

objectclass:ePerson

sn:itimadmin

cn:itimadmin

• Sun ONE Directory Server

Create an inetOrgPerson. For example, create

(uid=itimadmin,ou=WasSecurity,dc=com). Set the following fields and

values:

– sn=itimadmin

– cn=itimadmin

– uid=itimadmin

– userPassword=itimadminpwd

– givenName=itimadminpwd

You can also import the following LDIF file, updating the baseDN with a

value such as dc=com and userPassword variables for your environment.

An example file contains these statements:

dn:uid=itimadmin,ou=WasSecurity,baseDN

userPassword:userPassword

uid:itimadmin

givenName:itimadmin

objectClass:inetorgperson

objectClass:organizationalPerson

objectClass:person

objectClass:top

sn:itimadmin

cn:itimadmin

2. Set up the authentication mechanism and user registry with these steps:

a. Start the deployment manager, and log in at the console.

b. Click Security –> Global Security.

c. Select the following options:

• Active Authentication Mechanism: LTPA (Lightweight Third Party Authentication)


• Active User Registry: LDAP

d. Save the configuration changes.

3. Configure the authentication mechanism with these steps:

a. Click Security –> Authentication Mechanisms –> LTPA.

b. Create and confirm a password for the LTPA authentication mechanism.

c. Save the configuration changes.

4. Configure the LDAP user registry with these steps:

a. Click Security –> User Registries–> LDAP.

b. Set the following fields and values:

• Server User ID=wasadmin

• Server User Password=wasadminpwd

• Type=directoryservertype

The value of directoryservertype identifies the directory server such as IBM_Directory_Server.

• Host=ITIM LDAP server hostname

• Base Distinguished Name (DN): ou=WasSecurity,dc=com

• Bind Distinguished Name (DN): Enter the bind distinguished name such as cn=root.

• Bind Password: Enter the password for the bind distinguished name.

• Ignore Case: Check this option

c. Save the configuration changes.

5. Enable security with these steps:

a. Click Security –> Global Security.

b. Click Enabled. The action also selects Enforce Java 2 Security. For

performance reasons, you might consider disabling Java 2 security.

c. Save the configuration changes.

6. To run with security enabled, complete these steps:

a. On the computer with the deployment manager, enter:

• Windows

WAS_NDM_HOME\bin\stopManager [-username wasadmin -password wasadminpwd]

WAS_NDM_HOME\bin\startManager

• UNIX

WAS_NDM_HOME/bin/stopManager.sh [-username wasadmin -password wasadminpwd]

WAS_NDM_HOME/bin/startManager.sh

b. On other computers with the node agent:

• Windows

WAS_HOME\bin\stopNode [-username wasadmin -password wasadminpwd]

WAS_HOME\bin\startNode

• UNIX

WAS_HOME/bin/stopNode.sh [-username wasadmin -password wasadminpwd]

WAS_HOME/bin/startNode.sh

c. Restart the cluster. Complete these steps:

1) Log in to the deployment manager using the wasadmin user ID and

password at the console.

2) Click Servers –> Clusters.

3) Select the cluster.

4) Click Stop and then click Start.


d. Restart the JMS server. Complete these steps:

1) Log on to the deployment manager.

2) Click Servers –> JMS Servers.

3) Select the server.

4) Click Stop and then click Start.

Disabling security

For testing purposes or troubleshooting, you might need to disable security. To

disable security using the WebSphere administrative console, complete these steps:

1. Click Security –> Global Security.

2. Clear the Enabled and Enable Java 2 Security checkboxes.

3. Stop and then start all node agents, JMS servers, and application servers.

Moving the HTTP server out of the cell for additional security

To provide additional security, configure an HTTP server, such as the IBM HTTP

Server, to reside on a standalone computer that is external to any other Tivoli

Identity Manager component. An example of a cluster configuration that provides

additional security is similar to Figure 6. This process includes installing the IBM

HTTP Server and the WebSphere Web Server plug-in, copying several files from

the deployment manager, and configuring the web server to load and configure a

WebSphere module when the server is started.

Complete these steps:

1. On the external computer, install and configure the IBM HTTP Server and the

WebSphere Web Server plug-in.

2. Create a directory under the HTTP_HOME/conf directory called WebSphere.

3. Copy the WAS_NDM_HOME/config/cells/plugin-cfg.xml file from the

deployment manager computer to the HTTP_HOME/conf/WebSphere

directory.

Figure 6. HTTP server configuration for increased security (diagram labels: Tivoli Identity Manager cell; Tivoli Identity Manager cluster; WebSphere Application Server base; Tivoli Identity Manager Server; JDBC driver; IBM HTTP Server; WebSphere Web Server plug-in; WebSphere Application Server Network Deployment; Tivoli Identity Manager database; LDAP data store)


4. If Secure Socket Layer (SSL) communication is enabled, also copy the following

files from the deployment manager computer to the

HTTP_HOME/conf/WebSphere directory:

• WAS_NDM_HOME/etc/plugin-key.kdb

• WAS_NDM_HOME/etc/plugin-key.sth

For more information on configuring SSL authentication in the Tivoli Identity

Manager environment, refer to the IBM Tivoli Identity Manager Information

Center.

5. The behavior of the WebSphere Web Server plug-in is governed by the

plugin-cfg.xml file. On the computer that has the IBM HTTP Server, open the

plugin-cfg.xml file in the text editor and make the following changes:

• Change each instance of the WAS_NDM_HOME/etc/ directory to the HTTP_HOME/conf/WebSphere directory. That is, replace /path/WebSphere/DeploymentManager/etc with /path/IBMHttpServer/conf/WebSphere.

• Change the directory of the http_plugin.log file to HTTP_HOME/logs. That is, replace /path/WebSphere/DeploymentManager/logs/http_plugin.log with /path/IBMHttpServer/logs/http_plugin.log.

The value of path varies for these operating systems:

• Windows: drive:\Program Files

• AIX: /usr

• Other UNIX: /opt

6. Use a text editor to open the HTTP_HOME/conf/httpd.conf file and add the

following WebSphere Web Server plug-in setting as one line at the bottom of

the file:

LoadModule ibm_app_server_http_module WAS_HOME/WebSphere/AppServer/bin/mod_ibm_app_server_http.operatingsystem

The operatingsystem is one of these values:

• dll for the Windows operating system

• so for UNIX operating systems, including AIX

On the next line, enter the following WebSphere Web Server plug-in setting:

WebSpherePluginConfig HTTP_HOME/conf/WebSphere/plugin-cfg.xml

Ensure that any required WebSphere Application Server Fix Pack is also installed

on the computer on which the WebSphere Web Server plug-in is installed. For

more information on fix packs, refer to the IBM Tivoli Identity Manager Release

Notes.
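
The two path substitutions of step 5, as an added example that is not part of the original guide: a POSIX shell sketch that rewrites a copy of plugin-cfg.xml and then counts any lines that still point at the deployment manager. The function names, the /opt roots, the host name and the sample plugin-cfg.xml fragment (constructed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM guide): apply the step 5 path changes to
# plugin-cfg.xml and confirm that no deployment manager path is left behind.

# rewrite_plugin_cfg DM_ROOT IHS_ROOT   (reads plugin-cfg.xml on stdin)
#   DM_ROOT   /path/WebSphere/DeploymentManager on the deployment manager
#   IHS_ROOT  /path/IBMHttpServer on the external HTTP server computer
# Assumes both roots are plain paths without "|" or regex metacharacters.
rewrite_plugin_cfg() {
    rp_dm=$1
    rp_ihs=$2
    # First expression: keyring and stash file directory (etc -> conf/WebSphere).
    # Second expression: plug-in log file (DM logs -> HTTP server logs).
    sed -e "s|${rp_dm}/etc|${rp_ihs}/conf/WebSphere|g" \
        -e "s|${rp_dm}/logs/http_plugin\.log|${rp_ihs}/logs/http_plugin.log|g"
}

# count_dm_refs DM_ROOT   (reads plugin-cfg.xml on stdin)
# Prints the number of lines that still mention the deployment manager root.
count_dm_refs() {
    awk -v root="$1" 'index($0, root) { c++ } END { print c + 0 }'
}

# Constructed sample fragment; cluster, server and host names are made up.
sample_plugin_cfg() {
    cat <<'EOF'
<Config>
   <Log LogLevel="Error" Name="/opt/WebSphere/DeploymentManager/logs/http_plugin.log"/>
   <ServerCluster Name="itim_cluster">
      <Server Name="server1">
         <Transport Hostname="appserver1.example.com" Port="9443" Protocol="https">
            <Property Name="keyring" Value="/opt/WebSphere/DeploymentManager/etc/plugin-key.kdb"/>
            <Property Name="stashfile" Value="/opt/WebSphere/DeploymentManager/etc/plugin-key.sth"/>
         </Transport>
      </Server>
   </ServerCluster>
</Config>
EOF
}

DM=/opt/WebSphere/DeploymentManager      # assumed UNIX value of /path
IHS=/opt/IBMHttpServer

echo "references before: $(sample_plugin_cfg | count_dm_refs "$DM")"
rewritten=$(sample_plugin_cfg | rewrite_plugin_cfg "$DM" "$IHS")
printf '%s\n' "$rewritten"
echo "references after: $(printf '%s\n' "$rewritten" | count_dm_refs "$DM")"
```

A non-zero count after the rewrite means the plug-in still points at a keyring, stash file or log path that exists only on the deployment manager computer.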


Chapter 5. Installing Tivoli Identity Manager in a single-server configuration

This chapter describes tasks that install and configure the Tivoli Identity Manager

Server in a single-server configuration. The installation program installs only the

Tivoli Identity Manager Server.

Before you begin

Before you begin to install Tivoli Identity Manager Server in a single-server

configuration, complete these tasks:

1. Determine which product CDs you need to install Tivoli Identity

Manager. For an itemization of the CD contents, refer to a text file such as

itim-4.6-cd-images-operatingsystem.txt that is provided with the CD image. For

a complete list of these image files, see Appendix A, “Installation images and

fix packs,” on page 109.

2. Ensure that free disk space and virtual memory requirements are met.

Additionally, ensure that there is adequate free disk space in the system temp

directory and in the WAS_HOME directory. The target computer must meet

the machine requirements described in the IBM Tivoli Identity Manager Release

Notes.

3. Ensure that you have the needed administrative authority. On Windows

systems, the logon user ID must be in the Administrators Group. On UNIX

systems, the logon user ID must be root.

4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity

Manager database. If DB2 UDB is used, ensure that the following conditions

are met:

• If DB2 UDB is selected, the Tivoli Identity Manager installation program

pre-allocates 1 GB database table space on the computer on which the DB2

server resides. Ensure that this free disk space is available on the DB2

server. For more information on database table space, refer to the IBM Tivoli

Identity Manager Performance Tuning Guide technical supplement.

• Database configuration, such as creating table space, requires that you have

authority as database administrator. On Windows systems, the authority

can be the db2admin user. On UNIX operating systems, the authority can

be db2inst1.

5. Ensure that the directory server has loaded the appropriate referential

integrity plug-in. For more information, see “Configuring the referential

integrity plug-in on the IBM Tivoli Directory Server” on page 28.

6. Ensure that the prerequisite applications are running that are described in

Table 4:

Table 4. Prerequisite applications

| Prerequisite | For more information, see |
|---|---|
| Database | Chapter 2, “Installing and configuring a database,” on page 11 |
| Directory server | Chapter 3, “Installing and configuring a directory server,” on page 25 |


7. Ensure that the WebSphere Application Server can be stopped and started

before you install the Tivoli Identity Manager Server. To be sure, stop and

start the WebSphere Application Server. See Chapter 4, “Installing and

configuring WebSphere Application Server,” on page 33 for more information

on these steps.

8. If WebSphere global security is already turned on, complete the necessary

manual steps after installing the Tivoli Identity Manager Server. For more

information on post-installation steps, see “Running Java 2 security on

single-node deployments” on page 89. For more information on global

security, refer to the WebSphere documentation.

9. Obtain or complete the planning worksheet which captures the details of your

configuration. For more information, see Appendix B, “Worksheets,” on page

111.

10. If you are upgrading a version of Tivoli Identity Manager that is already on

the computer, see Appendix C, “Upgrading from Tivoli Identity Manager

Version 4.5.1 to Version 4.6,” on page 115 for more information on protecting

Tivoli Identity Manager customizations and data.

Overview of the installation program in a single-server configuration

The flowchart in Figure 7 on page 49 describes the basic sequence of events during

installation of Tivoli Identity Manager Server in a single-server configuration:


Figure 7. Single-server installation flowchart (flowchart boxes: Enter installation directory; Installation Type? (Single server or Cluster); WebSphere Application Server already installed?; Detect WebSphere Application Server installation directory; Confirm WebSphere Application Server installation directory; Enter host name, server name; Is WebSphere security on?; Enter credential; Enter encryption key; Confirm location of the Tivoli Common Directory; Pre-installation summary; Configure database; Configure LDAP; Configure system; Prompt warning message: Exit?; Exit installation; Cluster installation)


Starting the installation wizard

To install the Tivoli Identity Manager Server in a single-server configuration,

complete the following steps:

1. Start the installation program. Log on to an account with system administration

privileges on the computer where the Tivoli Identity Manager Server will be

installed.

2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To

locate the correct CD for your environment, refer to Appendix A, “Installation

images and fix packs,” on page 109.

3. To run the installation program, complete these steps:

• Windows

a. Click Start –> Run.

b. Enter your CD-ROM drive, and then enter the following command:

instWIN-WAS.exe

The Welcome window opens.

• UNIX

a. Open a command prompt window, and change to your CD-ROM drive.

b. Enter one of the following commands for the Tivoli Identity Manager

installation program:

– AIX

instAIX-WAS.bin

– Solaris

instSOL-WAS.bin

– Linux

instLINUX-WAS.bin

The installation program starts and displays the Welcome window.

Completing the installation wizard pages

Use the first set of installation wizard pages to set up the installation:

1. To change the language that is used for the installation wizard pages, select

another language from the drop-down list. This choice only affects the

installation wizard and not the language version of Tivoli Identity Manager to

be installed. Then, click OK. For more information on installing a language

pack, see “Optionally installing a language pack” on page 58.

2. In the License Agreement window, read the license agreement and decide

whether to accept its terms. If you do, select Accept, and then click Next.

The Tivoli Identity Manager Installation Directory window opens.

3. Accept the default ITIM_HOME installation directory, or select Choose to

select another directory. Then, click Next.

4. In the Installation Type window, select Single Server. Then, click Next.

5. In the Database Type window, select one of the following database types, and

then click Next:

• DB2 Universal Database

You are prompted for the DB_INSTANCE_HOME directory that contains the

database for Tivoli Identity Manager.

• Oracle Database

• Microsoft SQL Server 2000


Caution windows open to prompt you to ensure that these conditions are

true:

• If DB2 UDB is selected, the Tivoli Identity Manager installation program

pre-allocates 1 GB database table space on the computer on which the DB2

server resides. Ensure that space is available and click Next.

• If the Oracle database is selected, a window prompts you for the location of

the Oracle JDBC driver. Provide the location and click Next.

• The directory server version is at the correct level. Ensure that the version is correct and click Next.

6. The WebSphere Application Server Installation Directory window appears and

displays a value for the WAS_HOME directory.

There can be multiple installations of the WebSphere Application Server on a

computer. If the WAS_HOME directory is not the directory on which you

intend to install the Tivoli Identity Manager Server, enter the correct directory

value. Click Next.

7. A window opens to prompt you to verify the following WebSphere

Application Server data:

• Host name of the computer. Accept the displayed value unless the

computer has multiple host names and the WebSphere Application Server is

installed under a host name other than the displayed value.

• WebSphere Application Server name, which defaults to server1, where you

intend to deploy the Tivoli Identity Manager Server.

Verify the WebSphere Application Server data and click Next.

8. If WebSphere global security is on, a WebSphere Application Server

Administrator Credential window requires you to specify the WebSphere

Application Server user ID and password. This is the wasadmin user ID

described in the manual steps in “Optionally configuring security for Tivoli

Identity Manager” on page 40.


Provide the user ID and password, and then click Next.

9. In the encryption key window, provide an encryption key, which can be any

word or phrase. The key is used to encrypt Tivoli Identity Manager passwords

and other sensitive text. Then, click Next.

10. In the Tivoli Common Directory window, accept the default directory that the

Tivoli Identity Manager installation program defines, or choose a new one.

Then, click Next. Ensure that the directory has at least 25 MB of free space.

The Tivoli Common Directory is the central location for all

serviceability-related files, such as logs and first-failure capture data.

11. In the Pre-install Summary window, review the components to be installed,

the required free disk space, and the Tivoli Identity Manager installation

directory. If everything is acceptable, click Install.

12. Complete the remaining automated installation program in “Responding to

major installation actions.”

Responding to major installation actions

The Tivoli Identity Manager installation program opens a series of progress

windows for additional, major installation actions. Some windows require your

input. The installation program installs and configures the Tivoli Identity Manager

application on the WebSphere Application Server, sets up the Tivoli Identity

Manager database on the database server, and sets up the LDAP schema and a

configuration of data on the directory server.

The major installation actions include these steps:

1. Copying Tivoli Identity Manager files to the target computer.

The installation program copies Tivoli Identity Manager files to the

ITIM_HOME directory.

2. Ensuring that the WebSphere Application Server is running.

Figure 8. WebSphere Application Server Administrator Credential window


The WebSphere Application Server must be running to allow Tivoli Identity

Manager deployment and configuration to occur. The Tivoli Identity Manager

installation program verifies the status of the WebSphere Application Server. If

the WebSphere Application Server is not running, the Tivoli Identity Manager

installation program attempts to start the WebSphere Application Server.

An error message appears if the Tivoli Identity Manager installation program

fails to start the WebSphere Application Server. If an error occurs, you can do

either of these steps:

• Quit the installation program and complete these steps:

a. Resolve the problem that prevents starting the WebSphere Application

Server.

b. Manually delete all files in the ITIM_HOME directory.

c. Run the Tivoli Identity Manager installation program again.

• Continue the installation program after you ensure that you can manually

start and stop the WebSphere Application Server without error. Complete

these steps:

a. Start the WebSphere Application Server:

– Windows

"WAS_HOME\bin\startServer.bat" servername

– UNIX

WAS_HOME/bin/startServer.sh servername

b. Stop the WebSphere Application Server:

– Windows

"WAS_HOME\bin\stopServer.bat" servername

– UNIX

WAS_HOME/bin/stopServer.sh servername

c. Proceed to the next step in the Tivoli Identity Manager installation

program.

3. Deploying the Tivoli Identity Manager Server onto the WebSphere Application

Server.

The Tivoli Identity Manager application runs within the WebSphere Application

Server as an enterprise application. The Tivoli Identity Manager installation

program uses the WebSphere command line interface (wsadmin) to deploy the

Tivoli Identity Manager application onto the WebSphere Application Server.

Deploying the Tivoli Identity Manager application also performs certain

configuration steps on the WebSphere Application Server. These steps require

several minutes to complete. For more information about configuration, see

“Deploying and configuring the Tivoli Identity Manager J2EE application” on

page 138.

When the deployment completes, the Tivoli Identity Manager files are in these

directories:

v WAS_HOME/installedApps/cellname/enRole.ear

v WAS_HOME/config/cells/cellname/applications/enRole.ear

If the deployment fails, an error message provides the location of the

setupEnrole.stdout log file. Examine the errors in the setupEnrole.stdout log

file.

If the log data indicates failure to establish a Simple Object Access Protocol

(SOAP) connection to the WebSphere Application Server configuration manager,

or some type of WebSphere Application Server scripting error, complete these

steps:

a. Exit the Tivoli Identity Manager installation program.

b. Resolve the problem that prevents connection to the WebSphere Application

Server or a problem described as a scripting error. For more information,

refer to the WebSphere documentation.

c. Manually delete all files in the ITIM_HOME directory.

d. Run the Tivoli Identity Manager installation program again.

If the log data indicates that failure is due to a timeout, continue the Tivoli

Identity Manager installation program.

If the Tivoli Identity Manager installation program has completed, delete the

following directories if they exist:

v WAS_HOME/installedApps/cellname/enRole.ear

v WAS_HOME/config/cells/cellname/applications/enRole.ear

Run one of the following commands to deploy the Tivoli Identity Manager

Server onto the WebSphere Application Server:

v If WebSphere global security is on, run this command:

ITIM_HOME/bin/setupEnrole install server:name user:user_id password:pwd

The value of name is the name of the WebSphere Application Server on

which the Tivoli Identity Manager application is deployed. The value of

user_id is the WebSphere administrator user ID, such as wasadmin. The value

of pwd is the password for the WebSphere administrator user ID, such as

wasadminpwd.

v If WebSphere global security is off, enter this command:

ITIM_HOME/bin/setupEnrole install server:name

4. Gathering database data and configuring the database.

In this step, the Tivoli Identity Manager installation program sets up the Tivoli

Identity Manager database and configures the JDBC driver provider in the

WebSphere Application Server. For more information, see “Configuring the

Tivoli Identity Manager database” on page 77.

If an error occurs, examine the error and provide a corrective action. The error

might describe a problem in configuring the Tivoli Identity Manager database

or the WebSphere Application Server. There is more information in the

ITIM_HOME/install_logs/dbConfig.stdout log file. You might need to refer to

documentation that the database product or that the WebSphere product

provides.

Continue the Tivoli Identity Manager installation program. When the

installation completes, complete these steps:

a. Save the current log data by renaming the

ITIM_HOME/install_logs/dbConfig.stdout log file.

b. When the correction is complete, use this command to configure the Tivoli

Identity Manager database:

v Windows

ITIM_HOME\bin\DBConfig

v UNIX

ITIM_HOME/bin/cmdWrapper.sh DBConfig

New log data is recorded in the ITIM_HOME/install_logs/dbConfig.stdout

log file.

Note: The DBConfig command creates the database table definitions that

Tivoli Identity Manager requires. Run this command only if the

command failed to configure the database during installation. If the

Tivoli Identity Manager database tables have been previously set,

running the DBConfig command first drops all previously existing

Tivoli Identity Manager tables.

5. Gathering directory server data and configuring the directory server.

In this step, the Tivoli Identity Manager installation program sets up the LDAP

schema and defines default settings for Tivoli Identity Manager. For more

information, see “Configuring the directory server” on page 79.

If an error occurs, record the error message that is displayed, which might

describe a problem in setting up the LDAP schema or creating a configuration

of data on the directory server.

Continue the Tivoli Identity Manager installation program. When the

installation completes, complete these steps:

a. Examine the errors and provide a corrective action. There is more

information in the ITIM_HOME/install_logs/ldapConfig.stdout log file. You

might also need to refer to documentation that the directory server product

provides.

b. Save the current log data by renaming the

ITIM_HOME/install_logs/ldapConfig.stdout log file.

c. When the correction is complete, use this command to configure the

directory server:

ITIM_HOME/bin/ldapConfig

New log data is recorded in the

ITIM_HOME/install_logs/ldapConfig.stdout log file.

Note: Do not run the ldapConfig command a second time, unless the LDAP

configuration fails during the Tivoli Identity Manager installation

process. Running the ldapConfig command will restore default values

that Tivoli Identity Manager uses. If you have changed the value of any

of these Tivoli Identity Manager attributes, such as the password of the

user ID named itim manager, the value is overwritten.

6. Gathering Tivoli Identity Manager data and configuring the Tivoli Identity

Manager Server.

The Tivoli Identity Manager installation program copies a set of Tivoli Identity

Manager property files to the ITIM_HOME/data directory. During this step,

you can use the GUI to change some of the Tivoli Identity Manager properties.

For more information, see “Configuring commonly used system properties” on

page 80.

The Tivoli Identity Manager installation program also configures the

WebSphere environment settings that the Tivoli Identity Manager Server

requires. This step takes several minutes to complete. For more information on

configuring the WebSphere environment, see Appendix D, “Steps that the

installation program takes to configure the WebSphere environment,” on page

127.

If an error occurs, record the error message that is displayed, which might

describe a problem in configuring the WebSphere environment settings that the

Tivoli Identity Manager Server requires.

Continue the Tivoli Identity Manager installation program. When the

installation completes, complete these steps:

a. Examine the errors and provide a corrective action. There is more

information in the ITIM_HOME/install_logs/runConfigTmp.stdout log file.

You might also need to refer to documentation that the WebSphere product

provides.

b. When the correction is complete, run this command to update commonly

used properties and to reset the WebSphere Application Server settings for

the Tivoli Identity Manager application:

v Windows

ITIM_HOME\bin\runConfig install

v UNIX:

– DB2 UDB

ITIM_HOME/bin/cmdWrapper.sh runConfig install

The cmdWrapper.sh command automatically sources the DB2 profile.

– Other databases

ITIM_HOME/bin/runConfig install

New log data is recorded in the ITIM_HOME/install_logs/runConfig.stdout

log file.

7. Restarting the WebSphere Application Server, to make the new WebSphere

Application Server configuration available after completing the Tivoli Identity

Manager Server installation.

If an error message indicates failure to restart the WebSphere Application

Server, complete the installation and then attempt to restart the WebSphere

Application Server. To restart the WebSphere Application Server, complete these

steps:

v Windows

WAS_HOME\bin\startServer.bat servername

For example, the value of servername is server1.

v UNIX

WAS_HOME/bin/startServer.sh servername

For more information, see “Verifying that the Tivoli Identity Manager Server is

operational.”

Verifying that the Tivoli Identity Manager Server is operational

To verify that the Tivoli Identity Manager Server and related processes are running,

complete these steps:

1. Ensure that the WebSphere Application Server is running.

Start the WebSphere administrative console. On a browser, enter this Web

address:

http://address:9090/admin/

The value of address is the fully qualified host name or the IP address of the

computer on which the WebSphere Application Server is running. The value

9090 is the default port number for the WebSphere administrative HTTP

transport. If you have multiple instances of the WebSphere Application Server

on the same computer, the port number may be a different value, such as 9091.

For more information, see step 7.

2. On the WebSphere administrative console, click Applications –> Enterprise

Application and verify that the Tivoli Identity Manager Server enRole is

running. For additional steps to verify that the Tivoli Identity Manager Server

and other processes are running, see Chapter 8, “Troubleshooting and verifying

the installation,” on page 93.

3. Log on to the Tivoli Identity Manager Server using the WebSphere embedded

HTTP transport. For example, at a browser window, enter this address:

http://hostname:9080/enrole

The value of hostname is the host name of the WebSphere Application Server.

Port 9080 is the default port number of the WebSphere virtual host. If you have

multiple installations of the WebSphere Application Server on the same system,

this port number may have a different value, such as 9081.

The browser displays the Tivoli Identity Manager logon window. Enter the

Tivoli Identity Manager Server administrator user ID ("itim manager") and

password (immediately after installation, the value is "secret").

4. After successfully logging on to Tivoli Identity Manager Server using the

WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity

Manager Server using the IBM HTTP Server. Log on at this address:

http://http_server_hostname/enrole

The value of http_server_hostname is the host name of the IBM HTTP Server. For

more information if you cannot display the Tivoli Identity Manager logon

window, or cannot log on to Tivoli Identity Manager, see “Ensuring that the

HTTP server is running” on page 96.

5. After a first, successful logon, the logon window immediately prompts you to

change the administrator password. Ensure that your password change is

successful. After you change the password, you are ready to create your

organization object and a user that is termed an ITIM User.

If you cannot start and log on to Tivoli Identity Manager, see Chapter 8,

“Troubleshooting and verifying the installation,” on page 93.

UNIX: Sourcing the DB2 Universal Database profile

On UNIX operating systems, run the DB2 UDB profile to set up the correct

environment to run DB2 UDB programs. This action enables communication

between the Tivoli Identity Manager Server and the DB2 server. This manual step

is not necessary on Windows systems.

To source the profile, complete these steps:

1. Enter the appropriate db2profile command for your default login shell.

For example, if your default login shell is ksh, source the DB2 UDB profile by

entering the following command:

. DB_INSTANCE_HOME/db2profile

2. Verify that you successfully sourced the profile. Enter the following command:

set | grep -i db2

The -i parameter specifies that the search is not sensitive to case. In the

following output, the existence of the value db2inst1 associated with the value

of DB_INSTANCE_HOME indicates that the profile was successfully sourced:

CLASSPATH=/home/db2inst1...

DB2DIR=/usr/lpp/db2_08_01

DB2INSTANCE=db2inst1

3. Include the db2profile command in your user profile to ensure that the profile

is sourced every time that the database runs.

Ensure that the DB2 UDB profile is correctly sourced before doing these tasks:

v Running DBConfig, the database configuration tool. For more information, see

step 4 on page 54.

v Running runConfig, the system configuration tool. For more information, see

step 6 on page 55.

v Starting the WebSphere Application Server. For more information, see step 7 on

page 56.
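The re-run procedure from steps 4 and 5 of the installation actions and the DB2 profile prerequisite above, combined into one guarded wrapper. This is an added example, not IBM-supplied code: the function names and the ITIM_RERUN_ACK and ITIM_DB_TYPE variables are assumptions, while the tool names, log paths and side effects are the ones this guide states.

```shell
#!/bin/sh
# Added example, not part of the IBM guide. Hypothetical names: db2_env_ready,
# archive_install_log, guarded_rerun, ITIM_RERUN_ACK, ITIM_DB_TYPE.

# True when the variables that db2profile exports are present in this shell.
db2_env_ready() {
    [ -n "${DB2INSTANCE:-}" ] && [ -n "${DB2DIR:-}" ] && [ -d "$DB2DIR" ]
}

# Rename an existing log to LOG.<timestamp> so the failed run stays available
# for review. Prints the new name; prints nothing if there is no log yet.
archive_install_log() {
    log="$1"
    [ -f "$log" ] || return 0
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$log.$stamp"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$log.$stamp.$n"
    done
    mv "$log" "$dest" && printf '%s\n' "$dest"
}

# guarded_rerun TOOL [command...]
#   TOOL is DBConfig or ldapConfig. Without a command, the UNIX command from
#   the guide is used. Return codes: 2 usage, 3 DB2 profile not sourced,
#   4 side effect not acknowledged, 5 log could not be archived.
guarded_rerun() {
    tool="${1:-}"
    [ $# -gt 0 ] && shift
    if [ -z "${ITIM_HOME:-}" ]; then
        echo "ITIM_HOME is not set" >&2
        return 2
    fi
    case "$tool" in
        DBConfig)
            log="$ITIM_HOME/install_logs/dbConfig.stdout"
            effect="drops all previously existing Tivoli Identity Manager tables"
            [ $# -gt 0 ] || set -- "$ITIM_HOME/bin/cmdWrapper.sh" DBConfig
            ;;
        ldapConfig)
            log="$ITIM_HOME/install_logs/ldapConfig.stdout"
            effect="restores defaults, overwriting values such as the itim manager password"
            [ $# -gt 0 ] || set -- "$ITIM_HOME/bin/ldapConfig"
            ;;
        *)
            echo "usage: guarded_rerun DBConfig|ldapConfig [command...]" >&2
            return 2
            ;;
    esac

    # The guide requires a sourced DB2 profile before DBConfig when DB2 UDB is used.
    if [ "$tool" = DBConfig ] && [ "${ITIM_DB_TYPE:-db2}" = db2 ] && ! db2_env_ready; then
        echo "DB2 profile is not sourced: run '. DB_INSTANCE_HOME/db2profile' first" >&2
        return 3
    fi

    # Both tools are destructive on a working system, so demand an explicit,
    # tool-specific acknowledgement instead of a generic "yes".
    if [ "${ITIM_RERUN_ACK:-}" != "$tool" ]; then
        echo "refusing to run $tool: it $effect" >&2
        echo "set ITIM_RERUN_ACK=$tool only if the installer failed at this step" >&2
        return 4
    fi

    archived=$(archive_install_log "$log") || return 5
    [ -z "$archived" ] || echo "previous log saved as $archived" >&2

    # The tool itself writes the new log file.
    "$@"
}
```

Leave ITIM_RERUN_ACK unset in login profiles and set it only for the single invocation, for example `ITIM_RERUN_ACK=ldapConfig guarded_rerun ldapConfig`.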

Optionally installing a language pack

After installing Tivoli Identity Manager, if the default language is not English,

complete these steps:

1. Before you run the Tivoli Identity Manager language pack setup program,

ensure that the version of the Java Runtime Environment that Tivoli Identity

Manager requires is accessible from the command line. For more information,

refer to the IBM Tivoli Identity Manager Release Notes.

For example, enter this command:

java -fullversion

2. Obtain the language pack CD for the Tivoli Identity Manager Server. On UNIX

systems, mount the language pack CD.

3. Use command line mode to install the language pack. For example, enter this

language pack command at a command prompt:

java -jar itimlp_setup.jar

The Tivoli Identity Manager language pack setup program starts. To complete

the language pack installation, follow the instructions that appear in the setup

program windows.

4. Verify that the language pack is installed. Complete these steps:

a. Verify that these files are present in the

WAS_HOME/installedApps/cellname/enRole.ear/app_web.war directory:

v AppletLabels_lang.properties

v AppletErrorMessages_lang.properties

v AppletMessages_lang.properties

The value of lang is a string such as fr that indicates a language such as

French.

b. Verify that one or more of the following files are present in the

ITIM_HOME/data directory:

v ErrorMessages_lang.properties

v Labels_lang.properties

v Messages_lang.properties

v adhocreporting_lang.properties

Preparing to install adapters

Use SSL production certificates to ensure secure communication between the Tivoli

Identity Manager Server and the Tivoli Identity Manager adapter. For more

information, see “Adapters overview” on page 2.

The Certificate Authority issuer certificate that corresponds to the certificate of the

Tivoli Identity Manager adapter must be installed into the truststore file that the

Tivoli Identity Manager Server is configured to use. Tivoli Identity Manager uses

the standard Java keystore and truststore mechanisms to store certificates and

issuer certificates for SSL communications. You can use any standard Java keystore

tools to maintain certificates, such as the Java keytool command line utility, or the

WebSphere key management utility (iKeyman). The source certificate files can be in

any format that the keystore tool supports. For more information, refer to the IBM

Tivoli Identity Manager Planning for Deployment Guide.
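One way to install the issuer certificate with the Java keytool utility named above, checking its fingerprint before and after the import. This is an added example, not IBM-supplied code: the function names, the TRUSTSTORE_PASS variable, the alias and the file paths are assumptions, and the truststore location is whatever your Tivoli Identity Manager Server is configured to use.

```shell
#!/bin/sh
# Added example, not part of the IBM guide. Hypothetical names: normalize_fp,
# cert_sha256, store_sha256, import_issuer_cert, TRUSTSTORE_PASS.
# Requires a keytool that accepts the -storepass:env modifier, which keeps the
# truststore password out of the process argument list.

# Strip separators and upper-case a fingerprint so two spellings compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint that keytool reports for a certificate file.
cert_sha256() {
    keytool -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Print the SHA-256 fingerprint of the entry ALIAS inside truststore STORE.
store_sha256() {
    keytool -list -v -alias "$2" -keystore "$1" -storepass:env TRUSTSTORE_PASS 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_issuer_cert STORE ALIAS CERT_FILE EXPECTED_SHA256
#   EXPECTED_SHA256 is the fingerprint obtained from the Certificate Authority
#   over a separate channel. Return codes: 1 password variable missing,
#   2 file does not match the expected fingerprint, 3 keytool refused the
#   import (for example, the alias already exists), 4 stored entry differs.
import_issuer_cert() {
    store="$1"; alias_name="$2"; cert="$3"; expected="$4"

    if [ -z "${TRUSTSTORE_PASS:-}" ]; then
        echo "TRUSTSTORE_PASS is not set" >&2
        return 1
    fi

    # Verify the file before it becomes a trust anchor for adapter connections.
    actual=$(cert_sha256 "$cert")
    if [ -z "$actual" ] || [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint of $cert does not match the expected value" >&2
        return 2
    fi

    # -noprompt is safe here only because the fingerprint was checked above.
    keytool -importcert -noprompt -trustcacerts -alias "$alias_name" \
        -file "$cert" -keystore "$store" -storepass:env TRUSTSTORE_PASS || return 3

    # Read the entry back to confirm what the server will actually trust.
    stored=$(store_sha256 "$store" "$alias_name")
    [ "$(normalize_fp "$stored")" = "$(normalize_fp "$actual")" ] || return 4
}
```

Import only the issuer certificate that corresponds to the adapter certificate; a broader CA bundle widens what the server accepts as an adapter.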

Complete these steps:

1. Using the Tivoli Identity Manager import utility, install the adapter profile.

2. After installing Tivoli Identity Manager, if the default language is not English,

complete these steps before you install the first Tivoli Identity Manager

adapter:

a. Before you run the Tivoli Identity Manager language pack setup program,

ensure that the version of the Java Runtime Environment that Tivoli Identity

Manager requires is accessible from the command line. For more

information, refer to the IBM Tivoli Identity Manager Release Notes.

For example, enter this command:

java -fullversion

b. Obtain and mount the language pack CD for the Tivoli Identity Manager

adapters. Use command line mode to install the language pack for the

adapters on the Tivoli Identity Manager Server. For example, enter the

following command:

java -jar itimlp_agents_setup.jar

The Tivoli Identity Manager language pack setup program starts. To

complete the language pack installation, follow the instructions that appear

in the setup program panels.

Chapter 6. Installing Tivoli Identity Manager in a cluster configuration

This chapter describes installing and configuring the Tivoli Identity Manager in a

cluster configuration. Before continuing, read “Configuration options” on page 4.

For required application versions and fix packs, refer to the IBM Tivoli Identity

Manager Release Notes.

Before you begin

Before you begin to install Tivoli Identity Manager Server in a cluster

configuration, complete these tasks:

1. Determine which product CDs you need to install Tivoli Identity

Manager. For an itemization of the CD contents, refer to a text file such as

itim-4.6-cd-images-operatingsystem.txt that is provided with the CD image. For

a complete list of these image files, see Appendix A, “Installation images and

fix packs,” on page 109.

2. Ensure that free disk space and virtual memory requirements are met on

every computer in the cluster. Additionally, ensure that there is adequate free

disk space in the system temp directory and in the WAS_HOME and

WAS_NDM_HOME directories. The target computers must meet the machine

requirements described in the IBM Tivoli Identity Manager Release Notes.

3. Ensure that you have the needed administrative authority. On Windows

systems, the logon user ID must be in the Administrators Group. On UNIX

systems, the logon user ID must be root.

4. Installing the Tivoli Identity Manager Server writes data to the Tivoli Identity

Manager database. If DB2 UDB is used, ensure that the following conditions

are met:

v If DB2 UDB is selected, the Tivoli Identity Manager installation program

pre-allocates 1 GB database table space on the computer on which the DB2

server resides. Ensure that this free disk space is available on the DB2

server. For more information on database table space, refer to the IBM Tivoli

Identity Manager Performance Tuning Guide technical supplement.

v Database configuration, such as creating table space, requires that you have

authority as database administrator. On Windows systems, the authority

can be the db2admin user. On UNIX systems, the authority can be db2inst1.

5. In a cluster, the name of the Tivoli Identity Manager installation directory

must be the same for all cluster members. Specify an identical directory to

avoid later runtime difficulties in certificate recognition or in identity feed

activities on different cluster member computers. For example, specify

/usr/IBM/itim on the AIX operating system as the directory on all cluster

member computers.

6. Ensure that the directory server has loaded the appropriate referential

integrity plug-in. For more information, see “Configuring the referential

integrity plug-in on the IBM Tivoli Directory Server” on page 28.

7. Ensure that the prerequisite applications described in Table 5 on page 62

are running:

Table 5. Prerequisites that must be running

Prerequisite        For more information

Database            Chapter 2, “Installing and configuring a database,” on page 11

Directory server    Chapter 3, “Installing and configuring a directory server,” on page 25

8. Determine that the WebSphere Application Server cell and cluster are ready

for Tivoli Identity Manager installation. Complete the steps to construct a

WebSphere Application Server cell and a cluster, described in “Creating a

cluster configuration” on page 36.

The processes described in Table 6 must be running before and after you

install the Tivoli Identity Manager Server:

Table 6. Processes that must be running before and after installing the Tivoli Identity Manager Server

Process: For more information

v Deployment manager

v WebSphere Application Server node agents

v WebSphere Application Server JMS servers on all nodes in the cluster

For all three processes: “UNIX: Creating groups and users before installing WebSphere embedded messaging” on page 34

9. If DB2 UDB is used, ensure that the DB2 UDB profile is correctly sourced

before starting the WebSphere node agent on each cluster member node. For

more information, see “UNIX: Sourcing the DB2 Universal Database profile”

on page 73.

10. If WebSphere global security is already turned on, complete the necessary

manual steps after installing Tivoli Identity Manager. For more information on

those post-installation steps, see “Running Java 2 security on multi-node

deployments” on page 89. For more information on global security, refer to

the WebSphere documentation.

11. Obtain or complete the planning worksheet which captures the details of your

configuration. For more information, see Appendix B, “Worksheets,” on page

111.

12. If you are upgrading a version of Tivoli Identity Manager that is already on

the computer, see Appendix C, “Upgrading from Tivoli Identity Manager

Version 4.5.1 to Version 4.6,” on page 115 for more information on protecting

Tivoli Identity Manager customizations and data.

Overview of the installation program in a cluster configuration

The flowchart in Figure 9 on page 63 describes the basic sequence of events during

installation of the Tivoli Identity Manager Server in a cluster configuration:

Figure 9. Cluster installation flowchart (decision points: installation directory, installation type of single server or cluster, cluster node type, WebSphere Application Server base product and deployment manager installation directories, cluster name, host name and IP address verification)

Install the Tivoli Identity Manager Server on the following computers:

v The deployment manager.

Install the Tivoli Identity Manager Server on the computer that has the

deployment manager before you install the Tivoli Identity Manager Server on

cluster nodes. The deployment of the Tivoli Identity Manager application and

also the configuration of the database and the directory server for Tivoli Identity

Manager occurs during this installation. The deployment manager distributes the

Tivoli Identity Manager application to all cluster member computers. The

installation program expands the Tivoli Identity Manager Enterprise Application

Archive (EAR) file on each cluster member.

v One or more cluster members.

Repeat the steps in this chapter to install the Tivoli Identity Manager Server on

each computer that is a cluster member. The installation program does these

tasks:

– Copies additional Tivoli Identity Manager files to the target computer.

Figure 10. Cluster installation flowchart (continued) (steps: WebSphere security credential if security is on, location of the Tivoli Common Directory, encryption key, pre-installation summary; on the deployment manager, configure database, configure LDAP and configure system)

– Configures the WebSphere Application Server that hosts the cluster member.

Installing the Tivoli Identity Manager Server on clusters must be done

sequentially, one computer at a time. Running the Tivoli Identity Manager

installation program simultaneously on more than one computer at a time might

result in synchronization problems with the WebSphere master configuration file.

Note: If the same computer has both the deployment manager and a Tivoli

Identity Manager cluster member, you must select both the deployment

manager and the cluster member node types when you run the Tivoli

Identity Manager installation program.

Starting the installation wizard

To install Tivoli Identity Manager Server in a cluster configuration, complete the

following steps:

1. Log on to an account with system administration privileges on the computer

where the Tivoli Identity Manager Server will be installed.

2. Insert the Tivoli Identity Manager product CD into the CD-ROM drive. To

locate the correct CD for your environment, refer to Appendix A, “Installation

images and fix packs,” on page 109.

3. To run the installation program, complete these steps:

v Windows

a. Click Start –> Run.

b. Enter your CD-ROM drive, and then enter the following command:

instWIN-WAS.exe

The Welcome window opens.

v UNIX

a. Open a command prompt window, and change to your CD-ROM drive.

b. Enter one of the following commands for the Tivoli Identity Manager

installation program:

– AIX

instAIX-WAS.bin

– Solaris

instSOL-WAS.bin

– Linux

instLINUX-WAS.bin

The installation program starts and displays the Welcome window.

Completing the installation wizard pages

Use the first set of installation wizard pages to set up the installation:

1. To change the language that is used for the installation wizard pages, select

another language from the drop-down list. This choice only affects the

installation wizard and not the language version of Tivoli Identity Manager to

be installed. Then, click OK. For more information on installing a language

pack, see “Optionally installing a language pack” on page 74.

2. In the License Agreement window, read the license agreement and decide

whether to accept its terms. If you do, select Accept, and then click Next.

The Tivoli Identity Manager Installation Directory window opens.

3. Accept the default ITIM_HOME installation directory, or select Choose to

select another directory. Then, click Next.

4. In the Installation Type window, select Regular cluster. Then, click Next.

5. In the Installing Tivoli Identity Manager on a Cluster Environment window,

read the conditions that apply to a cluster environment. Before continuing,

apply any other changes that are necessary to configure the environment for

these conditions. For example, verify that the deployment manager and all

WebSphere node agents are running. For more information, see “Verifying that

the deployment manager, node agents, and JMS servers are running” on page

38. Click Next.

The Database Type window opens.

6. In the Database Type window, select one of the following database types, and

then click Next:

v DB2 Universal Database

You are prompted for the DB_INSTANCE_HOME directory that contains the

database for Tivoli Identity Manager.

v Oracle Database

If the Oracle database is selected, another window prompts you for the

location of the Oracle JDBC driver. Provide the location and click Next. For

more information, see “Tivoli Identity Manager information for the

database” on page 111.

v Microsoft SQL Server 2000

7. In the Choose Cluster Node Type window, select one or both of these node

types:

v Deployment manager

You must install Tivoli Identity Manager first on the computer that has the

deployment manager.

v Cluster member

Install Tivoli Identity Manager on every cluster member that does not reside

on the same computer as the deployment manager, after you install Tivoli

Identity Manager on the computer that has the deployment manager. If you

have the deployment manager and a Tivoli Identity Manager cluster

member on the same computer, you must select both node types.

8. If you selected a cluster member for the Tivoli Identity Manager installation,

the WebSphere Application Server Installation Directory window appears and

displays a value for a WAS_HOME directory.

There can be multiple installations of the WebSphere Application Server on a

computer. If the WAS_HOME directory is not the directory on which you

intend to install the Tivoli Identity Manager Server, enter the correct directory

value. Click Next.

9. If you selected the deployment manager for the Tivoli Identity Manager

installation, the WebSphere Application Server Installation Directory window

appears and displays a value for a WAS_NDM_HOME directory. If the

WAS_NDM_HOME directory is not the directory on which you intend to

install the Tivoli Identity Manager Server, enter the correct directory value.

Click Next.

10. If you selected the deployment manager for the Tivoli Identity Manager

installation, caution windows open to prompt you to ensure that these

conditions are true:


v If DB2 UDB is selected, the Tivoli Identity Manager installation program

pre-allocates 1 GB database table space on the computer on which the DB2

server resides. Ensure that space is available and click Next.

v The directory server version is at the correct level. Ensure that the version is

correct and click Next.

11. In the data window that requests the cluster name, enter an existing cluster

name such as cluster1 that was defined for the Tivoli Identity Manager cluster.

Then, click Next.

12. A window opens to prompt you to verify the host name and IP address of the

computer. Accept the displayed value unless the computer has multiple host

names and IP addresses, and either the deployment manager or the

WebSphere Application Server is installed under a host name or IP address

other than the displayed value. Verify the WebSphere Application Server data

and click Next.

13. If you are installing Tivoli Identity Manager on a cluster member, the

Directory Server Information window opens.

Complete the fields shown in Figure 11. The window does not appear during

Tivoli Identity Manager installation on the computer that has the deployment

manager.

From the information worksheet you completed in “Tivoli Identity Manager

information for the directory server” on page 112, enter organization data in

the fields in the window. For every cluster member, the information must be

identical and must match the LDAP specification that was entered during

Tivoli Identity Manager installation on the deployment manager. Click Next.

Figure 11. Directory server information window

14. If WebSphere global security is on, a WebSphere Application Server

Administrator Credential window that is similar to Figure 12 on page 68

requires you to specify the WebSphere Application Server user ID and

password. This is the wasadmin user ID described in the manual steps in

“Optionally configuring security for Tivoli Identity Manager” on page 40.

15. In the encryption key window, provide an encryption key, which can be any

word or phrase. The key is used to encrypt Tivoli Identity Manager passwords

and other sensitive text. Then, click Next.

16. In the Tivoli Common Directory window, accept the default directory for the

Tivoli Common Directory that the Tivoli Identity Manager installation

program defines, or choose a new one. For more information on directory

paths, see “Definitions for HOME and other directory variables” on page xii.

Then, click Next. Ensure that the directory has at least 25 MB of free space.

The Tivoli Common Directory is the central location for all

serviceability-related files, such as logs and first-failure capture data.

17. In the Pre-install Summary window, review the components to be installed,

the required free disk space, and the Tivoli Identity Manager installation

directory. If everything is acceptable, click Install.

18. Complete the remaining automated installation program. “Responding to

major installation actions” describes these major steps.

Responding to major installation actions

The Tivoli Identity Manager installation program opens a series of progress

windows for additional, major installation actions. Some windows require your

input. The installation program installs and configures the Tivoli Identity Manager

application on the WebSphere Application Server, sets up the Tivoli Identity

Manager database on the database server, and sets up the LDAP schema and a

configuration of data on the directory server.

The major installation actions include these steps:

1. Copying Tivoli Identity Manager files to the target computer.

Figure 12. WebSphere Application Server Administrator Credential window


The installation program copies Tivoli Identity Manager files to the

ITIM_HOME directory.

2. Deploying Tivoli Identity Manager onto the deployment manager.

The Tivoli Identity Manager application runs within the WebSphere Application

Server as an enterprise application. The Tivoli Identity Manager installation

program uses the WebSphere command line interface (wsadmin) to deploy the

Tivoli Identity Manager application onto the deployment manager.

The Tivoli Identity Manager installation program also configures the

WebSphere environment settings that the Tivoli Identity Manager Server

requires. The deployment takes several minutes to complete. For more

information on configuring the WebSphere environment, see Appendix D,

“Steps that the installation program takes to configure the WebSphere

environment,” on page 127.

When the deployment completes, the Tivoli Identity Manager files are in the

WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear directory.

If the deployment fails, an error message provides the location of the

setupEnrole.stdout log file. Examine the errors in the setupEnrole.stdout log

file. Then, complete these tasks:

v If the log data indicates failure to create a SOAP connection to the

deployment manager, or some type of deployment manager scripting error,

complete these steps:

a. Exit the Tivoli Identity Manager installation program.

b. Resolve the problem that prevents connection to the WebSphere

Application Server or a problem described as a scripting error. For more

information, refer to the WebSphere documentation.

c. Manually delete all files in the ITIM_HOME directory.

d. Run the Tivoli Identity Manager installation program again.

v If the log data indicates that failure is due to a timeout, continue the Tivoli

Identity Manager installation program. When installation finishes, complete

these steps:

a. If the WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear

directory was created, delete the directory on the computer that has the

deployment manager.

b. Run one of the following commands to deploy the Tivoli Identity

Manager Server onto the deployment manager:

– If WebSphere global security is on, run this command:

ITIM_HOME/bin/setupEnrole install server:name user:user_id password:pwd

The value of name is the name of the WebSphere Application Server on

which the Tivoli Identity Manager application is deployed. The value

of user_id is the WebSphere administrator user ID, such as wasadmin.

The value of pwd is the password for the WebSphere administrator

user ID, such as wasadminpwd.

– If WebSphere global security is off, enter this command:

ITIM_HOME/bin/setupEnrole install server:name

3. If installation is on the deployment manager, the next step is gathering

database data and configuring the database.

In this step, the Tivoli Identity Manager installation program sets up the Tivoli

Identity Manager database and configures the JDBC driver provider in the

WebSphere Application Server. For more information, see “Configuring the

Tivoli Identity Manager database” on page 77.


If an error occurs, examine the error and provide a corrective action. There is

more information in the ITIM_HOME/install_logs/dbConfig.stdout log file.

You might need to refer to documentation that the database product or that the

WebSphere product provides.

Continue the Tivoli Identity Manager installation program. When the

installation completes, complete these steps:

a. Save the current log data by renaming the

ITIM_HOME/install_logs/dbConfig.stdout log file.

b. When the correction is complete, type this command to configure the Tivoli

Identity Manager database:

v Windows

ITIM_HOME\bin\DBConfig

v UNIX

ITIM_HOME/bin/cmdWrapper.sh DBConfig

New log data is recorded in the ITIM_HOME/install_logs/dbConfig.stdout

log file.

Note: The DBConfig command creates the database table definitions that

Tivoli Identity Manager requires. Run this command only if the

command failed to configure the database during installation. If the

Tivoli Identity Manager database tables have been previously set,

running the DBConfig command first drops all previously existing

Tivoli Identity Manager tables.

4. If installation is on the deployment manager, the next step is gathering

directory server data and configuring the directory server.

In this step, the Tivoli Identity Manager installation program sets up the LDAP

schema and defines default settings for Tivoli Identity Manager. For more

information, see “Configuring the directory server” on page 79.

If an error occurs, record the error message that is displayed, which might

describe a problem in setting up the LDAP schema or creating a configuration

of data on the directory server.

Continue the Tivoli Identity Manager installation program. When the

installation completes, complete these steps:

a. Examine the errors and provide a corrective action. There is more

information in the ITIM_HOME/install_logs/ldapConfig.stdout log file. You

might also need to refer to documentation that the directory server product

provides.

b. Save the current log data by renaming the

ITIM_HOME/install_logs/ldapConfig.stdout log file.

c. When the correction is complete, use this command to configure the

directory server:

ITIM_HOME/bin/ldapConfig

New log data is recorded in the

ITIM_HOME/install_logs/ldapConfig.stdout log file.

Note: Do not run the ldapConfig command a second time, unless the

LDAP configuration fails during the Tivoli Identity Manager

installation process. Running the ldapConfig command will restore

default values that Tivoli Identity Manager uses. If you have changed

the value of any of these Tivoli Identity Manager attributes, such as

the password of the user ID named itim manager, the value is

overwritten.


5. If installation is on the deployment manager or on a cluster member, the Tivoli

Identity Manager installation program copies a set of Tivoli Identity Manager

property files to the ITIM_HOME directory. During this step, you can use the

GUI to change some of the Tivoli Identity Manager properties.

If the installation is on a cluster member, ensure that the directory and database

connection information that you enter on the Directory tab and the Database

tab match the information that you entered on these tabs when you configure

the deployment manager. The default database user ID is enrole. The user ID

password is the password that is created for the user ID enrole during the

deployment manager setup. Do not change the default database user ID and

password. The Tivoli Identity Manager will not function properly if any user

information is incorrect. For more information, see “Configuring commonly

used system properties” on page 80.

The Tivoli Identity Manager installation program also configures the

WebSphere environment settings that the Tivoli Identity Manager Server

requires. This step takes several minutes to complete. For more information on

configuring the WebSphere environment, see Appendix D, “Steps that the

installation program takes to configure the WebSphere environment,” on page

127.

If an error occurs, record the error message that is displayed, which might

describe a problem in configuring the WebSphere environment settings that the

Tivoli Identity Manager Server requires.

Continue the Tivoli Identity Manager installation program. When the

installation completes, complete these steps:

a. Examine the errors and provide a corrective action. There is more

information in the ITIM_HOME/install_logs/runConfigTmp.stdout log file.

You might also need to refer to documentation that the WebSphere product

provides.

b. When the correction is complete, enter one of the following commands:

To update commonly-used properties and also to reset WebSphere

Application Server settings for the Tivoli Identity Manager application, run

this command:

v Windows

ITIM_HOME\bin\runConfig install

v UNIX:

– DB2 UDB

ITIM_HOME/bin/cmdWrapper.sh runConfig install

The cmdWrapper.sh command automatically sources the DB2 profile.

– Other databases

ITIM_HOME/bin/runConfig install

New log data is recorded in the ITIM_HOME/install_logs/runConfig.stdout

log file.

6. Restart the cluster. For more information, see “Starting a cluster” on page 72.

7. Verify that the Tivoli Identity Manager Server is working correctly. For more

information, see “Verifying that the Tivoli Identity Manager Server is

operational” on page 56.


Starting a cluster

When installation completes and any required configuration and security

modification is done, restart the cluster. On the WebSphere administrative console,

complete these steps, which assume that the installation process automatically

started the Tivoli Identity Manager:

1. Stop the Tivoli Identity Manager program and the Tivoli Identity Manager

cluster.

a. Click Servers –> Clusters.

b. Select the Tivoli Identity Manager cluster.

c. Click Stop. The Tivoli Identity Manager application stops when the cluster

stops.

2. Start the Tivoli Identity Manager application and the Tivoli Identity Manager

cluster.

a. Click Servers –> Clusters.

b. Select the Tivoli Identity Manager cluster.

c. Click Start. The Tivoli Identity Manager application starts when the cluster

starts.

Use the WebSphere administrative console to verify that all required cluster

applications are started. Complete these steps:

1. Click Applications –> Enterprise Applications. Examine the status of the Tivoli

Identity Manager (enRole) application.

2. Click Servers –> Application Servers. Examine the status of the cluster

members.

3. Additionally, examine the log files for other problems. For more information,

see “Logs and directories” on page 102.

If the status of the Tivoli Identity Manager (enRole) application indicates a partial

start, complete these steps:

1. Locate the computer that has the cluster member that fails to start.

2. Examine the following log files of the computer where the cluster member

resides:

v WAS_HOME/logs/member_hostname/SystemOut.log

v Tivoli_Common_Directory/logs/trace.log

3. Correct the problem. Then, use the WebSphere administrative console to start

the cluster member.

Verifying that the Tivoli Identity Manager Server is operational

To verify that the Tivoli Identity Manager Server and related processes are running,

complete these steps:

1. Start the Tivoli Identity Manager Server cluster. For more information, see

“Starting a cluster.”

2. Ensure that the JMS server that is associated with each cluster member node is

running.

a. On the WebSphere administrative console, click Servers –> JMS Servers.

b. Select the target JMS server and examine the status column for the server. If

the server is not active, click Start to activate it.

For more information, see “Determining if the JMS server is running on a

cluster node” on page 98.


3. Log on to Tivoli Identity Manager Server using the WebSphere embedded

HTTP transport. For example, at a browser window, enter this address:

http://hostname:9080/enrole

The value of hostname is the fully qualified name or IP address of the computer

on which the Tivoli Identity Manager Server is running. The port number

default is 9080. If you have multiple instances of the WebSphere Application

Server on the same computer, the port number may be a different value, such

as 9081.

The browser displays the Tivoli Identity Manager logon window. Enter the

Tivoli Identity Manager Server administrator user ID ("itim manager") and

password (immediately after installation, the value is "secret").

4. After successfully logging on to Tivoli Identity Manager Server using the

WebSphere embedded HTTP transport, attempt to log on to the Tivoli Identity

Manager Server using the IBM HTTP Server. Log on at this address:

http://http_server_hostname/enrole

The value of http_server_hostname is the host name of the IBM HTTP Server. For

more information if you cannot display the Tivoli Identity Manager logon

window, or cannot log on to Tivoli Identity Manager, see “Ensuring that the

HTTP server is running” on page 96.

5. After a first, successful logon, the logon window immediately prompts you to

change the administrator password. Ensure that your password change is

successful. After you change the password, you are ready to create your

organization object and a user that is called an ITIM User.

If you cannot start and log on to Tivoli Identity Manager, see Chapter 8,

“Troubleshooting and verifying the installation,” on page 93.

UNIX: Sourcing the DB2 Universal Database profile

On UNIX operating systems, run the DB2 UDB profile to set up the correct

environment to run DB2 UDB programs. This action enables communication

between the Tivoli Identity Manager Server and the DB2 server. This manual step

is not necessary on Windows systems.

To source the profile, complete these steps:

1. Enter the appropriate db2profile command for your default login shell.

For example, if your default login shell is ksh, source the DB2 UDB profile by

entering the following command:

. DB_INSTANCE_HOME/SQLLIB/db2profile

2. Verify that you successfully sourced the profile. Enter the following command:

set | grep -i db2

The -i parameter specifies that the search is not sensitive to case. In the

following output, the existence of the value db2inst1 associated with the value

of DB_INSTANCE_HOME indicates that the profile was successfully sourced:

CLASSPATH=/home/db2inst1...

DB2DIR=/usr/lpp/db2_08_01

DB2INSTANCE=db2inst1

3. Include the db2profile command in your user profile to ensure that the profile

is sourced every time that the database runs.

Ensure that the DB2 UDB profile is correctly sourced before doing these tasks:


v Running DBConfig, the database configuration tool. For more information, see

step 3 on page 69.

v Running runConfig, the system configuration tool. For more information, see

step 5 on page 71.

v Starting a WebSphere node agent. For more information, see “Verifying that the

deployment manager, node agents, and JMS servers are running” on page 38.

Optionally installing a language pack

After installing Tivoli Identity Manager, if the default language is not English,

complete these steps:

1. Before you run the Tivoli Identity Manager language pack setup program,

ensure that the version of the Java Runtime Environment that Tivoli Identity

Manager requires is accessible from the command line. For more information,

refer to the IBM Tivoli Identity Manager Release Notes.

For example, enter this command:

java -fullversion

2. Obtain the language pack CD for the Tivoli Identity Manager Server. On UNIX

systems, mount the language pack CD.

3. Use command line mode to install the language pack. For example, enter this

language pack command at a command prompt:

java -jar itimlp_setup.jar

The Tivoli Identity Manager language pack setup program starts. To complete

the language pack installation, follow the instructions that appear in the setup

program windows.

4. Verify that the language pack is installed. Complete these steps:

a. Verify that these files are present in the

WAS_HOME/installedApps/cellname/enRole.ear/app_web.war directory:

v AppletLabels_lang.properties

v AppletErrorMessages_lang.properties

v AppletMessages_lang.properties

The value of lang is a string such as fr that indicates a language such as

French.

b. Verify that one or more of the following files are present in the

ITIM_HOME/data directory:

v ErrorMessages_lang.properties

v Labels_lang.properties

v Messages_lang.properties

v adhocreporting_lang.properties

Changing cluster configurations after Tivoli Identity Manager is

installed

This section describes expanding or reducing the members in a cluster for

performance reasons after Tivoli Identity Manager is installed.

Expanding a cluster using a new computer

To add a new cluster member to an existing Tivoli Identity Manager cluster,

complete these steps to add a computer with a WebSphere Application Server that

was not previously in the WebSphere cell.


1. Run the addNode command to federate the new node into the cell. If DB2 UDB

is used, ensure that you set the DB2 environment before you run the addNode

command. For more information, see “Adding nodes to a cell” on page 38.

2. Create a new Tivoli Identity Manager cluster member on the new node. On the

WebSphere administrative console, complete these steps:

a. Click Servers –> Cluster.

b. On the next window, click the Tivoli Identity Manager cluster name.

c. Click Cluster Members, then click New.

d. Select the node name that is the node that you added to the cell. Enter the

node name. Then, click Next.

e. Verify the summary window, then click Finish.

f. Save the changes.

3. Run the Tivoli Identity Manager installation program on the new computer,

choosing cluster member installation.

4. Update the WebSphere Web Server plug-in file. Using the WebSphere

administrative console, click Environment –> Update Web Server Plugin –>

OK. If the IBM HTTP Server is located on a different computer than the

computer that has the WebSphere Application Server, move the plugin-cfg.xml

file to the IBM HTTP Server computer. For more information, see “Moving the

HTTP server out of the cell for additional security” on page 45.

5. Start the new cluster member. Click Servers –> Clusters and select the cluster.

In the cluster, click Cluster Members. Select the new member and click Start.

Removing cluster members

To remove cluster members, complete these steps:

1. Run the Tivoli Identity Manager uninstallation program on the computer that

has the cluster member that you intend to remove. For more information, see

Chapter 9, “Uninstalling the Tivoli Identity Manager Server,” on page 105.

2. On the WebSphere administrative console, delete the cluster member from the

cluster.

3. Update the WebSphere Web Server plug-in file. Using the WebSphere

administrative console, click Environment –> Update Web Server Plugin –>

OK. For more information, see “Generating the WebSphere Web Server plug-in

configuration file.”

Generating the WebSphere Web Server plug-in configuration

file

If you add to or reduce the number of cluster members, you must generate the

plugin-cfg.xml configuration file for the WebSphere Web Server plug-in. Complete

these steps:

1. Log on to the deployment manager, using the WebSphere administrative

console.

2. From the left pane of the console, click Environment –> Update Web Server

Plugin –> OK.

3. After the update completes, click Save to save your configuration to the master

repository. The updated plugin-cfg.xml file should reside in the

WAS_NDM_HOME/config/cells directory.

4. If the IBM HTTP Server and deployment manager are installed on different

computers, you must move the plugin-cfg.xml file to the computer that has the

IBM HTTP Server, and replace the existing plugin-cfg.xml file.


5. Restart the IBM HTTP Server.

Preparing to install adapters

Use SSL production certificates to ensure secure communication between the Tivoli

Identity Manager Server and the Tivoli Identity Manager adapter. For more

information, see “Adapters overview” on page 2.

The Certificate Authority issuer certificate that corresponds to the certificate of the

Tivoli Identity Manager adapter must be installed into the truststore file that the

Tivoli Identity Manager Server is configured to use. Tivoli Identity Manager uses

the standard Java keystore and truststore mechanisms to store certificates and

issuer certificates for SSL communications. You can use any standard Java keystore

tools to maintain certificates, such as the Java keytool command line utility, or the

WebSphere key management utility (iKeyman). The source certificate files can be in

any format that the keystore tool supports. For more information, refer to the IBM

Tivoli Identity Manager Planning for Deployment Guide.

A cluster configuration requires that the issuer certificate that corresponds to the

certificate of the Tivoli Identity Manager adapter is installed into the truststore file

of each application server on the cluster.
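The truststore requirement above can be scripted with the Java keytool utility. This is an added example, not code from the guide or from IBM: it assumes a current JDK keytool on PATH, and the TRUST_PASS variable, the alias and every path are placeholders chosen for the example. Run it on each cluster member against that member's truststore file.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumes a current JDK keytool on PATH and the
# truststore password exported in TRUST_PASS (a name chosen for this example),
# so the password never appears on the command line.

# Print a certificate file as PEM, whatever encoding the file uses.
cert_pem() {
    out=$(keytool -printcert -rfc -file "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | tr -d '\r'
}

# Print the certificate stored under an alias as PEM; fails if the alias is absent.
alias_pem() {
    out=$(keytool -exportcert -rfc -keystore "$1" -storepass:env TRUST_PASS \
        -alias "$2" 2>/dev/null) || return 1
    printf '%s\n' "$out" | tr -d '\r'
}

# Install the adapter's CA issuer certificate into one existing truststore.
# $1 = truststore file, $2 = alias, $3 = issuer certificate file
# Returns 0 if the certificate is trusted afterwards, 1 on a failed
# precondition or import, 3 if the alias already holds a different certificate.
install_issuer() {
    store=$1
    alias_name=$2
    cert=$3
    # A mistyped path must not silently create a new, unused truststore.
    [ -f "$store" ] || { echo "truststore not found: $store" >&2; return 1; }
    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ -n "${TRUST_PASS:-}" ] || { echo "TRUST_PASS is not set" >&2; return 1; }

    want=$(cert_pem "$cert") || { echo "not a certificate: $cert" >&2; return 1; }
    if have=$(alias_pem "$store" "$alias_name"); then
        if [ "$have" = "$want" ]; then
            echo "$store: $alias_name already holds this certificate"
            return 0
        fi
        echo "$store: $alias_name holds a different certificate, not overwriting" >&2
        return 3
    fi

    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias_name" -file "$cert" \
        -keystore "$store" -storepass:env TRUST_PASS >/dev/null 2>&1 || return 1

    # Read the entry back and compare it with the file that was imported.
    have=$(alias_pem "$store" "$alias_name") || return 1
    [ "$have" = "$want" ] || return 1
    echo "$store: installed issuer certificate as $alias_name"
}

# Apply install_issuer to several truststores; non-zero if any of them failed.
# $1 = alias, $2 = issuer certificate file, remaining arguments = truststores
install_issuer_all() {
    alias_name_all=$1
    cert_all=$2
    shift 2
    failed=0
    for ts in "$@"; do
        install_issuer "$ts" "$alias_name_all" "$cert_all" || failed=1
    done
    return "$failed"
}
```

A return code of 3 means the alias is already bound to some other certificate, which is worth investigating before anything is replaced.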

Complete these steps:

1. Using the Tivoli Identity Manager import utility, install the adapter profile.

2. In a cluster configuration, install the adapter profile once. For recommendations

on where to install the adapter profile in a cluster configuration, refer to the

adapter installation guide for your specific adapter.

3. Labels from the CustomLabels.properties file are stored in the Tivoli Identity

Manager database. In a cluster configuration, import the adapter profile on the

computer on which the deployment manager is installed, although the adapter

profile can be imported on any server in the cluster. The profile information is

pushed into the directory and becomes available to all cluster members.

4. After installing Tivoli Identity Manager, if the default language is not English,

complete these steps before you install the first Tivoli Identity Manager

adapter:

a. Before you run the Tivoli Identity Manager language pack setup program,

ensure that the version of the Java Runtime Environment that Tivoli Identity

Manager requires is accessible from the command line. For more

information, refer to the IBM Tivoli Identity Manager Release Notes.

For example, enter this command:

java -fullversion

b. Obtain and mount the language pack CD for the Tivoli Identity Manager

adapters. Use command line mode to install the language pack for the

adapters on the Tivoli Identity Manager Server. For example, enter the

following command:

java -jar itimlp_agents_setup.jar

The Tivoli Identity Manager language pack setup program starts. To

complete the language pack installation, follow the instructions that appear

in the setup program panels.


Chapter 7. Configuring the Tivoli Identity Manager Server

Configuring the Tivoli Identity Manager Server has these steps:

v “Configuring the Tivoli Identity Manager database”

v “Configuring the directory server” on page 79

v “Configuring commonly used system properties” on page 80

v “Optionally configuring security after installing Tivoli Identity Manager” on

page 87

v “Modifying system properties during normal operation” on page 90

Configuring the Tivoli Identity Manager database

The Tivoli Identity Manager installation program automatically uses the DBConfig

database configuration tool during a single-server installation, or during a cluster

installation on the deployment manager, to set up these components:

v Tivoli Identity Manager database

v WebSphere JDBC driver provider configuration

v WebSphere data source configuration

Completing the database configuration windows

A database configuration window opens to allow you to configure the database

property file and to set up tables in the Tivoli Identity Manager database. The

fields that appear in the window might vary, depending on which database that

you use. For more information, see Appendix B, “Worksheets,” on page 111.

On the database configuration window, follow these steps:

1. Complete the Identity Manager Database Information fields. The data is

required to configure and connect to the Tivoli Identity Manager database.

Ensure that the database administrator ID has the rights to update the

database. If the database is DB2 UDB, the IP Address and Port Number fields

are greyed out. These fields are required for other databases. For example, for

an Oracle database, enter the IP address of your Oracle database server in the

IP Address field; the default value for the Port Number field is 1521.


2. Click Test to ensure that the connection to the database is active. When the

database test is successful, the Tivoli Identity Manager User Password field

becomes active and the Test button changes to Continue. The User ID field

defaults to the value enrole, which cannot be changed. Before you continue,

ensure that the user ID enrole exists on the computer that is the database

server.

3. Enter the correct password for the existing database user ID that is named

enrole and click Continue. The database configuration requires several minutes

to complete.

Manually starting the DBConfig database configuration tool

The DBConfig command creates the database table definitions that Tivoli Identity

Manager requires. Run this command only if the command failed to configure the

database during installation. If the Tivoli Identity Manager database tables have

been previously set, running the DBConfig command first drops all previously

existing Tivoli Identity Manager tables.

To manually start the database configuration tool (DBConfig), complete these

tasks:

1. Ensure that the WebSphere Application Server is running. For more

information, see “Ensuring that the WebSphere Application Server is running”

on page 98.

2. Run the following command:

• Windows

ITIM_HOME\bin\DBConfig

• UNIX

ITIM_HOME/bin/cmdWrapper.sh DBConfig

Running the database configuration tool writes data to the

ITIM_HOME/install_logs/dbConfig.stdout log file. The database configuration

requires several minutes to complete.

Figure 13. Database configuration window

Configuring the directory server

Do not run the ldapConfig command a second time, unless the LDAP

configuration fails during the Tivoli Identity Manager installation process. Running

the ldapConfig command will restore default values that Tivoli Identity Manager

uses. If you have changed the value of any of these Tivoli Identity Manager

attributes, such as the password of the user ID named itim manager, the value is

overwritten.

Completing the directory server configuration windows

To configure the LDAP data repository with Tivoli Identity Manager values,

complete these steps:

1. Enter the values for the LDAP Server Information fields to set up the

connection to the directory server. For example, the value of the Host Name

field is the fully qualified host name of the computer on which the directory

server is running.

2. Click Test to ensure that the connection to the directory server can be

established. When the test for a connection to the directory server is successful,

the fields in the Identity Manager Directory Information section become active.

3. See Appendix B, “Worksheets,” on page 111 and complete the fields with the

values for your site. Then, click Continue.

Manually running the ldapConfig configuration tool

To avoid the loss of existing directory server data, you must not manually run this

tool unless a directory server configuration problem occurs during installation.

To manually start the ldapConfig configuration tool, run the following command:

ITIM_HOME/bin/ldapConfig

Running the configuration tool writes data to the

ITIM_HOME/install_logs/ldapConfig.stdout log file. The directory server

configuration requires several minutes to complete.

Figure 14. Directory configuration window

Configuring commonly used system properties

The Tivoli Identity Manager installation program automatically runs the runConfig

system configuration tool to edit commonly used system properties for the Tivoli

Identity Manager Server and also to configure WebSphere Application Server

settings for the Tivoli Identity Manager application. The Tivoli Identity Manager

installation program runs the system configuration tool for both a single-server

and cluster configuration, which includes the deployment manager and the cluster

members.

You can run the system configuration tool manually. For more information, see

“Manually starting the system configuration tool.” For alternative ways to

configure system properties, see “Modifying system properties during normal

operation” on page 90.

The system configuration tool provides these windows:

• “General tab”

• “Directory tab” on page 82

• “Database tab” on page 83

• “Logging tab” on page 84

• “Mail tab” on page 84

• “UI tab” on page 85

• “Security tab” on page 86

Manually starting the system configuration tool

To update commonly-used properties and also to reset WebSphere Application

Server settings for the Tivoli Identity Manager application, run this command:

• Windows

ITIM_HOME\bin\runConfig install

• UNIX:

– DB2 UDB

ITIM_HOME/bin/cmdWrapper.sh runConfig install

The cmdWrapper.sh command automatically sources the DB2 profile.

– Other databases

ITIM_HOME/bin/runConfig install

Running the system configuration tool writes log data to the

ITIM_HOME/install_logs/runConfig.stdout log file.

General tab

Click the General tab. The General tab of the system configuration tool configures

the general information about the Tivoli Identity Manager Server.

The following field values on the General tab are prefilled by the installation

program:

• Host name

Not used with the Tivoli Identity Manager Server running on the WebSphere

Application Server.

• TCP/IP port number

Not used with the Tivoli Identity Manager Server running on the WebSphere

Application Server.

• SSL TCP/IP port number

Not used with the Tivoli Identity Manager Server running on the WebSphere

Application Server.

• Scheduling information

– Heart beat

The Scheduling Information field displays information about how frequently

a scheduling thread queries the scheduled message stores for events to

process (Heart Beat). You might want to consider performance issues before

you enable a more frequent beat. Only system administrators can modify the

Heart Beat, which is measured in seconds.

– Recycle bin age limit (days)

When you delete Tivoli Identity Manager objects (such as organization units,

persons, or accounts), the objects are not immediately removed from the

system. Instead, they are moved to a recycle bin container. Emptying the

recycle bin is a separate deletion process that involves running cleanup

scripts.

For example, to avoid assigning an old user ID to a new user, the assignment

process might check the recycle bin to determine if an old user ID exists. You

might set the value of the recycle bin interval to an interval that determines

the length of time to retain old user IDs.

The Recycle Bin Age Limit field specifies the number of days that an object

remains in the recycle bin of the system before it becomes available for

deletion by cleanup scripts. The cleanup scripts can only remove those objects

that are older than the age limit setting. For example, if the age limit setting is

62 days (the default value), only objects that have been in the recycle bin for

more than 62 days can be deleted by cleanup scripts.

Figure 15. General tab window

You can use the following scripts to either manually remove or to schedule

the periodic cleanup of recycle bin entries with expired age limits:

- Windows

ITIM_HOME\bin\win\ldapClean.cmd

To schedule periodic cleanup, register the above command script with the

Windows scheduler.

- UNIX

ITIM_HOME/bin/unix/ldapClean.sh

To schedule periodic cleanup, create a UNIX cron job such as the following

example:

ITIM_HOME/bin/unix/schedule_garbage.cron

Directory tab

Click the Directory tab. The Directory tab of the system configuration tool displays

directory connection information and LDAP connection pool information. The tab

also has a Test button to test the connection to the directory server. If you update

any field on this tab, click Test to ensure that the connection works.

The information is pre-filled for the deployment manager, but not for a WebSphere

Application Server. If necessary, modify the following information for the directory

server:

• Principal DN and password that the Tivoli Identity Manager Server uses to log

onto the directory server

• Directory server host name

• Port number for the directory server

• The LDAP connection pool information defines a pool of LDAP connections

accessible by the Tivoli Identity Manager Server. Once a connection is

established and data is stored in the LDAP directory server, changing the host

name or the port number might have detrimental effects.

Figure 16. Directory tab window

– In the Maximum Pool Size field, specify the maximum number of

connections that the LDAP Connection Pool can have at any time.

– In the Initial Pool Size field, specify the initial number of connections to be

created for the LDAP Connection Pool.

– In the Increment Count field, specify the number of connections to be added

to the LDAP Connection Pool every time a connection is requested after all

connections are in use.

Database tab

Click the Database tab. The Database tab displays general database information

and database pool information. The tab also has a Test button to test the

connection to the database. If you update any field on this tab, click Test to ensure

that the connection works. Changing the configuration after the system is set up

can have detrimental effects.

Depending on the type of connection that is used, one of several windows is

displayed when configuring database properties. The window in this example

displays the Database tab when Tivoli Identity Manager does not use an Oracle

Client to connect to the Oracle database.

If this installation is on a cluster member, the information must match the database

specification previously made for the deployment manager.

• In the Database Type field, specify a database such as DB2 UDB.

• In the Database Name or Alias field, specify the name or alias of the database.

For example, the value of Database Name may be itimdb.

– DB2 Universal Database only: The Database Name or Alias field displays

how Tivoli Identity Manager connects to the database.

If the database is installed locally, the value represents the name of the

database.

If the database is installed remotely, the value represents the local alias name

of the remote database.

– Oracle only: The field label is: Database IP:Port:Name

– Microsoft SQLServer only: The field label is: Database IP:Port:Service Name

Figure 17. Database tab window

• In the Database User and the User Password fields, specify the database

account and password that Tivoli Identity Manager uses to log onto the

database. The default user ID is enrole, which is created by the Tivoli Identity

Manager database configuration program (DBConfig). The account must have a

valid user password.

• The database pool information determines the number of JDBC connections. For

more information on supported JDBC drivers, see “Configuring the DB2 JDBC

driver” on page 16.

– In the Initial Capacity field, specify the initial number of JDBC connections.

– In the Maximum Capacity field, specify the maximum number of JDBC

connections that the Tivoli Identity Manager Server can open to the database

at any one time.

– In the Login Delay Seconds field, specify the time, in seconds, between

connections.

Logging tab

Click the Logging tab.

The Logging tab of the system configuration tool enables you to set the level of

tracing. Choose one of these values:

MIN Writes less information to the log file. Use this setting for best

performance.

MED Writes an increased amount of information to the log file.

MAX Writes the maximum amount of information to the log file. The increased

amount of logging activity might affect performance. This is

approximately the equivalent of INFO or VERBOSE.

Mail tab

Click the Mail tab.

Figure 18. Logging tab window

The Mail tab of the system configuration tool displays mail notification and

gateway parameters:

• In the Identity Manager URL field, specify the login Universal Resource Locator

(URL) for the Tivoli Identity Manager Server that is first presented as a

hyperlink in e-mail to new Tivoli Identity Manager users.

The value is the URL of the proxy server (for example, the IBM HTTP Server).

Specify the host name (or IP address) and port in the base URL. Ensure that the

value matches the published login URL to your Tivoli Identity Manager system.

– Single-server configuration

The base URL is the address of the Web server (for example, the IBM HTTP

Server) which by default uses port 80. For more information, see Table 3 on

page 40.

– Cluster configuration

The base URL is the address of the Web server which load-balances to all

application server instances in the cluster (not the base URL of a specific

application server instance).

• In the Mail From field, specify the e-mail address of the Tivoli Identity Manager

system administrator for your site. All e-mail is sent from the address in

the Mail From parameter. You must change this address, or you will send spam

to the e-mail address listed.

• In the Mail Server Name field, specify the SMTP mail host that sends mail

notification. SMTP mail servers are supported. The SMTP host is the mail

gateway. For example, enter a host name such as swiftcreek.mycity.ibm.com.

UI tab

Click the UI tab.

Figure 19. Mail tab window

The UI tab of the system configuration tool displays information to customize the

Tivoli Identity Manager Server GUI.

• In the Customer Logo field, specify the file name of the logo graphic.

• In the Customer Logo Link field, specify an optional URL link activated by

clicking on the logo image. System administrators can specify these two

variables to replace the IBM logo with their company logo throughout the Tivoli

Identity Manager system. The default IBM logo file is the ibm_banner.gif file,

which is located in the

WAS_HOME/installedApps/cell_name/enRole.ear/app_web.war/images

directory.

• In the List Page Size field, specify how many items that require a search in the

directory are displayed on lists throughout the user interface. If the total number

of items exceeds the set List Page Size, the list is spread over multiple pages. For

example, the value controls the size of the names list that appears when you

browse the My Organization –> Manage People tab in the Tivoli Identity

Manager GUI.

Security tab

Click the Security tab. The Security tab of the system configuration tool displays

information to manage database, LDAP, and application server user IDs and

passwords that are stored in Tivoli Identity Manager properties files. The tab

displays the encryption settings and application server user management

preferences in the Tivoli Identity Manager Server.

Figure 20. UI tab window

By default, passwords in the Tivoli Identity Manager property files are not

encrypted.

• In the Encryption box, check the box to encrypt the passwords used for

database and LDAP connections and the password of the EJB user that is used

for EJB authentication. The encryption flags are set to true. Clear the box to

decrypt the passwords and set the flags to false. The flags are represented by the

following properties in the enRole.properties file:

enrole.password.database.encrypted

enrole.password.ldap.encrypted

enrole.password.appServer.encrypted

• In the System User and System User Password fields, specify the system user

and the system user password. The fields are prefilled if WebSphere global

security is on, and an administrator user ID and password have been entered.

The fields are blank if WebSphere global security is not on.

• In the EJB User and EJB User Password fields, specify the EJB user and the EJB

user password. The fields initially take the values of the System User and

Password fields. The length of the EJB user ID must be fewer than 12 characters.

If you define your own EJB user during installation to be different than the

System User, you might need to modify the EJB User and EJB User Password

fields. If you change the value of the EJB user ID or the EJB password on this

system configuration Security window, additional manual steps are required

after Tivoli Identity Manager installation to map the security role to the ITIM

user in order to start Tivoli Identity Manager. For more information, see

“Optionally configuring security after installing Tivoli Identity Manager.”
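Because passwords in the property files are not encrypted by default, it is worth confirming the state of the three flags after running runConfig. The following audit script is an added example, not part of the IBM documentation or product; the status labels, the function names and the extra file-permission check are assumptions of this example, and the sample input is constructed. Point `audit_itim_properties` at the enRole.properties file in the ITIM_HOME/data directory.

```python
import os
import stat
import tempfile

# The three encryption flags the Security tab writes to enRole.properties.
ENCRYPTION_FLAGS = (
    "enrole.password.database.encrypted",
    "enrole.password.ldap.encrypted",
    "enrole.password.appServer.encrypted",
)

# Constructed sample input, not a real enRole.properties file.
SAMPLE = "\n".join([
    "# constructed sample",
    "enrole.password.database.encrypted=true",
    "enrole.password.ldap.encrypted : false",
    "constructed.example.list=a,\\",
    "    b",
    "! enrole.password.appServer.encrypted is left out on purpose",
])


def split_pair(line):
    """Split one logical line at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":          # escaped character belongs to the key
            i += 2
            continue
        if ch in "=:" or ch.isspace():
            break
        i += 1
    key = line[:i]
    rest = line[i:].lstrip()
    if rest[:1] in ("=", ":"):  # at most one separator character is consumed
        rest = rest[1:].lstrip()
    return key, rest.rstrip()


def parse_properties(text):
    """Parse Java .properties text into a dict (last definition wins).

    Handles '#' and '!' comments, the three separator styles and backslash
    line continuations. Unicode escapes are not decoded.
    """
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes continues the line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        key, value = split_pair(logical)
        props[key] = value
        logical = ""
    if logical:
        key, value = split_pair(logical)
        props[key] = value
    return props


def audit_itim_properties(path):
    """Return (check, status) tuples for one enRole.properties file."""
    with open(path, encoding="latin-1") as fh:
        props = parse_properties(fh.read())
    findings = []
    for flag in ENCRYPTION_FLAGS:
        value = props.get(flag)
        if value is None:
            status = "MISSING"      # flag absent: encryption state unverified
        elif value.lower() == "true":
            status = "OK"
        else:
            status = "PLAINTEXT"    # flag false: password stored unencrypted
        findings.append((flag, status))
    # Added check (assumption of this example): the file holds credentials,
    # so it should not be readable by every local account.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings.append(
        ("file-mode", "WORLD-READABLE" if mode & stat.S_IROTH else "OK"))
    return findings


def write_sample(mode=0o644):
    """Write SAMPLE to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w", encoding="latin-1") as fh:
        fh.write(SAMPLE)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    sample_path = write_sample()
    try:
        for check, status in audit_itim_properties(sample_path):
            print(f"{status:14} {check}")
    finally:
        os.remove(sample_path)
```
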

Optionally configuring security after installing Tivoli Identity Manager

If you chose to enable global security on the WebSphere Application Server, map

the itimadmin administrative user to the ITIM_SYSTEM role to further limit access.

If you also enabled Java 2 security, verify that the was.policy file exists. Any time

that the System User or EJB User is modified outside of Tivoli Identity Manager,

run the runConfig command to update the Tivoli Identity Manager configuration.

Each of the following steps applies to both single and multi-node deployments.

Figure 21. Security tab window

Mapping an administrative user to a role

Map an administrative user to a Tivoli Identity Manager role with these steps:

1. On the WebSphere administrative console, click Applications –> Enterprise

Applications.

2. Click enRole.

3. In Additional Properties, scroll down and click Map security roles to

users/groups.

4. Select the check box for ITIM_SYSTEM.

5. Click Lookup users.

6. Click Search.

7. Select the EJB User (itimadmin) from the list.

8. Click OK.

9. To prevent unauthorized access, clear the Everyone? or All Authenticated?

check boxes.

10. Save the configuration changes.

Ensuring that the was.policy file exists

The Tivoli Identity Manager installation program automatically creates the

was.policy policy file with all the permissions that the Tivoli Identity Manager

application needs to run with Java 2 security enabled.

Enabling Java 2 security for the Tivoli Identity Manager application also causes

Java 2 security to be enforced on all applications that are running on the

WebSphere Application Server. If you enable Java 2 security for the Tivoli Identity

Manager application, you should also appropriately configure all other applications

running on the WebSphere Application Server to support Java 2 security.

Ensure that the was.policy file exists. If the file does not exist, create the file in the

following directory on the node:

WAS_HOME/config/cells/cellname/applications/enRole.ear/deployements/enrole/META-INF

The file contents are similar to these lines:

grant codeBase "file:${application}" {
  permission java.security.AllPermission;
};

Updating the system user and the EJB user

If you made changes to the System User or to the EJB User fields, you must

update Tivoli Identity Manager configurations with these new values. Complete

these steps:

1. Start the system configuration tool. To do so, enter the following command:

• Windows

ITIM_HOME\bin\runConfig

• UNIX

ITIM_HOME/bin/runConfig.sh

2. Select the Security tab.

3. Update the System User field and its password with the wasadmin user ID

that you created in the local OS registry.

4. Update the EJB User field and its password with the itimadmin user ID that

you created in the local operating system registry.

5. Click OK.

Running Java 2 security on single-node deployments

To run with security enabled in a single-node deployment, use the WebSphere

administrative console to restart Tivoli Identity Manager and log in when

prompted. Complete these steps:

1. Click Applications –> Enterprise Applications.

2. Select enRole. Then, click Start.

Running Java 2 security on multi-node deployments

To run the Java 2 security component after installing Tivoli Identity Manager on

multi-node deployments, synchronize the nodes in the cell, and ensure that the

timeout interval is large enough to prevent accidental timeouts.

Synchronizing the nodes in the cell

Synchronize the deployment manager configuration with the nodes in the cell.

Restart the Tivoli Identity Manager cluster. Restart Tivoli Identity Manager with

these steps:

1. Click Server –> Clusters.

2. Select the check box next to the cluster name.

3. Click Stop. Wait for the cluster to stop, and then click Start.

Increasing the timeout interval

Ensure that the token expiration value is large enough to prevent accidental

timeouts.

Security uses a Lightweight Third Party Authentication (LTPA) token that expires

after an interval of system inactivity. The default is 120 minutes, which might not

be large enough to use with Tivoli Identity Manager. On some systems, the actual

timeout interval might be shorter than the value that is specified. A timeout might

prevent you from logging on. When a timeout occurs, you must recycle the

deployment manager, the cluster, and all node agents.

Figure 22. Security tab window

Complete these steps:

1. Start the WebSphere administrative console.

2. Click Security –> Authentication Mechanisms –> LTPA –> Timeout.

3. Set the token expiration interval to a value that exceeds the longest anticipated

interval of system inactivity at your site.

Modifying system properties during normal operation

You configure the Tivoli Identity Manager Server by managing system properties.

For example, a system property determines how the server responds to the correct

completion of a challenge question. System properties can be modified at any time.

You may need to restart the Tivoli Identity Manager Server when changes are

made to certain system properties such as the server startup modules, which are

not recognized unless you restart the server. Restart the Tivoli Identity Manager

Server after modifying any property using the system configuration tool. Changes

to other system properties can be recognized within 30 seconds. Logging properties

can be changed without restarting the server and changes take effect within 30

seconds.

To modify system properties, use these choices:

• Use the system configuration tool, runConfig. For more information, see

“Modifying system properties with the system configuration tool.”

• Make changes manually. For more information, see “Modifying system

properties manually.”

• Use the Tivoli Identity Manager Server GUI. For more information, see

“Modifying system properties with the Tivoli Identity Manager GUI” on page

91.

Modifying system properties with the system configuration

tool

After installation, use the system configuration tool (runConfig) for the following

tasks:

• Changing the password of the enrole user.

• Specifying password encryption and updating Tivoli Identity Manager EJB user

IDs and passwords.

Modifying system properties manually

Alternatively, you can manually modify system properties by editing the

appropriate property file.

System and supplemental property files are located on the Tivoli Identity Manager

Server in the ITIM_HOME/data directory. These files contain all of the system and

supplemental properties used by the server. For more information about system

properties located in the enRole.properties file, refer to the IBM Tivoli Identity

Manager Information Center.

Modifying system properties with the Tivoli Identity Manager

GUI

You can also modify certain system properties from within the Configuration

section of the Main Menu Navigation Bar in the Tivoli Identity Manager Server

GUI.

From the Configuration tab, you can modify the following properties:

• Lost password question behavior

• Enable/disable password editing

• Password expiration period (number of days)

This property is only for the Tivoli Identity Manager Server account. The user

has to change the password before this period is reached. Whenever a new

password is set for the Tivoli Identity Manager Server account, the password

expiration period is measured from that time. You can make the password never

expire by setting this value to zero.

• Password retrieval expiration period (number of hours)

After the new account is created, the user receives an e-mail with the URL link

that provides the password. The user has to get the password before this

password retrieval period expires.

• Maximum number of invalid logon attempts

Sets the maximum number of invalid logon attempts. If exceeded, the account is

suspended. The default setting is "0" (unlimited logon attempts).

Chapter 8. Troubleshooting and verifying the installation

This section describes how to correct problems with the Tivoli Identity Manager

installation and then to verify that the Tivoli Identity Manager Server and its

prerequisite processes are running correctly.

You can test whether the database, the directory server, and other programs that

the Tivoli Identity Manager Server uses are correctly configured and also in full

communication with each other. To determine supported prerequisite products,

release levels, and fix pack specifications, refer to the IBM Tivoli Identity Manager

Release Notes, which takes precedence over this document.

Correcting problems starting the installation

If you cannot start the Tivoli Identity Manager installation program, check these

requirements:

• Is there enough real memory available to run the installation program? For more

information, refer to the IBM Tivoli Identity Manager Release Notes.

• Are the correct operating system levels, patches, and space requirements

provided for the hardware and software prerequisites? For more information,

refer to the IBM Tivoli Identity Manager Release Notes.

• Does the installation program have the correct file permissions to run?

• If the installation is on a UNIX system, do you have the correct permissions and

display variables set?

A common mistake is to log into the desktop, omit enabling the X Server and

setting the DISPLAY environment variable, and then telnet to a remote host on

which you intend to install the Tivoli Identity Manager Server. To correct this

problem, complete these tasks:

1. Run this command at the command shell of your desktop to enable the X

Server:

xhost +

2. After you telnet to the remote host, run this command to set the DISPLAY

environment variable:

export DISPLAY=hostname:0.0

The value of hostname is the host name or IP address of your local desktop

computer.

• If you use a terminal session such as a vnc session or a session started with a similar

product, the Tivoli Identity Manager installation process fails to complete. Error

messages may indicate that the jmsserver process stopped. A subsequent attempt

to install may produce an error message indicating a problem with the enrole.ear

file.

To correct this, install Tivoli Identity Manager directly on the operating system

of the target computer. Do not use a vnc session or a session provided by similar

products to install Tivoli Identity Manager.

Verifying the installation

This section describes verifying whether the database, the directory server, and

other programs that the Tivoli Identity Manager Server uses are correctly

configured and also in full communication with the Tivoli Identity Manager Server.

Testing the database connection

Before starting the Tivoli Identity Manager Server, use the WebSphere

administrative console to test the database connection. Complete these steps:

1. Start the WebSphere administrative console.

http://hostname:9090/admin

The value of hostname is the fully qualified host name of the computer on

which you installed the WebSphere Application Server or the deployment

manager.

2. On any configuration, click Resources –> JDBC Providers.

On a cluster configuration, additionally select the target node.

3. Select the scope as server, select a target server such as server1, and then click

Apply.

4. Scroll down to the list of JDBC providers, and click ITIM db_type JDBC

Provider. The value of the db_type parameter specifies DB2 UDB, Oracle, or

Microsoft SQL Server 2000.

5. Scroll the JDBC Provider window that appears to view the Additional

Properties. Click Data Sources.

6. Select ITIM Data Source.

7. In the Data Sources window, click Test Connection. A message appears that

indicates the test result.

If the connection does not work, complete these steps:

1. If DB2 Universal Database is used, ensure that you execute the DB2 command

db2profile on a UNIX or Linux system to set up the environment before you

start the following processes:

• WebSphere Application Server base product running on a Tivoli Identity

Manager single server

• WebSphere node agent running on a Tivoli Identity Manager cluster

2. If the Oracle database is used, ensure that both the Oracle database product

and the listener service are started. For more information, see “Starting the

Oracle product and the listener service” on page 23.

3. The CLASSPATH definition of the JDBC provider is set up during Tivoli

Identity Manager installation. Verify that the CLASSPATH value is correct.

Complete these steps:

a. Click Resources –> JDBC Providers –> ITIM DB2 JDBC Provider (XA).

b. Examine the properties to verify that the CLASSPATH value is correct. For

example, its value should be similar to the following path:

$ITIM_DB_JDBC_DRIVER_PATH/db2java.zip

To determine the value of $ITIM_DB_JDBC_DRIVER_PATH, click

Environment –> Manage WebSphere Variables. Select the node scope and

click Apply. Scroll the list to locate the variable.

4. Verify that the DB2 user ID and password are correct. Complete these steps:

a. Click Resources –> JDBC Providers –> ITIM DB2 JDBC Provider (XA) –>

Data Sources.

b. Examine these fields to verify the correct values:

• Component-managed Authentication Alias

The value should be itim-init.

• Container-managed Authentication Alias

The value should be itim-init.


c. In the J2C Authentication Data Entries for Related Items, examine the Alias

list to ensure that an itim-init entry exists.

1) Click itim-init.

2) Verify that the value of the user ID field is enrole. Do not change this

value.

3) Note the password field. If you use this field to reset the password,

ensure that the password value that you enter is identical to the value

defined in the ITIM_HOME/data/enRoleDatabase.properties file.

5. Ensure that other database settings are correct, such as specifying the TCP/IP

protocol, the local database alias, and cataloging the local database alias. For

more information, see Chapter 2, “Installing and configuring a database,” on

page 11.

Ensuring that the directory server is running

This section describes the steps to ensure that the installed directory server for

Tivoli Identity Manager is running.

IBM Tivoli Directory Server

To determine whether the IBM Tivoli Directory Server is running, complete these

steps:

• On Windows systems, click Start –> Administrative Tools –> Services. Scroll the

list of services to the directory server entry such as IBM Tivoli Directory Server.

Ensure that the directory server service is started.

• On UNIX systems, ensure that the ibmslapd process is running. Enter this

command:

ps -ef|grep ibmslapd

The ps (process) command searches for processes. The grep command selects the

processes that contain a string. The parameters in this example include:

-e Select all processes.

-f Display a full listing.

If the IBM Tivoli Directory Server is running, a process ID (PID) number is

returned. If a PID number is not returned, stop and start the server. For more

information, see Chapter 3, “Installing and configuring a directory server,” on

page 25.

• If the IBM Tivoli Directory Server is running, you must ensure that the IBM

Tivoli Directory Server is not in configuration mode. Enter this command:

ldapsearch -s base -b " " objectclass=* ibm-slapdisconfigurationmode

If the IBM Tivoli Directory Server is not in configuration mode, the value of the

ibm-slapdisconfigurationmode parameter is FALSE. The ldapsearch command

opens a connection to an LDAP server, binds, and performs a search. The -s

parameter specifies the scope of the search to be base, one, or sub, which

searches a base object, one level, or subtree. The -b parameter uses searchbase as

the starting point for the search, instead of the default.

If problems continue, examine the ibmslapd.log file for messages that indicate

whether the directory server is completely or partially started. The location of the

log file depends on the IBM Tivoli Directory Server version:

• UNIX:

– Version 5.2: LDAP_HOME/var/ibmslapd.log. On AIX, for example, the file is

in the usr/IBM/LDAP/var directory.


– Version 6.0: IDS_instance_HOME/etc/ibmslapd.log. On AIX, for example, the

file is in the usr/idsslapd-ldapdb2/etc directory.

• Windows:

– Version 5.2: LDAP_HOME\var\ibmslapd.log. For example, the file is in the

C:\IBM\LDAP\var directory.

– Version 6.0: IDS_instance_HOME\logs\ibmslapd.log. For example, the file is

in the C:\idsslapd-ldapdb2\logs directory.

Sun ONE Directory Server

Determine whether the Sun ONE Directory Server process is running. On the

computer on which the directory server is installed, enter this command:

ps -ef|grep slapd

If Sun ONE Directory Server is running, a process ID (PID) number is returned. If

a PID number is not returned, start and stop the server. For more information on

start and stop procedures, refer to this Web site:

http://www.sun.com/software/products/directory_srvr_ee/index.html

All requests are locked in running state

If all requests in the system seem to be stuck in the running state, the connection

between the Tivoli Identity Manager Server and the directory server might have

been lost or become corrupt. Check the server log such as

Tivoli_Common_Directory/msg.log and look for any errors. In particular, look for the

SERVER_NOT_AVAILABLE error.

Stop and start the directory server, and then stop and start the Tivoli Identity

Manager Server.

Ensuring that the HTTP server is running

The HTTP server receives Tivoli Identity Manager requests and routes them to a

Tivoli Identity Manager Server in either a single-server or cluster environment. You

must determine that the HTTP server is running and also that the default virtual

host of the WebSphere Application Server has the correct host alias, which is a

combination of the host name and port number that are defined as a pair.

For test purposes only, you can use the HTTP transport that is embedded in the

WebSphere Application Server as the Web server. In production, use an HTTP

server such as the IBM HTTP Server. The HTTP server may be on the same

computer as the Tivoli Identity Manager Server or on another computer. For more

information, see “Moving the HTTP server out of the cell for additional security”

on page 45.

Using the embedded HTTP transport, for test purposes only

In a single-server configuration, for test purposes only, you can use the HTTP

transport that is embedded in the WebSphere Application Server to log on to Tivoli

Identity Manager. Ensure that you can log on to Tivoli Identity Manager using the

embedded HTTP transport first, before attempting to log on using the

production-level HTTP server, such as the IBM HTTP Server.

To log on to Tivoli Identity Manager using the embedded HTTP transport, enter

this command:

http://WebSphere_hostname:transport_portnumber/enrole


The default port number for the HTTP transport port 1 is 9080. If you have

multiple instances of the WebSphere Application Server on the same computer, the

port number may be a different value, such as 9081.

Determining that the HTTP server is running

In a production environment, complete these steps to determine that the

production-level HTTP server, such as the IBM HTTP Server, is running:

1. To ensure that the server process is running, complete these steps:

• Windows

On Windows systems, click Start –> Administrative Tools –> Services. Scroll

the list of services to the HTTP server entry.

• UNIX

Enter this command:

ps -ef|grep http|grep

You should observe that HTTP processes are running.

2. If you do not see a message indicating that IBM HTTP Server is running, start

the server. Enter the following command on the computer on which the HTTP

server resides:

• Windows

net start "IBM HTTP Server version"

• UNIX

HTTP_HOME/bin/apachectl start

3. Ensure that the IBM HTTP Server is started by entering this Web address on a

browser:

http://http_server_hostname

The value of http_server_hostname is the host name on which the IBM HTTP

Server resides. If you cannot access the home page of the IBM HTTP Server, the

IBM HTTP Server is either not started, or is not listening on port 80.

4. If you cannot display the home page of the HTTP server after starting the IBM

HTTP Server, examine the status of the server on port 80. Enter the following

command on the computer on which the HTTP server resides:

• Windows

netstat -a | find "80"

• UNIX

netstat -a | grep 80

The -a option displays all connections and listening ports.

If port 80 is not in a listening state, examine the HTTP_HOME/conf/httpd.conf

file for either the port 80 or the listen 80 statement:

If you see a statement such as port 81 or listen 81, change the port value in

the statement to 80. Restart the WebSphere Application Server and then restart

the IBM HTTP Server. Determine whether port 80 is now in a listening state.

If port 80 is in use by another Web server, stop that server and start the IBM

HTTP Server.

Ensuring that WebSphere embedded messaging is running

The JMS server runs either as the embedded Java Virtual Machine (JVM) in the

WebSphere Application Server base product or as its own dedicated JVM

(jmsserver) that is created as part of adding a node to a cell. In either case, Tivoli

Identity Manager uses the queue-based messaging system which is running as

native WebSphere MQ processes.


Ensuring that the JMS server is running in a single-server

configuration

The WebSphere MQ queue manager should be running when the JMS server is

running. To determine whether the queue manager is running, enter this

command:

dspmq

The dspmq command displays the status of the queue manager. For example:

QMNAME(WAS_nodename_servername) STATUS(Running)

The value of nodename is the WebSphere Application Server node name defined

during WebSphere Application Server installation. The servername parameter is

usually a value such as server1.

If the queue manager is not running, enter this command to start the processes:

strmqm WAS_nodename_servername

The value of nodename is the WebSphere Application Server node name defined

during WebSphere Application Server installation. The servername parameter is

usually a value such as server1.
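The directory server process check and the queue manager check described in this chapter can be scripted. The following is an added example, not part of the IBM guide: it reads ps -ef and dspmq output on standard input, matches a process by the exact name of its executable so that the grep ibmslapd command itself is never counted, and extracts the STATUS value for one queue manager. The function names, the node name node1, the PIDs and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted versions of the manual "ps -ef|grep" and dspmq checks.

# pids_of NAME
# Reads `ps -ef` output on stdin and prints the PID of every process whose
# executable basename is exactly NAME. A plain "ps -ef|grep NAME" also lists
# the grep command itself, so it can show a PID while the server is down.
pids_of() {
    awk -v name="$1" '
        $2 !~ /^[0-9]+$/ { next }                  # skip header and blank lines
        {
            # STIME is one field ("10:21:33", "Jun05") or two ("Jun 05"),
            # so CMD is field 8 when field 7 is the TIME column, else field 9.
            i = ($7 ~ /^([0-9]+-)?[0-9]+:[0-9]+(:[0-9]+)?$/) ? 8 : 9
            n = split($i, parts, "/")
            if (parts[n] == name) print $2
        }'
}

# qmgr_status QMNAME
# Reads `dspmq` output on stdin and prints the STATUS value for QMNAME,
# or nothing when that queue manager is not listed.
qmgr_status() {
    awk -v qm="QMNAME($1)" '
        index($0, qm) == 1 {                       # literal match, no regex
            s = $0
            sub(/^.*STATUS\(/, "", s)
            sub(/\)[ \t\r]*$/, "", s)
            print s
        }'
}

# jms_ready NODENAME SERVERNAME
# Returns 0 only when queue manager WAS_nodename_servername is Running.
jms_ready() {
    [ "$(qmgr_status "WAS_${1}_${2}")" = "Running" ]
}

# Constructed sample output (not captured from a real system).
SAMPLE_PS_DOWN='     UID   PID  PPID  C    STIME    TTY  TIME CMD
    root  4321  4000  0 10:22:01  pts/0  0:00 grep ibmslapd'
SAMPLE_PS_UP='     UID   PID  PPID  C    STIME    TTY  TIME CMD
 idsldap  2210     1  0   Jun 05      -  0:12 /constructed/sbin/ibmslapd
    root  4321  4000  0 10:22:01  pts/0  0:00 grep ibmslapd'
SAMPLE_DSPMQ='QMNAME(WAS_node1_server1)                 STATUS(Running)
QMNAME(WAS_node1_server2)                 STATUS(Ended normally)'

echo "ibmslapd PIDs (server up):   $(printf '%s\n' "$SAMPLE_PS_UP" | pids_of ibmslapd)"
echo "ibmslapd PIDs (server down): $(printf '%s\n' "$SAMPLE_PS_DOWN" | pids_of ibmslapd)"
echo "server2 queue manager:       $(printf '%s\n' "$SAMPLE_DSPMQ" | qmgr_status WAS_node1_server2)"
```

On a live system, pipe the real commands in, for example: ps -ef | pids_of ibmslapd and dspmq | jms_ready nodename servername.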

Determining if the JMS server is running on a cluster node

To determine whether the JMS server is running on a cluster node, complete these

steps:

1. On the WebSphere administrative console, click Servers –> JMS Servers.

2. Select the target JMS server and examine the status column for the server.

If WebSphere embedded messaging is not running, complete these steps:

1. Select the target JMS server.

2. Click Start.

Ensuring that the WebSphere Application Server is running

In a single server configuration, the WebSphere Application Server, such as server1,

should be running. This is the WebSphere Application Server on which the Tivoli

Identity Manager application is deployed. In a cluster, both the deployment

manager and the node agents should be running.

To determine whether the WebSphere Application Server is running, enter this

command:

• Windows

path\bin\serverStatus.bat -all

• UNIX

path/bin/serverStatus.sh -all

The value of path is WAS_HOME for a single-server configuration or a cluster

member. The value of path is WAS_NDM_HOME for the deployment manager. In a

cluster configuration, you must check both the deployment manager and each

cluster member.

These processes should be running:

• For the WebSphere Application Server base product, a server such as server1,

should be running. This is the WebSphere Application Server on which the

Tivoli Identity Manager application is deployed.


• Cluster member: The node agent should be running before you install the Tivoli

Identity Manager Server. After you install the Tivoli Identity Manager Server, the

node agent, the JMS server, and the cluster member node should be running.

• Deployment manager: The dmgr process should be running.

If you do not find the process running, complete these steps to start the server:

• Single-server configuration

– Windows

WAS_HOME\bin\startServer.bat servername

For example, the value of servername is server1.

– UNIX

WAS_HOME/bin/startServer.sh servername

• Cluster configuration

– Deployment manager and node agent, see “Verifying that the deployment

manager, node agents, and JMS servers are running” on page 38.

– Cluster member, see “Starting a cluster” on page 72.

Additionally, examine the following log files in the logs directory for entries that

indicate the startup status of server1. For example, examine the log files in the

WAS_HOME/logs/servername directory.

For example, the value of servername is server1.

Checking the Web browser operation

This section describes potential problems associated with the Web browser.

Ensuring that the browser registers the Java Plug-in

Tivoli Identity Manager workflow, policy, or form designer uses applets that

require the Java plug-in, provided by the Java 2 Runtime Environment, Standard

Edition (JRE). The Java plug-in provides a connection between browsers and the

Java platform, and enables applets to run within a browser. For more information

on the version of the Java plug-in that Tivoli Identity Manager supports, refer to

the IBM Tivoli Identity Manager Release Notes.

If the Java plug-in is not installed on your system, or is not at a supported level,

the browser prompts you to install the plug-in. For more information on these

steps, refer to the IBM Tivoli Identity Manager Information Center.

Microsoft Internet Explorer: Enabling active scripting

For Microsoft Internet Explorer, ensure that the Active Scripting item is enabled in

the Scripting section of the browser. Complete these steps:

1. Click Tools –> Internet Options on the main menu.

2. On the Security tab, click the Internet icon and click the Custom Level button.

3. Click the Scripting –> Active Scripting list items and click Enable.

Using a supported browser

You may not be able to log on to Tivoli Identity Manager for a variety of reasons.

For example, you might be using an unsupported Web browser. For a list of

supported browsers, refer to the IBM Tivoli Identity Manager Release Notes.

Selecting a language default for a Web browser

If you log on using the single sign-on capability and need to select a language,

append /language to the Web site address. For example, enter:


https://mysite.myco.com/enrole/language

Avoiding two Web browser sessions on the same computer

Do not start two separate browser sessions from the same client computer. The two

sessions are regarded as one session ID, resulting in problems with data.

Troubleshooting the Tivoli Identity Manager startup

To verify that the Tivoli Identity Manager Server is running, complete these steps:

1. On the WebSphere administrative console, click Applications –> Enterprise

Applications –> enRole.

2. If the Tivoli Identity Manager Server is not running, select the application and

click Start.

If the Tivoli Identity Manager Server does not start, examine the following log

files:

• WAS_HOME/logs/servername/SystemOut.log

The value of servername is usually server1.

• Tivoli_Common_Directory/logs/trace.log

In this directory, also examine the msg.log file. Installing Tivoli Identity Manager

Server defines the value of Tivoli_Common_Directory.

Verifying a logon using the embedded HTTP transport in a

single-server configuration

To verify that you can log on to Tivoli Identity Manager using the WebSphere

embedded HTTP transport in a single-server configuration, enter this command:

http://hostname:9080/enrole

The value of hostname is the fully qualified name or IP address of the computer on

which the Tivoli Identity Manager Server is running. The port number default is

9080. If you have multiple instances of the WebSphere Application Server on the

same computer, the port number may be a different value, such as 9081.

The browser displays the Tivoli Identity Manager logon window. Enter the Tivoli

Identity Manager Server administrator user ID ("itim manager") and password

(immediately after installation, the value is "secret").

Verifying a logon using the HTTP server

To log on to Tivoli Identity Manager using the HTTP server, enter this command:

http://http_server_hostname/enrole

If you cannot log on, complete these steps:

• Determine whether the correct HTTP server is running.

Multiple levels of HTTP servers can co-exist on the same computer. Ensure that

the HTTP server is running that is associated with the WebSphere Application

Server in a single-server configuration, or with the deployment manager in a

cluster configuration. For more information, see Chapter 4, “Installing and

configuring WebSphere Application Server,” on page 33.

• If the IBM HTTP Server is already started, but you cannot access the Tivoli

Identity Manager logon window, complete these steps:

– Examine the IBM HTTP Server error.log and access.log files to ensure that the

Tivoli Identity Manager logon request was received. If the request was

received, ensure that the WebSphere Web Server plug-in is installed on the

Web server computer. Also ensure that the WebSphere Web Server plug-in


library and the WebSphere plugin-cfg.xml file are referenced correctly in the

HTTP_HOME/conf/httpd.conf file. The file should contain the following

statements:

# WebSphere plugin settings

LoadModule ibm_app_server_http_module full_path/mod_ibm_app_server_http.*

WebSpherePluginConfig full_path/plugin-cfg.xml

This example assumes that the IBM HTTP Server and the WebSphere

Application Server are on the same computer. For example, this statement on

one line specifies a WebSphere Web Server plug-in for a Windows

environment in a clustered configuration:

LoadModule ibm_app_server_http_module "C:\Program Files\WebSphere\AppServer/bin/mod_ibm_app_server_http.dll"

Additionally, this statement on one line specifies the plugin-cfg.xml file:

WebSpherePluginConfig "C:\Program Files\WebSphere\AppServer/config/cells/plugin-cfg.xml"

On the deployment manager, this statement on one line specifies the

plugin-cfg.xml file:

WebSpherePluginConfig "C:\Program Files\WebSphere\DeploymentManager/config/cells/plugin-cfg.xml"

– Examine the error.log and access.log log files in the HTTP_HOME/logs

directory for additional information.
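The two httpd.conf checks in this chapter, the port 80 statement and the WebSphere plug-in statements, can be scripted for a UNIX host. The following is an added example, not IBM code: it reports the active Port and Listen values and confirms that the files named by the LoadModule ibm_app_server_http_module and WebSpherePluginConfig statements exist. The function names and the sample configuration (port 81, a stale plugin-cfg.xml path, the other_module line) are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks an IBM HTTP Server httpd.conf for the statements that
# the guide says to examine. Relative paths in the file are resolved against
# the current directory, so run it from the HTTP server root if they are used.

# directive_arg FILE DIRECTIVE [FIRST_ARG]
# Prints the unquoted argument of the last active DIRECTIVE statement. With
# FIRST_ARG, only statements whose first argument equals it are considered and
# the text after that argument is printed (LoadModule NAME PATH).
directive_arg() {
    awk -v want="$2" -v first="${3:-}" '
        /^[ \t]*#/ { next }                              # commented out
        tolower($1) == tolower(want) && NF >= (first == "" ? 2 : 3) &&
        (first == "" || $2 == first) {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)         # drop directive name
            if (first != "") sub(/^[^ \t]+[ \t]+/, "", val)
            sub(/[ \t\r]+$/, "", val)
            sub(/^"/, "", val); sub(/"$/, "", val)       # paths may be quoted
            found = val
        }
        END { if (found != "") print found }' "$1"
}

# configured_ports FILE
# Prints the port of every active Port or Listen statement, space separated.
configured_ports() {
    awk '
        /^[ \t]*#/ { next }
        (tolower($1) == "port" || tolower($1) == "listen") && NF >= 2 {
            p = $2
            sub(/\r$/, "", p)
            sub(/^.*:/, "", p)                           # Listen address:port
            printf "%s ", p
        }' "$1"
}

# check_httpd_conf FILE
# Prints one finding per line; returns 0 only when every check passes.
check_httpd_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    ports=$(configured_ports "$conf")
    case " $ports" in
        *" 80 "*) echo "OK   port 80 is configured" ;;
        *) echo "FAIL no Port or Listen statement for port 80 (found: ${ports:-none})"; rc=1 ;;
    esac
    module=$(directive_arg "$conf" LoadModule ibm_app_server_http_module)
    plugin=$(directive_arg "$conf" WebSpherePluginConfig)
    for pair in "LoadModule ibm_app_server_http_module|$module" \
                "WebSpherePluginConfig|$plugin"; do
        name=${pair%%|*}; target=${pair#*|}
        if [ -z "$target" ]; then
            echo "FAIL $name statement is missing"; rc=1
        elif [ ! -f "$target" ]; then
            echo "FAIL $name points to a missing file: $target"; rc=1
        else
            echo "OK   $name -> $target"
        fi
    done
    return $rc
}

# write_sample DIR: writes a constructed httpd.conf that was left on port 81
# and whose plugin-cfg.xml path does not exist; prints the file name.
write_sample() {
    d=$1
    : > "$d/mod_ibm_app_server_http.so"
    cat > "$d/httpd.conf" <<EOF
# Listen 80
Listen 81
# WebSphere plugin settings
LoadModule ibm_app_server_http_module "$d/mod_ibm_app_server_http.so"
LoadModule other_module modules/mod_other.so
WebSpherePluginConfig "$d/cells/plugin-cfg.xml"
EOF
    echo "$d/httpd.conf"
}

if [ $# -ge 1 ]; then
    check_httpd_conf "$1"
else
    tmp=$(mktemp -d)
    check_httpd_conf "$(write_sample "$tmp")" || echo "sample config needs fixing (expected)"
    rm -rf "$tmp"
fi
```

Pass the real file as the only argument, for example HTTP_HOME/conf/httpd.conf; with no argument the script checks its own constructed sample.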

Verifying the host alias definition on the WebSphere default host

If the IBM HTTP Server is already started and the settings in the

HTTP_HOME/conf/httpd.conf file are correct, but you still cannot access the Tivoli

Identity Manager logon window, complete these steps:

• Ensure that the mapping of port 80 is specified for the WebSphere default virtual

host.

The Tivoli Identity Manager Server is associated with the WebSphere default

virtual host, which defines host aliases that are pairs of host names and port

numbers.

Only the requests from those host aliases are processed by the servlets and JSPs

of the Tivoli Identity Manager Server. The Tivoli Identity Manager requests are

associated to the default HTTP port 80.

To ensure that port 80 is defined on the host alias of the WebSphere default

virtual host, complete these steps:

1. Using the WebSphere administrative console, click Environment –> Virtual

Hosts –> Default Host –> Host Aliases.

2. Ensure that a value of *:80 is one of the host aliases.

3. If you find a value of *:81 as the host alias, change the value to *:80.

4. Save the configuration. In a cluster configuration, propagate the change by

selecting Synch Changes with Nodes.

5. Click Update Web Server Plugin, and then click OK.

6. Restart the WebSphere environment:

– Single server: Restart the WebSphere Application Server.

– Cluster: Restart the Tivoli Identity Manager cluster.

• If you still cannot log on, examine the Tivoli Identity Manager log and trace files

in the Tivoli Common Directory. For more information on this directory’s

location, see “Definitions for HOME and other directory variables” on page xii.

Contact IBM Support for the problem that you locate in the log or trace files.


Solving additional logon problems

Complete these steps if you encounter additional logon problems:

• Examine the WAS_HOME/logs/itim_server_hostname/SystemOut.log file to

determine whether the request was sent to the WebSphere Application Server. If

the SystemOut.log file contains a DBLink exception and DB2 Universal Database

is the database, ensure that you sourced the DB2 profile.

• If continued attempts fail to log on to Tivoli Identity Manager, determine

whether the SystemOut.log file contains errors about referencing Tivoli Identity

Manager properties files.

Ensure that the ITIM_HOME/data directory contains the properties files.

Additionally, ensure that the WebSphere Application Server also references the

ITIM_HOME/data directory. Complete these steps.

1. On the WebSphere administrative console, click Servers –> Application

Servers.

2. Select a server such as server1 and search for the Process Definition entry.

3. In the Process Definition, select Java Virtual Machine.

4. Ensure that the Classpath field specifies the ITIM_HOME/data directory.

• If the HTTP_HOME/logs/activity.log file indicates that no Tivoli Identity

Manager logon requests arrived, and you have tried the previous steps, reboot

the operating system. Attempt to log on again.

Logs and directories

When the system configuration is complete, note the following log locations:

Table 7. Install log file names and directories

File names: dbConfig.stdout, ldapConfig.stdout, itim_installer_debug.txt, runConfig.stdout (on cluster member), runConfigTmp.stdout (on single server and deployment manager), setupEnrole.stdout, StartStopWas.stdout (on single server)
Directory: ITIM_HOME/install_logs

File names: itim_install.stdout, itim_install.stderr
Directory: system root

File names: Tivoli_Identity_Manager_InstallLog.log
Directory: If installation completes successfully, the log file is in the ITIM_HOME directory. If installation fails, the log file is in the following location:
• Windows: On the desktop
• UNIX: System root

File names: SystemOut.log, SystemErr.log
Directory:
• Single-server: WAS_HOME/logs/servername/
• Cluster member: WAS_HOME/logs/servername/
• Network deployment manager: NDM_WAS_HOME/logs/dmgrname/
For more information on WebSphere Application Server log files, refer to the WebSphere Application Server documentation.

File names: trace.log, msg.log
Directory: Tivoli_Common_Directory/logs/
The Tivoli Common Directory is the central location for all serviceability-related files, such as logs and first-failure capture data.

For more information on using IBM Logging Toolkit for Java (JLog) for logging

and alerting, refer to the IBM Tivoli Identity Manager Problem Determination Guide.

For recommendations on avoiding log file and disk space problems, refer to the

IBM Tivoli Identity Manager Performance Tuning Guide technical supplement.

Standard Tivoli Identity Manager logging properties are located in the

enRoleLogging.properties file. For more information, refer to the IBM Tivoli Identity

Manager Information Center.


Chapter 9. Uninstalling the Tivoli Identity Manager Server

Uninstalling Tivoli Identity Manager uses the Tivoli Identity Manager installation

program to perform the following tasks:

• Removes all files in the ITIM_HOME directory that the Tivoli Identity Manager

installation program created, including certificates in the ITIM_HOME/cert

directory.

• Clears all configuration settings that were created for the Tivoli Identity

Manager Server on the WebSphere Application Server.

• Removes the Tivoli Identity Manager Server that was deployed on these

computers:

– Single server configuration: Computer that has the WebSphere Application

Server.

– Cluster configuration: Computer that has the deployment manager.

In a cluster configuration, uninstalling the Tivoli Identity Manager Server

from the deployment manager removes the availability of the Tivoli Identity

Manager Server to the cluster. The deployed Tivoli Identity Manager

application files are automatically removed from Tivoli Identity Manager

cluster members.

What is not removed

Uninstalling the Tivoli Identity Manager Server does not modify existing database

tables or the directory server schema. The Tivoli Identity Manager log files are not

removed.

For more information on manually removing the database tables, directory server

schema, and log files, see “Manually removing components” on page 106.

Before you begin

Before you uninstall the Tivoli Identity Manager Server, complete these tasks:

• Single server configuration

– Back up any certificates in the ITIM_HOME/cert directory.

– Ensure that the WebSphere Application Server is running.

• Cluster configuration

– Back up any certificates in the ITIM_HOME/cert directory.

– If you are uninstalling the Tivoli Identity Manager Server from a cluster

configuration, ensure that the node agents are running and that the

deployment manager is also running.

Steps to uninstall the Tivoli Identity Manager Server

To uninstall the Tivoli Identity Manager Server, complete these steps:

1. Uninstall the Tivoli Identity Manager Server using this command:

ITIM_HOME/itimUninstallerData/Uninstall_ITIM

• Single server configuration

Run the command on the computer on which the Tivoli Identity Manager Server

is installed.


• Cluster configuration

Run the command on each cluster member first, and then run the command

on the computer on which the deployment manager is installed.

2. Complete the uninstallation wizard panels and confirm that you want to

uninstall the Tivoli Identity Manager Server.

Verifying that the Tivoli Identity Manager Server is uninstalled

To verify that the Tivoli Identity Manager Server has been uninstalled and

removed as an application from the WebSphere Application Server, complete these

steps:

1. Examine the ITIM_HOME directory and remove any residual Tivoli Identity

Manager directories, configuration files, and log files.

2. Launch the WebSphere administrative console and log in.

3. From the navigation tree, navigate to the target node, and click the Enterprise

Applications link.

A list is displayed of the enterprise applications that are installed on the

application server.

If you see an application named enRole listed, the uninstallation process was

unable to automatically remove the Tivoli Identity Manager Server from the

WebSphere Application Server. You can remove the application manually. For

more information, see “Manually removing the Tivoli Identity Manager Server

from the WebSphere Application Server.”

Manually removing components

This section describes manually removing components that are not removed by the

uninstallation process.

Manually removing the Tivoli Identity Manager Server from the

WebSphere Application Server

To uninstall the Tivoli Identity Manager Server in a single server or a cluster

configuration, complete these tasks:

1. On the WebSphere administrative console, take these steps:

a. Select the enRole application.

b. Click Stop.

c. When the enRole application stops, select the enRole application again.

d. Click Uninstall.

2. Manually ensure that the enRole.ear directory is completely removed. Take

these steps:

a. Open the applications directory:

• Single server and each cluster member

WAS_HOME/AppServer/config/cells/cellname/applications

• Deployment manager

WAS_NDM_HOME/AppServer/config/cells/cellname/applications

b. If the enRole.ear directory exists, remove the directory.

Manually removing other files or directories

Examine the ITIM_HOME directory and remove any residual Tivoli Identity

Manager directories, configuration files, and log files.


Ensuring that Tivoli Identity Manager objects are removed

from the Sun ONE Directory Server

Before you re-install Tivoli Identity Manager, ensure that any previous Tivoli

Identity Manager schema objects, object classes, and other attributes are removed

from the Sun ONE Directory Server. Complete these tasks:

1. Start the Sun ONE Directory Server administration console.

2. On the Configuration tab, remove the Tivoli Identity Manager suffix.

3. On the Directory tab, complete these tasks:

a. Remove the Tivoli Identity Manager domain.

b. Click Config –> Plugins. Then, open the properties for the referential integrity postoperation entry and delete all attributes that begin with the characters er.

4. Stop the directory server.

5. Open the ldapServerInstance/config/schema/99user.ldif file. Then, remove all Tivoli Identity Manager object classes and attribute types that begin with the characters er.

6. Start the directory server.
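The search for er-prefixed definitions in step 5, as an added example that is not part of the IBM guide: a read-only audit that lists the 99user.ldif schema definitions to review before removal. It handles folded lines, multi-name NAME fields and base64 values, which a line-by-line text search misses. The sample content, OIDs and names are constructed, and matching is by prefix only, so a site-defined name such as the constructed errorContact is also reported and needs a manual decision.

```python
import base64
import re


def _b64(text):
    """Encode a constructed sample value the way LDIF stores 'attr:: value'."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample standing in for ldapServerInstance/config/schema/99user.ldif.
# Every OID and schema name below is invented for illustration.
SAMPLE_LDIF = "\n".join([
    "dn: cn=schema",
    "objectClass: top",
    "# site attribute that must survive the cleanup",
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'badgeNumber'",
    "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )",
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME",
    "  'erSampleUid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME ( 'erSampleAlias' 'sampleAlias' )",
    "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "objectClasses:: " + _b64("( 1.3.6.1.4.1.99999.2.1 NAME 'erSampleAccount' SUP top STRUCTURAL )"),
    "objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'errorContact' SUP top AUXILIARY )",
    "objectClasses: ( 1.3.6.1.4.1.99999.2.3 NAME 'sitePerson' SUP top STRUCTURAL )",
    "",
])

SCHEMA_LINE = re.compile(r"^(attributeTypes|objectClasses)(::?)\s*(.*)$", re.IGNORECASE)
NAME_FIELD = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")
OID_FIELD = re.compile(r"^\(\s*(\S+)")


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous
    line), then drop blank lines and comments."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return [line for line in logical if line and not line.startswith("#")]


def residual_definitions(ldif_text, prefix="er"):
    """Return (kind, oid, name) for each schema definition whose name starts
    with the prefix. Schema names are case-insensitive, so the match is too."""
    findings = []
    for line in unfold(ldif_text):
        match = SCHEMA_LINE.match(line)
        if not match:
            continue
        kind, separator, value = match.groups()
        if separator == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        kind = "attributeTypes" if kind.lower() == "attributetypes" else "objectClasses"
        name_match = NAME_FIELD.search(value)
        if not name_match:
            continue
        if name_match.group(1) is not None:
            names = [name_match.group(1)]
        else:  # NAME ( 'first' 'second' ) form
            names = re.findall(r"'([^']*)'", name_match.group(2))
        oid_match = OID_FIELD.match(value.strip())
        oid = oid_match.group(1) if oid_match else "?"
        for name in names:
            if name.lower().startswith(prefix.lower()):
                findings.append((kind, oid, name))
    return findings


if __name__ == "__main__":
    for kind, oid, name in residual_definitions(SAMPLE_LDIF):
        print(f"{kind:15} {oid:25} {name}")
```

Run it against a copy of the file while the directory server is stopped, and again after editing; an empty result for the Tivoli Identity Manager names means step 5 is complete.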

Appendix A. Installation images and fix packs

This section itemizes the installation images, and provides a Web address for the

product fix packs.

Installation images

The base CD for each operating system contains a list of the installation files that

Tivoli Identity Manager provides.

Locate the installation image file that is appropriate for your operating system:

• itim-4.6-cd-images-linux.txt

• itim-4.6-cd-images-aix.txt

• itim-4.6-cd-images-sun.txt

• itim-4.6-cd-images-windows.txt

For example, to locate all the files provided for the Tivoli Identity Manager

installation on the AIX operating system, open the itim-4.6-cd-images-aix.txt file on

the AIX base CD.

For more information on all supported platforms and their prerequisite

applications, refer to the IBM Tivoli Identity Manager Release Notes.

Verifying the fix pack level

Verify that the WebSphere Application Server Fix Pack is at the correct level. Enter

one of these commands:

• Windows:

– Single server or cluster member

WAS_HOME\bin\versionInfo.bat

– Deployment manager

WAS_NDM_HOME\bin\versionInfo.bat

• UNIX:

– Single server or cluster member

WAS_HOME/bin/versionInfo.sh

– Deployment manager

WAS_NDM_HOME/bin/versionInfo.sh

For example, the output is similar to the following:

• WebSphere Application Server base

Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 5.1.1.3
ID BASE

• Deployment manager

Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server for Network Deployment
Version 5.1.1.3
ID ND
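The level check described above, as an added example that is not part of the IBM guide: it parses versionInfo output and flags any product block below a required level, comparing version components numerically. The sample output is constructed from the excerpt above (the ND version is altered to show a failure), and the 5.1.1.3 default is an assumption taken from that excerpt; use the level that the Release Notes require.

```python
# Constructed sample modelled on the versionInfo excerpt above; the ND
# version is deliberately lowered so that the check reports a failure.
SAMPLE_OUTPUT = """\
Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server
Version 5.1.1.3
ID BASE

Installed Product
-----------------------------------------------
Name IBM WebSphere Application Server for Network Deployment
Version 5.1.0.5
ID ND
"""


def parse_version(text):
    """Turn '5.1.1.3' into (5, 1, 1, 3) so that levels compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def installed_products(output):
    """Return one dict per 'Installed Product' block with Name, Version and ID."""
    products, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if line == "Installed Product":
            current = {}
            products.append(current)
            continue
        # Skip text before the first block, blank lines and the dashed rule.
        if current is None or not line or set(line) == {"-"}:
            continue
        key, _, value = line.partition(" ")
        if key in ("Name", "Version", "ID") and key not in current:
            current[key] = value.strip()
    return products


def below_level(output, required="5.1.1.3"):
    """List (ID, version) for each product below the required level or
    without a parsable version."""
    wanted = parse_version(required)
    failures = []
    for product in installed_products(output):
        version = product.get("Version", "")
        try:
            ok = parse_version(version) >= wanted
        except ValueError:
            ok = False
        if not ok:
            failures.append((product.get("ID", "?"), version))
    return failures


if __name__ == "__main__":
    for product_id, version in below_level(SAMPLE_OUTPUT):
        print(f"{product_id}: version {version or 'unknown'} is below the required level")
```

Comparing the version strings as text would rank 5.1.1.10 below 5.1.1.3, which is why the components are converted to integers first.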

Obtaining fix packs

A fix pack file for Tivoli Identity Manager has a name similar to the following:

4.6.0-TIV-TIM-platform-WAS-000n.zip

where platform is a value such as AIX and n is an integer such as 1.

Tivoli Identity Manager fixes are available at this Web site:

http://www-1.ibm.com/support/dlsearch.wss?rs=644&q=&tc=SSTFWV&dc=D420&loc=en_US&cs=utf-8&lang=en&sort=desc&rankfile=8&p=1

For more information on registering your personal IBM online ID and alternatives

in obtaining fix packs, see “Obtaining fixes” on page 142.

Appendix B. Worksheets

Complete these worksheets before you install Tivoli Identity Manager and its

prerequisites.

Tivoli Identity Manager information for the database

This table shows the required information for the database product:

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Administrator ID | The administrator user ID (the db2InstanceName as database instance owner) that you created when you installed the database. For more information, see “Configuring the DB2 server” on page 13. | Default for DB2 UDB: Windows: db2admin; UNIX: db2inst1. Default for Oracle: sys; sysmanager | |
| Administrator Password | The password for the administrator user ID. | | |
| Database Name | The database name that Tivoli Identity Manager uses to store its data. If the database is installed locally, the database name is the name of the database. If the database is installed remotely, the database name is the local alias name of the remote database. For more information on the remote database, see “Configuring the DB2 JDBC driver” on page 16. | Example: itimdb | |
| Database Type | The type of database that is used for the Tivoli Identity Manager database. | Example: DB2 UDB | |
| user ID | The account that Tivoli Identity Manager uses to log in to the database. For more information, see “Creating a user on Windows and UNIX systems” on page 14. | Required value: enrole | This value is pre-defined and cannot be changed. |
| user ID password | The password for the enrole user ID. | | |
| IP Address | The IP address of the database server. This value is required for Oracle and SQL Server 2000 only, not for DB2 UDB. | Example: 9.67.5.10 | |
| Port Number | The port number of the database server. This value is required for Oracle and SQL Server 2000 only, not for DB2 UDB. | Oracle default: 1521. SQL Server 2000 default: 1433 | |
| JDBC driver | Connects a Java-based application to a database. | Oracle example: ojdbc14.jar | |

Additionally, the installation program uses the following database pool

information. The database pool information determines the number of JDBC

connections that the Tivoli Identity Manager Server can open to the database.

Evaluate the following values in relation to your site needs:

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Initial Capacity | The initial number of JDBC connections that Tivoli Identity Manager Server can open to the database. | Default: 5 | |
| Maximum Capacity | The maximum number of JDBC connections that Tivoli Identity Manager Server can open to the database at any one time. | Default: 50 | |
| Login Delay Seconds | The time, in seconds, between connections. | Default: 1 | |

Tivoli Identity Manager information for the directory server

Collect the following information for the directory server:

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Host name | The fully qualified host name of the directory server. | Example: ldap.lab.domain.com | |
| Identity Manager DN Location | The value of the Identity Manager DN Location field is the root suffix for Tivoli Identity Manager. The value that you enter in the field must match the suffix (for example, dc=com) that you created when you configured the directory server. For more information, see Chapter 3, “Installing and configuring a directory server,” on page 25. | Example: dc=com | |
| Name of your organization | The formal name of your company. This value is displayed in the organization chart on many of the Tivoli Identity Manager windows. You can enter either single-byte character set (ASCII) characters or double-byte character set (DBCS) characters in this field. | Example: IBM Corporation | |
| Default Org Short Name | The abbreviation for your company name. This value is used internally in the IBM Tivoli Directory Server to represent your organization. Enter only single-byte character set (ASCII) characters in this field, such as an identifier in English. | Example: ibmcorp | |
| Number of hash buckets | The quantity of data buckets. Data buckets are used to allocate data items for sorting or lookup purposes. | Default: 1 (ou=0). Do not modify this value. | |
| Port | The port on which the directory server is listening. | Example: 389 | |
| Principal DN | The user ID that represents the principal distinguished name. | Example: cn=root | |
| Principal DN Password | The password of the user ID that represents the principal distinguished name. | Example: secret | |

The installation program reports the following LDAP Connection Pool Information

fields for a pool of LDAP connections accessible by Tivoli Identity Manager Server.

To determine values appropriate for your configuration, refer to the technical

supplement IBM Tivoli Identity Manager Performance Tuning Guide.

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Max. pool size | The maximum number of connections that the LDAP connection pool can have at any time. | Default: 100 | |
| Initial pool size | The initial number of connections that were created for the LDAP connection pool. | Default: 50 | |
| Increment count | The number of connections that are added to the LDAP connection pool every time a connection is requested, after all connections are in use. | Default: 3 | |

Tivoli Identity Manager information

Note the following information for Tivoli Identity Manager:

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Encryption key | Used to encrypt Tivoli Identity Manager passwords and other sensitive text. | Example: sunshine | |
| Encryption (checkbox) | On the System Configuration Security tab, encrypts the password of the database, LDAP, and WebSphere Application Server administrator user ID in the Tivoli Identity Manager property files. | Default: Not checked | |
| Logging level | Determines how verbose the logs are when you trace system errors. Select how detailed the log file is by choosing a value between MIN and MAX. The more severe the logging level, the better the performance of the system because less information is written to the log file. | Default: MIN | |
| Mail server name | The name of the SMTP mail server. Enter the host name of the SMTP host that is the mail gateway. | Example: smtp.site.com | |
| User ID | The Tivoli Identity Manager Administrator user ID. The value is pre-defined. | Default: itim manager | |
| Password | The password for the Tivoli Identity Manager administrator user ID. You are required to change the password the first time that you log on after installing the Tivoli Identity Manager Server. | Default: secret | |
| System User | The WebSphere Application Server administrator user ID. This value is required only if WebSphere global security is enabled. For more information, see “Optionally configuring security for Tivoli Identity Manager” on page 40. | Default: wasadmin | |
| System User Password | The password for the WebSphere Application Server user ID. | | |
| EJB User | The EJB User is authorized to call all EJB methods in both privileged and unprivileged layers of the Tivoli Identity Manager application. Define the EJB User ID prior to starting installation. If this field is pre-filled when it appears, the field might contain the value of wasadmin. Change the field to the value of itimadmin. This value is required only if WebSphere global security is enabled. For more information, see “Optionally configuring security for Tivoli Identity Manager” on page 40. | Default: itimadmin | |
| EJB User Password | The password for the EJB User ID. | | |

WebSphere Application Server: single-server installation

WebSphere Application Server installation for a single-server configuration has the

following fields. For more information, see Chapter 4, “Installing and configuring

WebSphere Application Server,” on page 33.

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Installation directory | The installation directory for the WebSphere Application Server base product. | Default: WAS_HOME | |
| Host name | Host name or the IP address of the computer on which the WebSphere Application Server is running. | Example: myhostname | |
| Server Name | A case-sensitive name for the WebSphere Application Server to which you deploy the Tivoli Identity Manager Server during a single-server installation. | Example: server1 | |

WebSphere Application Server: cluster installation

WebSphere Application Server installation for a cluster configuration has the

following fields. For more information, see Chapter 4, “Installing and configuring

WebSphere Application Server,” on page 33.

| Field name | Description | Default or example value | Your value |
|---|---|---|---|
| Cluster name | A case-sensitive name that is used to create the Tivoli Identity Manager cluster. This name is case sensitive. This field is not displayed during single-server installation. | Example: ITIM_CLUSTER | |
| Installation directory | The installation directory for the WebSphere Application Server base product and the WebSphere deployment manager. For more information, see “Definitions for HOME and other directory variables” on page xii. | Example: WAS_HOME and WAS_NDM_HOME | |
| IP Address | The IP address of the computer on which the deployment manager or the WebSphere Application Server base product is installed. | | |

Appendix C. Upgrading from Tivoli Identity Manager Version 4.5.1 to Version 4.6

The Tivoli Identity Manager installation program will upgrade a computer that has

Tivoli Identity Manager Version 4.5.1, or Version 4.5.1 with fix packs applied, to

Tivoli Identity Manager Version 4.6. Some manual steps are required to preserve or

re-customize settings. This section describes upgrading both single-server and

cluster configurations. For more information on prerequisite software that this

release supports, refer to the IBM Tivoli Identity Manager Release Notes.

The upgrade process has these major tasks:

1. Ensure that the operating system is at a level that this release of Tivoli Identity

Manager supports, and that the system has the required fix pack or patches.

2. Manually upgrade prerequisite software applications.

You must upgrade any software that is part of the existing Tivoli Identity

Manager environment to meet the requirements for the new Tivoli Identity

Manager version. This includes migrating or applying fixes to the database,

directory server, and WebSphere Application Server base product and

deployment manager.

Migrating from AIX Version 5.1 to AIX Version 5.2 can remove symbolic links

from the DB2 Version 8.1 product directory, such as a link to libdb2.a. You must

back up the DB2 database for Tivoli Identity Manager, uninstall DB2, upgrade

AIX Version 5.1 to Version 5.2, reinstall DB2, and then restore the DB2 database.

3. To migrate the WebSphere Application Server, make one of these choices:

• Use the following steps to migrate WebSphere Application Server Version 5.0.2 to Version 5.1.1.3, and no longer use WebSphere Application Server Version 5.0.2.

You can migrate WebSphere Application Server Version 5.0 directly to Version 5.1 by running the WebSphere Application Server installation program and selecting the migration option. The program migrates all user configuration and existing enterprise applications in WebSphere Application Server Version 5.0 to WebSphere Application Server Version 5.1.

However, you might not be able to migrate WebSphere Application Server

Version 5.0.2 directly to Version 5.1. To migrate WebSphere Application

Server Version 5.0.2 to Version 5.1.1.3, complete these tasks:

a. Migrate the WebSphere Application Server on these computers:

– Single server: Migrate the WebSphere Application Server.

– Cluster: Migrate the WebSphere Application Server base product and the deployment manager.

b. For each computer, read the WebSphere Application Server installation information to ensure that the computer meets the WebSphere Application Server requirements.

c. Install WebSphere Application Server Version 5.1 on a separate directory.

Make sure to choose the option to allow coexistence with WebSphere

Application Server Version 5.1. Ensure that you use the same WebSphere

Application Server ports that WebSphere Application Server Version 5.0.2

previously used.

On an AIX system, installing WebSphere Application Server Version 5.1.x requires font package X11.fnt.coreX 5.x.x.x. Refer to the IBM Tivoli Identity Manager Release Notes for the most current fix pack, cumulative fix, and any possible Authorized Program Analysis Report (APAR).

d. Apply WebSphere Application Server Version 5.1 Fix Pack 1 and

cumulative fix 3, bringing WebSphere Application Server to Version

5.1.1.3.

e. Migrate all WebSphere Application Server Version 5.0.2 configuration

settings and enterprise applications, including Tivoli Identity Manager

Version 4.5.1, to WebSphere Application Server Version 5.1.1.3. To do so,

run these commands:

cd /WAS_HOME_51/bin

./WASPreUpgrade.sh backupDirectory WAS_HOME_502

./WASPostUpgrade.sh backupDirectory

The value of backupDirectory is any directory that you define to store the WebSphere Application Server Version 5.0.2 data that is migrated.

• Alternatively, install WebSphere Application Server Version 5.1 and allow it to co-exist with WebSphere Application Server Version 5.0.2. Do not use the ports that WebSphere Application Server Version 5.0.2 previously defined. You might select this alternative if you have applications that continue to require WebSphere Application Server Version 5.0.2.

No migration occurs for WebSphere Application Server 5.0.2 configuration

settings or enterprise applications, including Tivoli Identity Manager Version

4.5.1, to WebSphere Application Server Version 5.1.1.3.

After you install WebSphere Application Server Version 5.1, run the Tivoli

Identity Manager Version 4.6 installation program to upgrade Tivoli Identity

Manager Version 4.5.1 to ITIM 4.6 on WebSphere Application Server Version

5.1.1.3. After you upgrade Tivoli Identity Manager to version 4.6, remove

Tivoli Identity Manager Version 4.5.1 from WebSphere Application Server

Version 5.0.2.

For more information on migration, refer to WebSphere documentation at this Web site:

http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1/index.jsp

4. Upgrade the Tivoli Identity Manager Server using the Tivoli Identity Manager Version 4.6 installation program.

The Tivoli Identity Manager installation program upgrades the database

schema, the directory server schema and data, the WebSphere Application

Server configuration for Tivoli Identity Manager, the Tivoli Identity Manager

property files, and other Tivoli Identity Manager files. During the upgrade

process, the ITIM_HOME/data directory is copied to the

ITIM_HOME/data/backup directory.

Note: To perform the upgrade, you must select the current ITIM_HOME

directory for the Tivoli Identity Manager Version 4.6 installation location.

Tivoli Identity Manager Version 4.6 will use Tivoli Identity Manager

Version 4.5.1 home directory (for example, itim45) as the Tivoli Identity

Manager Version 4.6 home directory. After making an upgrade, you can

validate the current Tivoli Identity Manager version by examining the

copyright notice in the header of the Messages.properties file.

Processes and settings that the upgrade process preserves

Some workflow processes that start in Tivoli Identity Manager Version 4.5.1 or later continue to run when the upgrade to Tivoli Identity Manager Version 4.6 completes. For example, user operations such as new account requests and password changes that start in Version 4.5.1 complete after Tivoli Identity Manager is upgraded to Version 4.6.

The upgrade process preserves the following settings:

• Certificate-authority (CA) certificates. Tivoli Identity Manager demonstration certificates are updated.

• Existing WebSphere Application Server settings that are related to the Tivoli Identity Manager application.

• Tivoli Identity Manager properties defined in the following files:

– enRole.properties

– enRoleAuthentication.properties

– enRoleDatabase.properties

– enRoleLDAPConnection.properties

– enRoleMail.properties

– enroleworkflow.properties

– ui.properties

– CustomLabels.properties

– adhocreporting.properties

• The following workflow system process files in the data/workflow_systemprocess directory:

– notifytemplate.html

– addserviceselectionpolicy.xml

– changeserviceselectionpolicy.xml

– removeserviceselectionpolicy.xml

– multiaccountdelete.xml

– multiaccountpassword.xml

– multiaccountrestore.xml

– multiaccountsuspend.xml

– multiuserdelete.xml

– multiusersrestore.xml

– multiusersuspend.xml

Processes and settings that are not preserved, or require manual upgrade

The upgrade process does not preserve the following workflow processes, which

you must stop or allow to complete before you upgrade Tivoli Identity Manager:

• Policy Add/Modify/Remove

• Dynamic Role Add/Modify/Remove

• Reconciliations

• Identity feeds

All other customized data and settings are lost after the upgrade process. For more

information, see “Preserving customized data manually” on page 123. These

customizations are not preserved:

• LDAP schema

• Java security

• Custom logos used in a Welcome page and XLS style sheets. If you modified the welcome page, you must re-implement the Styles.css file.

• Logging settings

• Any shared library used by Tivoli Identity Manager through a WebSphere Application Server shared library definition. For more information, see “Post-migration tasks” on page 123.

Additionally, you must manually upgrade the following components:

• Crystal reports. For more information, see “Upgrading Crystal Reports” on page 124.

• Tivoli Identity Manager jar files that the Tivoli Identity Manager client applications use.

Tivoli Identity Manager client applications must replace their Tivoli Identity Manager Version 4.5.1 itim_api.jar and api_ejb.jar files with those from Tivoli Identity Manager Version 4.6.

For any Tivoli Identity Manager client application that has a duplicate copy of

Tivoli Identity Manager properties files on the client side, take these steps:

1. Rename the duplicate property files on the client application to preserve any

manual changes that you might have made.

2. Copy the property files from the Tivoli Identity Manager Server to the

duplicate copy on the client application.

3. If you manually changed the duplicate property files earlier, manually apply

the changes again.

Before you begin

Before upgrading Tivoli Identity Manager, complete these steps:

1. If at all possible, reduce system activity prior to starting the upgrade process.

It is recommended that you avoid starting large policy enforcements or

reconciliation requests prior to upgrading Tivoli Identity Manager. Do not

delete entries directly from the SCHEDULED_MESSAGES table in the Tivoli

Identity Manager database.

2. Complete or stop the following workflow processes, which are not preserved during upgrade:

• Policy Add/Modify/Remove

• Dynamic Role Add/Modify/Remove

• Reconciliations

• Identity feeds

3. If you are using an Oracle database, log in to SQLPlus using an account that can grant privileges to the user enrole. Then, grant the CREATE VIEW privilege to the user enrole. For example, enter these commands:

sqlplus system/manager@itimdb

SQL > GRANT CREATE VIEW to enrole;

SQL > quit;

4. Migrate the database server to the supported version. Then, back up the Tivoli

Identity Manager database, and ensure that the database server is running.

5. Migrate the directory server to the supported version. Then, back up the Tivoli

Identity Manager schema and data, and ensure that the directory server is

running. For Tivoli Identity Manager Version 4.5.1 recovery purposes, export

the Tivoli Identity Manager LDAP directory to an LDIF file.

6. Complete these steps for your WebSphere Application Server configuration:

• Single-server: Migrate the WebSphere Application Server base product.

• Cluster: Migrate the deployment manager, and migrate the WebSphere Application Server base product on each node.

7. If you intend to save the Tivoli Identity Manager configuration information on the WebSphere Application Server, perform a backup of the WebSphere configuration files. Complete these steps:

a. Stop the WebSphere Application Server.

b. To make a backup file, run the following command on the computer that hosts the WebSphere Application Server base product:

• Windows

WAS_HOME\bin\backupConfig.bat

• UNIX

WAS_HOME/bin/backupConfig.sh

The command creates a compressed file, such as WebSphereConfig_2005-07-10.zip, that contains all current Tivoli Identity Manager configuration settings. The file is created in the directory from which you run the backupConfig command.

The backup preserves the WebSphere Application Server configuration that includes the settings for Tivoli Identity Manager.

8. Ensure that the appropriate servers are running in the WebSphere environment. Complete these steps:

• Single-server configuration: Start the WebSphere Application Server that you previously upgraded to version 5.1.x (refer to the IBM Tivoli Identity Manager Release Notes for the most current fix pack, cumulative fix, and possible APARs). Using the WebSphere administrative console, stop the Tivoli Identity Manager application enRole.

• Cluster configuration: Ensure that the deployment manager and all the node agents are running. Using the WebSphere administrative console, stop the Tivoli Identity Manager cluster.

9. On a single-server configuration, and on each cluster member in a cluster configuration, complete these steps:

• Back up the itim directory.

• Access the WAS_HOME/installedApps/cellname/enRole.ear directory and store any customized files in a temporary holding area.

• Access the WAS_HOME/installedApps/cellname/enRole.ear/app_web.war/META-INF directory and store the MANIFEST.MF file in a temporary holding area.

Upgrading a single-server configuration

The upgrade process performs these tasks in a single-server configuration:

1. Backs up files in the ITIM_HOME/data directory.

2. Replaces the files in the ITIM_HOME directory.

3. Ensures that WebSphere Application Server Version 5.1.x is running, and starts

the WebSphere Application Server if it is not running. Refer to the IBM Tivoli

Identity Manager Release Notes for the most current fix pack, cumulative fix,

and possible APARs.

4. Removes the existing Tivoli Identity Manager Version 4.5.1 (enRole) from

WebSphere Application Server Version 5.1.x.

5. Deploys the Tivoli Identity Manager Version 4.6 to WebSphere Application

Server Version 5.1.x.

6. Updates the Tivoli Identity Manager database to create new tables and other

settings.

7. Updates the LDAP server to add new LDAP schema and default Tivoli

Identity Manager settings.

8. Starts the system configuration tool (runConfig) to prompt the user to

examine current system configuration values.

9. Updates several Tivoli Identity Manager properties files. For more

information, see step 117.

10. Updates the WebSphere Application Server configuration for Tivoli Identity

Manager Version 4.6.

To upgrade a single-server configuration, complete these steps:

1. To run the installation program, complete these steps:

• Windows

a. Click Start –> Run.

b. Enter your CD-ROM drive, and then enter the following command:

instWIN-WAS.exe

The Welcome window opens.

• UNIX

a. Open a command prompt window, and change to your CD-ROM drive.

b. Enter one of the following commands for the Tivoli Identity Manager installation program:

– AIX

instAIX-WAS.bin

– Solaris

instSOL-WAS.bin

– Linux

instLINUX-WAS.bin

The installation program starts and displays the Welcome window.

2. Select the appropriate language and click OK.

3. In the License Agreement window, read the license agreement and decide

whether to accept its terms. If you do, select Accept and click Next.

4. In the Choose Install Directory window, you must select the existing Tivoli

Identity Manager Version 4.5.1 home directory that you want to upgrade.

Accept the existing 4.5.1 directory, or click Choose... and select the correct

directory. Then, click Next.

5. In the Upgrade from 4.5.1 to 4.6? window, click Continue to Next to start the

upgrade.

6. Read the caution windows to ensure that the prerequisite applications meet

the requirements that Tivoli Identity Manager supports. Then, click Next.

7. In the WebSphere Application Server installation directory window, specify

the WebSphere Application Server that you intend to use. There can be

multiple instances of the WebSphere Application Server on the computer.

Click Next.

8. In the Java home window, notice the directory to which Tivoli Identity

Manager Version 4.6 now points. You might need to manually migrate any

files that reference the previous directory to reference the current directory.

Click OK.

9. In the Tivoli Common Directory window, accept the default directory for the

Tivoli Common Directory or specify a different directory. The Tivoli Identity

Manager installation program creates the CTGIM subdirectory to store

serviceability-related files for Tivoli Identity Manager. Ensure that the

directory has at least 25 MB of free space. Click Next.

10. In the Pre-install Summary window, click Install.

The upgrade process silently upgrades the previously configured database and

LDAP server. Additionally, the installation program launches the system

configuration tool to allow you to change configuration settings, if necessary.

11. In the System Configuration Tool window, examine the values of all

parameters, which should be the values of the existing Tivoli Identity Manager

version 4.5.1 program. Verify the values and click OK. The system

configuration requires several minutes to complete. For more information, see

Chapter 7, “Configuring the Tivoli Identity Manager Server,” on page 77.

Upgrading a cluster configuration

The upgrade process performs these tasks in a cluster configuration:

1. Backs up files in the ITIM_HOME/data directory.

2. Replaces the files in the ITIM_HOME directory.

3. On the computer that has the deployment manager, does these tasks:

a. Removes the existing Tivoli Identity Manager Version 4.5.1 (enRole) from

WebSphere Application Server Version 5.1.x. Refer to the IBM Tivoli Identity

Manager Release Notes for the most current fix pack, cumulative fix, and

possible APARs.

b. Deploys the Tivoli Identity Manager Version 4.6 to WebSphere Application

Server Version 5.1.x.

c. Updates the Tivoli Identity Manager database to create new tables and other

settings.

d. Updates the LDAP server to add new LDAP schema and default Tivoli Identity Manager settings.

4. On each computer that has a Tivoli Identity Manager cluster member, does these tasks:

a. Starts the system configuration tool (runConfig) to prompt the user to

examine current system configuration values.

b. Updates several Tivoli Identity Manager properties files. For more

information, see step 117.

c. Updates the WebSphere Application Server configuration for Tivoli Identity

Manager Version 4.6.

To upgrade a cluster configuration on the deployment manager, and also on each

cluster member computer, complete these steps:

1. To run the installation program, complete these steps:


• Windows

a. Click Start –> Run.

b. Enter your CD-ROM drive, and then enter the following command:

instWIN-WAS.exe

The Welcome window opens.

• UNIX

a. Open a command prompt window, and change to your CD-ROM drive.

b. Enter one of the following commands for the Tivoli Identity Manager installation program:

– AIX

instAIX-WAS.bin

– Solaris

instSOL-WAS.bin

– Linux

instLINUX-WAS.bin

The installation program starts and displays the Welcome window.

2. Select the appropriate language and click OK.

3. In the License Agreement window, read the license agreement and decide

whether to accept its terms. If you do, select Accept and click Next.

4. In the Choose Install Directory window, you must select the existing Tivoli

Identity Manager Version 4.5.1 home directory that you want to upgrade.

Accept the existing 4.5.1 directory, or click Choose.... and select the correct

directory. Then, click Next.

5. In the Upgrade from 4.5.1 to 4.6? window, click Continue to Next to start the

upgrade.

6. Read the caution windows to ensure that the prerequisite applications meet

Tivoli Identity Manager requirements. Then, click Next.

7. In the WebSphere Application Server installation directory window, specify

the deployment manager or the WebSphere Application Server base product

that you intend to use. Then, click Next.

If the deployment manager of the Tivoli Identity Manager cluster is on the

computer, the deployment manager installation directory window opens.

Ensure the installation location for the deployment manager is correct.

If the Tivoli Identity Manager cluster is on the computer, the installation

directory window opens for the WebSphere Application Server base product.

There can be multiple instances of the deployment manager or the WebSphere

Application Server base product on the computer. Ensure the installation

directory for the WebSphere Application Server base product is the location

where the product resides.

8. In the Java home window, notice the directory to which Tivoli Identity

Manager Version 4.6 now points. You might need to manually migrate any

files that reference the previous directory to reference the current directory.

Click OK.

9. In the Tivoli Common Directory window, accept the default directory for the

Tivoli Common Directory or specify a different directory. The Tivoli Identity

Manager installation program creates the CTGIM subdirectory to store

serviceability-related files for Tivoli Identity Manager. Ensure that the

directory has at least 25 MB of free space.

10. In the Pre-install Summary window, read the summary. Then, click Install.


On the deployment manager, the upgrade process silently upgrades the

previously configured database and LDAP server. Additionally, the installation

program launches the system configuration tool to allow you to change

configuration settings, if necessary.

11. In the system configuration tool window, click OK and complete the

installation.

Post-migration tasks

If the directory server is the IBM Tivoli Directory Server, you must upgrade the

previous Tivoli Identity Manager Version 4.5.1 referential integrity file named

timdelref.conf to the new version. Complete these steps:

1. Stop the Tivoli Identity Manager Server.

2. Stop the IBM Tivoli Directory Server.

3. Copy the new Tivoli Identity Manager configuration file named timdelref.conf

from the ITIM_HOME/config/ldap/ibm directory on the version 4.6 Tivoli

Identity Manager Server or from the Tivoli Identity Manager product CD to the

etc directory on the IBM Tivoli Directory Server, replacing the previous

configuration file:

• Version 5.2: LDAP_HOME/etc

• Version 6.0: IDS_instance_HOME/etc

4. Restart the directory server.

5. Restart the Tivoli Identity Manager Server.

Preserving customized data manually

To preserve customized data that is not preserved by the upgrade process,

complete these manual steps:

• LDAP schema

Repeat the customization that you provided for the previous version of Tivoli Identity Manager.

• Java security

Tivoli Identity Manager, Version 4.6 uses IBM Development Kit for Java 1.4.2, which is bundled by the WebSphere Application Server, Version 5.1 in the WAS_HOME/java directory.

Manually apply the changes that you made for the previous IBM Development Kit for Java to the new IBM Development Kit for Java.

• Custom logos and customized style sheets

If you need to insert customized logos and style sheets in the WAS_HOME/cellname/enRole.ear directory, restore these files from a backup location.

• Logging settings

Tivoli Identity Manager Version 4.6 separates message logging and tracing to different outputs and uses the IBM Logging Toolkit for Java (JLog) by default. The logging settings are defined in the enRoleLogging.properties file.

Tivoli Identity Manager Version 4.5.1 used the Log4J logging toolkit. The Tivoli Identity Manager Version 4.6 upgrade program renames the previous logging setting properties file for the Log4J logging toolkit to enRoleLogging.log4j.properties. If you customized the Log4J logging toolkit setting and want to continue to use the Log4J logging toolkit for logging, complete these steps:


1. Specify the new property enrole.logging.provider in the enRole.properties file with this statement:

enrole.logging.provider=com.ibm.itim.logging.Log4jProvider

The Tivoli Identity Manager application will continue to perform tracing by using the IBM Logging Toolkit for Java.

2. Restart the Tivoli Identity Manager application.

• If Tivoli Identity Manager Version 4.5.1 loaded specific jar files using settings for a WebSphere Application Server shared library, you need to define the name of the shared library to the newly-deployed Tivoli Identity Manager Version 4.6.

For example, Tivoli Identity Manager Version 4.5.1 might load a shared library with a name such as user_shared_library.

Complete these tasks on the WebSphere administrative console to associate the

previously-defined shared library with Tivoli Identity Manager Version 4.6:

1. Click Applications –> Enterprise Applications –> enRole.

2. Select Additional Properties –> Libraries.

3. Click Add and select a shared library such as user_shared_library from the

drop-down list.

4. Click Apply to apply the changes.

5. Save the configuration.

6. Restart the WebSphere Application Server to allow the changes to take effect.

Upgrading Crystal Reports

You must manually reconfigure Crystal Reports when you upgrade Tivoli Identity

Manager. After the upgrade completes, re-import all the reports that were

imported for Tivoli Identity Manager Version 4.5.x. For more information on using

the Crystal Reports designer tool to configure Crystal Reports, including importing

reports for use with Tivoli Identity Manager, refer to the IBM Tivoli Identity

Manager Information Center.

Correcting upgrade problems

If the upgrade process fails to complete, pop-up messages describe the problem.

Complete these steps:

1. If the Tivoli Identity Manager deployment of the enRole.ear directory failed,

examine the ITIM_HOME/install_logs/setupEnrole.stdout log file to determine

the cause. Correct the problem and redeploy the enRole.ear directory. Complete

these tasks:

• Single-server

– Uninstall the enRole.ear directory from the WebSphere Application Server using this command:

ITIM_HOME/bin/SetupEnrole uninstall server:name user:user_id password:pwd

Verify that the uninstallation process removed the WAS_HOME/installedApps/cellname/enRole.ear directory and the WAS_HOME/config/cells/cellname/applications/enRole.ear directory. If the directories exist, remove both enRole.ear directories manually.

– Install the enRole.ear directory using this command on the WebSphere Application Server:

ITIM_HOME/bin/SetupEnrole install server:name user:user_id password:pwd

Copy the jsafe.jar and log4j.jar files from the ITIM_HOME/lib directory to the enRole.ear directory.


The value of name is the name of the WebSphere Application Server on which the Tivoli Identity Manager application is deployed. The value of user_id is the WebSphere administrator user ID, such as wasadmin. The value of pwd is the password for the WebSphere administrator user ID, such as wasadminpwd.

• Cluster

– Uninstall the enRole.ear directory from the deployment manager using this command:

ITIM_HOME/bin/SetupEnrole uninstall user:user_id password:pwd

Verify that the uninstallation process removed the WAS_NDM_HOME/config/cells/cellname/applications/enRole.ear directory. If the directory exists, remove the enRole.ear directory manually.

– Install the enRole.ear directory using this command on the deployment manager:

ITIM_HOME/bin/SetupEnrole install user:user_id password:pwd

On each Tivoli Identity Manager cluster member, copy the jsafe.jar and log4j.jar files from the ITIM_HOME/lib directory to the WAS_HOME/installedApps/cellname/enRole.ear directory.

2. If the LDAP schema upgrade failed, examine the ITIM_HOME/install_logs/ldapUpgrade.stdout log file. Correct the problem and run the following program:

ITIM_HOME/bin/ldapUpgrade

3. If the database schema upgrade failed, examine the ITIM_HOME/install_logs/dbUpgrade.stdout log file. Correct the problem and run the following program:

ITIM_HOME/bin/DBUpgrade

4. Restart the Tivoli Identity Manager application.

5. Log on to Tivoli Identity Manager.

On Windows Server 2003, you might not be able to log on to Tivoli Identity

Manager after upgrading or installing Tivoli Identity Manager.

To resolve this problem, reboot the system, which may correct certain

environment settings and WebSphere embedded messaging queue problems.

Examine the WAS_HOME\logs\server1\SystemOut.log file to determine

whether any exception relates to the WebSphere embedded messaging queue

manager.


Appendix D. Steps that the installation program takes to configure the WebSphere environment

This section describes the steps that the Tivoli Identity Manager installation

program takes to configure the WebSphere environment.

Use the manual steps described in this section only to verify or to modify the

WebSphere configuration. Do not use these steps for installation.

Additional configuration steps are required that are not described here, such as

updating Tivoli Identity Manager property files, configuring the Tivoli Identity

Manager database, and configuring the LDAP server.

Before you begin

Before you begin, start the WebSphere Application Server, and log on to the

WebSphere administrative console. All the tasks assume that you are logged on to

the console.

The installation and configuration activities refer to the directories that are

described in Table 8.

The value of path varies for these operating systems:

• Windows: drive:\Program Files

• AIX: /usr

• Other UNIX: /opt

Table 8. Referenced directories

| Directory | Default Location | Description |
|---|---|---|
| ITIM_HOME | Windows: C:\Program Files\IBM\itim; UNIX: /path/IBM/itim | The base directory that contains the Tivoli Identity Manager code, configuration, and documentation. |
| WAS_HOME | Windows: C:\Program Files\WebSphere\AppServer; UNIX: /path/WebSphere/AppServer | The WebSphere Application Server home directory |
| DB_INSTANCE_HOME | Windows: path\IBM\SQLLIB; UNIX (AIX, Linux): /home/dbinstancename; UNIX (Solaris): /export/home/dbinstancename | The directory that contains the database for Tivoli Identity Manager. |


Configuring resources for the Tivoli Identity Manager Server

This section describes configuring resources that the Tivoli Identity Manager Server

requires, including database drivers, data sources, and message queues. The

installation program takes the following actions:

1. “Setting environment properties”

2. “Setting transaction service properties” on page 129

3. “Creating J2C authentication data entries” on page 129

4. “Creating the JDBC driver and the WebSphere Application Server data source”

on page 130

5. “Creating Tivoli Identity Manager JMS objects at the cell level” on page 131

6. “Creating Tivoli Identity Manager JMS objects at the server level” on page 132

7. “Creating message listener ports” on page 134

8. “Configuring the internal JMS server” on page 137

9. “Updating the JVM classpath” on page 137

10. “Overriding client encoding” on page 138

Setting environment properties

The Tivoli Identity Manager installation program sets environment variables for

both a single-server configuration and for all cluster members in a Tivoli Identity

Manager cluster configuration.

To verify these variables, complete these steps:

1. Click Environment –> Manage WebSphere Variables.

2. At the node level, verify values for the fields described in Table 9.

Table 9. ITIM_HOME variable

| Field | Value |
|---|---|
| Name | ITIM_HOME |
| Value | Windows: path\IBM\itim; UNIX: /path/IBM/itim |

3. At the node level, verify the ITIM_DB_JDBC_DRIVER_PATH variable.

Table 10. ITIM_DB_JDBC_DRIVER_PATH variable

| Field | Value |
|---|---|
| Name | ITIM_DB_JDBC_DRIVER_PATH |
| Value | JDBC_DRIVER_PATH. This is the directory where the database JDBC driver resides. For example, on a Windows system that has a JDBC driver for DB2 UDB, enter the value C:\Program Files\SQLLIB\java\. |


Setting transaction service properties

The Tivoli Identity Manager installation program sets transaction service properties

for a single-server configuration and for all cluster members in a Tivoli Identity

Manager cluster configuration.

To verify these service properties, complete these steps:

1. Click Servers –> Application Servers –> servername –> Transaction Service.

2. Verify values for the fields described in Table 11.

Table 11. Transaction service properties

| Field | Value |
|---|---|
| Total Transaction Lifetime Timeout | 1200 |
| Client Inactivity Timeout | 600 |

Creating J2C authentication data entries

The Tivoli Identity Manager installation program creates J2EE Connector (J2C)

authentication data entries for a single-server configuration and for the deployment

manager in a Tivoli Identity Manager cluster configuration.

To verify J2C authentication data entries, complete these steps:

1. Click Security –> JAAS Configuration –> J2C Authentication Data.

2. Verify values for the fields described in Table 12.

Table 12. J2C authentication data entries

| Field | Value |
|---|---|
| Alias | itim_init |
| User ID | enrole |
| Password | A password for the enrole user ID |
| Description | Initial J2C authentication alias for Tivoli Identity Manager |

3. To verify the second J2C authentication data entry, examine values for the fields

described in Table 13.

Table 13. Additional J2C authentication data entries

| Field | Value |
|---|---|
| Alias | itim_jms |
| User ID | Enter either the WebSphere administrator ID when WebSphere global security is on, or enter an empty field when WebSphere global security is off. |
| Password | Enter a password for either the WebSphere administrator ID when WebSphere global security is on, or enter an empty field when WebSphere global security is off. |
| Description | JMS J2C authentication alias |


Creating the JDBC driver and the WebSphere Application Server data source

The Tivoli Identity Manager installation program creates the JDBC provider and

the WebSphere Application Server data sources for a single-server configuration

and for all cluster members in a Tivoli Identity Manager cluster configuration.

To verify the JDBC provider at the server level, complete these steps:

1. Click Resources –> JDBC Provider.

2. Click New to create the JDBC provider.

3. Select DB2 Universal JDBC Driver Provider (XA), then click OK.

4. Verify values for the fields described in Table 14.

Table 14. JDBC provider

| Field | Value |
|---|---|
| Name | ITIM DB2 JDBC Provider (XA) |
| Description | ITIM JDBC2 XA Compliant Driver (DB2) |
| Implementation Class | COM.ibm.db2.jdbc.DB2XADataSource |
| Classpath | ${ITIM_DB_JDBC_DRIVER_PATH}/db2java.zip |

5. To verify the data source, complete these steps:

a. Click Resources –> JDBC Provider.

b. Select DB2 Universal JDBC Driver Provider (XA), and then select Data

Sources.

c. Verify values for the fields described in Table 15.

Table 15. Data source

| Field | Value |
|---|---|
| Name | ITIM Data Source |
| JNDI Name | enroleDataSource |
| Description | ITIM Data Source |
| Component-managed Authentication Alias | itim_init |
| Container-managed Authentication Alias | itim_init |
| Mapping-Configuration Alias | DefaultPrincipalMapping |
| Statement Cache Size | 100 |

6. Configure the database name. Complete these steps:

a. Click ITIM DB2 JDBC Provider (XA) –> Data Sources. Then, select ITIM

Data Source from the list of data sources.

b. Select Custom Properties, and then select database name.

c. Verify the value of the database name as itimdb.

7. Configure the connection pool. Complete these steps:

a. Click ITIM DB2 JDBC Provider (XA) –> Data Sources –> ITIM Data Source –> Connection Pool.


b. Verify values for the fields described in Table 16.

Table 16. Connection pool fields

| Field | Value |
|---|---|
| Min Connections | 5 |
| Max Connections | 50 |

Creating Tivoli Identity Manager JMS objects at the cell level

The Tivoli Identity Manager installation program creates JMS objects for a

single-server configuration and for the deployment manager in a Tivoli Identity

Manager cluster configuration.

To verify JMS objects, complete these steps:

1. Verify the ITIM Queue Connection Factory at the cell level. Complete these

steps:

a. Click Resources –> WebSphere JMS Provider –> WebSphere Queue

Connection Factory. The WebSphere Queue Connection Factory is at the

cell level.

b. Verify a new Queue Connection Factory with values for the fields described

in Table 17. Accept default values for the other fields.

Table 17. Queue Connection Factory values - cell level

| Field | Value |
|---|---|
| Name | ITIM Shared Queue Connection Factory |
| JNDI Name | enrole.jms.SharedQueueConnectionFactory |
| Description | ITIM Shared Queue Connection Factory |
| Node | Select the current node in a single-server configuration. Select a cluster member node in a cluster configuration. |
| Component-managed Authentication Alias | itim_jms |
| Container-managed Authentication Alias | itim_jms |
| Mapping-Configuration Alias | DefaultPrincipalMapping |
| XA Enabled | True |

c. Select Create Queue Connection Factory, and verify that the connection pool and the session pool have a maxConnection size of 50.

2. Verify ITIM WebSphere queue destinations at the cell level. Complete these steps:

a. Click Resources –> WebSphere JMS Provider –> ITIM WebSphere Queue

Destinations.

b. Verify 3 new queue destinations. Use defaults for any values that are not

specified in the following tables:

• itim_policy

Table 18. Queue destination values - itim_policy

| Field | Value |
|---|---|
| Name | itim_policy |
| JNDI Name | policyAnalysisQueue |
| Description | ITIM Policy Analysis Queue |
| Persistence | PERSISTENT |

• itim_policy_simulation

Table 19. Queue destination values - itim_policy_simulation

| Field | Value |
|---|---|
| Name | itim_policy_simulation |
| JNDI Name | policySimulationQueue |
| Description | ITIM Policy Simulation Queue |
| Persistence | PERSISTENT |

• itim_wf_shared

Table 20. Queue destination values - itim_wf_shared

| Field | Value |
|---|---|
| Name | itim_wf_shared |
| JNDI Name | sharedWorkflowQueue |
| Description | ITIM Shared Workflow Queue |
| Persistence | PERSISTENT |

Creating Tivoli Identity Manager JMS objects at the server level

The Tivoli Identity Manager installation program creates JMS objects for a

single-server configuration and for all cluster members in a Tivoli Identity

Manager cluster configuration.

To verify JMS objects, complete these steps:

1. Verify the ITIM Queue Connection Factory at the server level. Complete these

steps:

a. Click Resources –> WebSphere JMS Provider –> WebSphere Queue

Connection Factory. The WebSphere Queue Connection Factory is at the

server level.

b. Verify a new Queue Connection Factory with values for the fields described

in Table 17 on page 131. All other fields can have default values.

Table 21. Queue Connection Factory values - server level

| Field | Value |
|---|---|
| Name | ITIM Queue Connection Factory |
| JNDI Name | enrole.jms.QueueConnectionFactory |
| Description | ITIM Queue Connection Factory |
| Node | Select the current node. |
| Component-managed Authentication Alias | itim_jms |
| Container-managed Authentication Alias | itim_jms |
| Mapping-Configuration Alias | DefaultPrincipalMapping |
| XA Enabled | True |

c. Select Create Queue Connection Factory, and verify that the connection pool and the session pool have a maxConnection size of 50.

2. Verify ITIM WebSphere queue destinations at the server level. Complete these steps:

a. Click Resources –> WebSphere JMS Provider –> ITIM WebSphere Queue

Destinations.

b. Verify 6 new queue destinations. Accept defaults for values that are not

specified in the following tables:

• itim_ms

Table 22. Queue destination values - itim_ms

| Field | Value |
|---|---|
| Name | itim_ms |
| JNDI Name | mailServicesQueue |
| Description | ITIM Mail Services Queue |
| Persistence | PERSISTENT |

• itim_rs

Table 23. Queue destination values - itim_rs

| Field | Value |
|---|---|
| Name | itim_rs |
| JNDI Name | remoteServicesQueue |
| Description | ITIM Remove Services Queue |
| Persistence | PERSISTENT |

• itim_wf

Table 24. Queue destination values - itim_wf

| Field | Value |
|---|---|
| Name | itim_wf |
| JNDI Name | WorkflowQueue |
| Description | ITIM Workflow Queue |
| Persistence | PERSISTENT |

• itim_rs_pending

Table 25. Queue destination values - itim_rs_pending

| Field | Value |
|---|---|
| Name | itim_rs_pending |
| JNDI Name | ITIM Remote Pending Queue |
| Description | ITIM Remote Pending Queue |
| Persistence | PERSISTENT |

• itim_ps

Table 26. Queue destination values - itim_ps

| Field | Value |
|---|---|
| Name | itim_ps |
| JNDI Name | partitioningServiceQueue |
| Description | ITIM Partitioning Service Queue |
| Persistence | PERSISTENT |

• itim_adhocSync

Table 27. Queue destination values - itim_adhocSync

| Field | Value |
|---|---|
| Name | itim_adhocSync |
| JNDI Name | adhocSyncQueue |
| Description | ITIM Adhoc Sync Queue |
| Persistence | PERSISTENT |

Creating message listener ports

The Tivoli Identity Manager installation program creates message listener ports for

a single-server configuration and for all cluster members in a Tivoli Identity

Manager cluster configuration.

To verify message listener ports, complete these steps:

1. Access the listener ports definition window. Complete these steps:

• Single-server configuration: Click Servers –> Application Servers –> servername –> Message Listener Service –> Listener Ports.

• Each cluster member: Click Servers –> Application Servers –> clustermembername –> Message Listener Service –> Listener Ports.

2. Verify the listener ports described in the following tables:

• ITIMAdhocSyncListenerPort

Table 28. ITIMAdhocSyncListenerPort

| Field | Value |
|---|---|
| Name | ITIMAdhocSyncListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | adhocSyncQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |


• ITIMLocalWorkflowListenerPort

Table 29. ITIMLocalWorkflowListenerPort

| Field | Value |
|---|---|
| Name | ITIMLocalWorkflowListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | workflowQueue |
| Maximum Sessions | 10 |
| Maximum Retry | 100 |

• ITIMMailServicesListenerPort

Table 30. ITIMMailServicesListenerPort

| Field | Value |
|---|---|
| Name | ITIMMailServicesListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | mailServicesQueue |
| Maximum Sessions | 3 |
| Maximum Retry | 100 |

• ITIMPartitioningServiceListenerPort

Table 31. ITIMPartitioningServiceListenerPort

| Field | Value |
|---|---|
| Name | ITIMPartitioningServiceListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | partitioningServiceQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |

• ITIMRemoteServicesListenerPort

Table 32. ITIMRemoteServicesListenerPort

| Field | Value |
|---|---|
| Name | ITIMRemoteServicesListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | remoteServicesQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |


• ITIMRemoteServicesPendingListenerPort

Table 33. ITIMRemoteServicesPendingListenerPort

| Field | Value |
|---|---|
| Name | ITIMRemoteServicesPendingListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | remotePendingQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |

• ITIMPolicyAnalysisListenerPort

Table 34. ITIMPolicyAnalysisListenerPort

| Field | Value |
|---|---|
| Name | ITIMPolicyAnalysisListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | policyAnalysisQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |

• ITIMPolicySimulationListenerPort

Table 35. ITIMPolicySimulationListenerPort

| Field | Value |
|---|---|
| Name | ITIMPolicySimulationListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | policySimulationQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |

• ITIMSharedWorkflowListenerPort

Table 36. ITIMSharedWorkflowListenerPort

| Field | Value |
|---|---|
| Name | ITIMSharedWorkflowListenerPort |
| Connection Factory JNDI Name | enrole.jms.QueueConnectionFactory |
| Destination JNDI Name | sharedWorkflowQueue |
| Maximum Sessions | 5 |
| Maximum Retry | 100 |


Configuring the internal JMS server

The Tivoli Identity Manager installation program creates the internal JMS server

for a single-server configuration and for all cluster members in a Tivoli Identity

Manager cluster configuration.

To verify the internal JMS server, complete these steps:

1. Access the internal JMS server definition window. Complete these steps:

v Single-server configuration: Click Servers –> Application Servers –>

servername –> Server Component –> Internal JMS Server.

v Each cluster member: Click Servers –> JMS Servers –> jmsservername.

2. Verify the following queue names, which should match the queue names

specified on the queue destination:

v itim_ms

v itim_rs

v itim_wf

v tim_rs_pending

v itim_ps

v itim_adhocSync

v itim_wf_shared

v itim_policy

v itim_policy_simulation

For more information on queue destinations, see “Creating Tivoli Identity

Manager JMS objects at the cell level” on page 131 and “Creating Tivoli

Identity Manager JMS objects at the server level” on page 132.

3. Verify the queue values in Table 37:

Table 37. Queue values

Field              Value
Number of Threads  20
Initial State      Started

Updating the JVM classpath

The Tivoli Identity Manager installation program updates the internal Java Virtual

Machine (JVM) classpath for a single-server configuration and for all cluster

members in a Tivoli Identity Manager cluster configuration.

To verify the JVM classpath, specify the ITIM_HOME/data directory in the JVM

classpath. The PropertiesManager uses the JVM classpath to resolve the location of

this directory. Complete these steps:

1. Access the Java Virtual Machine definition window. Complete these steps:

v Single-server configuration: Click Servers –> Application Servers –>

servername –> Process Definition –> Java Virtual Machine.

v Each cluster member: Click Servers –> Application Servers –>

clustermembername –> Process Definition –> Java Virtual Machine.

2. Verify ${ITIM_HOME}/data in the Classpath attribute.


Overriding client encoding

The Tivoli Identity Manager installation program ensures that the JVM overrides

client encoding with UTF-8 encoding for a single-server configuration and for all

cluster members in a Tivoli Identity Manager cluster configuration.

To verify that the JVM overrides client encoding with UTF-8 encoding, complete

these steps:

1. Access the Java Virtual Machine definition window. Complete these steps:

v Single-server configuration: Click Servers –> Application Servers –>

servername –> Process Definition –> Java Virtual Machine.

v Each cluster member: Click Servers –> Application Servers –>

clustermembername –> Process Definition –> Java Virtual Machine.

2. Verify -Dclient.encoding.override=UTF-8 in the Generic JVM arguments

attribute.

Deploying and configuring the Tivoli Identity Manager J2EE application

The Tivoli Identity Manager installation program performs additional steps to

deploy and configure the Tivoli Identity Manager J2EE application for a

single-server configuration and for the deployment manager in a Tivoli Identity

Manager cluster configuration.

The Tivoli Identity Manager installation program performs the following tasks to

deploy and configure the Tivoli Identity Manager J2EE application:

1. “Deploying Tivoli Identity Manager on the WebSphere Application Server”

2. “Configuring application classloader settings” on page 139

3. “Regenerating the WebSphere Web Server plug-in” on page 139

4. “Configuring the JAAS login module” on page 139

5. “Configuring the JAAS login module for JNDI feed” on page 139

Deploying Tivoli Identity Manager on the WebSphere

Application Server

The Tivoli Identity Manager installation program deploys Tivoli Identity Manager

on the WebSphere Application Server. Tivoli Identity Manager can also be

deployed with the following steps:

1. Click Applications –> Install New Application.

2. On the next series of windows to prepare for application installation, complete

these steps:

a. Verify the value ITIM_HOME/enrole.ear in the Server path field. Click Next.

b. On the next window, accept all the default values to generate bindings and

mappings. Click Next.

3. On the next series of windows to install a new application, complete these

steps:

a. Provide the values in Table 38 for options to install a new application.

Accept the default values for all other fields, then click Next.

Table 38. Installation values

Field            Value
Pre-compile JSP  True


b. For the next series of windows, accept the default values, and then click

Next:

1) Deploy EJBs

2) Provide JNDI names for beans

3) Map virtual hosts for web modules

4) Map modules to application servers

c. On the window to map security roles to users and groups, enter the value

Everyone=true in the ITIM_SYSTEM field. Then, click Next.

d. On the Summary window, review the options.

Configuring application classloader settings

To verify configuration of application classloader settings, complete these steps:

1. Click Applications –> Enterprise Applications –> enRole.

2. Verify the values in Table 39.

Table 39. Application classloader values

Field                   Value
Classloader Mode        PARENT_LAST
WAR Classloader Policy  Application

Regenerating the WebSphere Web Server plug-in

The Tivoli Identity Manager installation program regenerates the WebSphere Web

Server plug-in after deploying Tivoli Identity Manager. To regenerate the

WebSphere Web Server plug-in, click Environment –> Update Web Server Plugin.

Configuring the JAAS login module

To verify configuration of the JAAS login module, complete these steps:

1. Click Security –> JAAS Configuration –> Application Logins.

2. Click New and enter the alias name ITIM in the General Properties field. Then,

click OK.

3. Click the ITIM link in the Application Login Configuration/ITIM window.

4. On the Application Login Configuration/ITIM window, click the JAAS Login

Modules link.

5. Verify the module classname as

com.ibm.itim.apps.jaas.spi.PlatformLoginModule.

Configuring the JAAS login module for JNDI feed

The Tivoli Identity Manager Server provides a Java Naming and Directory (JNDI)

Service Provider that can be used as a programming interface to deliver human

resources database changes to the server. To verify configuration of the JAAS login

module for JNDI feed, complete these steps:

1. Click Security –> JAAS Configuration –> Application Logins.

2. Click New and enter the alias name serviceLoginContext in the General

Properties field. Then, click OK.

3. Click the serviceLoginContext link in the Application Login Configuration

window.


4. On the Application Login Configuration/serviceLoginContext window, click

the JAAS Login Modules link.

5. Verify the module classname as

com.ibm.remoteservices.provider.itim.ServiceLoginModule.
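The verification steps in this appendix (Tables 32 to 36 and 39, the JVM classpath and encoding checks, and the two JAAS login aliases) can be run as one repeatable audit. The following Python script is an added example, not part of the IBM guide or the product; the INI-style snapshot format, its `;`-separated classpath and its key names (`destinationJndi`, `moduleClasses`, and so on) are assumptions of this example, to be filled from your own export of the console values.

```python
import configparser

# Expected values copied from Tables 32-36 and 39 and the verification steps above.
EXPECTED_PORTS = {  # listener port name -> destination JNDI name
    "ITIMRemoteServicesListenerPort": "remoteServicesQueue",
    "ITIMRemoteServicesPendingListenerPort": "remotePendingQueue",
    "ITIMPolicyAnalysisListenerPort": "policyAnalysisQueue",
    "ITIMPolicySimulationListenerPort": "policySimulationQueue",
    "ITIMSharedWorkflowListenerPort": "sharedWorkflowQueue",
}
PORT_COMMON = {
    "connectionFactoryJndi": "enrole.jms.QueueConnectionFactory",
    "maxSessions": "5",
    "maxRetry": "100",
}
EXPECTED_APP = {"classloaderMode": "PARENT_LAST", "warClassloaderPolicy": "Application"}
EXPECTED_JAAS = {  # application login alias -> the single expected login module
    "ITIM": "com.ibm.itim.apps.jaas.spi.PlatformLoginModule",
    "serviceLoginContext": "com.ibm.remoteservices.provider.itim.ServiceLoginModule",
}
ENCODING_FLAG = "-Dclient.encoding.override="


def parse_snapshot(text):
    """Parse the INI-style snapshot (a format assumed by this example) into nested dicts."""
    parser = configparser.ConfigParser(interpolation=None)  # keep ${ITIM_HOME} literal
    parser.optionxform = str  # configparser lowercases keys unless told otherwise
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def _norm(path):
    """Compare paths regardless of slash direction or a trailing separator."""
    return path.strip().replace("\\", "/").rstrip("/")


def audit(snapshot, itim_home=None):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []

    def expect(section, key, want):
        got = snapshot.get(section, {}).get(key)
        if got != want:
            findings.append(f"{section}: {key} is {got!r}, expected {want!r}")

    for port, queue in EXPECTED_PORTS.items():
        section = f"listenerPort {port}"
        if section not in snapshot:
            findings.append(f"{section}: listener port is not defined")
            continue
        expect(section, "destinationJndi", queue)
        for key, want in PORT_COMMON.items():
            expect(section, key, want)

    jvm = snapshot.get("jvm", {})
    wanted = {"${ITIM_HOME}/data"}
    if itim_home:  # also accept the variable already resolved to a real directory
        wanted.add(_norm(itim_home) + "/data")
    # Assumed snapshot convention: classpath entries are separated by ';'.
    entries = {_norm(e) for e in jvm.get("classpath", "").split(";") if e.strip()}
    if not entries & wanted:
        findings.append("jvm: classpath does not contain ${ITIM_HOME}/data")

    # Every occurrence of the flag must say UTF-8: a conflicting second copy
    # leaves the effective value ambiguous, so it is reported.
    args = [a.strip('"') for a in jvm.get("genericJvmArguments", "").split()]
    values = [a[len(ENCODING_FLAG):] for a in args if a.startswith(ENCODING_FLAG)]
    if not values:
        findings.append("jvm: -Dclient.encoding.override=UTF-8 is not set")
    elif set(values) != {"UTF-8"}:
        findings.append(f"jvm: client.encoding.override set to {values}, expected only UTF-8")

    for key, want in EXPECTED_APP.items():
        expect("application enRole", key, want)

    # The alias must resolve to exactly the documented module: a missing alias,
    # a different class, or an additional stacked module are all reported.
    for alias, module in EXPECTED_JAAS.items():
        section = f"jaas {alias}"
        raw = snapshot.get(section, {}).get("moduleClasses", "")
        modules = [m.strip() for m in raw.split(",") if m.strip()]
        if modules != [module]:
            findings.append(f"{section}: login modules are {modules}, expected only {module}")
    return findings


def sample_snapshot():
    """Constructed sample input that matches every expected value (not console output)."""
    parts = [
        f"[listenerPort {port}]\nconnectionFactoryJndi = enrole.jms.QueueConnectionFactory\n"
        f"destinationJndi = {queue}\nmaxSessions = 5\nmaxRetry = 100\n"
        for port, queue in EXPECTED_PORTS.items()
    ]
    parts.append("[jvm]\nclasspath = ${ITIM_HOME}/data\n"
                 "genericJvmArguments = -Xms256m -Dclient.encoding.override=UTF-8\n")
    parts.append("[application enRole]\nclassloaderMode = PARENT_LAST\n"
                 "warClassloaderPolicy = Application\n")
    parts += [f"[jaas {alias}]\nmoduleClasses = {module}\n"
              for alias, module in EXPECTED_JAAS.items()]
    return "\n".join(parts)


if __name__ == "__main__":
    for finding in audit(parse_snapshot(sample_snapshot())) or ["no drift found"]:
        print(finding)
```

Run it for the single server or for each cluster member, and keep the findings with your change records so that a later change to a login module or classloader setting is visible.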


Appendix E. Support information

This section describes the following options for obtaining support for IBM

products:

v “Searching knowledge bases”

v “Obtaining fixes” on page 142

v “Contacting IBM Software Support” on page 142

Searching knowledge bases

If you have a problem with your IBM software, you want it resolved quickly. Begin

by searching the available knowledge bases to determine whether the resolution to

your problem is already documented.

Search the information center on your local system or

network

IBM provides extensive documentation that can be installed on your local

computer or on an intranet server. You can use the search function of this

information center to query conceptual information, instructions for completing

tasks, reference information, and support documents.

Search the Internet

If you cannot find an answer to your question in the information center, search the

Internet for the latest, most complete information that might help you resolve your

problem. To locate Internet resources for your product, open one of the following

Web sites:

v IBM Tivoli Identity Manager Performance Tuning Guide

Provides information needed to tune Tivoli Identity Manager Server for a

production environment. It is available on the Web at:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

Click the I character in the A-Z product list, and then, click the IBM Tivoli

Identity Manager link. Browse the information center for the Technical

Supplements section.

v Redbooks and white papers are available on the Web at:

http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliIdentityManager.html

Browse to the Self Help section, in the Learn category, and click the Redbooks

link.

v Technotes are available on the Web at:

http://www.redbooks.ibm.com/redbooks.nsf/tips/

v Field guides are available on the Web at:

http://www.ibm.com/software/sysmgmt/products/support/Field_Guides.html

v For an extended list of other Tivoli Identity Manager resources, search the

following IBM developerWorks Web site:

http://www.ibm.com/developerworks/


Obtaining fixes

A product fix might be available to resolve your problem. You can determine what

fixes are available for your IBM software product by checking the product support

Web site:

1. Go to the IBM Software Support Web site

(http://www.ibm.com/software/support).

2. Under Products support pages A to Z, select the letter for your product name.

3. In the list of specific products, click IBM Tivoli Identity Manager.

4. Under Self help, you find a list of fixes, fix packs, and other service updates

for your product.

5. Click the name of a fix to read the description and optionally download the fix.

To receive weekly e-mail notifications about fixes and other news about IBM

products, follow these steps:

1. From the support page for any IBM product, click My support in the upper-left

corner of the page.

2. If you have already registered, skip to the next step. If you have not registered,

click register in the upper-right corner of the support page to establish your

user ID and password.

3. Sign in to My support.

4. On the My support page, click Edit profiles in the left navigation pane, and

scroll to Select Mail Preferences. Select a product family and check the

appropriate boxes for the type of information you want.

5. Click Submit.

6. For e-mail notification for other products, repeat Steps 4 and 5.

For more information about types of fixes, see the Software Support Handbook

(http://techsupport.services.ibm.com/guides/handbook.html).

Contacting IBM Software Support

IBM Software Support provides assistance with product defects.

Before contacting IBM Software Support, your company must have an active IBM

software maintenance contract, and you must be authorized to submit problems to

IBM. The type of software maintenance contract that you need depends on the

type of product you have:

v For IBM distributed software products (including, but not limited to, Tivoli,

Lotus, and Rational products, as well as DB2 and WebSphere products that run

on Windows or UNIX operating systems), enroll in Passport Advantage in one

of the following ways:

– Online: Go to the Passport Advantage Web page

(http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home)

and click How to Enroll.

– By phone: For the phone number to call in your country, go to the IBM

Software Support Web site

(http://techsupport.services.ibm.com/guides/contacts.html) and click the

name of your geographic region.

v For IBM eServer software products (including, but not limited to, DB2 and

WebSphere products that run in zSeries, pSeries, and iSeries environments), you

can purchase a software maintenance agreement by working directly with an

IBM sales representative or an IBM Business Partner. For more information


about support for eServer software products, go to the IBM Technical Support

Advantage Web page (http://www.ibm.com/servers/eserver/techsupport.html).

If you are not sure what type of software maintenance contract you need, call

1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, go to

the contacts page of the IBM Software Support Handbook on the Web

(http://techsupport.services.ibm.com/guides/contacts.html) and click the name of

your geographic region for phone numbers of people who provide support for

your location.

Follow the steps in this topic to contact IBM Software Support:

1. Determine the business impact of your problem.

2. Describe your problem and gather background information.

3. Submit your problem to IBM Software Support.

Determine the business impact of your problem

When you report a problem to IBM, you are asked to supply a severity level.

Therefore, you need to understand and assess the business impact of the problem

you are reporting. Use the following criteria:

Severity 1 Critical business impact: You are unable to use the program,

resulting in a critical impact on operations. This condition

requires an immediate solution.

Severity 2 Significant business impact: The program is usable but is

severely limited.

Severity 3 Some business impact: The program is usable with less

significant features (not critical to operations) unavailable.

Severity 4 Minimal business impact: The problem causes little impact on

operations, or a reasonable circumvention to the problem has

been implemented.

Describe your problem and gather background information

When explaining a problem to IBM, be as specific as possible. Include all relevant

background information so that IBM Software Support specialists can help you

solve the problem efficiently. To save time, know the answers to these questions:

v What software versions were you running when the problem occurred?

v Do you have logs, traces, and messages that are related to the problem

symptoms? IBM Software Support is likely to ask for this information.

v Can the problem be re-created? If so, what steps led to the failure?

v Have any changes been made to the system? (For example, hardware, operating

system, networking software, and so on.)

v Are you currently using a workaround for this problem? If so, please be

prepared to explain it when you report the problem.

The Tivoli Identity Manager serviceability tool assists in gathering information for

working with an IBM Software Support representative. The tool collects Tivoli

Identity Manager related log files, performs a check of the product JAR files,

gathers some limited configuration details, and creates a compressed file that

contains this information. The compressed file can then be transferred or e-mailed

to a support representative.


Use this tool only when directed to by your support representative. For more

information, refer to the IBM Tivoli Identity Manager Problem Determination Guide.

Submit your problem to IBM Software Support

You can submit your problem in one of two ways:

v Online: Go to the “Submit and track problems” page on the IBM Software

Support site (http://www.ibm.com/software/support/probsub.html). Enter

your information into the appropriate problem submission tool.

v By phone: For the phone number to call in your country, go to the contacts page

of the IBM Software Support Handbook on the Web

(http://techsupport.services.ibm.com/guides/contacts.html) and click the name

of your geographic region.

If the problem you submit is for a software defect or for missing or inaccurate

documentation, IBM Software Support creates an Authorized Program Analysis

Report (APAR). The APAR describes the problem in detail. Whenever possible,

IBM Software Support provides a workaround for you to implement until the

APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the

IBM product support Web pages daily, so that other users who experience the

same problem can benefit from the same resolutions.

For more information about problem resolution, see “Searching knowledge bases”

on page 141 and “Obtaining fixes” on page 142.


Appendix F. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

North Castle Drive

Armonk, NY 10504-1785

U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged should contact:

IBM Corporation

2ZA4/101

11400 Burnet Road

Austin, TX 78758

U.S.A.

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

Trademarks

The following terms are trademarks or registered trademarks of International

Business Machines Corporation in the United States, other countries, or both: IBM,

IBM logo, AIX, DB2, Domino, Lotus, SecureWay, Tivoli, Tivoli logo, Universal

Database, WebSphere.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of

Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation

in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other

countries.


Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Java and all Java-based trademarks are trademarks of Sun

Microsystems, Inc. in the United States, other countries, or

both.

Other company, product, and service names may be trademarks or service marks

of others.


Glossary

A

access. (1) The ability to read, update, delete, or

otherwise use a resource. Access to protected resources

is usually controlled by system software. (2) The ability

to use data that is stored and protected on a computer

system.

access control. In computer security, the process of

ensuring that the resources of a computer system can

be accessed only by principals in authorized ways. See

also principal.

access control list. In computer security, a list that is

associated with a resource that identifies all the

principals that can access the resource and the

permissions for those principals. See also permission

and principal.

access control item (ACI). Data that (a) identifies the

permissions of principals and (b) is assigned to a

resource.

account. An entity that contains a set of parameters

that define the application-specific attributes of a

principal, which include the identity, user profile, and

credentials.

ACI target. The resource for which you define the

access control items. For example, an ACI target can be

a service.

activity. The smallest unit of work in a workflow. See

also workflow.

adapter. (1) A set of software components that

communicate with an integration broker and with

applications or technologies in order to perform tasks,

such as executing application logic or exchanging data.

(2) A transparent, intermediary software component

that allows different software components with

different interfaces to work together.

administrative domain. A logical collection of

resources that is used to separate responsibilities and

manage permissions. See also permission.

adopt. To assign an orphan account to the appropriate

owner.

adoption rules. The set of rules that determine which

orphan accounts belong to which owners. See also

orphan account.

agent. A process that manages target resources on

behalf of a system in order to respond to requests.

aggregate message. A collection of notification

messages that are combined into a single e-mail, along

with optional user defined text.

alias. In identity management, an identity for a user,

which might match the user ID. The alias is used

during reconciliation to determine who owns the

account. A person can have several aliases, for example,

GSmith, GWSmith, and SmithG.

application server. A server program in a distributed

network that provides the execution environment for

an application program.

application user administrator. A type of person who

uses Tivoli Identity Manager to set up and administer

(a) the services that are managed by Tivoli Identity

Manager or (b) the Tivoli Identity Manager users of

those services.

approval. A type of workflow activity that allows

someone to approve or reject a request. See also

workflow.

audit trail. A chronological record of events or

transactions. You can use audit trails for examining or

reconstructing a sequence of events or transactions,

managing security, and for recovering lost transactions.

authentication. The process of verifying that an entity

is the entity that it claims to be, often by verifying a

user ID and password combination. Authentication

does not identify the permissions that a person has in

the system. See also authorization.

authorization. The process of granting a user either

complete or restricted access to an object, resource, or

function. See also authentication.

authorization owner. A user who can manage access

control items (ACIs) for a resource.

C

Certificate Authority (CA). An organization that

issues certificates. The CA authenticates the certificate

owner’s identity and the services that the owner is

authorized to use, issues new certificates, renews

existing certificates, and revokes certificates that belong

to users who are no longer authorized to use them.

challenge-response authentication. An authentication

method that requires users to respond to a prompt by

providing information to verify their identity when

they log in to the system. For example, when users

forget their password, they are prompted (challenged)

with a question to which they must provide an answer


(response) in order to either receive a new password or

receive a hint for specifying the correct password.

Common Criteria. A standardized method, which is

used by international governments, the United States

federal government, and other organizations, for

expressing security requirements in order to assess the

security and assurance of technology products.

connector. A plug-in that is used to access and update

data sources. A connector accesses the data and

separates out the details of data manipulations and

relationships. See also adapter.

credentials. Authentication information that is

associated with a principal. See also authentication and

principal.

D

DAML. See Directory Access Markup Language.

data model. A description of the organization of data

in a manner that reflects the information structure of an

enterprise.

data warehouse. (1) A subject-oriented collection of

data that is used to support strategic decision making.

(2) A central repository for all or significant parts of the

data that an organization’s business systems collect.

delegate (noun). The user who is designated to

approve requests or provide information for requests

for another user.

delegate (verb). (1) To assign all or a subset of

administrator privileges to another user, such that the

user can perform all or a subset of administrator

activities for a specific set of the users. (2) To designate

a user to approve requests or provide information for

requests for another user.

delegate administrator. The user who has all or a

subset of administrator privileges over a specific set of

users.

delegate administration. The ability to apply all or a

subset of administrator privileges to another user (the

delegate administrator), such that the user can perform

all or a subset of administrator activities for a specific

set of the users.

deprovision. To remove a service or component. For

example, to deprovision an account means to delete an

account from a resource. See also provision.

digital certificate. An electronic document that is used

to identify an individual, server, company, or some

other entity, and to associate a public key with the

entity. A digital certificate is issued by a certification

authority and is digitally signed by that authority. See

also Certificate Authority.

Directory Access Markup Language (DAML). An

XML specification that extends the functions of

Directory Services Markup Language (DSML) 1.0 in

order to represent directory operations. In Tivoli

Identity Manager, DAML is mainly used for server to

agent communications. See also Directory Services

Markup Language v2.0.

directory server. A server that can add, delete, change,

or search directory information on behalf of a client.

Directory Services Markup Language v1.0 (DSMLv1).

An XML implementation that describes the structure of

data in a directory and the state of the directory. DSML

can be used to locate data into a directory. DSMLv1 is

an open standard defined by OASIS. Contrast with

Directory Services Markup Language v2.0.

Directory Services Markup Language v2.0 (DSMLv2).

An XML implementation that describes the operations

that a directory can perform (such as how to create,

modify, and delete data) as well as the results of those

operations. Whereas DSMLv1 can be used to describe

the structure of data in a directory, DSMLv2 can be

used to communicate with other products about that

data. DSMLv2 is an open standard defined by OASIS.

Contrast with DSMLv1.

distinguished name (DN). The name that uniquely

identifies an entry in a directory. A distinguished name

is made up of name-component pairs. For example,

CN=John Doe, O=My Organization, C=US.

domain administrator. The owner of an

administrative domain. See also administrative domain.

dynamic content tags. A set of XML tags (based on

the XML Text Template Language (XTTL) schema) that

allows the administrator to provide customized

information in a message, notification, or report. See

also XML Text Template Language.

dynamic organizational role. An organizational role

that is assigned to a person by using an LDAP filter.

When a user is added to the system and the LDAP

filter parameters are met, the user is automatically

added to the dynamic organizational role. See also

organizational role.

E

entitlement. In security management, a data structure,

service, or list of attributes that contains externalized

security policy information.

entitlement workflow. A workflow that defines the

business logic that is used when provisioning a policy.

For example, an entitlement workflow is used to define

approvals for managing accounts. See also workflow.

entity. A person or object about which you want to

store information or manage. For example, a person

and an organization are both entities.

entity type. Categories of managed objects. See also

entity.

escalation. The process that defines what happens and

who acts when an activity has not been completed in

the specified amount of time.

escalation limit. The amount of time, for example,

hours or days, that a participant has to respond to a

request, before an escalation occurs.

event. The encapsulated data that is sent as a result of

an occurrence, or situation, in the system.

F

failover. An operation that switches a system to a

redundant or standby system when services fail.

FESI extension. A Java extension that can be used to

enhance JavaScript code and then be embedded within

a FESI script.

Free EcmaScript Interpreter (FESI). An

implementation of the EcmaScript scripting language,

which is an ISO standard scripting language that is

similar to the JavaScript scripting language.

G

group. A collection of Tivoli Identity Manager users.

H

help desk assistant. A person who uses Tivoli Identity

Manager to assist users and managers with managing

their accounts and passwords.

I

identity. The subset of profile data that uniquely

represents a person or entity and that is stored in one

or more repositories.

identity feed. The automated process of creating one

or more identities from one or more common sources

of identity data.

identity policy. The policy that defines the user ID to

be used when creating an account for a user.

IIOP (Internet Inter-ORB Protocol). A protocol that is

used for communication between Common Object

Request Broker Architecture (CORBA) object request

brokers (ORBs).

ITIM group. A list of Tivoli Identity Manager

accounts. Membership within an ITIM group

determines the access to data within Tivoli Identity

Manager.

ITIM user. A user who has a Tivoli Identity Manager

account.

J

JDBC (Java Database Connectivity). An industry

standard for database-independent connectivity

between the Java platform and a wide range of

databases. The JDBC interface provides a call-level API

for SQL-based database access.

join directive. The set of rules that define how to

handle attributes when two or more provisioning

policies are applied. Two or more policies might have

overlapping scope, so the join directive specifies what

actions to take when this overlap occurs.

L

LDAP (Lightweight Directory Access Protocol). An

open protocol that uses TCP/IP to provide access to

directories that support an X.500 model and that does

not incur the resource requirements of the more

complex X.500 Directory Access Protocol (DAP). For

example, LDAP can be used to locate people,

organizations, and other resources in an Internet or

intranet directory.

LDAP directory. A hierarchical directory of names that

can reflect an organization’s structure or geography and

that is accessed using LDAP.

LDAP filter. A search filter that narrows the results

from an LDAP search.

LDIF (LDAP Data Interchange Format). A file format

that is used to describe directory information as well as

changes that need to be applied to a directory, such

that directory information can be exchanged between

directory servers that are using LDAP.

life cycle. Passage or transformation through different

stages over time. For example, markets, brands, and

offerings have life cycles.

life cycle rules. A set of rules in a policy that

determine which operations to use when automatically

handling commonly occurring events, such as

suspending an account that has been inactive for a

period of time.

location. An entity that is a subdivision of an

organization, usually based on geographical area.

M

mail. A type of workflow activity that sends a

notification to one or more users about a request.

managed resource. An entity that exists in the runtime

environment of an IT system and that can be managed.

manager. A type of person who uses Tivoli Identity

Manager to manage their own accounts and passwords

or the accounts and passwords of those people that

they supervise.

manual service. A type of service that requires

manual intervention by the service owner to complete

the provisioning request.

N

namespace. (1) The set of unique names that a service

recognizes. (2) Space reserved by a file system to

contain the names of its objects.

nested group. A group that contains another group.

See also group.

notification. A message that is sent to a user and that

explains the actions that were taken for a request.

O

operation. An action that can be performed against an

object; for example, add, modify, or delete.

operational workflow. A workflow that defines the

lifecycle process for accounts, persons, and other

entities. See also workflow.

organization. A hierarchical arrangement of

organizational units, such that each user is included

once and only once. See also organizational unit.

organization tree. A hierarchical structure of an

organization that provides a logical place to create,

access, and store organizational information.

organizational container. An organization,

organizational unit, location, business partner unit, or

administration domain.

organizational role. In identity management, a list of

account owners that is used to determine which

entitlements are provisioned to them. See also dynamic

organizational role and static organizational role.

organizational unit. A type of organizational

container that represents a department or similar

grouping of people.

orphan account. On a managed resource, an account

whose owner cannot be automatically determined by

the provisioning system.

P

participant. In identity management, an individual, a

role, a group, or a JavaScript script that has the

authority to respond to a request that is part of a

workflow. See also workflow.

password. In computer and network security, a

specific string of characters that is used by a program,

computer operator, or user to access the system and the

information stored within it.

password retrieval. The method of retrieving a new or

changed password by accessing a designated Web site

and specifying a shared secret. See also shared secret.

password strength rules. The set of rules that a

password must conform to, such as the length of the

password and the type of characters that are allowed

(or not allowed) in the password.

password strength policy. A policy that defines the

password strength rules. A password strength policy is

applied whenever a password is set or modified.

password synchronization. The process of

coordinating passwords across services and systems

such that only a single password is needed to access

those multiple services and systems.

permission. Authorization to perform activities on

resources, such as reading and writing local files,

creating network connections, and loading native code.

person. An individual in the system that has a person

record in one or more corporate directories.

plug-in. A software module that adds function to an

existing program or application.

policy. A set of considerations that influence the

behavior of a managed resource or a user.

post office. A component that collects notifications

from the appropriate workflow activities and

distributes those notifications to the appropriate

workflow participants.

principal. A person or group that has been granted

permissions.

privilege. See permission.

profile. Data that describes the characteristics of a

user, group, resource, program, device, or remote

location.

provision. (1) To set up and maintain the access of a

user to a system. (2) To create an account on a

managed resource.

provisioning. The process of providing, deploying,

and tracking a service or component.

provisioning policy. A policy that defines the access

to various managed resources, such as applications or

operating systems. Access is granted to all users, users

with a specific role, or users who are not members of a

specific role.

R

reconciliation. The process of synchronizing data in a

central data repository with data on a managed

resource.

registration. The process of accessing a system and

requesting an account on that system.

registry. A repository that contains access and

configuration information for users, systems, and

software.

relationship. A defined association between two or

more data entities, which is used when defining a Free

EcmaScript Interpreter (FESI) extension or when

customizing the graphical user interface.

relevant data. The data that is used to complete a

workflow activity in a workflow operation at runtime.

See also workflow.

repository. A persistent storage area for data and

other application resources. Common types of

repositories are databases, directories, and file systems.

request. The item that initiates a workflow and

instigates the various activities of a workflow. See also

workflow.

request for information (RFI). A workflow activity

that requests additional information from the specified

participant. See also workflow.

resource. A hardware, software, or data entity. See

also managed resource.

restore. To activate an account that was suspended.

rights. See permission.

rule. A set of conditional statements that enable

computer systems to identify relationships and execute

automated responses accordingly.

S

schema. The fields and rules in a repository that

comprise a profile. See also profile.

scope. In identity management, the set of entities that

a policy or an access control item (ACI) can affect.

secure socket layer (SSL). A security protocol that

provides communication privacy. SSL enables

client/server applications to communicate in a way that

is designed to prevent eavesdropping, tampering, and

message forgery.

security. The protection of data, system operations,

and devices from accidental or intentional ruin,

damage, or exposure.

security administrator. A type of person who sets up

and administers Tivoli Identity Manager for users,

managers, help desk assistants, and application user

administrators.

self-registration. See registration.

service. A representation of a managed resource,

application, database, or system.

service owner. A role that identifies the person who

owns and maintains a particular service in Tivoli

Identity Manager. See also service.

service selection policy. A policy that determines

which service to use in a provisioning policy. See also

provisioning policy.

service type. A category of related services that share

the same schemas. See also service.

shared secret. An encrypted value that is used to

retrieve the initial password of a user. This value is

defined when the personal information for the user is

initially loaded into the system.

single signon (SSO). The ability of a user to log on

once and access multiple applications without having

to log on to each application separately.

static organizational role. An organizational role that

is manually assigned to a person. See also

organizational role.

supervisor. A role that identifies the person who

supervises another set of users and who is often

responsible for approving or rejecting requests that are

made by those users.

suspend. To deactivate an account so that the account

owner cannot access the service.

system administrator. A role that identifies the person

who is responsible for the configuration,

administration, and maintenance of Tivoli Identity

Manager.

T

tenant. In a hosted service environment, a virtual

enterprise instance of an application. Each tenant can

share directory servers or relational databases while

remaining completely separate service instances.

to-do list. A collection of outstanding activities. See

also activity.

topic. The subject of a notification message, which

allows messages to be grouped together based on the

same task.

transition. A connection between two workflow

elements. See also workflow.

U

universally unique identifier (UUID). The 128-bit

numerical identifier that is used to ensure that two

entities do not have the same identifier. The identifier is

unique for all space and time.

user. Any individual, organization, process, device,

program, protocol, or system that uses the services of a

computing system.

V

view. A collection of graphical user interfaces that

represent the set of tasks that a particular type of user

is allowed to perform. Administrators can customize

views to contain different collections of graphical user

interfaces.

W

workflow. The sequence of activities performed in

accordance with the business processes of an enterprise.

See also activity.

work order. A workflow activity that requires a

participant to perform an activity outside of the scope

of the system.

X

XML Text Template Language (XTTL). An XML

schema that provides a means for representing dynamic

content within a message, notification, or report. The

XML tags are also called dynamic content tags. See also

dynamic content tags.

Index

Special characters

.profile file

DB2 UDB profile 57, 73

db2profile command, including in file 57, 73

DBLink exception 102

Oracle 21

"secret", as first password 113

WAS_HOME

WebSphere Application Server base installation

directory 114

Numerics

34-bit runtime client on 64-bit operating system 17

389, port 112

50000, default DB2 UDB listening port number 18

64-bit operating system 17

80, port 40

8880, port 40

9080, port 40

9090, port 40

A

accessibility

pdf format, for screen-reader software xi

statement for documentation xi

text, alternative for document images xi

account

LDAP storage 4

remote resource, management 1

active scripting, browser 99

activity.log file 102

activity.log, logon request 102

adapter

agent-less or agent-based 2

definition 2

location 2

profile 58, 76

remote resource 1

secure communication 58, 76

addNode, command 38

addserviceselectionpolicy.xml, workflow process file 117

adhocreporting.properties 117

Admin ID

database field 111

db2admin 111

db2inst1 111

Admin Password, database field 111

administrative

system management interface tool

SMIT 14

system management tool

admintool 14

user

EJB user 41

ID, DB2 UDB 13

itimadmin 41

mapping to role 88

System User 41

wasadmin 41

Administrator 47, 61

admintool, administrative tool (Solaris) 14

alias, database 83

api_ejb.jar 118

app_ctl_heap_sz example, update database 14

applheapsz example, update database 14

application server, WebSphere Application Server 3

ASCII character set

Default Org Short Name field 112

organization name 112

audience, who should read this book vii

authentication alias, itim-init 94

authentication, J2C 129

authority

Administrator 47, 61

database 47, 61

db2admin user 47, 61

installing Tivoli Identity Manager Server 47, 61

logon user ID in Administrator Group 47, 61

root

ensuring 47, 61

was.policy file 41, 88

B

backup

command

backupConfig 119

configuration file, Tivoli Identity Manager 119

Oracle 21

backupConfig, command 119

books

see publications xi

browser

active scripting 99

language default 100

two session problems 100

using supported 99

C

CA certificate

preserved during upgrade 117

requirements 58, 76

cache size, Sun ONE Directory Server 32

catalog, db2 command 16

cell

adding nodes 38

definition 5

WebSphere Application Server 5

certificate

CA, preserved during upgrade 117

demonstration, upgraded 117

identical directory requirement, cluster member 61

server-adapter communication 58, 76

supported certificate types 58, 76

trust store, identical on cluster members 76

changeserviceselectionpolicy.xml, workflow process file 117

character set, for organization name 112

classloader settings, Tivoli Identity Manager 139

CLASSPATH

example 57, 73

verifying database 94

Classpath field, specifying data directory 102

classpath, JVM 137

cleanup

cron job 82

recycle bin age limit 82

client

database

DB2 UDB 12

on remote computer 12

encoding

overriding 138

UTF-8 138

inactivity timeout 129

interface 1

upgrading duplicate properties files 118

Client Inactivity Timeout 129

cluster

definition 5

deployment 36

deployment manager 39

expanding

new computer 74

installation

flowchart 62

restart after 72

sequence 64, 65

sequential requirement 65

Tivoli Identity Manager Server 61

wizard 65

manual steps to create 39

member

certificate files 61

certificate recognition 61

certificate trust store, identical 76

components, products installed on 6

CustomLabels.properties, stored in Tivoli Identity

Manager database 76

definition 6

deployment manager installation deploys Tivoli Identity

Manager 64

generating plugin-cfg.xml 75

homogeneous operating system 6

HR feed 61

IBM HTTP Server and WebSphere Web Server plug-in

not on every member 37

identical database specification 83

identical directory requirement 61

identical LDAP specification 67

installation sequence after deployment manager 65

multiples on same computer 66

new, adding to cluster 74

partial start 72

removing 75

restriction for Tivoli Identity Manager 6

sourcing DB2 UDB profile on each member 38

sourcing DB2 UDB profile on each member, AIX and

Solaris 38

WebSphere Application Server 6

name, WebSphere Application Server field 114

prerequisites

database 61

deployment manager 62

directory server 61

JMS servers 62

node agents 62

WebSphere Application Server base 62

WebSphere Global Security 41

WebSphere global security on? 62

regular 6

remove member 75

Tivoli Identity Manager installation

wizard 65

cn=itimadmin,ou=WasSecurity,dc=com 43

cn=root 28, 112

cn=wasadmin,ou=WasSecurity,dc=com 42

co-existing products

deployment manager 37

HTTP server 100

port reassignment 37

WebSphere Application Server 100

command

addNode 38

backupConfig 119

connect 17

db2

catalog 16

create 14

force application all 15

update 14

db2cmd 14

db2fs 13

db2level 13, 26

db2profile 57, 73

db2set 15

db2start 15, 16

db2stop 15

dspmq 35, 98

java 58, 74

ldapadd 28

ldapcfg 27

ldapClean 82

ldapsearch 28

logon 73, 100

netstat 40

runConfig 80

serverStatus 38, 98

startManager 37

startNode 38, 39

startServer 38, 53

stopServer 53

strmqm 98

versionInfo.bat 109

versionInfo.sh 109

Common Desktop Environment 34

communication with database, profile 38

configuration

database 77

DB2 UDB

create user enrole 14

JDBC driver 4

performance 19

overview 1

SQL Server 2000 23, 24

Sun ONE Directory Server 32

Tivoli Identity Manager

Database tab 83

Directory tab 82

enRole.properties 80

General tab 80

Logging tab 84

Mail tab 84

Security tab 86

UI tab 85

WebSphere Application Server

preserved during upgrade 117

regular-cluster 6

single-server 4

configuration file

httpd.conf 75

ibmslapd.conf 29, 31

timdelref.conf 29, 123

conflict

deployment manager ports 37

HTTP server ports 36

port

80 40, 101

8879 40

9080 40

9090 40

9443 101

conflict with wsmserver 40

reassignment 37, 40

table of numbers assigned 40

unregistered WebSphere Application Server –

Express 31

table of port numbers 40

two WebSphere products on same computer 37

connect, db2 command 17

connection

Increment Count 83

Increment Count, LDAP 113

initial JDBC 112

Initial Pool Size 83

Initial Pool Size, LDAP 113

JDBC 84

login delay 84

Max. Pool Size, LDAP 113

maximum JDBC 112

Maximum Pool Size 83

pool, LDAP 31, 83

problems, preventing with LDAP sessions 31

conventions

HOME directory

Tivoli_Common_Directory xiv

DB_INSTANCE_HOME xiii, 127

HTTP_HOME xiv

ITIM_HOME xiv, 127

LDAP_HOME xiii

WAS_HOME xiv, 127

WAS_MQ_HOME xiv

WAS_NDM_HOME xiv

typeface xii

UNIX variable, directory notation xii

used in this document xi

create, db2 command 14

Crystal reports

manual upgrade 118

Crystal Reports

upgrading manually 124

CTGIM, Tivoli Common Directory 52, 68

customer

logo

image file 86

link 86

upgrading manually 123

customer support

see Software Support 142

CustomLabels.properties 76, 117

D

data

directory

contains properties file 102

copied during upgrade 116

specified by Classpath field 102

historical, on database 3, 11

initializing LDAP suffix 28

organizational, on directory server 4, 25

transactional, on database 3, 11

user account, on directory server 4, 25

database

itim_dbname

create 14

update 14

Administrator 47, 61

authentication alias, itim-init 94

authority 47, 61

CLASSPATH 94

client

32-bit DB2 runtime 18

64-bit operating system 18

JDBC driver 4

remote computer 12

command to create 14

configuration

fields 77

initial 77

connection

db2profile 94

testing 94

DB2 UDB

initially empty 12

profile, sourcing 57, 73

select during installation 50, 66

db2admin user 47, 61

enRoleDatabase.properties file 95

field

Admin ID 111

Admin Password 111

Database Name 111

Database Type 111

Database User 111

IP Address 111

Port Number 111

User Password 111

fix pack 13, 26

historical data 3, 11

itimdb 83

database name 14

JDBC connections 84

login delay 84

name

alias 83

itimdb 111

Oracle

.profile file 21

environment variables 21

init.ora file 21

install, configure 19

java_pool_size parameter 21

JVM feature required by Tivoli Identity Manager 20

processes parameter 21

select during installation 50, 66

shared_pool_size parameter 21

pool

Initial Capacity 112

Login Delay Seconds 112

Maximum Capacity 112

profile

db2profile command 57, 73

DBLink exception 102

verifying successful 57, 73

schema preserved during upgrade 117

select during installation 50, 66

server, definition 3

session persistence

db2profile 57, 73

Oracle environment variables 21

SQL Server 2000, select during installation 50, 66

tab 83

TCP/IP 15

transactional data 3, 11

type 83

upgrade, schema preserved 117

user enrole 84

Database Name, database field 111

Database Type, database field 111

Database User, database field 111

DB_INSTANCE_HOME

DB2 UDB installation directory xiii, 127

definition xiii, 127

db2

force application all, command 15

db2 command

catalog 16

create 14

update 14

DB2 runtime client

64-bit operating systems 17

computers that require 16

install, configure 16

named pipes, avoiding 16

type of JDBC driver 3

using TCP/IP as protocol 16

DB2 UDB

Administrative user ID 13

client

64-bit operating systems 17

on remote computer 12

command

catalog 16

connect 17

create 14

db2 force application all 15

db2cmd 14

db2set 15

db2start 15

db2stop 15

update 14

configuration

create user enrole 14

EXTSHM environment variable 15

JDBC driver 4

performance 19

service listening port number 18

steps 14

TCP/IP communication 15

db2admin 13

db2inst1, instance name on UNIX or Linux 12

db2profile command 57, 73

deployment 12

First Steps 13

home directory 12

initially empty 12

instance name

db2 on Windows 13

instance, db2inst1 on UNIX or Linux 12

out of memory error 19

profile

sourcing 57, 73

sourcing on each cluster member, AIX and Solaris 38

relation to Tivoli Identity Manager 12

runtime adjustment 14

service name

db2c_DB2 on Windows 18

db2cdb2inst12 on UNIX 18

storage space 19

user named enrole 14

wizard, verifying installation 13

DB2 UDB Server

deployment 12

fix pack 13

install, configure 12

setting up 11

db2admin 13, 111

db2c_DB2, service name on Windows 18

db2cdb2inst12, DB2 service name on UNIX 18

DB2COMM 15, 17

db2fs, command 13

db2inst1, instance name on UNIX or Linux 12

db2inst1, instance owner user name 111

db2level, command 13, 26

db2profile

command 57, 73

in .profile file 57, 73

sourcing, for DB2 UDB 58, 74

db2set

command 14, 15

DB2COMM 15

DB2ENVLIST=EXTSHM 16

db2start, command 15, 16

db2stop, command 15

dbConfig.stdout 102

DBLink exception 102

dc=com

permissions 28

suffix value 112

default

ibm_banner.gif 86

logo image file 86

Default Org Short Name, directory server field 112

delay, database login 112

demonstration certificate upgraded 117

deployment

adapter 2

cluster 39

cluster configuration 36

cluster member 74

DB2 UDB 12

deployment manager 37

IBM HTTP Server 35

IBM Tivoli Directory Server 25

illustration, basic 1

node, add to cell 38

outside cell 45

overview 1

planning steps 7

port conflicts 40

security 40

server 1

WebSphere Application Server 33

WebSphere Application Server base 37

WebSphere embedded messaging 34

WebSphere Web Server plug-in 35, 75

deployment manager

co-existing with WebSphere Application Server base

product 37

create cluster 39

database configuration 77

deployment 37

httpd.conf 46

IBM HTTP Server on different computer 75

installing 37

LDAP data repository 79

manual steps to create cluster 39

plugin-cfg.xml 75

plugin-key.kdb 46

plugin-key.sth 46

port conflict 37

propagating Tivoli Identity Manager Server 64

running before installing Tivoli Identity Manager

Server 98

startManager command 37

verifying 38

WebSphere Application Server 5

directory

WAS_HOME 114

DB_INSTANCE_HOME xiii, 127

HTTP_HOME xiv

identical requirement, on cluster members 61

installation

DB2 UDB xiii, 127

IBM HTTP Server xiv

IBM Tivoli Directory Server xiii

WebSphere Application Server 114

WebSphere Application Server base product xiv, 127

WebSphere Application Server Network Deployment

product xiv

WebSphere MQ xiv

installation for Sun ONE Directory Server xiii

ITIM_HOME xiv, 127

LDAP_HOME xiii

names, UNIX notation xii

WAS_HOME xiv, 114, 127

WAS_MQ_HOME xiv

WAS_NDM_HOME xiv

directory server

definition 4

determination if running 95

field

Default Org Short Name 112

Host name 112

Identity Manager DN Location 112

Increment Count 113

Initial Pool Size 113

Max. Pool Size 113

Name of your organization 112

Number of hash buckets 112

Password 112

Port 112

Principal DN 112

host name 82

ibmslapd process 95

ibmslapd.log file 96

identity management 4

LDAP directory 4

organizational data 4, 25

port number 82

Principal DN 82

process ID (PID) 95

requests locked in running state 96

user account data 4, 25

disabilities, using documentation xi

disable, Java 2 security configuration 45

DN

principal password, as directory server field 112

principal, as directory server field 112

suffix example 28

top entry in a locally-held directory hierarchy 26

documents

related x

Tivoli Identity Manager library vii

domain

object 28

object, ldapadd command 28

objectclass 28

double-byte character set, for organization name 112

driver, JDBC 3, 130

dspmq, command 35, 98

Dynamic Role Add/Modify/Remove, workflow process 117

E

e-mail

address for the Tivoli Identity Manager Server 85

mail gateway 85

system administrator address 85

editing password 91

EJB user

field, WebSphere Application Server 114

initial values 87

itimadmin 88

length limit 87

manual steps 87

mapping 88

updating 87, 88

user name 41

embedded

HTTP transport 96

WebSphere embedded messaging 33

embedded HTTP transport, WebSphere

logon 73, 100

empty, DB2 UDB 12

encryption

checkbox 113

enrole.password.appServer.encrypted 87

enrole.password.database.encrypted 87

enrole.password.ldap.encrypted 87

enRole.properties 87

key 52, 68

key, WebSphere Application Server 113

settings 87

enrole

default user ID, database 84

password identical in enRoleDatabase.properties file 95

required user ID 111

user

create 14

on DB2 server 14

privileges, no special 14

enrole.jms.QueueConnectionFactory 134

enrole.password.appServer.encrypted 87

enrole.password.database.encrypted 87

enrole.password.ldap.encrypted 87

enRole.properties

/data directory 90

configuring Tivoli Identity Manager Server 80

encryption properties 87

preserved during upgrade 117

enRoleAuthentication.properties 117

enRoleDatabase.properties 117

enRoleDatabase.properties file 95

enRoleLDAPConnection.properties 117

enRoleLogging.log4j.properties 123

enRoleLogging.properties file 103

enRoleMail.properties 117

enroleworkflow.properties 117

environment variable

DB2COMM 15

EXTSHM 15

ITIM_DB_JDBC_DRIVER_PATH 128

Oracle 21

processes, Oracle 21

set by Tivoli Identity Manager installation program 128

setting with .profile file 21

shared_pool_size, Oracle 21

UNIX notation xii

exception, DBLink 102

expired password 91

export EXTSHM environment variable 15

EXTSHM

AIX operating system 15

DB2 UDB 15

environment variable

configuration 15

setting in profile file 15

shell for client application shell 15

shell for db2start 15

F

First Steps

DB2 UDB installation 13

verifying WebSphere installation 35

fix pack

database 13, 26

IBM HTTP Server 36

IBM Tivoli Directory Server 26

stopping processes before applying 35

fixes, obtaining 142

flowchart

cluster installation 62

single-server installation 48

G

garbage cleanup

recycle bin age limit 82

schedule_garbage.cron 82

global security

determining state before installation 48, 62

itimadmin 89

wasadmin 89

WebSphere Application Server

EJB User field 114

settings 51, 113

System User field 113

Global Security

configuration 41

group, WebSphere embedded messaging

adding root 34

mqbrkrs 34

mqm 34

H

hash bucket, directory server 112

heap size, DB2 UDB 19

heart beat 81

historical data, on database 11

home directories

DB_INSTANCE_HOME xiii, 127

DB2 UDB 12

HTTP_HOME xiv

ITIM_HOME xiv, 127

LDAP_HOME xiii

WAS_HOME xiv, 127

WAS_MQ_HOME xiv

WAS_NDM_HOME xiv

homogeneous, operating system 6

host name

directory server 82

directory server field 112

Tivoli Identity Manager Server 81

HTTP

embedded HTTP transport, WebSphere 73, 100

server

access 4

definition 4

determine if running 97

multiple on same computer 100

multiple versions 100

not on every cluster member 37

port 80 101

requests 4

WebSphere Web Server plug-in 4

transport

embedded 96

test purposes only 96

HTTP_HOME

definition xiv

IBM HTTP Server installation directory xiv

httpd.conf

WebSphere Web Server plug-in 46

I

IBM HTTP Server

configuring outside cell 45

deployment 35

fix pack for WebSphere Application Server base 36

IBM HTTP Server (continued)

installing 36

plugin-cfg.xml 75

separate computer recommended 36

IBM Logging Toolkit for Java (JLog) 123

IBM logo file, default 86

IBM Tivoli Directory Server

deployment 25

fix pack 26

install, configure 25

LDAP suffix 26

port conflict 31

referential integrity file 26

setting up 26

ibm_banner.gif 86

ibmdirctl, command 27

ibmslapd

ibmdirctl command, to stop 27

log file 30

process ID 26, 27

process running 95

ibmslapd.conf

LDAP sessions 31

SLAPD_OCHANDLERS 31

ibmslapd.log file 96

identical directory, cluster members 61

identity feed, lost if running during upgrade 117

Identity Manager DN Location, directory server field 112

iKeyman, WebSphere key management utility 58, 76

image

directory 86

installation file name 109

itim-4.6-cd-images-aix.txt 109

itim-4.6-cd-images-linux.txt 109

itim-4.6-cd-images-sun.txt 109

itim-4.6-cd-images-windows.txt 109

logo 86

Increment Count

directory server field 113

LDAP 83

information centers, searching to find software problem resolution 141

init.ora file, Oracle 21

Initial Capacity, database pool field 112

Initial Pool Size

directory server field 113

LDAP 83

instAIX-WAS.bin, installation program 50, 65, 120, 122

installation

deployment manager 37

directory

DB2 UDB xiii, 127

IBM HTTP Server xiv

IBM Tivoli Directory Server xiii

Sun ONE Directory Server xiii

WebSphere Application Server base product xiv, 114, 127

WebSphere Application Server Network Deployment product xiv

WebSphere MQ xiv

IBM HTTP Server 35, 36

image

itim-4.6-cd-images-aix.txt 109

itim-4.6-cd-images-linux.txt 109

itim-4.6-cd-images-sun.txt 109

itim-4.6-cd-images-windows.txt 109

instAIX-WAS.bin 50, 65, 120, 122

installation (continued)

instLINUX-WAS.bin 50, 65, 120, 122

instSOL-WAS.bin 50, 65, 120, 122

instWIN-WAS.exe 50, 65, 120, 122

logs 102

restarting clusters 72

select database 50, 66

sequence

cluster 64, 65

single-server 50

SQL Server 2000 23

Tivoli Identity Manager Server

authority 47, 61

cluster 61

flowchart, cluster 62

flowchart, single-server 48

single-server 47

verifying

Tivoli Identity Manager Server 56, 72

WebSphere installation 35

WebSphere Application Server base

for Tivoli Identity Manager Server 37

on node 37

WebSphere Web Server plug-in 35, 36

instance name

DB2 UDB on UNIX or Linux 12

DB2 UDB on Windows 13

instLINUX-WAS.bin, installation program 50, 65, 120, 122

instSOL-WAS.bin, installation program 50, 65, 120, 122

instWIN-WAS.exe, installation program 50, 65, 120, 122

Internet Explorer, active scripting 99

Internet, searching to find software problem resolution 141, 142

IP Address, database field 111

ITIM user 57, 73

itim_adhocSync queue 134

itim_api.jar 118

ITIM_DB_JDBC_DRIVER_PATH 94, 128

ITIM_HOME

definition xiv, 127

directory xiv, 127

itim_install.stderr 102

itim_install.stdout 102

itim_installer_debug.txt 102

itim_ms queue 133

itim_ps queue 134

itim_rs queue 133

itim_rs_pending queue 133

itim_wf queue 133

itim-4.6-cd-images-aix.txt, installation image 109

itim-4.6-cd-images-linux.txt, installation image 109

itim-4.6-cd-images-sun.txt, installation image 109

itim-4.6-cd-images-windows.txt, installation image 109

itim-init, authentication alias 94

ITIMAdhocSyncListenerPort 134

itimadmin

EJB user 41, 88, 89

object 43

user 114

User 43

itimdb

database

database name 14

database name or alias 83

on remote or local computer 111

setting initial values, SQL Server 2000 24

SQL Server 2000 24

ITIMLocalWorkflowListenerPort 135

itimlp_agents_setup.jar 59, 76

itimlp_setup.jar 58, 74

ITIMMailServicesListenerPort 135

ITIMPartitioningServiceListenerPort 135

ITIMPolicyAnalysisListenerPort 136

ITIMPolicySimulationListenerPort 136

ITIMRemoteServicesListenerPort 135

ITIMRemoteServicesPendingListenerPort 136

ITIMSharedWorkflowListenerPort 136

J

J2C authentication 129

JAAS login module

JNDI feed 139

manual deployment 139

jar file

api_ejb.jar 118

itim_api.jar 118

itimlp_agents_setup.jar 59, 76

itimlp_setup.jar 58, 74

jsafe.jar 124

log4j.jar 124

manual upgrade 118

ojdbc14.jar 21

Java 2 security

configuration

multi-node 42

single-node 41

customization, upgrading manually 123

disabling 45

lost during upgrade 118

Java Naming and Directory (JNDI) service provider 139

Java Runtime Environment

language pack 58, 74

required level 58, 74

java_pool_size parameter, Oracle 21

java, command 58, 74

JDBC

connection

fields 84

initial number 112

Maximum Capacity of database pool 112

driver

32-bit DB2 runtime client 18

64-bit operating system 17

DB2 runtime client 3

DB2 UDB database client 4

manual creation 130

ojdbc14.jar 21

SQL Server 2000 database 4

type 2 3

type 4 4

initial connections 112

JLog for logging and alerting 103

JMS objects, create manually

cell level 131

JMS objects, creating manually

server level 132

JMS server

internal, creating manually 137

verifying, single-server 98

WebSphere embedded messaging 3

JNDI feed 139

jsafe.jar 124

JVM classpath 137

K

kernel

settings for DB2 UDB 11

settings for WebSphere embedded messaging

Solaris 34

key

encryption

password 113

WebSphere Application Server 113

plugin-key.kdb file 46

knowledge bases, searching to find software problem resolution 141

L

language

on installation panels 50, 65

pack

default not English 58, 74

installing 58, 74

jar file name 58, 74

Java Runtime Environment 58, 74

specifying at logon 100

LDAP

connection increment 83

connection pool 31, 83

customization, upgrading manually 123

directory server 4

ibmslapd.conf file 31

Increment Count 113

initial configuration 79

initial connections 83

Initial Pool Size 113

Max. Pool Size 113

maximum connections 83

schema customization lost during upgrade 118

sessions 31

suffix

creating 26

definition 26

IBM Tivoli Directory Server 26

initializing with data 28

verifying configuration 28

LDAP_HOME

definition xiii

IBM Tivoli Directory Server installation directory xiii

Sun ONE Directory Server installation directory xiii

ldapadd

add domain object 28

command 28

ldapcfg, command 27

ldapClean, command 82

ldapConfig.stdout 102

ldapsearch, command 28

LDIF

file example 28

ldapadd 28

suffix.ldif file 28

libdelref

success message 30

testing configuration 30

libdelref.a, referential integrity file 29

libdelref.dll, referential integrity file 29

libdelref.so, referential integrity file 29

Lightweight Third Party Authentication (LTPA) 43

limit, recycle bin age 82

limitation

homogeneous operating system 6

vertical cluster configuration 6

list page size, as search control 86

listener

ports, creating manually 134

service, Oracle 23

Log4J logging toolkit setting, upgrading manually 123

log4j.jar 124

logging

dbConfig.stdout 102

enRoleLogging.log4j.properties 123

IBM Logging Toolkit for Java (JLog) 123

ibmslapd.log file 96

itim_install.stderr 102

itim_install.stdout 102

itim_installer_debug.txt 102

ldapConfig.stdout 102

level 113

MAX 84

MED 84

MIN 84

performance settings 84

runConfig.stdout 102

runConfigTmp.stdout 102

setupEnrole.stdout 102

StartStopWas.stdout 102

system properties 90

tab 84

Tivoli_Identity_Manager_InstallLog.log 102

tracing 84

upgrading Log4J logging toolkit setting 123

logging utility

settings 118

login delay

database connections 84

time between database connections 112

logo

customized lost during upgrade 118

customized, upgrading manually 123

default image 86

logon

activity.log file 102

attempts 91

command 73, 100

language default 100

SystemOut.log file 102

logs

avoiding file and disk space problems 103

enRoleLogging.properties file 103

installation 102

msg.log 103

SystemErr.log 103

SystemOut.log 103

trace.log 103

lost password 91

LTPA (Lightweight Third Party Authentication) 43

M

mail

gateway 113

server name 113

tab 84

manuals

see publications xi

MAX, logging 84

Max. Pool Size, directory server field 113

Maximum Capacity, database pool field 112

Maximum Pool Size, LDAP 83

MED, logging 84

memory segments shared, setting with EXTSHM 15

message

preoperation 31

status of WebSphere embedded messaging 35

MIN, logging 84

mqbrkrs group, WebSphere embedded messaging 34

mqm group, WebSphere embedded messaging 34

msg.log

in Tivoli Common Directory 103

verifying Tivoli Identity Manager Server 100

multi-node

Java 2 security configuration 42

security

node synchronization 89

timeout interval 89

multiaccountdelete.xml, workflow process file 117

multiaccountpassword.xml, workflow process file 117

multiaccountrestore.xml, workflow process file 117

multiaccountsuspend.xml, workflow process file 117

multiuserdelete.xml, workflow process file 117

multiusersrestore.xml, workflow process file 117

multiusersuspend.xml, workflow process file 117

N

name

database 83

organization field 112

naming context, definition 26

netstat, command 40

node

adding to cell 38

agent

verifying 38

WebSphere Application Server 5

installing WebSphere Application Server base 37

local alias for DB2 UDB 16

local alias of database 17

name field

identical to host name of physical computer 114

WebSphere Application Server 114

synchronization, multi-node deployment 89

WebSphere Application Server 5

notifytemplate.html, workflow process file 117

Number of hash buckets, directory server field 112

O

objectclass

domain 28

top 28

ojdbc14.jar file, JDBC driver for Oracle 21

online publications

accessing xi

operating system

64-bit 17

homogeneous 6

identity provisioning 2

Oracle

.profile file 21

backup 21

command to start server 23

Oracle (continued)

environment variables 21

init.ora file 21

install, configure 19

java_pool_size parameter 21

JDBC driver (ojdbc14.jar) 21

JVM feature required by Tivoli Identity Manager 20

listener service 23

processes parameter 21

session persistence 21

shared_pool_size parameter 21

SQL script example 22

organization

data, on directory server 25

unit suffix 42

organization name

formal company name 112

single or double-byte character set 112

ou=WasSecurity,dc=com 42

out of memory error, DB2 UDB 19

overview of deployment 1

P

password

"secret" as first password 113

directory server field 112

editing 91

enrole user, password identical in enRoleDatabase.properties file 95

expiration period 91

lost 91

properties file 113

retrieval expiration period 91

Tivoli Identity Manager Server field 113

path names, notation xii

pdf format, for screen-reader software xi

performance

DB2 UDB 19

distributed environment configuration 5

LDAP connection 82

table of log files 103

tracing level 84

permissions

dc=com 28

EJB component 40

Java 2 security 40

libdelref file 29

referential integrity file 29

was.policy file 41, 88

planning

activities 9

authority 9

change control 10

list of sites 9

major steps in installation 7

script library 10

troubleshooting 10

worksheets 10

plug-in

default installation directory 29

file permissions 29

libdelref.a 29

libdelref.dll 29

libdelref.so 29

plugin-cfg.xml 75

plugin-key.kdb file 46

plug-in (continued)

plugin-key.sth file 46

referential integrity file 28

update after deleting cluster member 75

WebSphere Web Server plug-in 35

plugin

plugin-cfg.xml 101

plugin-cfg.xml 101

plugin-key.kdb file 46

plugin-key.sth file 46

Policy Add/Modify/Remove, workflow process 117

pool

Initial Capacity, database 112

Initial Pool Size, LDAP 113

JDBC connections, database 84

Login Delay Seconds, database 112

Max. Pool Size, LDAP 113

Maximum Capacity, database 112

port

389 112

50000 18

80 40, 101

8880 40

9080 40, 73, 100

9090 40

conflict

conflict with wsmserver 40

resolving 40

table of numbers assigned 40

unregistered WebSphere Application Server – Express 31

directory server 82

directory server field 112

enrole.jms.QueueConnectionFactory 134

in services file 18

ITIMAdhocSyncListenerPort 134

ITIMLocalWorkflowListenerPort 135

ITIMMailServicesListenerPort 135

ITIMPartitioningServiceListenerPort 135

ITIMPolicyAnalysisListenerPort 136

ITIMPolicySimulationListenerPort 136

ITIMRemoteServicesListenerPort 135

ITIMRemoteServicesPendingListenerPort 136

ITIMSharedWorkflowListenerPort 136

listener, creating manually 134

number, as database field 111

reassignment, co-existing products 37

service listening 18

SSL port number 81

TCP/IP port number 81

preoperation, message 31

prerequisite

cluster

database 61

deployment manager 62

directory server 61

JMS servers 62

node agents 62

WebSphere Application Server base 62

WebSphere global security on? 62

single-server

database 48

directory server 48

WebSphere Application Server 48

WebSphere global security on? 48

Principal DN

directory server 82

Principal DN (continued)

directory server field 112

Password, directory server field 112

privilege

logon 50, 65

planning need 10

user, enrole 14

problem determination

browser

avoiding two sessions 100

language default 100

using supported 99

database

authentication alias 94

database connection

CLASSPATH 94

db2profile 94

testing 94

DB2 UDB

.profile file 102

DBLink exception 102

DB2 user ID, password 94

describing problem for IBM Software Support 143

determining business impact for IBM Software Support 143

directory server

ibmslapd.log 96

process ID (PID) 95

requests locked in running state 96

embedded HTTP transport, WebSphere

logon 73, 100

HTTP server

determine if running 97

httpd.conf 97

multiple versions 100

port 80 97, 101

installation

database configuration 54, 70

database connection 94

DBConfig 54, 70

directory server configuration 55, 70

file permissions 93

hardware, software prerequisites 93

ldapConfig 55, 70, 71

log files 56, 71, 93

permissions and display variables 93

real memory 93

Simple Object Access Protocol (SOAP) connection 53, 69

wasadmin user ID 54, 69

WebSphere Application Server 53

wsadmin 53, 69

JLog for logging and alerting 103

JMS server

dspmq command 98

WebSphere embedded messaging 98

logs and directories 102

properties files 102

queue manager

dspmq command 98

starting 98

strmqm command 98

submitting problem to IBM Software Support 144

SystemOut.log file 102

Tivoli Identity Manager

embedded HTTP transport, WebSphere 73, 100

HTTP server, correct level 100

problem determination (continued)

Tivoli Identity Manager (continued)

HTTP server, port 80 101

ITIM_HOME/data directory 102

msg.log file 100

properties files 102

running process 100

SystemOut.log file 100

trace.log file 100

WebSphere Application Server

deployment manager 99

dmgr process 99

node agent 99

server1 98

serverStatus command 98

process file, workflow

addserviceselectionpolicy.xml, preserved during upgrade 117

changeserviceselectionpolicy.xml, preserved during upgrade 117

multiaccountdelete.xml, preserved during upgrade 117

multiaccountpassword.xml, preserved during upgrade 117

multiaccountrestore.xml, preserved during upgrade 117

multiaccountsuspend.xml, preserved during upgrade 117

multiuserdelete.xml, preserved during upgrade 117

multiusersrestore.xml, preserved during upgrade 117

multiusersuspend.xml, preserved during upgrade 117

notifytemplate.html, preserved during upgrade 117

removeserviceselectionpolicy.xml, preserved during upgrade 117

process, workflow

Dynamic Role Add/Modify/Remove, lost if running during upgrade 117

Policy Add/Modify/Remove, lost if running during upgrade 117

processes parameter, Oracle 21

profile

adapter 58, 76

cluster configuration 76

cluster member 38

communication with database 38

DB2 UDB

.profile file 57, 73

db2profile command 57, 73

DBLink exception 102

repeated sourcing 57, 73

sourcing 57, 73

sourcing on each cluster member, AIX and Solaris 38

profile file

EXTSHM environment variable 15

properties

configuring with Tivoli Identity Manager GUI 91

enRoleDatabase.properties file 95

file

configure 80

data directory 102

encryption 87

enRole.properties 80

enRoleLogging.log4j.properties 123

list 90

Log4J logging toolkit setting 123

security tab 86

SystemOut.log file, indicating error 102

heart beat 81

recycle bin age limit 82

tracing 84

properties (continued)

transaction service

Client Inactivity Timeout 129

Total Transaction Lifetime Timeout 129

properties file

client, upgrading duplicate files 118

CustomLabels.properties 76

encryption 113

file

adhocreporting.properties 117

CustomLabels.properties 117

enRole.properties 117

enRoleAuthentication.properties 117

enRoleDatabase.properties 117

enRoleLDAPConnection.properties 117

enRoleMail.properties 117

enroleworkflow.properties 117

ui.properties 117

password 113

preserved during upgrade 117

upgrade, preserved

adhocreporting.properties 117

CustomLabels.properties 117

enRole.properties 117

enRoleAuthentication.properties 117

enRoleDatabase.properties 117

enRoleLDAPConnection.properties 117

enRoleMail.properties 117

enroleworkflow.properties 117

ui.properties 117

provisioning

identity 2

relational database 3

publications

accessing online xi

related x

Tivoli Identity Manager library vii

Q

queue

itim_adhocSync 134

itim_ms 133

itim_ps 134

itim_rs 133

itim_rs_pending 133

itim_wf 133

queue manager

dspmq command 98

starting 98

status 98

strmqm command 98

R

reconciliation, lost if running during upgrade 117

recycle bin age limit 82

referential integrity file

definition 28

file permissions 29

IBM Tivoli Directory Server 26

libdelref.a 29

libdelref.dll 29

libdelref.so 29

loading success message 31

steps to configure 28

referential integrity file (continued)

testing configuration 30

regular cluster, definition 6

regular-cluster configuration

installing 64

selecting 67

remote

computer, database client 12

host name of node with DB2 UDB 16

name of DB2 database 17

resource

account management 1

adapter 1

removeserviceselectionpolicy.xml, workflow process file 117

removing cluster member 75

requests locked in running state, directory server 96

requirement

CA certificate 58, 76

cluster 61

single-server 48

retrieval period, password 91

root

adding to group, WebSphere embedded messaging 34

authority for installation specialist 9

group member, WebSphere embedded messaging 34

logon user ID, to install Tivoli Identity Manager Server 47, 61

suffix, Sun ONE Directory Server 32

used in value for distinguished name 28

using system management tool 14

runConfig

change password, enrole user 90

command 80

configuring Tivoli Identity Manager Server 80

EJB user 90

password encryption 90

system properties 90

runConfig.stdout 102

runConfigTmp.stdout 102

running process

database 94

directory server 95

HTTP server 97

HTTP transport 96

logs and directories 102

Tivoli Identity Manager Server 100, 102

using runConfig (System Configuration) 90

WebSphere Application Server 98

WebSphere embedded messaging 98

runtime

adjust DB2 UDB 14

client

64-bit operating system 17

computers that require 16

DB2 UDB 3

install, configure 16

environment, WebSphere Application Server 3

Java Runtime Environment 58, 74

S

schedule_garbage.cron, job 82

scheduling

heart beat 81

ldapClean 82

periodic cleanup 82

Recycle Bin Age Limit 81

scheduling (continued)

schedule_garbage 82

thread 81

script

create Oracle database 22

library suggested 10

search, items displayed 86

secret, as first password 113

Secure Socket Layer

plugin-key.kdb file 46

plugin-key.sth file 46

security

configuring IBM HTTP Server outside cell 45

EJB user 88

map administrative user to role 88

multi-node deployment

node synchronization 89

timeout interval 89

tab 86

was.policy file 41, 88

segments, shared memory, setting with EXTSHM 15

sequence

installation, cluster 64, 65

installation, single-server 50

requirement, cluster installation 65

Server Name, WebSphere Application Server field 114

serverStatus, command 38, 98

service name

db2c_DB2 on Windows 18

db2cdb2inst12 on UNIX 18

service pack, SQL Server 2000 24

serviceability-related files, Tivoli Common Directory 52, 68

services file, port number 18

session

browser problem 100

connection pool, LDAP 31

LDAP 31, 83

persistence

db2profile 57, 73

Oracle environment variables 21

settings

DB2 UDB

EXTSHM environment variable 15

kernel, on Solaris 11

kernel, WebSphere embedded messaging 33

preserved, upgrading Tivoli Identity Manager 117

runtime, DB2 UDB 14

setupEnrole.stdout 102

shared memory segments, setting with EXTSHM 15

shared_pool_size parameter, Oracle 21

Simple WebSphere Authentication Mechanism (SWAM) 41

single-node

Java 2 security configuration 41

single-server

configuration

installing 47

WebSphere Application Server 4

definition 4

installation

authority 47, 61

flowchart 48

sequence 50

Tivoli Identity Manager Server 47

wizard 50

prerequisites

database 48

WebSphere Application Server 48

single-server (continued)

prerequisites (continued)

WebSphere global security on? 48

SLAPD_OCHANDLERS 31

SMTP mail host 85, 113

Software Support

contacting 142

describing problem for IBM Software Support 143

determining business impact for IBM Software Support 143

submitting problem to IBM Software Support 144

Solaris

kernel settings for DB2 UDB 11

kernel settings for WebSphere embedded messaging 34

sorting, hash bucket 112

source

data 2

DB_INSTANCE_HOME 57, 73

DB2 UDB profile 57, 73

DB2INSTANCE 57, 73

specialist

working practices 9

SQL Server 2000

configuring 24

installing 23

itimdb database 24

service pack, obtaining 24

SSL

TCP/IP port number 81

startManager, command 37

startNode, command 38, 39

startServer, command 38, 53

StartStopWas.stdout 102

status

DB2 UDB installation wizard 12

deployment manager 39

Oracle listener 23

WebSphere Application Server 98

WebSphere embedded messaging 35

stopServer, command 53

storage space

cluster configuration 61

DB2 UDB 19

more than one WebSphere Application Server on computer 6

single-server configuration 47

tuning guide 103

WebSphere Web Server plug-in, IBM HTTP Server 36

strmqm, command 98

suffix

cn=itimadmin,ou=WasSecurity,dc=com 43

cn=wasadmin,ou=WasSecurity,dc=com 42

dc=com 112

ou=WasSecurity,dc=com 42

suffix.ldif file 28

Sun ONE Directory Server 96

cache size, setting maximum 32

configuring 32

root suffix 32

system administrator e-mail address 85

system configuration tool

Logging tab, tracing 84

System Management Interface Tool (SMIT, AIX) 14

system properties

enRole.properties 90

interval to recognize changes 90

logging 90

system properties (continued)

logon attempts 91

managing 90

manual modification 90

password

editing 91

expiration period 91

lost 91

retrieval expiration period 91

restart Tivoli Identity Manager Server 90

runConfig 90

Web user interface 91

System user

updating 88

System User

User ID, WebSphere Application Server 113

user name 41

SystemErr.log 103

SystemOut.log

errors and properties files 102

file 103

logon request 102

verifying Tivoli Identity Manager Server 100

T

tab

Database 83

Directory 82

General 80

Logging 84

Mail 84

Security 86

UI 85

TCP/IP

configuration, DB2 UDB 15

DB2COMM 17

port number 81

SSL port number 81

TCP/IP protocol

DB2 runtime client 16

testing

database 94

directory server 95

HTTP server 97

HTTP transport 96

JMS server 98

Tivoli Identity Manager Server 100

WebSphere Application Server 98

text, alternative for document images xi

the Tivoli Identity Manager Server

uninstalling

saving configuration information in WebSphere 119

thread

LDAP connections 31

scheduling 81

SLAPD_OCHANDLERS 31

timdelref.conf

configuration file for Tivoli Identity Manager 29, 123

target directory 29, 123

timeout interval, multi-node security 89

Tivoli Common Directory

CTGIM 52, 68

msg.log 103

serviceability-related files 52, 68

trace.log 103

Tivoli Identity Manager

field

User ID 113

manual deployment

classloader settings 139

JAAS login module 139

JNDI service provider 139

WebSphere Application Server 138

WebSphere Web Server plug-in 139

uninstalling 105

Tivoli Identity Manager Server

CA certificate 58, 76

configuration

Database tab 83

General tab 80

Directory tab 82

field

Password 113

host name 81

installation, configuration 47

installing

authority 47, 61

cluster 61

flowchart, cluster 62

flowchart, single-server 48

single-server 47

Logging tab 84

Mail tab 84

msg.log file 100

Security tab 86

SystemOut.log file 100

test communication 93

trace.log file 100

UI tab 85

uninstalling

additional products 105

database tables 105

directory server schema 105

steps 105

verifying 100

Tivoli software information center xi

Tivoli_Common_Directory

definition xiv

Tivoli_Identity_Manager_InstallLog.log 102

top, objectclass 28

Total Transaction Lifetime Timeout 129

trace.log

in Tivoli Common Directory 103

verifying Tivoli Identity Manager Server 100

tracing

IBM Logging Toolkit for Java (JLog) 124

logging 84

MAX 84

MED 84

MIN 84

performance settings 84

transaction service

Client Inactivity Timeout 129

Total Transaction Lifetime Timeout 129

transactional data, on database 11

type

2 JDBC driver 3

4 JDBC driver 4

database 83

typeface conventions xii

U

ui.properties 117

uninstalling

Tivoli Identity Manager 105

additional products 105

database tables 105

directory server schema 105

saving configuration information in WebSphere 119

steps 105

utility for Tivoli Identity Manager 75

unregistered WebSphere Application Server – Express 31

update, db2 command 14

upgrading

before upgrading 118

configuration 119, 121

Crystal Reports

manual steps 124

Crystal reports, manually 118

custom logos lost 118

customization

Java 2 security, manually 123

LDAP schema, manually 123

Log4J logging toolkit setting 123

logos, manually 123

customized logging settings

utility lost 118

duplicate properties files on client side 118

Dynamic Role Add/Modify/Remove lost if running 117

identity feed lost if running 117

jar files for client, manually 118

Java security lost 118

LDAP schema customization lost 118

Policy Add/Modify/Remove lost if running 117

problems, correction 124

reconciliation lost if running 117

steps

cluster configuration 121

single-server configuration 120

tasks

cluster configuration 121

single-server configuration 119

Tivoli Identity Manager version 4.5.1 to 4.6

CA certificates preserved 117

customization, preserving WebSphere Application Server 116

data directory 116

database schema 117

demonstration certificate upgraded 117

property files 117

settings preserved 117

WebSphere Application Server configuration 117

WebSphere Application Server installation 116

WebSphere Application Server migration 116

workflow files 117

workflow_systemprocess directory 117

user

account data, on directory server 25

enrole

on DB2 server 14

privileges, no special 14

ID field, Tivoli Identity Manager 113

ID, verifying for database 94

password, verifying for database 94

user password

database field 111

identical in enRoleDatabase.properties file 95

user, ITIM 57, 73

UTF-8, encoding 138

V

verifying

database

CLASSPATH 94

connection 94

installation 13

user ID 94

user password 94

deployment manager 38

HTTP server 97

HTTP server version 100

installation

Tivoli Identity Manager Server 56, 72

JMS server

single-server 98

node agent 38

WebSphere Application Server 98

WebSphere embedded messaging 98

versionInfo.bat, command 109

versionInfo.sh, command 109

W

WAS_HOME

definition xiv, 127

WebSphere Application Server base installation directory xiv, 114, 127

WAS_MQ_HOME

definition xiv

WebSphere MQ installation directory xiv

WAS_NDM_HOME

definition xiv

WebSphere Application Server Network Deployment installation directory xiv

was.policy file, permissions 41, 88

wasadmin

object 42

System User 41, 89

User 42

User ID, WebSphere Application Server 113

Web address

Tivoli Identity Manager 73, 100

WebSphere administrative console 36

Web user interface (Tivoli Identity Manager) 91

WebSphere administrative console

starting 56

Web address 36

WebSphere Application Server

configuration

preserved during upgrade 117

regular-cluster 6

single-server 4

definition 3

encryption

checkbox 113

key 113

field

Cluster name 114

Installation directory 114

Logging Level 113

Mail Server Name 113

Node name 114

Server Name 114

global security

EJB User field 114

itimadmin 89

settings 51, 113

System User field 113

wasadmin 89

Java Message Service 3

verifying 98

WebSphere Application Server – Express

port conflict 31

unregistered WebSphere Application Server – Express 31

WebSphere embedded messaging

deployment 34

group

adding root 34

mqbrkrs 34

mqm 34

message indicates running 35

process 3

verifying

single-server 98

verifying operation 35

WebSphere MQ 3

WebSphere installation

custom installation recommended 35

First Steps 35

IBM HTTP Server installation 35

WebSphere Web Server plug-in installation 35

WebSphere key management utility (iKeyman) 58, 76

WebSphere MQ, WebSphere embedded messaging 3

WebSphere Web Server plug-in

configuration file 75

definition 4

deployment 35

HTTP server 4

installing 36

manual regeneration 139

not on every cluster member 37

plugin-cfg.xml 75

separate computer recommended 36

wizard

First Steps, WebSphere installation 35

Tivoli Identity Manager installation

cluster 65

single-server 50

verifying DB2 UDB installation 13

workflow process file, preserved during upgrade

addserviceselectionpolicy.xml 117

changeserviceselectionpolicy.xml 117

multiaccountdelete.xml 117

multiaccountpassword.xml 117

multiaccountrestore.xml 117

multiaccountsuspend.xml 117

multiuserdelete.xml 117

multiusersrestore.xml 117

multiusersuspend.xml 117

notifytemplate.html 117

removeserviceselectionpolicy.xml 117

workflow process, lost if running during upgrade

Dynamic Role Add/Modify/Remove 117

Policy Add/Modify/Remove 117

worksheet

planning 10

tables 111

Program Number: 5724–C34

Printed in USA

SC32-1750-01